A Full-Source Bootstrap for NixOS

Wire Jansen

Introduction

Using computers requires trusting software
FOSS considered more trustworthy than proprietary software
- Source code can be audited

Trusting Compilers

Compilers must be trusted
- ”Reflections on Trusting Trust” by Ken Thompson [1]
Often built using themselves (self-hosting)
Can inject malware
- Patch itself during compilation
Bootstrapping

Nix

Package manager
- Hybrid approach
Functional [2]
Nix Language
NixOS: Linux distribution based on Nix [3]
Package set (Nixpkgs) rooted in bootstrapTools package [4]
- No cyclic dependencies
- Already small trust-base
- Suitable bootstrapping target

Research Questions

Is it possible to construct a full-source bootstrap chain for the Nix package manager?
Is it possible to construct a full-source bootstrap chain for Nixpkgs by replacing the bootstrapTools package?
How can these two bootstrap chains be combined to create a full-source bootstrap for NixOS?
Can the bootstrap chain be executed full offline?
Is it possible to create a NixOS ISO image that can be used to install the bootstrapped NixOS on other computers without having to run the full bootstrap on them first?
How can the bootstrap be adapted to architecures beyond x86-based systems?
Does the bootstrap chain still include any binaries besides the initial bootstrap seeds?

Background

Nix Store

All packages kept in Nix Store [2]
- /nix/store/<hash>-<name>
  - <hash> calculated from inputs
  - Globally unique
  - Change to inputs $\to$ change to store path $\to$ rebuild
Substitution
- Download pre-built path from substituter
  - Binary cache $\approx$ package repository
  - Other Nix store

Example Store Path:
/nix/store/aqbddpi6p0bjfdlgswjry90nnppn3sgjsqsy-bash-interactive-5.2p37/bin/bash

Nixpkgs

Collection of Nix packages [4]
Only FOSS enabled by default
stdenv
- Set of packages available for all nixpkgs builds
Built-in cross-compilation support

GNU Guix

Another functional package manager [5]
Guile Scheme
Guix System
- First full-source bootstrapped Linux distribution [6]
  - Bootstrapped from binary seed
    - Small enough to be human-auditable

minimal-bootstrap

Effort to implement Guix-like bootstrap for Nixpkgs
Abandoned since 2023
- Still part of Nixpkgs [4]

Aux Foundation

Aux: Alternative to the Nixpkgs ecosystem [7]
Aux Foundation: Basis of the Aux package set
- Bootstrapped from binary seed

live-bootstrap

Bootstraps minimal Linux OS [8]
- From binary seed
- Bootable seed: No existing OS required

Implementation

Design

Two independent parts
- Outer Bootstrap
  - Bootstraps Nix
- Inner Bootstrap
  - Assumes working Nix installation
  - Bootstraps NixOS

The Outer Bootstrap

Start with live-bootstrap
Implemented extensions
- List of additional bootstrap steps
Nix Extension
- Builds dependencies and Nix

The Inner Bootstrap

Build Aux Foundation
Create initial stdenv
- Linked against musl libc
Cross-compile gcc for glibc
Build bootstrapTools (i686-linux)
- No longer supported, NixOS does not build
Cross-compile bootstrapTools for x86_64-linux

The Combined Bootstrap

Start with outer bootstrap
Wrap inner bootstrap into NixOS extension
live-bootstrap is 32-bit
- Cross-compile 64-bit Linux and Nix
Build generic NixOS configuration and boot it
- Generate hardware-specific config (nixos-generate-config)
Rebuild system and reboot

Running Offline

live-bootstrap (and Nix extension) already work offline
NixOS extension required more work
- Sources not known before evaluation
- Extract URL and hash with Nix
- Where not possible:
  - Downloaded with existing Nix
    - Still allows for auditing the downloaded code

Results

RQ1
Is it possible to construct a full-source bootstrap chain for the Nix package manager?

Yes
(outer bootstrap)

Source + Binary Seed $\Rightarrow$ 32-bit x86 Linux OS with Nix

RQ2
Is it possible to construct a full-source bootstrap chain for Nixpkgs by replacing the `bootstrapTools` package?

