Excellent! I love that it’s enabled flakes by default. The choice of Rust over shell in this case is pretty choice, too. Mac ships an appallingly old bash that is wildly different from … every Linux distribution today.
Unfortunately it doesn’t support FreeBSD yet. Nix/Nixpkgs itself has pretty poor support for FreeBSD today, so we didn’t build it out yet. We could definitely add it!
I haven’t had a lot of luck getting anything to work. If you have some idea/blog/website of how to bootstrap a new system, I’d love to hear about it. The official docs still download a little tarball of binaries built from a pre-existing nix system, and so far as I can tell, it’s not generally available for FreeBSD.
I’ve been lurking in the Exotic Nix Targets Matrix room, and it looks like the folks there have been putting a lot of good work into supporting less widespread targets, including BSDs and Illumos, recently. That room might be worth joining if you’re interested in those developments :)
Thanks for pushing this forward with a maximum of community engagement. Regardless of whether your particular Rust codebase replaces the upstream installers, I think that the concept of an “installation receipt” is a great idea that should be adopted upstream.
I like it too! Come to think of it, it’s a lot like file system journals, isn’t it? At least, that’s the first thing it reminded me of, and I believe it’s designed to solve a similar problem.
Although flakes and the unified CLI remain experimental features of Nix, we’re confident that new users should adopt them now and that more seasoned Nix users should make the transition ASAP.
I’m a Nix user of 8 years. I avoided Nix Flakes until about 2 weeks ago. I wanted to wait for stability and I didn’t see any critical benefits.
Yeah – flakes was a big reason I finally managed to finally get into Nix. They aren’t perfect and still can be somewhat intimidating, they’ve made things much more approachable in my opinion, especially in combination with the unified nix command.
Where would I make use of nix? Day to day I don’t even really touch apt all too much other than to update things. The main place where I do installations where this would seem relevant is in Dockerfiles - is that the intended use case?
There are many “levels” at which Nix can be useful, for example:
you can install it and use it to manage software in container images as @wimpress suggests, if you’re using Dockerfiles to “test the waters” or need to be compatible with other components that only like Dockerfiles;
you can use it to manage the everyday software you use on your workstation, simply by installing the software using Nix or by installing and configuring it using home-manager;
you can use nix run to try out software without worrying about uninstalling it again later;
you can put your entire OS together with Nix, as with NixOS or more specialised setups like liminix;
All of these are options which will appeal to various people to various degrees, and you can pick and choose which ones you’re most interested in!
Different Bash implementations have subtle differences that make it hard to eliminate inconsistencies and edge cases—and it’s hard to discover those in the first place because Bash is all but untestable.
I would guess that part is talking about disparate platform and version number combinations of Bash, unless I am also uninformed on some other indie Bash impl
I agree that it’s speaking a bit loosely about platform/version differences, plus utility/env differences.
For example, here’s a dumb edge-case we hit in the official installer around a bug in the bash that ships with macOS: https://github.com/NixOS/nix/pull/5951
Another recent example was that the installer was using rsync for ~idempotently copying the store seed into the nix store. Debian, iirc, lacked rsync, so someone changed it to a cp command. But the flags weren’t supporting an idempotent copy, so a lot of people started getting hard errors during partial reinstalls that would’ve otherwise worked.
We’ve also run into trouble recently because the platforms we were supporting were all using GNU diffutils. I took advantage of some of its flags for formatting less-programmer-centric diffs for some state-curing actions, and then macOS Ventura promptly dropped gnu diffutils for their own homegrown version without these flags.
I couldn’t run it with single user mode. A hard pass for me as multi user mode causes a lot of problem (user number Id) where I work. Will check back in after they support it.
we’ve had this discussion before, it always comes full circle:
What is your solution to improve upon this shell piping ?
Verify Checksum: Coming from the same source, you have to trust them
download a .deb: Coming from the same source, you have to trust them and they have to provide a ton of different package formats
apt install: it’s new, there is no shipped version
docker: this isn’t made for docker - also docker doesn’t mean security
VM: neat, but how do I get from the “vm” testing step to my actual installation ? I could just pipe this shell command in the VM anyway, so no need to provide a VM image (which format?).
snap/flatpack/appimage.. which one of them, are they even useful for this installer ? also you’re still trusting the authors and now the snap servers too
You can only argue that downloading it to disk and then executing can leave a trace on the disk, so you can inspect the malware later on. We’re still downloading debian ISOs straight from the host, not that big of a difference. And I bet no relevant percentage checks the signatures or checksums.
Downloading it first or putting it at some reliable hosting (where you can’t change the download for specific people by random just through compromised developer hosts) is definitely one step better. But it doesn’t change much in terms of the core complaints: Running shell scripts from the internet.
Well, pretty much all free software boils down to “Running [executable code] from the internet”.
The question is whom you need to trust. The connection is HTTPS and you need to trust both, your TLS setup and determinate.systems anyway to use this installer, so not much is left.
Getting a an external signature/checksum would guard you against a compromised web server, but only if you can get that checksum out of band or from multiple, independent sources.
Excellent! I love that it’s enabled flakes by default. The choice of Rust over shell in this case is pretty choice, too. Mac ships an appallingly old
bashthat is wildly different from … every Linux distribution today.Can’t wait to try it. Does it work on FreeBSD?
