Ca-derivations

Revision as of 17:42, 18 September 2025 by Erethon (talk | contribs) (The NGI0 Cache doesn't exist since at least summer of 2024)

CA derivations (or, more formally, floating content-addressed derivations) are an upcoming feature of the Nix package manager.

Without going too far into the details (this blog post and the relevant section in Eelco’s PhD thesis explain the underlying idea and its consequences more fully), content-addressed Nix is an extension of the Nix model that opens up several new possibilities. In particular, it enables “early cutoff” (stopping a rebuild if it can be proved that the end result will be the same as something already known), which could greatly reduce Hydra’s (and your) load and storage. It also changes the trust model of Nix, allowing, for example, several users to share the same store without trusting each other.

Setting up Nix for CA derivations

Being still an experimental feature, CA derivations are currently only available on unstable Nix versions, and require an explicit opt-in.

On NixOS

In NixOS this can be achieved with the following options in configuration.nix.

{ pkgs, ... }: {
  nix.settings.experimental-features = [
    "ca-derivations"
  ];
}

Non-NixOS

Make sure the file `/etc/nix/nix.conf` exists and contains the following:

experimental-features = ca-derivations

Using CA derivations

The feature is opt-in, meaning that each derivation must individually be marked as content-addressed. When using nixpkgs-unstable, this can be done by setting __contentAddressed = true in the call to mkDerivation.

It is also possible to mark all the derivations as content-addressed by default, by passing config.contentAddressedByDefault = true as argument to nixpkgs.

Ensuring that a derivation is properly content-addressed

Once a derivation has been built, one can check that it is indeed content-addressed by running nix path-info --sigs {outPath}. If this yields a line containing ca:fixed:r:…, then it means that the path is indeed content-addressed (and as such is trusted by your system). For example:

$ nix-build '<nixpkgs>' --arg config '{ contentAddressedByDefault = true; }' -A vim
/nix/store/988jq9bj7s336q48bzdaamcl90k5g1yw-vim-8.2.2567
$ nix path-info --sigs ./result
/nix/store/988jq9bj7s336q48bzdaamcl90k5g1yw-vim-8.2.2567    ca:fixed:r:sha256:0z37vk3ndszn3p2in3li6rk3kln1lfqd9b6vl6w0qhkn7bixqibc
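To apply the same check to many paths at once (for instance as a CI gate), the following added example, which is not part of the original wiki page or of Nix itself, classifies each line of `nix path-info --sigs` output by whether it carries a `ca:` field. The function names `check_ca` and `sample_output` and the second sample line are constructed for illustration; the first sample line is the output shown above.

```shell
#!/bin/sh
# Added example: classify store paths from `nix path-info --sigs` output.
# Each input line is "<store path> <field> <field> ...", where the fields may
# include "ultimate", signatures, and a "ca:..." content address.

# Reads path-info lines on stdin and prints one verdict per path.
# Returns 1 if any path has no ca: field, so it can fail a pipeline step.
check_ca() {
  rc=0
  while read -r path fields; do
    [ -n "$path" ] || continue            # skip blank lines
    ca=""
    for f in $fields; do
      case "$f" in
        ca:*) ca=$f ;;                    # e.g. ca:fixed:r:sha256:<hash>
      esac
    done
    if [ -n "$ca" ]; then
      printf 'content-addressed %s %s\n' "$path" "$ca"
    else
      # Only signatures (or nothing) present: trust rests on the signer.
      printf 'input-addressed %s\n' "$path"
      rc=1
    fi
  done
  return "$rc"
}

# Sample input so the script runs without a Nix installation.
# Line 1 is the output shown on this page; line 2 is constructed.
sample_output() {
  printf '%s\n' \
    '/nix/store/988jq9bj7s336q48bzdaamcl90k5g1yw-vim-8.2.2567    ca:fixed:r:sha256:0z37vk3ndszn3p2in3li6rk3kln1lfqd9b6vl6w0qhkn7bixqibc' \
    '/nix/store/00000000000000000000000000000000-constructed-1.0    ultimate cache.example.org-1:CONSTRUCTED-SIGNATURE'
}

# Real use would be: nix path-info --sigs -r ./result | check_ca
sample_output | check_ca || echo "some paths are not content-addressed"
```
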

Tweag + Nix dev update #12: https://discourse.nixos.org/t/tweag-nix-dev-update-12/13185/3