FAQ
Answers to the questions people ask about Vega.
What is Vega?
Vega is a Nix binary cache whose globally-trusted entries are gated by independent reproduction and recorded in a public, append-only RFC 9162 Merkle transparency log, so you can verify them rather than trust the operator. See Why Vega.
How do I use Vega?
Add https://vega-cache.dev as a substituter and its public key to trusted-public-keys (see Configuration). To publish your own builds, use the vega CLI: nix run github:Ad-Astra-Computing/vega-agent#vega -- login, then vega push (see Caching your builds).
How do I verify a Vega build?
Run vega verify /nix/store/<hash>-name: it checks the cache's signature against a key you already trust, verifies the signed tree head and the build's RFC 9162 inclusion proof, and re-derives the NAR hash to confirm the bytes. To do it by hand, fetch the signed tree head at https://vega-cache.dev/log/sth, request an inclusion proof, and check the Merkle proof and tree-head signature yourself. See Transparency log.
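The Merkle proof check in the by-hand route, as an added example that is not part of the vega CLI or the Vega code base: it recomputes the root from a leaf hash and audit path using the RFC 9162 verification algorithm, over a constructed seven-entry log. Assumptions: SHA-256 hashing as RFC 9162 specifies, a made-up leaf encoding (Vega's leaf format and proof response fields are not described on this page), and the tree-head signature check left out.

```python
import hashlib

def leaf_hash(entry: bytes) -> bytes:
    # RFC 9162 leaf hash: SHA-256 over 0x00 || entry
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    # RFC 9162 interior node hash: SHA-256 over 0x01 || left || right
    return hashlib.sha256(b"\x01" + left + right).digest()

def verify_inclusion(leaf, index, tree_size, path, root):
    """RFC 9162 section 2.1.3.2: recompute the root from a leaf hash and its audit path."""
    if not 0 <= index < tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in path:
        if sn == 0:                       # path is longer than the tree is deep
            return False
        if (fn & 1) or fn == sn:          # p is the left-hand sibling
            r = node_hash(p, r)
            while (fn & 1) == 0 and fn != 0:   # skip levels with no sibling
                fn, sn = fn >> 1, sn >> 1
        else:                             # p is the right-hand sibling
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root          # path fully consumed and roots match

# Reference tree builder (RFC 9162 sections 2.1.1 and 2.1.3.1), used only for test data.
def _split(n):
    k = 1
    while k * 2 < n:
        k *= 2
    return k                              # largest power of two strictly below n

def merkle_root(hashes):
    if len(hashes) == 1:
        return hashes[0]
    k = _split(len(hashes))
    return node_hash(merkle_root(hashes[:k]), merkle_root(hashes[k:]))

def audit_path(m, hashes):
    if len(hashes) == 1:
        return []
    k = _split(len(hashes))
    if m < k:
        return audit_path(m, hashes[:k]) + [merkle_root(hashes[k:])]
    return audit_path(m - k, hashes[k:]) + [merkle_root(hashes[:k])]

# Constructed sample log of 7 entries (not real Vega attestations).
LEAVES = [leaf_hash(b"constructed-entry-%d" % i) for i in range(7)]
ROOT = merkle_root(LEAVES)
```

A proof only means something against a root you trust, so in practice the root comes from a signed tree head whose signature you have checked first.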
How is Vega different from Cachix or a private cache?
With Cachix or a private cache you trust the cache owner: whatever their key signs, you install. Vega's shared tier instead requires independent reproduction plus agreement among distinct builders, and publishes a transparency log, so trust is derived from verification rather than from one key holder. See Why Vega.
How is Vega different from cache.nixos.org?
cache.nixos.org serves builds from the NixOS Foundation's trusted builders. Vega mirrors it and adds a shared tier whose entries are independently reproduced and transparency-logged, plus per-owner and scoped social trust.
Is Vega free?
Yes.
What does the Vega public key sign?
The global (shared) key signs a build only after Vega has independently reproduced it and it has cleared the promotion gates. Per-owner and per-consumer keys sign narrower scopes and are not globally trusted. See Reproducibility.
What does the transparency log prove?
That every attestation is publicly recorded in an append-only Merkle log: inclusion proofs show a build is in the log, and consistency proofs show the log was only appended to, never rewritten. See Transparency log.
Canonical endpoints
| What | Where |
|---|---|
| Substituter | https://vega-cache.dev |
| Public key | see Configuration |
| Signed tree head | https://vega-cache.dev/log/sth |
| Inclusion proof | https://vega-cache.dev/log/proof/inclusion/<index> |
| Consistency proof | https://vega-cache.dev/log/proof/consistency?first=<m>&second=<n> |
| Human transparency log | https://vega-cache.dev/log |