Ca-derivations: Difference between revisions

Latest revision as of 17:42, 18 September 2025

ca derivations (or more formally Floating content-addressed derivations) is an upcoming feature of the Nix package manager.

Without entering too much into the details − this blog post or the relevant section in Eelco’s PhD thesis provide a more detailed explanation of the underlying idea and its consequences − content-addressed Nix is an extension of the Nix model bringing several new possibilities. In particular, it enables “early cutoff” (stopping a rebuild if it can be proved that the end-result will be the same as something already known), which could reduce hydra’s (and yours) load and storage a lot. It also changes the Trust model of Nix, allowing for example several users to share the same store without trusting each other.

Setting-up Nix for CA derivations

Being still an experimental feature, CA derivations are currently only available on unstable Nix versions, and require an explicit opt-in.

On NixOS

In NixOS this can be achieved with the following options in configuration.nix.

{ pkgs, ... }: {
   nix.settings.experimental-features = [
    "ca-derivations"
  ];
}

Non NixOS

Make sure the file `/etc/nix/nix.conf` exists and contains the following:

experimental-features = ca-derivations

Using CA derivations

The feature is opt-in, meaning that each derivation must individually be marked as content-addressed. When using nixpkgs-unstable, this can be done by setting __contentAddressed = true in the call to mkDerivation.

It is also possible to mark all the derivations as content-addressed by default, by passing config.contentAddressedByDefault = true as argument to nixpkgs.

Ensuring that a derivation is properly content-addressed

Once a derivation has been built, one can check that it is indeed content-addressed by running nix path-info --sigs {outPath}. If this yields a line containing ca:fixed:r:…, then it means that the path is indeed content-addressed (and as such is trusted by your system). For example:

$ nix-build '<nixpkgs>' --arg config '{ contentAddressedByDefault = true; }' -A vim
/nix/store/988jq9bj7s336q48bzdaamcl90k5g1yw-vim-8.2.2567
$ nix path-info --sigs ./result
/nix/store/988jq9bj7s336q48bzdaamcl90k5g1yw-vim-8.2.2567    ca:fixed:r:sha256:0z37vk3ndszn3p2in3li6rk3kln1lfqd9b6vl6w0qhkn7bixqibc

Links

Tweag + Nix dev update #12: https://discourse.nixos.org/t/tweag-nix-dev-update-12/13185/3

@@ Line 29: / Line 29: @@
 It is also possible to mark all the derivations as content-addressed by default, by passing <code>config.contentAddressedByDefault = true</code> as argument to nixpkgs.
-Be warned that although there’s a [https://hydra.ngi0.nixos.org/jobset/ca-test/nixpkgs hydra instance testing ''some stuff''], it’s not a channel blocker, and [https://cache.ngi0.nixos.org its associated binary cache] won’t contain nearly as many things as <code>cache.nixos.org</code>. So doing so will probably entail rebuilding most of your system yourself, and you ''might'' encounter some unexpected breakages.
-To use the binary cache <code>cache.ngi0.nixos.org</code> to speed up your builds, merge the following into your <code>nix.conf</code>:
-<pre>substituters = https://cache.ngi0.nixos.org/
-trusted-public-keys = cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=</pre>
 == Ensuring that a derivation is properly content-addressed ==