Home 零对冲(ZeroHedge)每日HackerNews

NixOS 可重复构建:最小 ISO 成功独立重建
NixOS Reproducible Builds: minimal ISO successfully independently rebuilt

原始链接: https://discourse.nixos.org/t/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt/34756

10 月 29 日,NixOS 社区宣布使用 Nix Reproducible Builds 框架成功复制其最小安装 ISO,从而实现构建和分发软件的可验证性和可靠性。 复制过程涉及创建运行 NixOS 20.03 的虚拟盒环境并通过 Nix shell 和 Git 执行命令。 实现这一壮举需要解决与 Hydra 缓存和可替代依赖项相关的各种问题。 尽管这种可重现的构建再次证明了单个包的可重现性,但与之前发布的版本相比,它引入了差异,这凸显了与消除黑客攻击相关的挑战。 展望未来,NixOS 团队的目标是改进定期独立重建的基础设施,开发用于共享和使用构建证明的工具,并努力使其他安装和分发介质可复制。 总体而言,Nix Reproducible Builds 项目为创建值得信赖且可靠的系统提供了令人兴奋的机会,同时为开发人员和用户之间的源代码到二进制关系提供透明度。

然而,为了回答您最初的问题,这确实让我们了解了 Nix 和 NixOS 与 Ansible 或类似工具之间的概念差异。 虽然这些工具在管理基础设施或服务器方面提供自动化和控制,但它们通过命令式脚本语言进行操作,并且主要关注正在执行的操作,而不是提供总体所需系统配置的高级抽象。 Nix 作为 NixOS 中集成的声明性系统配置工具,不仅在定义状态方面,而且在定义组件和这些组件之间的交互方面提供了更高水平的表达性和一致性。 关于正在 Nix 中实现二进制可再现性的局限性和影响的持续讨论,“内容寻址派生允许多个输出”的说法意味着 Nix 本身存在某种程度的不确定性,无论是否存在可再现的构建系统。 This limitation is inherent in Nix's nature since it allows different build inputs, potentially causing outputs to differ, whereas content-addressing aims to ensure consistent outcomes based solely on input content and metadata。 Overall, the Nix and NixOS ecosystem offers several advantages compared to traditional OSs and package managers in terms of reproducibility, modularity, and system-wide consistency。 These benefits stem largely from the functional programming concepts embodied within Nix's declarative style, resulting in numerous applications and extensions across various areas including scientific computing, data analytics, and artificial intelligence development。 Nevertheless, challenges remain, especially in addressing issues of large-scale deployment and ensuring binary reproducibility, among others。 Continued improvements in both theoretical understandings and practical implementations of Nix and associated technologies will undoubtedly lead to exciting advances in system engineering and administration。
相关文章
原文

We have successfully created an independent, bit-by-bit-identical rebuild of the nixos-minimal ISO published by Hydra :tada:

Why is this useful?

While there are a number of ‘side-benefits’, the main point of Reproducible Builds is that it gives us a reliable way to verify the binaries we ship are faithful to their sources, and have not been tampered with anywhere in the build pipeline (e.g. on Hydra).

For general information on Reproducible Builds see:

What exactly was reproduced?

This means we now have successfully reproduced:

  • All packages that make it into the ISO
  • The building of the ISO itself

The rebuild also built the packages that were needed to build the ISO (but aren’t included in it), rather than relying on cached binaries.

How did we reproduce?

We reproduced this Hydra build by starting a fresh VirtualBox appliance with NixOS 20.03 (adding plenty of CPU and memory, and resizing the disk to about 65G), and then:

nix-shell -p git
git clone https://github.com/nixos/nixpkgs
cd nixpkgs
git checkout 63678e9f3d3a
# because of https://github.com/NixOS/nix/issues/9251
sudo touch /dev/kvm
sudo chmod a+rwx /dev/kvm
# because of https://github.com/NixOS/nixpkgs/issues/263730
nix-shell -p nix -I nixpkgs=/home/demo/nixpkgs --option substitute false
# let's go!
nix-build nixos/release-combined.nix -A nixos.iso_minimal.x86_64-linux --option substitute false --max-jobs 6 --arg nixpkgs "{ revCount = 541036; shortRev = \"63678e9f3d3a\"; rev = \"63678e9f3d3afecfeafa0acead6239cdb447574c\"; }"
# all below because of https://github.com/NixOS/nixpkgs/issues/263898:
sudo -o remount,rw /nix/store
sudo touch -d "1980-01-01·00:00:00.000000000·+0000" /nix/store/bn8y1ibzcvbqbl7d43zszl180ghy4rsn-lingering-users
sudo chmod 644 /nix/store/bn8y1ibzcvbqbl7d43zszl180ghy4rsn-lingering-users
sudo touch -d "1980-01-01·00:00:00.000000000·+0000" /nix/store/31cmbwil5awd20rvcbb13nps9mrw6gmj-etc-netgroup
sudo chmod 644 /nix/store/31cmbwil5awd20rvcbb13nps9mrw6gmj-etc-netgroup
sudo touch -d "1980-01-01·00:00:00.000000000·+0000" /nix/store/6cn8wcl7c850rfs52sw2598c2qhh1njc-mdadm.conf
sudo chmod 644 /nix/store/6cn8wcl7c850rfs52sw2598c2qhh1njc-mdadm.conf
sudo touch -d "1980-01-01·00:00:00.000000000·+0000" /nix/store/*-etc-mdadm.conf
sudo chmod 644 /nix/store/*-etc-mdadm.conf
rm result
nix-store --delete /nix/store/*-squashfs.img
nix-store --delete /nix/store/*-nixos-minimal-*.iso
# final build
nix-build nixos/release-combined.nix -A nixos.iso_minimal.x86_64-linux --option substitute false --max-jobs 6 --arg nixpkgs "{ revCount = 541036; shortRev = \"63678e9f3d3a\"; rev = \"63678e9f3d3afecfeafa0acead6239cdb447574c\"; }"

The --option substitute false makes sure ‘everything’ is built on the machine itself, instead of fetching them from the binary cache.

Aren’t there bootstrap problems with the above approach?

Well, yes: if the 2020 ova or the downloaded git contained elaborate backdoors, those might still be attack vectors. It would have been better to do the rebuild on a fully-bootstrapped system, but we’re not quite there yet - see this thread for exciting progress in this area. Still, this test gives a high confidence in the reproducibility of the ISO.

Weren’t we here before?

You may remember 2021 announcement that the minimal ISO was 100% reproducible. While back then we successfully tested that all packages were needed to build the ISO were individually reproducible, actually rebuilding the ISO still introduced differences. This was due to some remaining problems in the hydra cache and the way the ISO was created. By the time we fixed those, regressions had popped up (notably an upstream problem in Python 3.10), and it isn’t until this week that we were back to having everything reproducible and being able to validate the complete chain.

Where to from now?

Successfully rebuilding the minimal ISO once is an extremely satisfying milestone - but a somewhat arbitrary one. There is a lot more to do to reap the benefits of reproducibility, such as:
联系我们 contact @ memedata.com