The NixOS developers have announced support for verifying the integrity of the minimal ISO image (iso_minimal.x86_64-linux) by means of reproducible builds. Reproducible builds were previously available at the level of individual packages; now they have been extended to the entire ISO image. Any user can build an ISO image that is byte-for-byte identical to the one offered for download and confirm that it was assembled from the published source code and contains no hidden changes. To automate the check, a dedicated script has been prepared that rebuilds the NixOS ISO and compares it against the published image. The next step is to provide reproducible builds for the full ISO image with the GNOME desktop.
Reproducible builds are an important link in the security chain, because they let anyone independently verify that the binary distribution offered by the project coincides byte-for-byte with binaries built from the source code on their own machine. Without the ability to check that the binaries are identical, the user can only blindly trust someone else's build infrastructure, where a compromised compiler or build toolchain could slip in hidden backdoors. Achieving reproducibility requires recreating the contents and parameters of the build environment, using identical versions of tools, dependencies and bootstrap components, eliminating every source of varying data (timestamps, random placeholders and so on), and keeping the order in which files and packages are assembled into the ISO image fixed.
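The following is an added example (my own code, not part of the article or of NixOS) showing why two honest builders can end up with different bytes, and what pinning the varying inputs looks like in practice. The file tree, the two builders' clocks and user ids, and the tar archive used as a stand-in for the final "pack files into the ISO" stage are all constructed for illustration.

```python
"""Why two honest builders can get different bytes, and how to stop it.

Added example, not code from NixOS or the article. The file tree is
constructed for illustration; the archive step stands in for the final
"pack files into the ISO" stage discussed in the text.
"""
import hashlib
import io
import tarfile

# Constructed build tree: archive path -> file content.
TREE = {
    "share/doc/README": b"reproducible\n",
    "bin/hello": b"#!/bin/sh\necho hello\n",
}


def sha256hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def naive_tar(tree: dict, build_time: int, uid: int, user: str) -> bytes:
    """What a careless packaging step does: each entry carries the wall-clock
    mtime, the builder's uid/user name and whatever order the files were
    listed in. All three differ from one build host to another."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for path, data in tree.items():  # caller's order stands in for readdir order
            ti = tarfile.TarInfo(path)
            ti.size = len(data)
            ti.mtime = build_time
            ti.uid = ti.gid = uid
            ti.uname = ti.gname = user
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def reproducible_tar(tree: dict, source_date_epoch: int = 0) -> bytes:
    """Same content with every varying input pinned: sorted entry order, a fixed
    timestamp (the SOURCE_DATE_EPOCH convention), numeric owner 0 with no
    names, and permissions derived from the path rather than the host umask."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.GNU_FORMAT) as tf:
        for path in sorted(tree):
            data = tree[path]
            ti = tarfile.TarInfo(path)
            ti.size = len(data)
            ti.mtime = source_date_epoch
            ti.uid = ti.gid = 0
            ti.uname = ti.gname = ""
            ti.mode = 0o755 if path.startswith("bin/") else 0o644
            tf.addfile(ti, io.BytesIO(data))
    return buf.getvalue()


def header_fields(archive: bytes) -> list:
    """The per-entry metadata a diffing tool would show when two archives differ."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        return [(m.name, m.mtime, m.uid, m.uname, m.mode) for m in tf.getmembers()]


def compare_two_builders() -> dict:
    """Simulate two independent builders packing the same tree on different
    machines: different clock, different uid, different directory order."""
    tree_as_seen_by_b = dict(reversed(list(TREE.items())))
    naive_a = naive_tar(TREE, build_time=1_700_000_000, uid=1000, user="alice")
    naive_b = naive_tar(tree_as_seen_by_b, build_time=1_700_003_600, uid=1001, user="bob")
    repro_a = reproducible_tar(TREE)
    repro_b = reproducible_tar(tree_as_seen_by_b)
    return {
        "naive_identical": sha256hex(naive_a) == sha256hex(naive_b),
        "naive_diff": [f for f in header_fields(naive_a) if f not in header_fields(naive_b)],
        "reproducible_identical": sha256hex(repro_a) == sha256hex(repro_b),
        "reproducible_sha256": sha256hex(repro_a),
    }


if __name__ == "__main__":
    for key, value in compare_two_builders().items():
        print(f"{key}: {value}")
```

The two naive archives hold identical file contents yet hash differently, and `header_fields` shows exactly the fields (mtime, uid, user name) that a verifier such as the NixOS check script would have to explain away. The pinned variant yields the same digest regardless of who builds it or in what order the files were enumerated, which is the property a published checksum needs to be meaningful. Compression layers add their own metadata (gzip stores an mtime in its header, for instance), so the same discipline has to be applied at every stage of the pipeline.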
Recall that the NixOS distribution is built on the Nix package manager and provides a number of its own developments that simplify configuring and maintaining the system. For example, NixOS uses a single system configuration file (configuration.nix), lets updates be rolled back quickly, supports switching between different system states, allows individual users to install packages (into their home directory) and allows several versions of the same program to be installed side by side. With Nix, packages are installed into a separate /nix/store tree or into a subdirectory of the user's home directory. For example, a package is installed as /nix/store/f2b5…8a563-firefox-89.0.1/, where "f2b5…" is a unique package identifier used for dependency tracking.
Packages are formed as self-contained containers holding the components an application needs. Dependencies can be declared between packages, and already-installed dependencies are located by scanning for their hash identifiers in the directory of installed packages. Both downloading ready-made binary packages from the repository (only delta changes are downloaded when updating binary packages) and building from source together with all dependencies are possible. The collection of packages is maintained in a dedicated repository, nixpkgs.
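As an added illustration of the hash identifiers mentioned in the two paragraphs above (my own code, not the Nix project's), the block below derives store paths of the /nix/store/<hash>-<name> form and then shows the dependency-discovery mechanism the text alludes to: a build output depends at run time on exactly those inputs whose 32-character hash appears somewhere in its bytes. The path derivation reimplements the scheme the Nix manual documents for store paths (fingerprint of type, SHA-256 content hash, store directory and name; SHA-256 of that fingerprint; XOR-folded to 20 bytes; encoded in Nix's base32 alphabet), but it has not been cross-checked against a running Nix here, and hashing raw file bytes instead of Nix's NAR serialisation is a simplification. The library names, their contents and the fake ELF blob are constructed.

```python
"""Nix-style store paths and runtime-dependency discovery by hash scanning.

Added example, not code from NixOS or the Nix project. The path derivation
reimplements the scheme documented in the Nix manual (assumption: not
verified against nix here); inputs and the "build output" are constructed.
"""
import hashlib

STORE_DIR = "/nix/store"
NIX32_ALPHABET = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's base32: no e, o, t, u


def nix32_encode(data: bytes) -> str:
    """Nix's base32 variant: 5-bit groups are read from the end of the buffer."""
    nbits = len(data) * 8
    length = (nbits - 1) // 5 + 1
    out = []
    for n in range(length - 1, -1, -1):
        i, j = divmod(n * 5, 8)
        c = data[i] >> j
        if i + 1 < len(data):
            c |= data[i + 1] << (8 - j)
        out.append(NIX32_ALPHABET[c & 0x1F])
    return "".join(out)


def compress_hash(digest: bytes, size: int = 20) -> bytes:
    """XOR-fold a digest down to `size` bytes, as Nix does before encoding."""
    out = bytearray(size)
    for i, b in enumerate(digest):
        out[i % size] ^= b
    return bytes(out)


def make_store_path(type_: str, inner_sha256_hex: str, name: str) -> str:
    """Derive <store>/<hash>-<name>: the hash binds type, content and name, so a
    different input or a renamed package lands in a different directory."""
    fingerprint = f"{type_}:sha256:{inner_sha256_hex}:{STORE_DIR}:{name}"
    digest = compress_hash(hashlib.sha256(fingerprint.encode()).digest())
    return f"{STORE_DIR}/{nix32_encode(digest)}-{name}"


def source_path(content: bytes, name: str) -> str:
    """Store path for a content-addressed ('source') input. Real Nix hashes the
    NAR serialisation of the tree; raw bytes stand in for it here (simplification)."""
    return make_store_path("source", hashlib.sha256(content).hexdigest(), name)


def hash_part(store_path: str) -> str:
    """The 32-character identifier between the store directory and the name."""
    return store_path[len(STORE_DIR) + 1:][:32]


def scan_references(output: bytes, candidates: list) -> set:
    """Return the candidate paths whose hash part occurs anywhere in `output`.

    This is how runtime dependencies are discovered: no ELF or script parsing,
    just a search for the hash of every build input in the produced bytes."""
    return {p for p in candidates if hash_part(p).encode() in output}


# Constructed inputs standing in for build dependencies.
GLIBC = source_path(b"libc.so.6 stand-in", "glibc-2.35")
OPENSSL = source_path(b"libssl stand-in", "openssl-3.0.8")
GCC = source_path(b"gcc stand-in", "gcc-12.2.0")  # used at build time only


def build_output() -> bytes:
    """A fake ELF-like blob whose RPATH points at glibc and openssl. gcc built
    it but leaves no path behind, so it must not count as a runtime dependency."""
    rpath = f"{GLIBC}/lib:{OPENSSL}/lib".encode()
    return b"\x7fELF" + b"\x00" * 16 + b"RPATH=" + rpath + b"\x00"


def runtime_closure_of_output() -> set:
    return scan_references(build_output(), [GLIBC, OPENSSL, GCC])


if __name__ == "__main__":
    for p in (GLIBC, OPENSSL, GCC):
        print(p)
    print("runtime references:", sorted(runtime_closure_of_output()))
```

The scan is deliberately dumb: any occurrence of an input's hash, whether in an RPATH, a shebang line or a string constant, makes that input part of the output's runtime closure, and an input whose hash never appears (gcc above) is dropped even though it was needed to build. That is also what makes store paths useful for reproducibility checks: two builds that agree on every input hash and on the produced bytes must agree on the whole dependency graph.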