Why Vega

Most binary caches ask you to trust whoever holds the signing key. Vega is built so you do not have to.

When Nix substitutes a build from a cache, it checks that the narinfo carries a signature from a key listed in its trusted-public-keys setting. It does not rebuild the output from source, and the signature covers only the store path, the NAR hash and size, and the references; nothing in it ties the binary to the source it claims to come from. The cache is therefore a trust anchor: whatever it signs with a trusted key, your machine installs. cache.nixos.org works because you trust the NixOS Foundation's builders; a Cachix cache works because you trust its owner. If that key is stolen or misused, you install whatever the holder signed, and nothing about the binary tells you it is wrong.

Vega signs a build into its shared cache only after independent builders have rebuilt the same derivation and produced the same output, and it records every attestation in a public, append-only log. You can check that record yourself. The guarantee comes from independent agreement and a log you can verify, not from trusting the operator.
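To make the difference concrete, here is an added example (not Vega's code, and not the Nix implementation) that reproduces the signature check Nix performs on a narinfo and then layers a quorum rule on top of it. The fingerprint format and the "name:base64" key and signature encoding are Nix's real conventions; the three builder keys, the store paths and the NAR hashes are constructed placeholders, the 2-of-3 quorum is an illustrative policy rather than Vega's actual threshold, and the transparency log is not modelled. The point it shows: a single stolen trusted key passes the standard check with a tampered NAR hash, while a quorum of distinct keys agreeing on the same fingerprint does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// NarInfo carries the narinfo fields a Nix cache signature covers.
// Everything else in a .narinfo (URL, Compression, FileHash, ...) is unsigned.
type NarInfo struct {
	StorePath  string   // /nix/store/<hash>-<name>
	NarHash    string   // "sha256:<nix32>" of the uncompressed NAR
	NarSize    uint64   // uncompressed NAR size in bytes
	References []string // full store paths this output depends on
}

// Fingerprint is the exact string Nix signs: "1;<path>;<narHash>;<narSize>;<ref1,ref2,...>".
func Fingerprint(n NarInfo) string {
	return fmt.Sprintf("1;%s;%s;%d;%s",
		n.StorePath, n.NarHash, n.NarSize, strings.Join(n.References, ","))
}

// Signer models one cache or builder key. Nix names keys "name:base64" and
// that name prefixes every signature the key produces.
type Signer struct {
	Name string
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key (constructed for this example) and
// returns it together with its public half in trusted-public-keys form.
func NewSigner(name string) (Signer, string) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing rand.Reader is not recoverable here
	}
	return Signer{Name: name, priv: priv}, name + ":" + base64.StdEncoding.EncodeToString(pub)
}

// Sign produces a "name:base64sig" value as it appears after "Sig:" in a narinfo.
func (s Signer) Sign(n NarInfo) string {
	sig := ed25519.Sign(s.priv, []byte(Fingerprint(n)))
	return s.Name + ":" + base64.StdEncoding.EncodeToString(sig)
}

// splitKeyed parses "name:base64" into its name and decoded bytes.
func splitKeyed(s string) (string, []byte, bool) {
	name, b64, ok := strings.Cut(s, ":")
	if !ok {
		return "", nil, false
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	return name, raw, err == nil
}

// VerifySig returns the key name if sig is a valid signature over n's
// fingerprint by one of the trusted public keys, or "" otherwise.
func VerifySig(n NarInfo, sig string, trusted []string) string {
	sigName, sigBytes, ok := splitKeyed(sig)
	if !ok || len(sigBytes) != ed25519.SignatureSize {
		return ""
	}
	msg := []byte(Fingerprint(n))
	for _, t := range trusted {
		keyName, pub, ok := splitKeyed(t)
		// Length check first: ed25519.Verify panics on a malformed key.
		if !ok || keyName != sigName || len(pub) != ed25519.PublicKeySize {
			continue
		}
		if ed25519.Verify(ed25519.PublicKey(pub), msg, sigBytes) {
			return keyName
		}
	}
	return ""
}

// TrustedByAny is the single-cache rule: one valid signature from any trusted
// key is enough. This is the trust anchor described above.
func TrustedByAny(n NarInfo, sigs []string, trusted []string) bool {
	for _, s := range sigs {
		if VerifySig(n, s, trusted) != "" {
			return true
		}
	}
	return false
}

// Corroborated requires at least quorum distinct trusted keys to have signed
// the same fingerprint (same path, NAR hash, size and references). A single
// stolen or misused key can no longer publish a result on its own.
func Corroborated(n NarInfo, sigs []string, trusted []string, quorum int) bool {
	seen := map[string]bool{}
	for _, s := range sigs {
		if name := VerifySig(n, s, trusted); name != "" {
			seen[name] = true
		}
	}
	return len(seen) >= quorum
}

func main() {
	// Constructed sample output; the hashes are placeholders, not real store paths.
	honest := NarInfo{
		StorePath:  "/nix/store/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa-hello-2.12",
		NarHash:    "sha256:0000000000000000000000000000000000000000000000000000",
		NarSize:    226560,
		References: []string{"/nix/store/bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb-glibc-2.39"},
	}
	b1, pk1 := NewSigner("builder-1")
	b2, pk2 := NewSigner("builder-2")
	b3, pk3 := NewSigner("builder-3")
	trusted := []string{pk1, pk2, pk3}

	// The attacker holds builder-3's key and serves a different NAR under the same path.
	tampered := honest
	tampered.NarHash = "sha256:1111111111111111111111111111111111111111111111111111"
	evilSigs := []string{b3.Sign(tampered)}
	honestSigs := []string{b1.Sign(honest), b2.Sign(honest), b3.Sign(honest)}

	fmt.Println("single trusted key accepts tampered NAR:", TrustedByAny(tampered, evilSigs, trusted))
	fmt.Println("2-of-3 corroboration accepts tampered NAR:", Corroborated(tampered, evilSigs, trusted, 2))
	fmt.Println("2-of-3 corroboration accepts honest NAR:", Corroborated(honest, honestSigs, trusted, 2))
}
```

Note what the quorum does and does not buy you: it defeats one compromised key, but colluding builders, or several builders sharing the same compromised toolchain, would still agree on a bad output. That is why the public log matters alongside the quorum: anyone can rebuild the derivation later and compare against what was recorded.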

When a private cache is the right tool

If you are one team building for yourselves, a private cache (Cachix, attic, or your own bucket) is simpler and does everything you need. You already trust your own builds, so independent corroboration adds nothing. Reach for Vega when the people relying on a build do not all trust each other, or do not trust the publisher.

Where independent corroboration matters

The problem underneath

A reproducible build is one that anyone can recreate from the same source and get byte-for-byte identical output. Without that property there is no way to tell a backdoored binary from an honest one: a compromised cache can serve it under a legitimate store path, and a signature only says who signed it, not whether the content is honest. Independent reproduction, recorded in a transparency log, is what closes the gap, and a derivation that does not reproduce cannot be corroborated this way, which is why reproducibility is the precondition rather than a nice-to-have. It is the idea behind Certificate Transparency, applied to the Nix store. Trustix explored it for Nix; Vega runs it as a service.