--- title: Nix cas beta discourse announcement --- Hello Nixers, One year and a half after the submission of the [RFC](https://github.com/NixOS/rfcs/pull/62), I'm happy to announce that thanks to the work of @edolstra, @ericson2314, and your humble servant, content-addressed Nix has now reached beta-grade quality. This means that it’s now time to start using it. # Content what? Without entering too much into the details − I invite you to check out [this blog post](https://www.tweag.io/blog/2020-09-10-nix-cas/) or [the relevant section in Eelco’s PhD thesis](https://edolstra.github.io/pubs/phd-thesis.pdf#page=143) for that − content-addressed Nix is an extension of the Nix model bringing several new possibilities. In particular, it enables “early cutoff” (stopping a rebuild if it can be proved that the end-result will be the same as something already known), which could reduce hydra’s (and yours) load and storage a lot. It also changes the Trust model of Nix, allowing for example several users to share the same store without trusting each other. # So what’s the status? All the features are here to make this a reality: It’s now possible to build content-addressed derivations, both locally and remotely, to move them across machines and transparently sign and substitute them. Now this is a big change, and as such there’s certainly a number of ugly monsters hiding in some dark corners of the code and waiting for the right edge-case to wake them up. And that’s where we need you, to track them down to the last one, and crush them all. # What can I do? There's several things you can do, depending on how much of an adventurer you feel. Before anything, make sure that you have a recent-enough Nix — both client and daemon, either by using `nixUnstable` from a `nixos-unstable` from after the 4th of march, or by fetching it directly from source. - **Level 0 — Remote adventurer 📺 :** Try using some CA closures in a sandbox: Run a CA build of Emacs: ```console $ nix shell \ --experimental-features 'ca-references nix-command' \ --store /tmp/my-ca-nix \ --trusted-public-keys '' \ --substituters https://cache.ngi0.nixos.org/ \ /nix/store/yvk5yl9fid0zlxqk1xvvzn787d8gbh00-emacs-27.2 \ -c emacs --version ``` See that content-addressed paths don't need signatures, because they are self-authenticating! ```console $ nix store verify \ --experimental-features nix-command \ --store /tmp/my-ca-nix \ --sigs-needed 10000 \ /nix/store/yvk5yl9fid0zlxqk1xvvzn787d8gbh00-emacs-27.2 ``` (to get more paths to test, use this dirty one-liner to fetch all the paths built by the latest evaluation: ```sh curl https://hydra.ngi0.nixos.org/jobset/ca-test/nixpkgs/evals -H 'Accept: application/json' | nix run nixpkgs#jq -- '.evals[0].builds[]' | xargs -I{} sh -c 'curl -s https://hydra.ngi0.nixos.org/build/{} -H "Accept: application/json" | nix run nixpkgs#jq -- -r ".buildproducts[] | .path"' ``` ) - **Level 1 — Visitor of the garden 👣:** Add the `ca-derivations` and `ca-references` experimental Nix features to your `/etc/nix/nix.conf`. This *shouldn't* change anything, except make Nix take different (ca-compatible) code-paths to do the same thing. If it changes (or breaks) something, then congratulations, you’ve spotted a bug! - **Level 2 — Explorer of the world 🤠:** Mark some individual derivations as “content addressed”.\ On a recent-enough nixpkgs, this should be as simple as setting `__contentAddressed = true` in your call to `mkDerivation`. If you encounter a derivation that works as input-addressed but not as content-addressed, then it’s (probably) a Nix bug. - **Level 3 — Raider of the unknown 🐲:** Switch to a fully content-addressed system.\ Entering this new world is as easy as passing `config.contentAddressedByDefault = 1` when evaluating nixpkgs. Be warned that although there’s a [hydra instance testing *some stuff*](https://hydra.ngi0.nixos.org/jobset/ca-test/nixpkgs), it’s not a channel blocker, and [its associated binary cache](https://cache.ngi0.nixos.org) won't contain everything you're used to. So you’ll have to rebuild most of your system yourself and you *might* encounter some unexpected breakages. You can use the binary cache `cache.ngi0.nixos.org` to speed up your builds. To do so, merge the following into your `nix.conf`: ``` substituters = https://cache.ngi0.nixos.org/ trusted-public-keys = cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA= ``` And like above, anything that used to work but doesn’t anymore is probably a bug, so please do submit it! # What’s next? All this testing will give us more insight on how to finalize and stabilize the design, which in turn will feed the [RFC](https://github.com/NixOS/rfcs/pull/62) in case it needs to be refined. Then the big next milestone is to use this directly on https://hydra.nixos.org and populate the official binary cache with a fully content-addressed nixpkgs. And (eventually) make this the default.