I've been thinking if this could be done in Nix and toyed around with the idea just a little bit using nano-gpt. Hermeticity always seems to mean isolation, but depending on who you ask it does not always mean computing…
A consequence of universal healthcare that people don't talk about much is that it turns unhealthy citizens from an individual cost into more of a collective one. So it makes sense that countries with universal…
I think outright shortening copyright terms could be a beneficial policy along similar lines.
I would blame how Austria, a very small country, is organized into 9 provinces that actually have their own budget and can pass their own laws on some topics. Rail service is funded at the federal level, so there's less…
If you make a conventional AI agent do packaging and configuration tasks, it has to do one imperative step after the other. While it can forget, it can't really undo the effects of what it already did. If you…
Yes, the cycle times are bad and some ecosystems and tasks are a real pain still. I also agree with you when it comes to the task of auditing every line of Nix code that factors into a given system. Nix doesn't really…
I think as AI gets smarter, defenders should start assembling systems how NixOS does it. Defenders should not have to engage in an costly and error-prone search of truth about what's actually deployed. Systems should be…
I mentioned another alternative to adding flake-specific metadata to data structures that are transferred over the network, as part of the signed traces or otherwise, in a comment on that PR Eelco linked. It's keeping…
As a current PhD student (working on Nix stuff) let me take this opportunity to congratulate you on your successful PhD defense and publicly thank you for your writing. That you write and what you write are inspiring.
I work with Nix a lot, and I had never seen `__findFile`. It's kind of crazy how much there is to know about Nix. I wish there was a bit less surface area to the language. On the other hand it's really interesting how…
Human-readability was one of the aspects that I enjoyed about using CCL,the Categorical Configuration Language (https://chshersh.com/blog/2025-01-06-the-most-elegant-config...), in one of my projects recently. It saves…
I wrote a paper about how I think trust should work for software dependencies. It very much builds on the hash-based cache lookup mechanism this paper calls constructive traces (in contrast to what they call deep…
Thanks, and thank you for reading! :)
I want to try to become an independent researcher, when the funding for my PhD position runs out. My idea for financing this is finding a few companies who pay a retainer fee to not only get direct easy access to my…
That's great. Feel free to reach out if you want to, I'm happy to answer any questions. It's basically my job, that I really love. :)
I know about mass rebuilds, but in the parent comment you were talking about fixed output derivations, and committing the hashes for a mass rebuild to version control is technically possible, but not a reasonable…
Yes. Reproducibility also makes it possible to aggregate information about the links in dependency trees and distribute trust on that basis. That stuff is useful to humans, but it is also really useful for cold hard…
You also couldn't feasibly do that for derivations that actually build packages, instead of fixed output derivations only, because if you the update the package set to include a newer version of the compiler, which…
There are also some other gaps left to close to implement this vision, mentioned in this post an my reply to it: https://news.ycombinator.com/item?id=43030046
I think it would have been a good thing to mention, but difficult to do well in more than a quick reference or sidenote and could easily turn into a extensive detour. I'm saying this as someone who's working on exactly…
Ollama tries to appeal to a lowest common denominator user base, who does not want to worry about stuff like configuration and quants, or which binary to download. I think they want their project to be smart enough to…
I think its great that Julien and his coauthors actually show some evidence of Nix working at scale, to successfully rebuild the vast majority of things, and bit-by-bit reproduce a significant portion. Lots of people…
Tools should surface information on the right level of abstraction for their users, and tools should have good UX no matter how much or little their users know. Signature verification tools on the command line do not…
I really wish we would take defining what it means for an artifact to be signed more seriously. Which key(s) is it signed with? What is the hash of the corresponding unsigned artifact? Signature verification tools…
Of those 100 announcements, 17 are not directly related to AI: 61-64, 66, 68-72, 75, 76, 85, 86, 88, 89 and 91. 5 look like they involve AI (would need to check): 43, 49, 56, 60 and 67. 78 are clearly related to AI…
I've been thinking if this could be done in Nix and toyed around with the idea just a little bit using nano-gpt. Hermeticity always seems to mean isolation, but depending on who you ask it does not always mean computing…
A consequence of universal healthcare that people don't talk about much is that it turns unhealthy citizens from an individual cost into more of a collective one. So it makes sense that countries with universal…
I think outright shortening copyright terms could be a beneficial policy along similar lines.
