Nixpkgs is massive with the largest, most up-to-date collection of Nix packages, powering reproducible systems and forming the backbone of many projects. But there's a problem: Nix packages' license metadata is a mess.

Nix's license tracking uses a custom license ID system that doesn't match the best practice of using SPDX license expressions standards, inconsistently referencing SPDX or ScanCode LicenseDB. The metadata often falls out of sync with the actual code or misrepresents what's really licensed, and packagers typically only check the top-level declared license and skip the file-level details where the real complexity hides. For an ecosystem built on correctness and reproducibility, this is a gap we need to close.

Nixpkgs Clarity fixes this with state-of-the-art automated license detection. We're correcting and standardizing license metadata across the entire Nixpkgs collection, aligning with SPDX best practices, and making sure what we declare actually matches what's in the code. This matters because accurate license data is critical for software supply chain security, CRA compliance, and anyone who needs to responsibly reuse Nixpkgs packages in production.

This talk shows how we're detecting and correcting license metadata across Nixpkgs, and what changes when you finally have accurate license data. We'll share how we are tackling the unique challenges of Nixpkgs at scale, with tens of thousands of packages, Nix's functional approach to package definitions, and automated detection in a way that maintainers can trust and verify.

If you care about making Nixpkgs even more reliable and supply chain ready, come see how we're bringing Nix's correctness principles to Nix packages' license metadata.