Reproducibility

A shared-cache binding requires independent agreement and an independent rebuild, not a single party's word.

Input-addressed store paths are global: the openssl path is the same hash for everyone, and Nix trusts a cache's signature to mean "this is the legitimate output of that derivation". So signing a path into the shared cache is the security-critical decision.

Two tiers

TierSigns withPromotes when
Tenanta per-tenant keya verified build, immediately, into the tenant's own namespace
Sharedthe global Vega keydistinct, reputation-weighted owners agree on one output and Vega independently reproduces it

What gates a shared signature

The Vega reproducer

The independent rebuild is performed by vega-reproducer, an open builder Vega operates. It rebuilds the agreed derivation from source, and the NAR hash it produces (computed by nix, not asserted by any attester) is what the master key signs. Because the reproducer is public, you can audit exactly how Vega arrives at a shared signature rather than take it on faith.

Sybil resistance

When a build diverges

If independent builds of the same derivation produce different outputs, the build is non-reproducible. Vega marks the output diverged, shows it on the status page, and never signs it into the shared tier. Divergence is a signal, not a failure: it means the source is not yet bit-for-bit reproducible.

The status page reports the verdict (diverged) and which builders disagree. It does not yet show a byte-level diff of the two outputs: that comparison (with diffoscope) runs in the reproduction worker, not at the edge. The causes are a small, well-understood set from reproducible-builds.org, each with a standard fix:

After applying a fix, push again from CI; once two builders agree on the new output, the divergence clears.

Revocation

A signed shared binding is removable, and every revocation is recorded in the transparency log alongside the promotion it undoes:

The public, signed revocation list is at /api/revocations, which a Vega-aware client can consult; a revoked path is removed from the shared cache and cannot be silently re-promoted.

A shared binding therefore asserts that the output was independently rebuilt and agreed on, and that the record is auditable; it is not a claim that the source itself is benign.