Stop Trusting Nix Caches

Posted3 months agoActive3 months ago

todsacerdoti

22 points

3 comments

garnix.ioTechstory

calmnegative

Debate

20/100

NixCachingReproducibility

Key topics

Nix

Caching

Reproducibility

The article argues that Nix caches are not trustworthy, sparking a discussion on the reliability of Nix builds and the importance of reproducibility.

Snapshot generated from the HN discussion

Discussion Activity

Light discussion

First comment

Peak period

2-3h

Avg / period

Key moments

01Story posted
Oct 1, 2025 at 11:42 AM EDT
3 months ago
Step 01
02First comment
Oct 1, 2025 at 2:25 PM EDT
3h after posting
Step 02
03Peak activity
1 comments in 2-3h
Hottest window of the conversation
Step 03
04Latest activity
Oct 1, 2025 at 4:36 PM EDT
3 months ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (3 comments)

Showing 3 comments

craftkiller

3 months ago

1 reply

I already barely touch the cache because I rebuild all my software with zen4 optimizations but this article has convinced me to go all-the-way and disable the upstream nix cache completely. Even if it doesn't save me from a hypothetical cache poisoning attack that may never happen, I'll barely notice the change anyway since I'm already compiling all of my software, and it'll put less strain/cost on the nix cache servers.

jkarni

3 months ago

Yeah, I heard Jane Street disables even cache.nixos.org, and I think that's very sensible (but a pity...).

AtlasBarfed

3 months ago

The trend in geopolitics is one of increased conflict, war, economic warfare, and cyberespionage. Particularly with China-Russia-India-US becoming a sort of four way geopolitical competition, US increased isolationism, demographic disruption, and who knows what with climate change stresses.

I fear that open source repositories and similar infrastructure fundamentally based on idealistic cooperation will be so comprehensively targeted by these competing entities that they won't be able to function.

That their existence relies on a degree of international cooperation that is now effectively a bygone era. Without multi-governmental funding for diligent curation of these repositories, things might be looking dark.

The funding should be there. These repositories power the fundamental software not only of defense departments (sorry, it's WAR Department now ...), but of economic vitality.

I'm bringing this up here mostly because I thought of it while reading this. Nix isn't particularly vulnerable to this, actually since it uses some degree of immutable sets for reliable reproduction of builds/configuration, its approach is probably fundamental to addressing what I detailed above.

View full discussion on Hacker News

ID: 45439093Type: storyLast synced: 11/20/2025, 5:23:56 PM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN