chriswarbo-net: 6c5170f47558d866e0aea660f812110c6a608c87

---
title: Dependency solving in Nix
---

I've added [Dependency solving in Nix](/projects/nixos/nix_dependencies.html) to
[my Nix pages](/projects/nixos). It's about using Nix for projects which rely on
legacy "package managers". The latter have two major problems, which complicate
the software supply chain and weaken security and reproducibility:

 - Dependencies are referenced by a user-chosen "name" and "version", like
   `my-json-parser-1.2`. Resolving these to a specific artifact (like a
   precompiled library or source tarball) requires trust, since it's trivial for
   malicious code to *claim* that it's `my-json-parser-1.2`.
   - Compare this to Nix, which uses hashes that uniquely specify the content
     and cannot be spoofed. This allows trustless distribution, e.g. via caches
     or even P2P networks (at least when it comes to sources).
 - Many legacy "package managers" also allow dependencies to be specified with a
   pseudo-numerical "range" of versions. Choosing a particular version for each
   dependency requires running a constraint solver, to find an assignment that
   satisfies all of the specified ranges simultaneously, and transitively.
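
As an added illustration (my own example, not code from the linked page), here are both problems from the list in one script: a backtracking solver that picks one version per package so every range in the transitive closure holds, then a Nix-style lock that pins each chosen version to the hash of its content, so a fetched artifact is accepted for what it *is* rather than what it *claims* to be. The package index, names, versions and contents are all constructed for the example.

```python
import hashlib

# Constructed package index (not a real registry): name -> version -> (ranges, content).
# A range (low, high) means low <= version < high, like Cabal/Maven-style bounds.
INDEX = {
    "app":  {"1.0": ({"json": ("1.1", "2.0"), "log": ("2.0", "3.0")}, b"app-1.0 source")},
    "json": {"1.1": ({}, b"json-1.1 source"),
             "1.3": ({"log": ("1.0", "2.0")}, b"json-1.3 source")},
    "log":  {"1.5": ({}, b"log-1.5 source"), "2.1": ({}, b"log-2.1 source")},
}

def parse(v):
    return tuple(int(x) for x in v.split("."))

def satisfies(version, rng):
    low, high = rng
    return parse(low) <= parse(version) < parse(high)

def solve(pending, assigned=None):
    """Backtracking search for one version per package satisfying every range
    requested anywhere in the transitive closure; None if no assignment exists."""
    assigned = dict(assigned or {})
    if not pending:
        return assigned
    (name, rng), rest = pending[0], pending[1:]
    if name in assigned:  # already chosen earlier: it must fit this range too
        return solve(rest, assigned) if satisfies(assigned[name], rng) else None
    for version in sorted(INDEX[name], key=parse, reverse=True):  # newest first
        if not satisfies(version, rng):
            continue
        deps = list(INDEX[name][version][0].items())  # this version's own ranges
        result = solve(rest + deps, {**assigned, name: version})
        if result is not None:
            return result
    return None  # every candidate conflicts, so the caller backtracks

def content_hash(blob):
    return hashlib.sha256(blob).hexdigest()

def lock(assignment):
    """Pin each solved name/version to the hash of its content, Nix-style."""
    return {n: (v, content_hash(INDEX[n][v][1])) for n, v in assignment.items()}

def verify(lockfile, name, blob):
    """Accept a fetched artifact only if its hash matches the pinned one."""
    return name in lockfile and content_hash(blob) == lockfile[name][1]

if __name__ == "__main__":
    chosen = solve([("app", ("1.0", "2.0"))])  # {'app': '1.0', 'json': '1.1', 'log': '2.1'}
    print(chosen, verify(lock(chosen), "json", b"json-1.1 source"))  # ... True
```

Note that the newest `json` (1.3) is tried first and rejected, because its own bound on `log` conflicts with the one `app` imposes; that backtracking step is exactly the work a legacy resolver does before any hash can be recorded.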

There seems to be a mistaken belief that Nix cannot run such constraint solvers.
I don't know where that idea originated, but it's demonstrably false, since I've
been doing it for years with various package managers (Cabal, Maven, SBT, etc.).

That's why I've written that page, so I can link to it if I see anybody else
make such claims!

Generated by git2html.