Yes
(inner bootstrap)

i686-linux Nix + Source + Binary Seed $\Rightarrow$ bootstrapTools

RQ3
How can these two bootstrap chains be combined to create a full-source bootstrap for NixOS?

Yes
(combined bootstrap)

Only 64-bit x86
- Needed to extend NixOS bootstrap
Tested in VM and on physical hardware
- ~17h in VM

RQ4
Can the bootstrap chain be executed full offline?

Yes

No NIC attached to VM
Physical hardware required internet
- Hardware detection installed additional packages
Not executable online
- Source code availability problems

RQ5
Is it possible to create a NixOS ISO image that can be used to install the bootstrapped NixOS on other computers without having to run the full bootstrap on them first?

ISO can be built
Installing from ISO is possible
- Still needs to build large portion of the bootstrap
  - Build dependencies not included in ISO
- Source availability problems
  - Sources must be copied to live system

RQ6
How can the bootstrap be adapted to architecures beyond x86-based systems?

No native compilation
- live-bootstrap and Aux Foundation only support 32-bit x86
- Missing bootstrapTools
Cross-compilation
- Entire system
- ISO
  - Bootable on Raspberry Pi 4 (with UEFI)

RQ7
Does the bootstrap chain still include any binaries besides the initial bootstrap seeds?

Yes

e.g. rustc (Rust compiler)
- Dependency of NixOS
- Built from pre-compiled rustc binary
Some Bootstraps exist, but not implemented in Nixpkgs
- Rust,[9] Java[10]

Conclusion

Usability

Initial Installation
- High computational cost
- Limited hardware support
  - Only x86_64
  - No UEFI
Adding Packages
- Similar to other source-based package managers
Updating
- Manual Nixpkgs update
- Rebuilds

Future Work

Integration into Nixpkgs (minimal-bootstrap)
Optimization
Replace remaining bootstrap binaries
- Implement existing bootstrap chains

References

[1]

K. Thompson, “Reflections on trusting trust,” Communications of the ACM, vol. 27, no. 8, pp. 761–763, Aug. 1984, doi: 10.1145/358198.358210.

[2]

E. Dolstra, “The purely functional software deployment model,” Utrecht University, Netherlands, 2006. [Online]. Available: http://dspace.library.uu.nl/handle/1874/7540

[3]

A. Hemel, “NixOS: the Nix based operating system,” Zenodo, 2006. doi: 10.5281/zenodo.12906987.

[4]

“Nixpkgs: Nix Packages collection & NixOS.” GitHub. Accessed: Jul. 21, 2025. [Online]. Available: https://github.com/NixOS/nixpkgs/tree/92c2e04a475523e723c67ef872d8037379073681

[5]

“Guix: Transactional package manager, declarative GNU/Linux distribution, reproducible deployment tool, and more!” Codeberg. Accessed: Sep. 25, 2025. [Online]. Available: https://codeberg.org/guix/guix

[6]

J. Nieuwenhuizen and L. Courtès, “The Full-Source Bootstrap: Building from source all the way down,” Apr. 26, 2023. Accessed: Sep. 25, 2025. [Online]. Available: https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/

[7]

J. Hamilton and others, “Aux Foundation: A full binary bootstrap chain for Nix.” Mar. 30, 2025. Accessed: Sep. 25, 2025. [Online]. Available: https://git.auxolotl.org/auxolotl/foundation

[8]

S. Tyler and others, “live-bootstrap.” GitHub. Accessed: Sep. 25, 2025. [Online]. Available: https://github.com/fosslinux/live-bootstrap

[9]

D. Tolnay, “Bootstrapping rustc from source.” Accessed: Dec. 13, 2025. [Online]. Available: https://github.com/dtolnay/bootstrap

[10]

Bootstrappable Builds, “From C++ to Java.” Accessed: Dec. 13, 2025. [Online]. Available: https://www.bootstrappable.org/projects/java.html

[1]