I’ve heard on at least one occasion that it would be difficult for a company to adopt Nix/NixOS without having a vendor they can go to for support.

If I had a team of engineers and a lot of budget, I think it would be interesting to create a vendor that focuses on Nix/Nixpkgs/NixOS. First order of business might be to pick a random NixOS release and turn it into an LTS, where it would be supported for 2 years or so (instead of the normal 6-months).

It would be interesting to see if creating a vendor like this would spur more interest in using Nix/NixOS professionally.

Personnally I would try to improve the developper experience. NixOs fits poorly with many “language package managers” (e.g. npm) that tries to download pre-built binaries, and it would be great to automatically patch these files, provide a loader in NixOs or provide a way to enter a kind of FHS without creating a VM (VM or even steam-run are poorly integrated with the host system). Just trying to program with electron is already a challenge! EDIT I discovered meanwhile nix-ld whose goal is exactly to provide a system-wide loader… Really cool, this should be more documented ! That said this won’t help to package stuff in nixpkgs as this only works in NixOs.

Another improvement would be regarding caching when creating/debugging a derivation: I spent so many time recompiling a big package 10 times because of a few typos in the install phase… So adding a simple cache between the build phase and install phase would be really cool. I’m aware of nix-shells but in any case I’ll need to compile at least twice to test the final derivation, which is a waste of time. Ideally, nix-build could even provide a debug option where when we build twice, it tries to use to files that have already been compiled in the previous try, providing basically the benefits of nix-shells directly into nix-build, which would save the need for manually calling the various phases in a nix-shell.

This is why the most important thing we do is not any new features, but emphasizing layering.

The more modular the Nix ecosystem is, but more isolated groups of people will be able focus down on individual areas of improvement in isolation, and yet we can still try out their work through mixing in matching.

Well, yes, my wishlist has a ton of «more separated and hot-pluggable .*»

Unfortunately «pull whatever as a nix subcommand without a clear way to switch it out for something similar» is the way development will actually go…

A consistent, uniform and robust lang2nix approach for all major package sets. Fixes/RFCs upstream to various tools to make things work the way they ought to work if necessary.

Every build system would have a single lang2nix that is good enough for both nixpkgs and development environments.

From useful/important to least important:

• Useful type checker. When one forgets/incorrectly names/… attributes, the error messages are often completely useless. The right kind of type system could help a lot. But this is a nontrivial task.
• Fully automate minor version updates to existing packages. Such PRs should just be automatically merged if all ofborg tests are green. Reserve human attention to more important tasks and never “burn through” contributors.
• Secret handling. Like passwords, deployment keys, database passwords, and so on. Each module/service ships its own fragile, noncomposable “solution”.
• Clean nixpkgs pipelines. Merge trains, a core package set that has to have all tests succeeding before a merge.
• Better security story. CVEs have to be handled quickly and transparently, by a dedicated, responsive team. And before they are publicly known. This is often a blocker for commercial adoption.
• Make tests into separate derivations. When packages fail because of tests, disabling them or fixing them shouldn’t need to rebuild everything, but only the test. Similarly, disabling tests should not rebuild everything.
• Easier entry/migration for existing projects to NixOS. Especially at work we have the situation that someone writes code, infrastructure, CI, etc. without nix, and then at some point people start wishing for reproduceability, fast (cached) pipelines, deterministic builds. But if you’ve set up all the machines without nix already, it’s hard to use nix without switching to NixOS. I don’t know a good solution. Maybe bundling? Ansible integration?
• Stabilise the nix development. Don’t bring out features so quickly. Test and review them better with a beta user crowd to receive community feedback before breaking stuff for many people.
• Better meta-programming story, or rather better import-from-derivation story, mainly to update lock files. In particular on Hydra. There are reasons it is not enabled there, but it’s annoying. A lot of “organically evolved” update scripts are lying around because of this. Alternatively, use nix flakes in nixpkgs (and deprecate non-flakes).
• Modularise toplevel/all-packages.nix and avoid huge files in the future. (Maybe let's sort and/or categorize all-packages?)

That only works for projects that follow semver very strict and there are enough which don’t or don’t follow it all the time. Also this would not remove upstreamed patches, update compile flags, dependencies or meta data, summarized we would by default not react to any upstream changes if the package still compiles and tests pass which would make bit rotting an even bigger problem.

merge-trains do not really solve the problems we are having. A good amount of the PRs to nixpkgs are fully independent of each other and the PRs to staging which would benefit by this are not viable right now because of rebuild counts and the required compute power. We could run the checks required for the unstable channel to advance but most packages would not benefit from that because they do not influence those tests. This could fully change with CA and after some optimization for it which is one of the reasons why I am looking very much forward to it.

