Tails is one of the few OSes that do that
I always thought that most Linux distributions are reproducible?
I never checked in detail, but I'm under the impression most of them aren't reproducible. But I found this interesting PDF from the website you mentioned,
https://reproducible-builds.org/_lfs/presentations/2023-09-10-what-s-missing-so-that-debian-is-finally-reproducible.pdf.
On the application level, Umbrel makes it much more difficult since it uses Docker to ship and run the apps
What exactly is hindering the reproduction of Docker images?
And Umbrel should at least make the system itself reproducible.
I barely use Docker, but I recall one of the reasons is that not all people who create Docker images pin exact versions, or certain file names/contents depend on the current timestamp. And from a less technical user's perspective (like me), verifying a Docker image feels more tricky.
Hi ABCbits, I saw your slides, particularly this one that mentions
“Holger NMUed everything that was built before buildinfo
files existed, however there are cases where packages
without buildinfo files pop up (like packages going through
NEW).
buildinfos.debian.net is just a PoC, but it works around
#862073, #763822, #862538, #929397 (all against
ftp.debian.org) well enough.”
As a strong supporter of Debian, I really appreciate the growing attention developers are paying to reproducibility. However, Nix and Debian use fundamentally different methods to achieve it. Nix is "Reproducible by Design", while Debian uses "Reproducible by Verification". Still, both try to solve the "it works on my machine" problem by creating a strict mapping between inputs, like source code and build tools, and the final, bit-for-bit identical binary output.
Nix treats build processes as pure functions. Just like in mathematics, a pure function’s output depends only on explicit inputs, without relying on or altering the outside environment. In practice, Nix achieves this by taking every single input, like the source code, the compiler, and all dependencies, and calculating a combined cryptographic hash for them.
This hash becomes the exact directory name where the built software is saved. If you change even a single bit in any input, the hash changes completely, creating a brand-new directory instead of overwriting the old one. This idea, formalized in Eelco Dolstra's doctoral work, guarantees that software builds are perfectly isolated and immutable.
There are also different levels of reproducibility. At the language level, package managers for specific ecosystems like Cargo for Rust, npm for Node.js, and uv for Python share the same goal as Nix, but with varying degrees of strictness. The C and C++ ecosystem is famously fragmented because, unlike Rust or Node.js, it does not have a single, official package manager built into the language. However, industry standards like Conan and vcpkg step in to fill that role. Manifest files across these tools, like Cargo.toml, package.json, or conanfile.txt, are similar to Nix expressions. They let you declare your high-level intent. Lock files then resolve those requirements into specific versions and record their cryptographic hashes. This prevents what the community calls "dependency version drift", where packages update unpredictably across different machines, ensuring everyone downloads the exact same files.
The big difference is control. Cargo and uv lock down your source code dependencies, but they do not control the underlying environment. If you build on a Mac and a coworker builds on Linux, or if you have different system-level compilers, the build might still fail or behave differently. Nix essentially acts as a mega-lockfile for the entire operating system. It doesn't just lock down the Python or C++ packages; it locks down the Python interpreter, the C compiler, the system libraries, and the bash shell used to run the build script.
Regarding Nix, I am personally more familiar with using Flakes to manage these environments. However, it is worth noting that Flakes are still officially classified as an experimental feature and are considered unstable, even though they are widely adopted in the community.
All the best.
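
The contrast drawn in the post above, between a language-level lock file and hashing every build input into the output path, as an added example that is not part of the original post and is not Nix's code. It is a simplified Python model: the `/store` prefix, package names and sources are constructed, and the hashing scheme is an assumption, not Nix's actual derivation hashing or path encoding.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def store_path(name, src, builder, deps=()):
    """Input-addressed path: the directory name is derived from every input.

    deps are the store paths of other packages, so a change anywhere in the
    graph (compiler, library, shell) propagates to every dependent.
    """
    key = digest({"name": name, "src": digest(src), "builder": builder,
                  "deps": sorted(deps)})
    return f"/store/{key[:32]}-{name}"  # /store is a made-up prefix

def lock_key(pinned_sources):
    """What a language-level lock file covers: source dependencies only."""
    return digest(pinned_sources)

LIB_SRC = "int foo(void){return 1;}"        # constructed sample source
APP_SRC = "int main(void){return foo();}"   # constructed sample source

def build_world(compiler_src):
    """Constructed three-package graph: compiler -> libfoo -> app."""
    cc = store_path("cc-13.2", compiler_src, "bootstrap.sh")
    lib = store_path("libfoo-1.0", LIB_SRC, "make", [cc])
    app = store_path("app-0.1", APP_SRC, "make", [cc, lib])
    lock = lock_key({"libfoo": "1.0+sha256:" + digest(LIB_SRC)})
    return {"cc": cc, "lib": lib, "app": app, "lock": lock}

if __name__ == "__main__":
    a = build_world("compiler sources, revision A")
    b = build_world("compiler sources, revision B")  # only the compiler differs
    for k in ("cc", "lib", "app", "lock"):
        status = "same" if a[k] == b[k] else "CHANGED"
        print(f"{k:4} {status:8} {a[k]}")
```

Running it shows the lock-file key staying the same across the two compiler revisions while all three store paths change, which is the gap between pinning source dependencies and pinning the whole build environment.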