Tammer Saleh changelog.com/posts

NixOS has one fatal flaw

Jerod’s Note: The short embedded below of Tammer Saleh on Ship It! created a firestorm of comments from folks who were unsatisfied with the lack of explanation behind his conclusion.

I caught up with Tammer at KubeCon NA 2023 and took the opportunity to ask him to clarify and defend the comment. This post is a fancied-up transcript of his response.

It’s better in audio where I read him some comments & we all have a good laugh. Play the audio.

NixOS has one fatal flaw, which is the usability of Nix.

(By the way, I really do love the passion in the Nix community. They created that, right? They created those comments. But Nix does have that fatal flaw of a really horrible learning curve and user experience.)

I’ve never talked to a single Nix advocate… for example, some of the people inside Shopify. Shopify was touted as a place that was going to use Nix holistically, throughout their entire developer experience… And they tried. They put a good effort into it, but I’ve talked to a lot of the engineers that said:

“No, it was too hard to understand, especially for our new engineers.”

And it just didn’t work.

That being said, I know there’s a lot of initiatives to fix Nix’s usability. That’s great! I want to see that happen, because I personally am actually very excited about some of the aspects of Nix. What it opens up. NixOS, sure, but just Nix as a package manager in general is just very interesting. It’s a really cool technology.

But also timing.

(I read some of those comments too, and for some reason, this message was lost. So what am I going to do? I’m going to say it again…)

Docker solved a lot of the problems that Nix is supposed to solve. There are ways to use Nix and Docker together, and a lot of the complaints I saw said: “He doesn’t understand Nix” or “He doesn’t understand Docker…”

I’d like to think I understand Docker.

If I don’t fully understand Nix… fair. But I did a lot of studying on it.

I think I understand Nix, too.

Docker is not just about running containers. It’s not just LXC. Docker solves three different problems. Running your container in a secure, multi-tenant fashion is definitely one of the problems Docker solves (docker run). It’s the most obvious. Packaging all of your dependencies into one unit of distribution is another huge problem that it solves (docker build). The third is as just a package distribution system (Docker Hub).

  1. Docker Build
  2. Docker Run
  3. Docker Hub

Nix solves the last two.

Nix solves packaging your application and its dependencies better than Docker does!

Too many people don’t understand that if you run docker build twice, and you’re not careful about your layer caches, you’re not going to get the same result. I hate that about Docker.

Do you remember BOSH? BOSH got that right. Nix is a better version of that. But still, Docker solves it for the masses. The masses don’t care about that one little niggly part of docker build. The masses are just like:

“Whatever. It’s Docker. It’s everywhere.”

And Docker Hub solves the distribution problem.

I want to install nginx, I just docker run nginx. Done.

Nix also solves the distribution problem, but Docker has more momentum. So everybody has a Docker image. Not everybody has a Nix package.

Jerod’s Note: I removed a sub-conversation about Nix “flakes” vs “packages”, ugly Dockerfiles & how Tammer likes YAML (🤢). Catch it in the audio or the transcript.

My point is: Docker does three things, Nix does two.

Nix does not solve the running in actual isolation. Nix solves the isolation of dependencies in a very good way, but it doesn’t solve running in namespaces, in cgroups, and security, and all of that. Nix doesn’t solve that.

So if you combine Nix and Docker, which - there’s that Nixery, which is a great project! That Docker registry that can make Docker images on the fly based upon the Nix packages… That’s a cool application of Nix.

I still believe that Nix has a future in today’s technology arena, but as an implementation detail. And I think there are some small teams that are basing everything on Nix, and they’re having a lot of success with that! But because of the learning curve I just don’t think it scales to any larger environment.

Nix is a fantastic system if you can adopt it in an isolated, hermetic environment.

But it’s not for the masses. Docker is for the masses.
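Editorial illustration of the "docker build twice" point above, added here and not part of Tammer's response or the show: two Dockerfiles shown back to back (build them separately), one that drifts between builds and one pinned so the same inputs give the same image. The digest and package version are placeholders, not real values.

```dockerfile
# --- Drifting build: the "run docker build twice" problem ---
# A floating tag resolves to whatever the registry serves today.
FROM debian:latest
# The instruction text never changes, so a warm layer cache replays an
# old package set while a cold cache (CI, a colleague's laptop) pulls
# today's packages. Two builds can ship different nginx and libc versions.
RUN apt-get update && apt-get install -y nginx
CMD ["nginx", "-g", "daemon off;"]

# --- Pinned build: inputs are declared, so the output is repeatable ---
# A content digest names exact bytes, not a moving tag.
# PLACEHOLDER: take the real digest from
#   docker buildx imagetools inspect debian:bookworm
FROM debian:bookworm@sha256:PLACEHOLDER_REPLACE_WITH_REAL_DIGEST
# PLACEHOLDER version: pin the package so the layer depends only on
# declared inputs; drop the apt lists so the snapshot-of-the-day index
# does not end up in the layer. Rebuild with `docker build --no-cache --pull`
# when you want to prove the result does not depend on a stale cache.
RUN apt-get update \
 && apt-get install -y --no-install-recommends nginx=PLACEHOLDER_VERSION \
 && rm -rf /var/lib/apt/lists/*
CMD ["nginx", "-g", "daemon off;"]
```

Pinning the base digest and package version is what Docker asks of you by hand; a Nix derivation makes the same pinning the default, which is the gap Tammer is pointing at.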

Jerod Again: There you have it, Tammer’s answer to why he thinks NixOS has a fatal flaw. Did he acquit himself well? Or do you still think he’s wrong? Let us know in the comments!