A good idea that came up in the nixpkgs architecture matrix chat is to just sort packages by their first letter into subdirectories which would make automated sorting easy.

One could opt-in for packages that follow semver. Minor version changes simply should not trigger the problems you are mentioning.

Anyways, I’m noticing that a lot of maintenance work is “reviewing” and merging minor version updates. This scares away people. Newcomer PR reviewers are looking through the massive number of PRs, say “these are all just boring version bumps, what could I possibly sensibly review here”, and look for another OS project where they can spend more meaningful time. (I’m claiming this after having conversations with NixOS newcomers.)

This is a problem and I’ve suggested a change.

Then we need to improve the documentation for newcomers that the amount of open PRs are not that scary and they get the knowledge to navigate them.

One way is to filter out r-ryantm PRs Pull requests · NixOS/nixpkgs · GitHub

and the open PRs are a lot but currently we are merging ~900 a week which is also a lot. nixpkgs scale is just big.

I’ve been looking for a way to filter like that, thanks!!!

I would really like to see a NixOS-native multi-host orchestration system with automatic task-scheduling, self-healing and other docker swarm-like features which would use nix as configuration language and nix closures instead of oci-containers.

Yes please, to this specifically.

And a bit more generally on some other topics too. There are too many options. Pick something and at least make it the mainstream/default option (examples in docs, etc) for the majority of users where the more niche differences between options matter less. Nothing prevents those alternatives, but a single focus for the common case helps the other solutions specialise on their particular strengths too.

I think all of my big Nix daydreams are ultimately about (a) making Nix/Nixpkgs use in general more NixOS-like and (b) making Nix/Nixpkgs more widely available. They’re more user- even consumer-focused than they are centered on the health of Nixpkgs. Some of them might not actually be that big.

The main thing is this: NixOS is the first-class way to use Nix, not only because it has control of the whole system, but crucially because the main way to go is declarative by default and it includes capabilities for not just installing but for configuring tons of software. In virtue of such features, NixOS is awesome, in a way that installing Nix and using nix-env on Ubuntu or macOS just plain ain’t.

But the fact is that NixOS will not always be the first, easiest, or even best way that Nix might be used in a given case. So with that in mind, I would direct this fantastical army of engineers to work on:

1. A grand unified module system

Use of Nix configuration modules for operating systems other than NixOS should be a first class experience and the recommended approach.

Concretely, this would look like

• Unifying NixOS, Nix-Darwin, and Home Manager so that instead of modules copying and pasting from each other and coordinating interop at a distance, they live in one repo and share code via something like the Nix process management framework
• adding support for systemd-based foreign Linux distributions, analogous to Nix-Darwin for Linux
• a unified profile manager for working with both user profiles and the system profile (replacing the nixos-rebuild, darwin-rebuild, and home-manager commands)
• once the pieces are in place, modules can start being ported over to the more universal system one-by-one

It goes without saying that the NixOS-ification of the wider Nix world would benefit immensely from some kind of provenance tracking for values configured via modules, so that we don’t get weird, distant error messages. (If Nickel is the path of least resistance here, great.)

I think this could be a huge help for making really pleasant, stable experiences available to new users. I think it’s also kinda overdue in that the proof of value is already there, in the use and maintenance of the third-party module systems.

2. Native Windows support

This would be a priority for me because without a paid team, it seems unlikely to get the sustained effort required to develop it and push for its integration. The more concrete goals:

• drop Bash in favor of a nice shell that runs on Windows without big compatibility layers, like Nushell or Elvish or Oil
• help flesh out uutils, the permissively licensed, Windows-friendly, Rust clone of GNU coreutils, and bundle it with the shell for the new stdenv
• combine this with the existing and largely paused Windows porting efforts

3. Idiot-proof Nix environment setup

The Nix installer is the place where a lot of people are going to encounter Nix for the first time. The places that set up all the necessary paths and environment variables are the places where that is most likely to break or require cleanup, and also where things will simply seem broken to users of non-POSIX shells. This has been a source of user frustration for years, and getting this piece to be stable is especially important if we want to have NixOS-like experiences on other operating systems.