Unfortunately it doesn’t support FreeBSD yet. Nix/Nixpkgs itself has pretty poor support for FreeBSD today, so we didn’t build it out yet. We could definitely add it!
Freebsd has its own port though.
I haven’t had a lot of luck getting anything to work. If you have some idea/blog/website of how to bootstrap a new system, I’d love to hear about it. The official docs still download a little tarball of binaries built from a pre-existing nix system, and so far as I can tell, it’s not generally available for FreeBSD.
I’ve been lurking in the Exotic Nix Targets Matrix room, and it looks like the folks there have been putting a lot of good work into supporting less widespread targets, including BSDs and Illumos, recently. That room might be worth joining if you’re interested in those developments :)
Thanks for pushing this forward with a maximum of community engagement. Regardless of whether your particular Rust codebase replaces the upstream installers, I think that the concept of an “installation receipt” is a great idea that should be adopted upstream.
Thanks, Corbin! I’m really glad to hear that :). We like it, too… props to Ana for raising the idea.
I like it too! Come to think of it, it’s a lot like file system journals, isn’t it? At least, that’s the first thing it reminded me of, and I believe it’s designed to solve a similar problem.
I’m a Nix user of 8 years. I avoided Nix Flakes until about 2 weeks ago. I wanted to wait for stability and I didn’t see any critical benefits.
Big things I did get out of adopting flakes:
builtins.currentSystem)I can definitely recommend starting to use flakes if you haven’t already. It’s a pretty good feature!
Yeah – flakes was a big reason I finally managed to finally get into Nix. They aren’t perfect and still can be somewhat intimidating, they’ve made things much more approachable in my opinion, especially in combination with the unified nix command.
nice! the zero to nix guide helped me understand nix a lot more then i did 2 weeks ago so thank you for that :D
I am so happy to hear that! Thank you for saying so!
Where would I make use of nix? Day to day I don’t even really touch
aptall too much other than to update things. The main place where I do installations where this would seem relevant is in Dockerfiles - is that the intended use case?There are many “levels” at which Nix can be useful, for example:
nix runto try out software without worrying about uninstalling it again later;All of these are options which will appeal to various people to various degrees, and you can pick and choose which ones you’re most interested in!
Yes 👍️ You can use the Determinate Nix Installer to “install” nix in Podman and Docker containers.
Am I being gaslit here, or where are the other bash impls than https://www.gnu.org/software/bash/ ?
I would guess that part is talking about disparate platform and version number combinations of Bash, unless I am also uninformed on some other indie Bash impl
I agree that it’s speaking a bit loosely about platform/version differences, plus utility/env differences.
For example, here’s a dumb edge-case we hit in the official installer around a bug in the bash that ships with macOS: https://github.com/NixOS/nix/pull/5951
Another recent example was that the installer was using rsync for ~idempotently copying the store seed into the nix store. Debian, iirc, lacked rsync, so someone changed it to a cp command. But the flags weren’t supporting an idempotent copy, so a lot of people started getting hard errors during partial reinstalls that would’ve otherwise worked.
We’ve also run into trouble recently because the platforms we were supporting were all using GNU diffutils. I took advantage of some of its flags for formatting less-programmer-centric diffs for some state-curing actions, and then macOS Ventura promptly dropped gnu diffutils for their own homegrown version without these flags.
Just different versions. macOS ships with Bash 3.0, which is 10+ years old and has subtle bugs around empty arrays and other areas.
My Mac install nags me to move over to zsh. I just use bash as a launcher so don’t really care.
I couldn’t run it with single user mode. A hard pass for me as multi user mode causes a lot of problem (user number Id) where I work. Will check back in after they support it.
Can we please please stop this
we’ve had this discussion before, it always comes full circle:
What is your solution to improve upon this shell piping ?
You can only argue that downloading it to disk and then executing can leave a trace on the disk, so you can inspect the malware later on. We’re still downloading debian ISOs straight from the host, not that big of a difference. And I bet no relevant percentage checks the signatures or checksums.
I sometimes see:
This way the website can’t detect whether it’s being piped to
sh, and you don’t get screwed over if the connection fails halfway through.Downloading it first or putting it at some reliable hosting (where you can’t change the download for specific people by random just through compromised developer hosts) is definitely one step better. But it doesn’t change much in terms of the core complaints: Running shell scripts from the internet.
Well, pretty much all free software boils down to “Running [executable code] from the internet”.
The question is whom you need to trust. The connection is HTTPS and you need to trust both, your TLS setup and determinate.systems anyway to use this installer, so not much is left.
Getting a an external signature/checksum would guard you against a compromised web server, but only if you can get that checksum out of band or from multiple, independent sources.
Agree, it’s missing a
sudo!What’s a better alternative?
Just stop…everything https://github.com/kelseyhightower/nocode
Sure—just as soon as all software is verifiable, which projects like this are an important step towards :)
Just used this as part of the intro to nix site—worked well!
very exciting! I admit, I am a lot more likely to contribute to this than to the official installer, because it’s Rust.
I’m going to have to try this out in a VM just to see how the flow works and everything.