Skip to content

OceanSprint 2025 Sprint Report

Today we concluded the fifth iteration of Ocean Sprint, a dedicated week of Nix development hosted in the Canary Islands.

OceanSprint 2025

We are grateful to all sponsors whose contributions made this event possible, allowing participants to fully concentrate on development work.

OceanSprint 2025

Report

NixOS Module System Enhancements

Contributors: @mightyiam, @aforemny, @roberth, @hsjobeki

  • Developed new WIP builtins.catchEvalError for robust error catching, to enable serialisation of evaluated NixOS/home-manager/other configurations.
  • Worked on Nixpkgs lib functions for diffing module configurations through deep evaluation using the above.
  • Added free-floating definitions via mkDefinition #390983
  • Enhanced module introspection capabilities, making attrsOf and submodule and listOf options. This unblocks problems like 'module diffing' or having better LSP support. preparing PRs for merging #390952 #391544

Nix enhancements

devenv

Contributors: @sandydoo, @domenkozar

  • Prepared devenv 1.5 release, including overlays and enhanced AI generation. #1776
  • Added eval cache busting and telemetry warnings (#1776).
  • Fixed issues related to garbage collection (#1766).
  • Reimplemented development environment activation that results into noticable speedups (#1789):
    • Linux: 500ms -> 150ms
    • macOS: 1300ms -> 300ms

Snix (formerly Tvix)

Contributors: @flokli, @raitobezarius, @edef1c, @vkryachko, @Kranzes, @adisbladis, @brainrake, @domenkozar

  • Announced a Tvix fork, Snix.
  • Continue setting up and fixing Snix CI and development infrastructure
  • Doc, contribution guidelines and DX improvements
  • Fixes to snix-nix-daemon, enabling local-overlay-store functionality.
  • Fixes to snix-build, building many more store paths.
  • Ported local-overlay-store to Lix to use Snix with Lix.
  • snix-eval-jobs, the Snix version of nix-eval-jobs, made progress on evaluation correctness.
  • Continued porting builtins.fetchTree and builtins.fetchgit to Snix.
  • Hosted a local fetch-through binary cache powered by snix-store at oceansprint.tvix.store during the sprint.
  • Enhanced Snix CLI and eval infrastructure; improved logging and test infrastructure.

Test Driver improvements

Contributors: @tfc, @ma27, @bew

  • Improved NixOS test driver assertion errors, streamlining debugging and enhancing clarity (#390996).
  • Developed a module for an SSH backdoor into the VM tests and re-used the breakpoint hook for interactive debugging within VM tests running in the sandbox (#392030, #392117).
  • Fixed the test driver on macOS after latest changes on master broke it #391581
  • Improved the driverInteractive workflow on macOS #391589

FOD Tracker

Contributors: @multivac61, @JulienMalka, @adisbladis

  • Prototyped FOD reproducibility tracker, evaluated 351,597 FODs from nixpkgs.
  • Published fod-oracle as a monitoring platform for nixpkgs.
  • Example: Query FODs by nixpkgs commit https://api.fod-oracle.org/api/commit/3161da368eccd9bde13deb1168bb16a29735151e/fods
  • The following API endpoints are available:
    • GET /api/health - Health check
    • GET /api/revisions - List all nixpkgs revisions
    • GET /api/revisions/{id} - Get details for a specific revision
    • GET /api/revision/{rev} - Get details for a specific revision by git hash
    • GET /api/fods - List FODs (with pagination)
    • GET /api/fods/{hash} - Find FODs by hash
    • GET /api/commit/{commit}/fods - List all FODs associated with a specific nixpkgs commit hash (with pagination)
    • GET /api/stats - Get database statistics
    • GET /api/compare - Compare FODs between revisions

Nix Build Provenance and Supply Chain Security

Contributors: @arianvp, @mschwaig, @JulienMalka

  • Released working prototype of nix-attest for publishing in-toto attestations from GitHub CI.
  • Published early prototype of laut signature format proposal and tool, for stricter verification of dependency trees, so the community can work on it in public together.
  • @mschwaig and @JulienMalka started integrating laut with lila in this PR.
  • @arianvp and @mschwaig discussed how they could link up their work as well.
  • @JulienMalka wrote a blog on detecting the XZ backdoor.
  • We fixed sigstore python package in nixpkgs: https://github.com/NixOS/nixpkgs/pull/391693

