Just uploaded my bachelor's thesis to GitHub!
In it, I detail how I created a bootstrap chain for @nixos_org which builds the whole system from a small hand-auditable binary seed.
Read the thesis: https://nzbr.github.io/nixos-full-source-bootstrap/thesis.pdf
Check out the code: https://github.com/nzbr/nixos-full-source-bootstrap
My post on the NixOS discourse: https://discourse.nixos.org/t/a-full-source-bootstrap-for-nixos/74801
I read this expectating to find a demonstration of applying the previous work of #GUIX to #nix but this actually goes further! o.o
TIL about #live_bootstrap, a minimal binary seed that you can *boot on physical hardware*, *builds a linux distribution from source* and then boots into it.
https://github.com/fosslinux/live-bootstrap
I did not know that this part of the chain had a working solution!
Amazing work on integrating Nix into all of that!
An attempt to provide a reproducible, automatic, complete end-to-end bootstrap from a minimal number of binary seeds to a supported fully functioning operating system. - fosslinux/live-bootstrap
Now the only missing part to the ultimate and complete source bootstrap is physically auditable hardware to run live-bootstrap on.
Does anyone know the state of the art in that?
IRIS (Infra-Red, *in situ*) is a technique for non-destructively inspecting the construction of a select but common type of chip. It can improve visibility into our hardware and provide supporting evidence of its correct construction, without desoldering chips or expensive analytical gear. This talk covers the theory behind IRIS, as well as some embodiments of the technique. I will also frame the relevance of IRIS in the face of various threat scenarios. Time permitting, I’ll also show how you can do it at home by peeking around a few chips as a demo.
While we're on the topic: work on minimal-bootstrap in #nixpkgs has actually been picked up again since this thesis was written (October 2025).
Not only that but, as of a few hours ago, the PR implementing the last step of hooking it up to become the actual bootstrap stdenv in Nixpkgs has been merged!
https://github.com/NixOS/nixpkgs/pull/479322
#fullsourcebootstrap #reproduciblebuilds #stage0 #minimalbootstrap #bootstrappablebuilds
Nice! Though it's a shame that I didn't manage to publish this earlier -- Could've maybe avoided some duplicate work
@Atemu @nzbr @nixos_org Congratulations!! 🎉
This is an important milestone for NixOS but also for free software in general!
Bravo. 👏
@nzbr @nixos_org Very cool! I’ve been wondering about how to do this for ages.
Right now, I can boot #NetBSD from a USB stick, then install NetBSD on to a completely zeroed disk with only binaries generated from source from that USB stick. I do this in part because compiling is a good stress test of a system.
Now if I could build everything on the USB stick from a small, hand-auditable (for certain values of hand) bootstrap, that’d be awesome.
Excellent work! Reading it now :)
Nice! If someone wants to try live-bootstrap with QEMU/bare images generated on a ZFS dataset (and possibly other CoW filesystems), there is a bug in the Python generator scripts which leads to corrupt images. I made a simple fix, which hopefully will be merged. https://github.com/fosslinux/live-bootstrap/pull/567
Trundle
Arson Copperflame
Atemu
mei
Matt Bernhard
Janneke
Ludovic Courtès
korkeala
Bitslingers-R-Us
Karl Pettersson
dunklecat