This means we need something better than nix.sh and nix-daemon.sh. Imo we should either have nix do this itself or we should have a super simple binary to set up the environment. There should be two ways available to Nix users for Nixifying their shell environment:

• have a program emit code in the appropriate shell language for them to have their shell source, or
• have a program prepare a correct environment and then exec into any shell (maybe makeBinaryWrapper could be extended to produce a program that does this? idk)

with the latter being more important because it sets up the Nix environment as early as possible (obviating hacks like we need to make the Fish shell work reliably on NixOS) and because it can work completely regardless of what shell the user prefers and what its language looks like. I’m not sure if the former is necessary at all, but it might be nice when users have shells that can’t exec and they want to Nixify their running shell. (Emitting shell code would also give users flexibility to (re-)set up Nix later than other badly behaved software that might clobber their PATH or whatever.)

4. An LTS release

I don’t think much needs to be explained here, but that NixOS only has very short-lived releases makes it hard to pitch or use in some places.

Maybe this could be NixOS/Nixpkgs’ own thing, or maybe we could import source tarballs and backported security patches from some upstream distro (rhel2nix? lol). And maybe NixOS/Nixpkgs doesn’t need LTS releases to be as long-lived as they are with some distros, because of how easy NixOS upgrades can be.

Regardless, having a dedicated team sorting out how to get some Nixpkgs/NixOS releases out there where a substantial subset of packages are supported for at least a few years would be a huge deal and seems likely to require this kind of financial and engineering support.

I think with those four things, a lot more users (especially developers on macOS or Linux) could easily jump in with Nix and have a great experience without much commitment or up-front setup.

@uep

one way to handle NixOS upgrade failing due to a missing package would be to offer a mechanism to move the failing packages to the nix profile of the user in their current version, and remove them from the configuration. This could be interactive or not.

This could be a somewhat clean workaround.

If the package is used by a NixOS module, this will probably break, won’t it?

It’s possible, but I’d expect it to be exceedingly rare.

Coordinating hacks and fixups between NixOS modules and the programs they configure does happen (most shells that can be enabled as login shells via a programs.$SHELL.enable = true; have some measure of this, for example) but I don’t think it’s needed for most packages. Many (most?) modules that configure a package even offer an argument to let you plug in a different version of that package if you want. Consider also that you won’t generally have a module that expects a newer package than is available in Nixpkgs, since the modules live in the same repo and are developed against the packages that are in the repo with them.

If you were leaping across years worth of NixOS versions and the package had a major version change that included big changes to its config file sourcing behavior or a new configurarion file format, then you would definitely break the module. So if your old version of the package is 2.3, and you try to upgrade to a new NixOS release where the module was substantially reworked to service version 3.0, and the package on the newer NixOS release is broken because the current version is 3.1 and there’s some specific issue with 3.1, you’ll have a problem.

That’s solvable, one way or another, with enriched metadata. If you know what Nixpkgs version the broken package came from and you can figure out that it gets pulled in because of a module you have enabled. Then you can forego the suggestion if the module code has changed between those two Nixpkgs versions, or if the Nixpkgs versions are on different major releases, or something like that. If modules declared what package versions they know how to configure, you could be less conservative, or see try the last good build that supposedly works with that module.

I think you could also see a workaround like the one described reveal an incompatibility if some module mainly focused on a different package uses the broken-and-thus-reverted package as an optional runtime dependency, and the other packages it configures no longer work with the old version of the broken package and expect a newer one that has not yet been added as an update to Nixpkgs. (In that case the workaround wouldn’t be causing the issue, though, just revealing a latent runtime compatibility issue that would still be there if you fixed the broken package’s build without updating it.)

I want first-class support for installing arbitrary versions of available packages, as long as that version at some point worked in nixpkgs. The foundations of Nix support this, but the lack of first-class human-readable versions and the fact that older versions disappear over time undermines the potential.

I think nix profile install allows this, if you know the nixpkgs commit you want

As this came up in the discord again today:

• something like haskells (.) and ($) is missing
• cond or another “multiclause if”
• case/match that allows true pattern matching

Just in case, I do think that some of the wishlist items here would end up making the situation worse; and I guess some of my wishlist items would make the situation worse from some other people’s points of view.

(Not saying I have anything against match, though, worst case — in my opinion — is it still being nice but not used much anyway; chose the timing of the comment to be non-revealing)