Late binding in python3Packages

Contributors: @SomeoneSerge, @collinarnett, @adisbladis

  • An experiment at instantiating the entirety of python3Packages using pyproject-nix instead of the current buildPythonPackage+pypa{Build,Install}Hook
  • The new package set exposes a shim buildPythonPackage that moves runtime dependencies from derivation to passthru and uses pyproject-nix's resolveBuildSystem.
  • This way, we can
    • reuse Nixpkgs' recipes that rely on the buildPythonPackage interface, but
    • eliminate rebuilds caused by changing runtime dependencies,
    • support "cyclic" dependencies (which only seemed cyclic because we didn't used to distinguish between build- and run-time dependencies at the same layer as upstream python),
    • and resolve multi-tenancy issues such as those caused by major version upgrades in numpy and pydantic.
  • The current progress is tracked in https://github.com/collinarnett/nixpkgs/tree/feat/python-late-binding
    • At the time of writing it's already possible to build e.g. python312PackagesNG.requests, but not python312PackagesNG.mkVirtualEnv { requests = [ ]; }
    • This still suffers from legacy python's setup hooks leaking into derivations and breaking builds
    • Some derivations assuming implicit wheel or flit-core native build inputs are still not taken care of
  • With this project the contributors also learned more about internals of the Nixpkgs' python ecosystem
  • Related work and literature:
    • https://pyproject-nix.github.io/pyproject.nix/

Unbreaking apache-airflow

Contributors: @collinarnett

  • Worked towards fixing the build process of apache-airflow and its legacy Flask dependency.

gobuild.nix Development

Contributors: @katexochen, @britter

  • Improved gobuild.nix to provide a local directory that can be used as GOPROXY via file URL instead of linking the source of dependencies into a vendor directory.
  • Developed code generation tool for streamlined packaging of Go dependencies. Pointing it to the dependency you want to package, it will generate Nix code for that package and all its dependencies.

Darwin Sandboxing

Contributors: @joshheinrichs-shopify

  • Explored loosening sandbox-exec profiles on Darwin to allow it to be enabled by default; discovered another PR #12570 which addresses similar concerns.

Bashless Activation & Minimal NixOS

Contributors: @nikstur, @blitz, @willibutz, @britter

  • Developed nixos-init a system for bashless initialization of NixOS. This will be completely opt-in by setting system.nixos-init.enable = true;. This, however, still needs a lot of small cleanup to be done all over Nixpkgs.
  • Developed kernel patches for EROFS as initrd and general initrd cleanups in the kernel.
  • Deduplicated the content of initrd and /nix/store for further space savings, because everything that's already in the initrd doesn't need to be in /nix/store.

Clang-built Linux Kernel

Contributors: @blitz, @joshheinrichs-shopify

  • Successfully built kernels with LLVM/Clang (#390631).
  • Addressed issue cross-compiling Cargo from aarch64 -> x86_64.

A Plumbing meetup for Nix implementations

Contributors : @edef, @roberth, @fricklerhandwerk, @flokli, @raitobezarius

  • Interest for closer cross pollination efforts between the implementations
  • Sharing more components like conformance test suites

Last but not least

  • Socionomics panel:
    • Discussed Nix governance and social structures (notes).
    • Started a section on the "broader ecosystem" on the NixOS homepage, listing reimplementations and inspired projects: https://github.com/NixOS/nixos-homepage/pull/1703
    • Discussed newsletters and revolutionary pamphlets! Perhaps this could be aligned with @a-kenji's Teams' Reports effort?
  • libstore build code cleanup (@L-as).
  • Pareto Security: Enabled easy security checks for NixOS users (@zupo).
  • Yarn + Nix Integration: Enabled yarn package manager to use /nix/store cache (@adrian-gierakowski).
  • keep-sorted in nixpkgs: Integrated keep-sorted into nixpkgs CI to ensure order in large files (@katexochen)
  • Tests for the Gradle and Maven packages: Added some nixpkgs tests for Gradle and Maven - the two major build systems for Java/JVM development (@britter)

A Special Thanks

A special acknowledgment to all sponsors, participants, and contributors who made this Oceansprint productive and exciting. Your support and collaboration are deeply appreciated!