
      Nix’s nixpkgs pinning is so much easier to manage using flakes and devShells rather than using a legacy shell.nix and manual hash pinning.

      I am all for this, [using Nix for the entire build process,] but if we can tightly control the dependencies without actually building inside a Nix environment, we’ve still improved the reproducibility a lot, and it’s not that hard.

      I’m coming around now to the idea that devShells are useful, but you should really not stop at a devShell because it gives you reproducible binaries. Not doing the whole build with Nix itself but inside a devShell turns a declarative + stateless system into an imperative + stateful one, and more reproducible isn’t really all that useful until your build is fully reproducible—as in it is either reproducible or it’s not. Going from a full Nix build system, which offers compelling advantages over Docker containers, to devShells is probably worse than just stacking containers. Nix isn’t easy, but keep going!
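The distinction the thread draws, a devShell that only pins the toolchain versus a full Nix build that pins everything, as an added example flake (not code from any commenter; the `hello-tool` Go project, its version, and the nixpkgs branch are assumed):

```nix
{
  description = "Pinned nixpkgs, a devShell, and a full Nix build of the same project";

  # The exact nixpkgs revision and its hash are recorded in flake.lock by
  # `nix flake lock`; no manual fetchTarball/sha256 pinning as in a legacy shell.nix.
  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";

  outputs = { self, nixpkgs }:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
    in {
      # devShell: same pinned toolchain, but `go build` is still run by hand inside
      # it, so the build is imperative and its output is not guaranteed reproducible.
      devShells.${system}.default = pkgs.mkShell {
        packages = [ pkgs.go pkgs.gnumake ];
      };

      # Full Nix build: a sandboxed derivation. Toolchain, source tree and the
      # hash of vendored Go modules are all fixed, so `nix build` is reproducible.
      packages.${system}.default = pkgs.buildGoModule {
        pname = "hello-tool";   # hypothetical project in this repository
        version = "0.1.0";
        src = ./.;
        # null = project has no external Go modules; otherwise put the
        # vendor hash here so third-party dependencies are pinned too.
        vendorHash = null;
      };
    };
}
```

`nix develop` drops into the devShell; `nix build` produces the derivation under `./result` using only what flake.lock pins.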