I would blame how Austria, a very small country, is organized into 9 provinces that actually have their own budget and can pass their own laws on some topics. Rail service is funded at the federal level, so there's less…
If you make a conventional AI agent do packaging and configuration tasks, it has to do one imperative step after the other. While it can forget, it can't really undo the effects of what it already did. If you…
Yes, the cycle times are bad and some ecosystems and tasks are a real pain still. I also agree with you when it comes to the task of auditing every line of Nix code that factors into a given system. Nix doesn't really…
I think as AI gets smarter, defenders should start assembling systems how NixOS does it. Defenders should not have to engage in an costly and error-prone search of truth about what's actually deployed. Systems should be…
I mentioned another alternative to adding flake-specific metadata to data structures that are transferred over the network, as part of the signed traces or otherwise, in a comment on that PR Eelco linked. It's keeping…
As a current PhD student (working on Nix stuff) let me take this opportunity to congratulate you on your successful PhD defense and publicly thank you for your writing. That you write and what you write are inspiring.
I work with Nix a lot, and I had never seen `__findFile`. It's kind of crazy how much there is to know about Nix. I wish there was a bit less surface area to the language. On the other hand it's really interesting how…
Human-readability was one of the aspects that I enjoyed about using CCL,the Categorical Configuration Language (https://chshersh.com/blog/2025-01-06-the-most-elegant-config...), in one of my projects recently. It saves…
I wrote a paper about how I think trust should work for software dependencies. It very much builds on the hash-based cache lookup mechanism this paper calls constructive traces (in contrast to what they call deep…
Thanks, and thank you for reading! :)
I want to try to become an independent researcher, when the funding for my PhD position runs out. My idea for financing this is finding a few companies who pay a retainer fee to not only get direct easy access to my…
That's great. Feel free to reach out if you want to, I'm happy to answer any questions. It's basically my job, that I really love. :)
I know about mass rebuilds, but in the parent comment you were talking about fixed output derivations, and committing the hashes for a mass rebuild to version control is technically possible, but not a reasonable…
Yes. Reproducibility also makes it possible to aggregate information about the links in dependency trees and distribute trust on that basis. That stuff is useful to humans, but it is also really useful for cold hard…
You also couldn't feasibly do that for derivations that actually build packages, instead of fixed output derivations only, because if you the update the package set to include a newer version of the compiler, which…
There are also some other gaps left to close to implement this vision, mentioned in this post an my reply to it: https://news.ycombinator.com/item?id=43030046
I think it would have been a good thing to mention, but difficult to do well in more than a quick reference or sidenote and could easily turn into a extensive detour. I'm saying this as someone who's working on exactly…
Ollama tries to appeal to a lowest common denominator user base, who does not want to worry about stuff like configuration and quants, or which binary to download. I think they want their project to be smart enough to…
I think its great that Julien and his coauthors actually show some evidence of Nix working at scale, to successfully rebuild the vast majority of things, and bit-by-bit reproduce a significant portion. Lots of people…
Tools should surface information on the right level of abstraction for their users, and tools should have good UX no matter how much or little their users know. Signature verification tools on the command line do not…
I really wish we would take defining what it means for an artifact to be signed more seriously. Which key(s) is it signed with? What is the hash of the corresponding unsigned artifact? Signature verification tools…
Of those 100 announcements, 17 are not directly related to AI: 61-64, 66, 68-72, 75, 76, 85, 86, 88, 89 and 91. 5 look like they involve AI (would need to check): 43, 49, 56, 60 and 67. 78 are clearly related to AI…