Tweag + Nix dev update #18

Full of good resolutions for the new school year, here is, nearly right on time (two weeks and a day after the previous one), the new bi-weekly update from the Tweag Nix team.


Flakes design refinements

@edolstra worked on a number of small(-ish) flake-related design points that needed to be settled before the next release. In particular

  • #4639 was a potential source of non-reproducibility in the evaluation. After some discussion about the right way to handle this (#4639, #5255), @edolstra found a way to explicitly mark the ambiguous cases in #5257.
  • #5168 was opening the way to both performance and security issues. It has been fixed in #5279.
  • #4394 was also a minor inconvenience, and got fixed by #5248.
  • #5253 restricts the use of import-from-derivation (IFD) in flakes. The initial proposal to ban all IFD by default was too controversial, so we now only disallow IFD in some “query” commands like nix flake show, where users would not expect Nix to start building.

CI improvements

  • The Nix CI times were getting quite out of hand (~1h for a full run).
    Fortunately, @edolstra found some low-hanging fruit to make the situation better (some instantiations of the testsuite were running sequentially).
    He also removed the cross-build checks from the GitHub Action, as they aren’t critical and are checked by Hydra anyway.
    Thanks to these (#5246), the bulk of the CI jobs is now done in a bit more than 20mins (though there’s still a job taking a good extra 30mins because of some missing caching).
  • After some struggles to get the caching right (again), @regnat managed to make #5059 (adding a CI step to test everything with Nix master as the daemon) “only” add 5mins of CI time. Though this still isn’t perfect, it’s already much better than the 30mins it used to take and might be enough to get it merged.


  • Thanks to funding from Flox, @edolstra has started working on a prototype for adding ACLs to store paths (based on some design notes here).
  • Also funded by Flox, @edolstra has added TCP support to the Nix daemon (#5265). This is primarily useful for testing, but it could serve as a basis for a lower-level remote builder protocol that wouldn’t require ssh.
  • Speaking of SSH, @edolstra fixed a small UX issue causing Nix to show an unhelpful error message when the remote machine prints anything on stdout.
  • #4922 which made the git fetcher fetch the submodules by default got reverted in #5284 because this was causing a huge performance regression (#5280). Hopefully there’s a way to make this work without the performance hit, and it can be added back after the 2.4 release.
  • nix --help used to call man behind the scenes, which was causing all sorts of undesirable behaviors (not working with a statically linked Nix, occasionally showing the doc for the wrong version, etc.). #5240 changes that to directly print the documentation using lowdown.
  • @edolstra added a couple of missing subcommands to nix profile in #5249.


  • @francois-caddet fixed a (quite annoying) bug causing imports not to be typechecked (#393). Unfortunately, this fix isn’t totally sound, so @yannham opened a new pull-request to fix the fix (#395).
  • @peperunas fixed a panic when the interpreter encounters an unbound type variable (#397). He also added position information to these variables to make the error message prettier (#399).
  • The PR implementing bidirectional type-checking (#392) triggered some discussions. Some nice reading for type-theory nerds :nerd_face:

And that’s all, folks.