Nix and NixOS

Nixpkgs Clarity: Correcting Nix package license metadata

UA2.118 (Henriot)
Philippe Ombredanne
Nixpkgs is massive: it is the largest, most up-to-date collection of Nix packages, powering reproducible systems and forming the backbone of many projects. But there's a problem: Nix packages' license metadata is a mess.

Nix's license tracking uses a custom license ID system that doesn't follow the best practice of using standard SPDX license expressions, and it references SPDX or ScanCode LicenseDB inconsistently. The metadata often falls out of sync with the actual code or misrepresents what's really licensed, and packagers typically only check the top-level declared license and skip the file-level details where the real complexity hides. For an ecosystem built on correctness and reproducibility, this is a gap we need to close.

Nixpkgs Clarity fixes this with state-of-the-art automated license detection. We're correcting and standardizing license metadata across the entire Nixpkgs collection, aligning with SPDX best practices, and making sure what we declare actually matches what's in the code. This matters because accurate license data is critical for software supply chain security, CRA compliance, and anyone who needs to responsibly reuse Nixpkgs packages in production.

This talk shows how we're detecting and correcting license metadata across Nixpkgs, and what changes when you finally have accurate license data. We'll share how we are tackling the unique challenges of Nixpkgs at scale, with tens of thousands of packages, Nix's functional approach to package definitions, and automated detection in a way that maintainers can trust and verify.

If you care about making Nixpkgs even more reliable and supply chain ready, come see how we're bringing Nix's correctness principles to Nix packages' license metadata.

Additional information

Live Stream https://live.fosdem.org/watch/ua2118
Type devroom
Language English

More sessions

1/31/26
Nix and NixOS
UA2.118 (Henriot)
devroom opening
1/31/26
Nix and NixOS
UA2.118 (Henriot)
Since 2015, IndieHosters has specialized in hosting and making accessible free software as a service, from blogs and forums to wikis and online collaboration tools, with a core mission to enable people and organizations to always keep control over their data and privacy in order to achieve data sovereignty.

To support this mission, we created libre.sh, a framework of tools that enables us to host free software at scale. It has evolved quite a bit since our initial talk at FOSDEM 2017. ...
1/31/26
Nix and NixOS
Ryan Gibb
UA2.118 (Henriot)
Our digital lives are increasingly fragmented across numerous centralised online services. This model concentrates power, leaving us with minimal technical control over our personal data and online identities. The long-term permanence of these platforms is uncertain, and their commercial incentives are often misaligned with user interests. We propose inverting this model: instead of centralising our data in proprietary silos, let’s centralise our presence under our own control using open, ...
1/31/26
Nix and NixOS
Lars
UA2.118 (Henriot)
With TAPPaaS we are building a small, composable private cloud for homes, communities and small organisations. It should feel like an enterprise‑grade packaged solution, but be built fully with FOSS and declarative Nix/NixOS tooling. Our current design is a 2‑node cluster with a third backup node, using Proxmox as cluster manager, NixOS and flakes for all VMs running platform services. All changes go through GitOps workflows, and services are packaged as NixOS modules that share central ...
1/31/26
Nix and NixOS
Bruce Gain
UA2.118 (Henriot)
Reproducibility remains one of the largest challenges in benchmarking distributed systems, especially when hardware, kernel settings, and dependency versions vary between tests. This talk presents a NixOS-based approach for constructing deterministic, portable benchmark environments for large-scale data infrastructure. We show how Nix’s declarative system configuration, content-addressed builds, and reproducible packaging model allow engineers to isolate performance variables and eliminate ...
1/31/26
Nix and NixOS
UA2.118 (Henriot)
NixOS reproducibility monitoring has historically been limited to the ISO images we ship, because they are a package set small enough to be rebuilt on a single machine. In this talk, we introduce LILA (https://github.com/nix-community/lila), a decentralized reproducibility monitoring infrastructure for the NixOS community, aimed at removing this limit and allowing a collaborative monitoring of the entirety of nixpkgs!
1/31/26
Nix and NixOS
Ryan Gibb
UA2.118 (Henriot)
The OCaml language package manager, Opam, has support for interfacing with system package managers to provide dependencies external to the language. Supporting Nix required re-thinking the abstractions used to interface with traditional package managers, but makes using Opam for development easy whilst benefitting from Nix's reproducible system dependencies. This provides one example of how Nix interfaces with other software development and deployment technologies.

Get in touch at ...