paepcke.de    +    + 🇪🇺

https://nixcademy.com/posts/secure-supply-chain-with-nix/

#nix #nixos #FormalVerifcation

Demonstrably Secure Software Supply Chains with Nix

Discover how Nix can revolutionize your software supply chain security, enabling verifiable integrity and offline rebuilds from source.

Nixcademy
May 12, 2025 at 6:07pmWeb
Show threadRaito BezariusMay 12, 2025
@paepcke hm where is the formal verification in the blog post?
Show threadpaepcke.de    +    + 🇪🇺May 13, 2025

@raito

The project behind this blog post allows a formal input validation (maybe the better wording) by generate a single (fixed-) source file that is able to reproduce the full system build offline and air-gapped.

When your (nix-) project strictly uses reproduce able builds formulas, you will end up on every offline proof build with a bit-by-bit verify-able result.

The project skip the last step (sadly, similar to nixos current state) to manifest the output correctness with a single hash (eg. by building a hash tree over the produced output binaries) and leaves the last step (output verification) to the agency trusted toolchain.

https://github.com/applicative-systems/secure-supply-chain

GitHub - applicative-systems/secure-supply-chain: Secure Software Supply Chain Demonstration with Nix

Secure Software Supply Chain Demonstration with Nix - applicative-systems/secure-supply-chain

GitHub