Hacker News new | past | comments | ask | show | jobs | submit login

Hydra is arguably one of the scariest parts of Nix: A giant, bespoke CI system written in C++.

Arguably it shouldn't exist. Nix can and should easily slot into any CI tool.




And, unlike nixpkgs, Hydra is pretty unfriendly to contributions.

There is one master trusted public key for nix:

    6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
It is hardwired into the nix source code and every (unpatched) build of nix from the last decade or so. There is no revocation system. There is no public key infrastructure. If that key gets compromised, there is no backup plan. I love Nix, but this is batshit crazy.

The Hydra instance has access to the corresponding private key. So the people who merge changes to Hydra are understandably paranoid. Unfortunately this has turned the codebase into a mess.


> There is one master trusted public key .. It is hardwired into the nix source code .. There is no revocation system .. The Hydra instance has access to the private key

> it is built in C++


There are couple of CI/CD systems being produced by startups that aim to fill that role, based on BuildKit/Docker. For now, Nix is still way better than they are in many ways, with the notable exception of Windows support.

Maybe visible interest in them can push forward Nix community developer interest in polishing Nix for the same use cases.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: