Many applications are packaged in OCI images but not in Guix. A good subset of them is written either in NodeJS, Go, Rust or languages that, as a general approach, encourage applications to have huge dependency graphs.
Remember the XZ Utils backdoor? One factor that enabled the attack was poor auditing of the release tarballs for differences compared to the Git version controlled source code. This proved to be a useful place to distribute malicious data.
“Does it really need to run as root?” When talking to system administrators of large supercomputers about installing Guix and having its build daemon run as root, this question would quickly come up—and rightfully so. We’re happy to announce that guix-daemon can now run without root privileges by taking advantage of Linux’s unprivileged user namespaces, a feature now available even on some of the most conservative supercomputers.
I rebuilt (the top-50 popcon) Debian and Ubuntu packages, on amd64 and arm64, and compared the results a couple of months ago. Since then the Reproduce.Debian.net effort has been launched. Unlike my small experiment, that effort is a full-scale rebuild with more architectures. Their goal is to reproduce what is published in the Debian archive.
Giacomo Leidi's talk at Guix.Social covering how to run Docker and OCI containers in Guix: bringing together the easy distribution of Docker containers and the capabilities of Guix's declarative configuration. All part of his Gocix project (https://github.com/fishinthecalculator/gocix), which provides ready-made services for Prometheus, Bonfire, Grafana, Forgejo and others.
Around a year ago I discussed two concerns with software release archives (tarball artifacts) that could be improved to increase confidence in the supply-chain security of software releases. Repeating the goals for simplicity:
In this post we'll see how to install and configure Prosody, an open-source XMPP server. We will be deploying Prosody on a Hetzner cloud instance, provisioned and configured with Guix and the powerful guix deploy command.
Guix-HPC is a collaborative effort to bring reproducible software deployment to scientific workflows and high-performance computing (HPC). Guix-HPC builds upon the GNU Guix software deployment tools and aims to make them useful for HPC practitioners and scientists concerned with dependency graph control and customization and, uniquely, reproducible research.
About
Planet Guix is a meta-blog that collects posts from the blogs of various Guix hackers and contributors.