
PG - Unleashing the Future of Development: The Secret World of Nix & Flakes

BSides Las Vegas · 26:19 · 54 views · Published 2024-09 · Watch on YouTube ↗
About this talk
Proving Ground, Wed, Aug 7, 16:30 - Wed, Aug 7, 16:55 CDT

In the rapidly evolving landscape of software development, ensuring consistent, secure, and reproducible environments is a persistent challenge. This talk introduces Nix and Nix Flakes as transformative tools that address these issues head-on, offering a comprehensive solution for developers and teams seeking reliability and security in their workflows. We will explore how Nix, a powerful package manager, alongside Nix Flakes, enables precise control over dependencies, creating fully reproducible development environments that are isolated from system-wide changes and discrepancies. Attendees will learn how these technologies can mitigate common security vulnerabilities, streamline project setups, and ensure that all team members, regardless of their operating system, can get started quickly and safely. By demystifying the concepts and demonstrating practical applications, this session aims to provide a clear pathway for adopting Nix and Nix Flakes, making your development process more efficient and secure. Whether you are an individual developer, part of a large team, or simply interested in the latest advancements in development infrastructure, this talk will equip you with the knowledge to leverage the full potential of Nix-based environments in your projects.

People: Jason Odoom
Transcript (en)

Hey everyone, thanks for coming to this talk. This is a bit of clickbait in real life, because there is no secret world of Nix and flakes, but I hope it'll be interesting enough for you to consider this. Oh, by the way, there's a QR code here, and there'll be one on the next slide, so if you want to follow along, go ahead.

So this is our agenda for today. What I want to talk about is why Nix, why this is important to me, why you should care about this. I started out with Nix about two years ago. It was sort of out of annoyance. As a longtime Linux user, specifically an Ubuntu user, I was frustrated with having to, after reinstalling, install all my packages and stuff, regardless of whether or not I scripted up a solution. I had finicky scripts and whatnot to get my environment back to my liking. Over time I grew annoyed by that, and it just wasn't good enough to manage. So I discovered Nix when I was sort of in a DevOps space for a bit, by mistake, and I ignored it because I was like, why would I use this? This is a bit complicated. And it is; it's intimidating, it has a very steep learning curve, but it's worth checking out. It has a lot to offer.

If you're a user of Homebrew as a Mac user or a Linux user: brew is basically a package manager for Unix. It doesn't only support macOS; you can use it on Linux as well. You can install packages the same way you can use apt, which is specifically for Debian distributions, or yum, etc. Nix is like that. Nix started off as a package manager, but it's also an operating system, a build system, and of course a language.

So, software security with Nix. There's a problem with software security, and the issue is it hasn't really changed that much, in my opinion. We think of DevOps and we think of the problem that DevOps itself tries to solve, which is mainly a cultural issue. In the past, developers would develop and then move the final product, move the source, to production. But that's not efficient; you have to test your code. And DevOps is like, we're going to change the culture of that, we're going to move our code through different phases before we push to production. We're going to test our code through different stages: dev, then testing, then staging, and production. So in my opinion, the way we develop now needs to be reformed. There are a bunch of tools that don't care about dependencies, they especially don't care about security, and they don't really force a developer to think about security.

So this provides more regarding what I was talking about, the current situation of development. Say you're a developer; think about using a package manager like npm. Out of the box, what does it offer you to track your dependencies, or to place emphasis on caring about whether they're up to date? Because your task, I understand, is just to code, and maybe it's not your job to think about whether security is important, because you're not tasked with it. But in my opinion, Nix empowers you not only to think about that, but it helps take some of that load off, some of that work away from you.

So Nix, as I mentioned, started off as a package manager, then became an operating system, and of course it's a language. NixOS, the operating system, combines the language and the package manager into one sort of entity, so all these features are built in together. When we talk about declarative, what it means to be declarative is you have this configuration file that defines everything: what users have access on the system, the programs available, what keys each user should have, public keys and whatnot, what desktop environment you want to use, GNOME; you can define that declaratively. So one configuration to rule them all. That's what I was looking for when I wanted to go away from bash scripts and just have one file that will allow me to back up my system and move it somewhere else, whether it's a different machine, locally, or a server. This solves a lot of my issues personally, and I know it does for a lot of companies and other people as well.

So some of the security benefits that you have for Nix include sandboxing, isolation. When we build a package, it's in a sandbox; it can't be touched. When you think about a derivation: all a Nix file is is a Nix expression, also called a derivation. A derivation is just a set of instructions for how to build a package. Nix requires you to define a lot; we'll get into that later. So this is going to be an overview of Nix and Nix flakes. I'll talk about Nix, the classic derivation, and then why Nix flakes.

So I mentioned Nix is a package manager. You can install any application you want, similar to other package managers like apt or brew, but it also provides you with the ability to roll back. If you think about the concept of atomicity, you can roll back to a previous version if you don't like the changes that a new package provides, or even, in the example of NixOS, if you build a new configuration you can also roll back your whole system based on newly installed packages. I will also talk about the Nix store later, because the Nix store is where all the packages are stored, and it sort of makes different opinions; it doesn't necessarily follow the Unix hierarchy, the FHS structure. Everything is stored in a separate location.

So this is some of the things I mentioned. Something to think about: for Nix, if you build a new configuration, you're probably thinking, man, doesn't this take up a lot of space on my system? Because if I build a package, or if I upgrade to a new package and I'm no longer using it, will it just disappear? And of course the answer is no, because we care about atomicity, we care about keeping things available so we can switch to them later on. But if you don't need them, Nix has a great command called Nix garbage collect, and it'll just remove what you don't need, freeing up space. So it's not an issue.

So Nix flakes are a modern way to think about derivations. Of course Nix makes itself portable: I can take a derivation, I can share it with someone. But here's the issue: you have to figure out how to build it. What if there are no instructions given to me by the user, the writer? If I get a derivation, what flags do I need to build it with, what options do I need? A flake is basically another level of that; it sort of fixes the problems associated with that. You don't have to do any guesswork; everything is defined, everything is sort of given to you. It increases portability.

So here's where I'll say something regarding the current state of Nix itself. There are two commands: one is nix-build and one is just nix build. You're probably wondering, why do you need two commands to build a package in Nix? So nix build is the modern way. It tries to fix all the mistakes that nix-build created, all the things that it doesn't address; it tries to address them, tries to fix them. Of course, you still have to use nix-build, because default.nix files still exist. If you look at nixpkgs, which is a huge collection of packages in general: if you think about Debian or the Arch User Repository, you have a repository of packages. Think about your favorite package, let's say Emacs or Vim, whatever package you use. Nix has a huge repository on GitHub; that repository is called nixpkgs, and it has a bunch of packages. I think it's number two, second to the AUR. So it's pretty huge, lots of contributors, lots of developers, and it's really useful, and it's sort of a building block, a foundation, when it comes to derivations or flakes.

You can build a flake remotely; you don't have to clone it. It comes with a special command: you can run a flake, you can show a flake and see what outputs it provides you, without having to actually copy and paste the flake and then open a file and paste in its contents, or clone a repository. Something to mention is nixpkgs. nixpkgs is a monorepo, so if you were to clone it yourself, you're going to be waiting a couple of minutes depending on your network connection and system in general. So unless you're looking to contribute to the repository itself, you probably don't want to do that. But that's not even necessary to mention actually, because if you have Nix installed anyway, you can just install a package; you don't have to actually clone the repository. But that's just something to keep in mind.

So I probably should have mentioned this in the beginning: this talk is only 25 minutes. There are a lot of things I'm not going to cover. You're not going to leave out of here and be a Nix expert. This is just to show you, hey, this is what's possible, this is what's available to you, this is what you can do when you go home, when you go to work, for your personal project. Something to just think about. I want to show you different aspects of Nix itself, and you can choose what to pay attention to. If you go home and uninstall brew and just use Nix as a brew replacement, personally I'll be disappointed, but that's your prerogative; you have that freedom to do it. But you'll be sitting on a technology that's way more powerful than what you're using it for.

So this is a traditional Nix expression. Something I realized when I was looking back at these slides was I actually did link to an example configuration, configuration.nix. So configuration.nix is also just a derivation, and these are just instructions on how to build a package, or a configuration. configuration.nix specifically is how to build a system. You can, as I mentioned previously, define a desktop environment for a user. If you wanted to assign an SSH key to a user, you can do that programmatically through the Nix expression, the Nix language. You can think about all the things you can do in Unix, from invoking a shell on login for a specific user, to your little environment variables, custom environment variables, or dotfiles. This is also one of my pet peeves: it's so difficult to manage all these little things. As Unix users we love to customize stuff, we love the freedom that it provides us, but management is not very easy sometimes, and you get lazy. In my opinion this is the one tool to rule them all, because it provides us with all these benefits. You don't have to rely on any other third-party tool, because this can also be your operating system and provide you with these features.

So the first link is just an example of the configuration syntax. You can also write a flake, write flake.nix, to do the same thing. There are some examples on GitHub; if you wanted to look at my GitHub you can too, but there are many ways to do this. And the second one is just a link to this specific derivation, and this one is, I believe, for a Python package. I'm not going to click on it, just because this is a presentation, anything can go wrong, my computer can freeze or it just won't load quick enough, and the time is ticking here. But what I want to show you here is that we're just defining how to build a Python package. We have the name of the package. Well, first we have the arg set, the dependencies that we need. So when we say something is functional, we care about its inputs and its outputs. Nix expects, first, in regards to security, for you to have a hash. It can't do anything if you don't have a hash, and we'll get back to that later. But we see we have the arg set, and then we have instructions for how to build this specific Python package, and we have version information, and we're using fetchFromGitLab, so I guess you can imagine what that means: we're grabbing this package from GitLab. There are also many other fetchers, like fetchFromGitHub. We're defining the user, the owner, and the package name, of course the version, and the hash that I mentioned; that's really, really important. And these are some build phase options, like preConfigure, which might look familiar to the Unix users among us when building packages. But also pay attention to the meta section: we have a homepage, a description, and all this other stuff. Think about what it means; we'll get into SBOM later, but all this stuff is really important for SBOM.

And this is similar to the previous example. That one was the classic example, the derivation; this is the Nix flake example, the modern way. I should mention that Nix flakes are experimental, but that doesn't mean that you shouldn't use them. You should totally use Nix flakes; they're really fun and they're extremely useful. As I mentioned, you can build a Nix flake remotely. You don't actually have to download a file or copy the flake itself. If you have Nix installed, here's a command at the bottom, for example: if you want to see what the outputs for this awsh package are, just do nix flake show github: and then Cav is the owner and then the repo is awsh. We can see that this is built on Darwin, built on Linux, and different architectures are supported. And when I was looking back at this I realized that I actually didn't have, in the flake itself, a dev shell defined. So I went back and added the dev shell, just to make it easier as a better example. But the code on the left will still build a dev shell.

Oh, actually, let me explain what a dev shell is. So there's a command called nix develop which will put you in an environment with all the dependencies of the package so you can develop on it. So forget about installing a dependency. Just think about when you're writing code: you need a dependency to build your application. Forget about installing that system-wide; I'm just having this one file that'll have it available in this isolated environment. So let's think about this from a security perspective. If you were to install a library or a system that relies on other packages, and that library had a vulnerability, it would just increase the attack surface, this library that depends on other applications. But if you have this, you don't have to necessarily worry about that, because it's all in one place.

And this is the Nix file system, basically: all the outputs of your application are hashes, and this is how it verifies, via integrity, that what you built is secure. So everything that you build, you always get the same result; all the outputs will never change, essentially, is what I'm trying to say. You look at something like Docker; Docker isn't very reliable. The output when you do docker build really depends on the environment. If the environment changes, your package is not going to build accurately. "Works on my system" is definitely a thing that Docker doesn't solve but Nix solves. For Docker you have to look at other things, like the tags: if the image changes, you can't expect the same results. So Nix fixes that.

So let's look at SLSA before we dive into SBOM. When we're talking about source integrity, we're talking about the hashing aspect of Nix. Nix expects a hash to verify that the packages that you give it are, not necessarily secure, but verifiable. So this is also another example of a derivation, but we're skipping all the arg sets, we're skipping everything; we're just looking at the Python package and the name. If you try to build this without the hash, it's going to complain; it's going to give you a hash, and then that's the hash that you paste in.

So when we talk about build script integrity, we want to focus on the things that are provided to us as Nix users, Nix builders. Basically, if I have, for example, this derivation, and I want to build it, Nix has different features like sandboxing that ensure that regardless of what happens to my system, the package will not be affected: the build output, the build result. And actually that's part of the integrity part, build environment integrity, the sandboxing, which goes back to my Docker example, which Docker doesn't support or actually provide.

So, provenance and reproducibility: I can send a flake to someone, someone can grab a package and build it on a different system, and they'll always get the same output; they'll always get the same result. Nothing will change. You can build it as many times as you want; as long as the package doesn't change, dependencies don't change, the build is reproducible. Something I want to mention, too: some of you are probably thinking, why would I use this build system? There are other build systems. I guess you can say one of the drawbacks of Nix is it will build every component of a package: if something changes, it's going to build the whole package, even if it's just a small component, it's going to have to build the whole thing again. So that's probably the downside. There are other build systems; I imagine someone will probably ask about that, but we can get to that later.

So it's also a Nix level four. So we have this derivation, and it's going to show us where it is in the Nix store, and of course connects with SBOM.

This is just an example of the output. If you look at a derivation, if we just choose a random package in our Nix store, it'll give us all these options: the environment variables that are provided and some different options that are within the derivation themselves, including the name. So basically everything that's defined, all the arguments in the derivation, the outputs, we see here. So I wanted to focus on static and dynamic analysis. I know this is an important topic for some people, and there are programs that you can actually make use of in Nix itself. This is something that isn't done automatically or built in, but it's something that can enhance your Nix experience. So we just have different tools like clang and Valgrind; you can integrate them within your Nix flakes.

And now we're going to get to SBOM, because if you remember, when I showed you a simple flake, we have the meta section, not to mention the outputs of the Nix store and how it provides you with all this information. It's essentially doing what SBOMs can do. So I figured I'd link to this blog post here, "Nix as software identifier", because I think it's the perfect conclusion for this presentation, because it basically sums up what I've been trying to talk about: why you would use this. Of course there are tools that you can use for SBOMs themselves, but Nix also provides you with those outputs, with that information, and below are those additional tools as well.

So this is the conclusion. If you want to install Nix, go to the Nix installer; I recommend the Determinate Systems installer. If you want to learn Nix, go to nix.dev. If you want to try Nix, maybe replace your OS, go to nixos.org. Thanks to Cyber Jenny for helping me prepare for this presentation; she worked with me a lot. This is Proving Ground; I'm a first-time speaker, so this was a good first-time experience. Thanks so much. Any questions?
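The flake below is an added example written for this page; it is not the speaker's awsh flake, not a nixpkgs file, and not from any slide. It ties together the pieces the talk walks through: a pinned nixpkgs input (recorded in flake.lock, which is what makes a rebuild elsewhere use the same dependencies), a source fetch that must carry a hash before Nix will build it (the "build once with a fake hash, paste in the real one" workflow), the preConfigure hook and meta section that feed SBOM-style metadata, and a devShell for nix develop with the clang and Valgrind tools the talk mentions for static and dynamic analysis. The package name demo-tool, the owner example-owner, the tag v1.0.0 and the homepage are placeholders, and lib.fakeHash is the deliberately wrong hash that makes Nix report the correct one.

```nix
{
  description = "Added example: hashed source, meta section and dev shell in one flake";

  inputs = {
    # Pin nixpkgs to a release branch; flake.lock records the exact commit.
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = nixpkgs.legacyPackages.${system};
        lib = pkgs.lib;
      in {
        packages.default = pkgs.stdenv.mkDerivation {
          pname = "demo-tool";   # hypothetical package name (placeholder)
          version = "1.0.0";

          # Source integrity: Nix refuses to build until the fetched tree
          # matches this hash. owner/repo/rev are placeholders.
          src = pkgs.fetchFromGitHub {
            owner = "example-owner";
            repo = "demo-tool";
            rev = "v1.0.0";
            # First build with lib.fakeHash; Nix fails and prints the
            # real sha256-... value, which then replaces this line.
            hash = lib.fakeHash;
          };

          # Build-time vs run-time dependencies, both resolved from the
          # pinned nixpkgs, never from the host system.
          nativeBuildInputs = [ pkgs.cmake ];
          buildInputs = [ pkgs.openssl ];

          # Runs inside the build sandbox before the configure phase.
          preConfigure = ''
            echo "configuring ${pname}-${version} in sandbox $(pwd)"
          '';

          # Metadata that tools reading the derivation can turn into
          # SBOM fields (name, version, homepage, license, platforms).
          meta = {
            description = "Hypothetical tool illustrating derivation metadata";
            homepage = "https://example.invalid/demo-tool";  # placeholder
            license = lib.licenses.mit;
            platforms = lib.platforms.unix;
          };
        };

        # nix develop: the package's dependencies plus analysis tools,
        # available only inside this shell, not installed system-wide.
        devShells.default = pkgs.mkShell {
          inputsFrom = [ self.packages.${system}.default ];
          packages = [ pkgs.clang-tools ]
            # Valgrind is Linux-only in nixpkgs; guard it so the flake
            # still evaluates on Darwin.
            ++ lib.optionals pkgs.stdenv.isLinux [ pkgs.valgrind ];
        };
      });
}
```

With this file in a repository, nix flake show lists the packages and devShells outputs per system, nix build ./#default builds the package (failing with the correct hash on the first run, as the talk describes), nix develop drops into the isolated shell, and nix derivation show on the built store path prints the derivation's environment variables, inputs and outputs, the same view of the Nix store the talk shows on its output slide.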