lila
Decentralized Reproducible-Builds Verification for the NixOS ecosystem
FOSDEM 2026
Julien Malka — @luj@chaos.socialArnout Engelen — @raboof@merveilles.town
Supply Chain Security
Supply Chain Security
Last year...
BUT
- 15,000 hours of build time on 10 machines
- Done by a single actor = trust in a single 3rd party
- Not sustainable
lila
hash collection
- collect signatures from independent rebuilders
- reproducibility reporting
- 2024: start
- 2025: Sovereign Tech Fund
- 2026: https://reproducible.nixos.org
reproducible.nixos.org
reproducible.nixos.org
reproducible.nixos.org
reproducible.nixos.org
What's next
how you can help
Become a rebuilder
Fix reproducibility issues
Further development
Wanna learn more?
Check Lila out: reproducibility.nixos.social
Our MSR'26 Paper