Planet Guix

Part 1 of an introduction to regular expressions in Guile Scheme: metacharacters and character sets

Many applications are packaged in OCI images but not in Guix. A good subset of them is written either in NodeJS, Go, Rust or languages that, as a general approach, encourage applications to have huge dependency graphs.

After thinking about multi-stage Debian rebuilds I wanted to implement the idea. Recall my illustration:

Remember the XZ Utils backdoor? One factor that enabled the attack was poor auditing of the release tarballs for differences compared to the Git version controlled source code. This proved to be a useful place to distribute malicious data.

Can Guix's G-expressions make for a superior Make-like build tool? Here's a proof-of-concept implementation imagining such a future.

“Does it really need to run as root?” When talking to system administrators of large supercomputers about installing Guix and having its build daemon run as root, this question would quickly come up—and rightfully so. We’re happy to announce that guix-daemon can now run without root privileges by taking advantage of Linux’s unprivileged user namespaces, a feature now available even on some of the most conservative supercomputers.

I rebuilt (the top-50 popcon) Debian and Ubuntu packages, on amd64 and arm64, and compared the results a couple of months ago. Since then the Reproduce.Debian.net effort has been launched. Unlike my small experiment, that effort is a full-scale rebuild with more architectures. Their goal is to reproduce what is published in the Debian archive.

Giacomo Leidi's talk at Guix.Social covering how to run Docker and OCI containers in Guix: bringing together the easy distribution of Docker containers, and the capabilities of Guix's declarative configuration. All part of his Gocix project (https://github.com/fishinthecalculator/gocix) which provides ready made services for Prometheus, Bonfire, Grafana, Forgejo and others.

Around a year ago I discussed two concerns with software release archives (tarball artifacts) that could be improved to increase confidence in the supply-chain security of software releases. Repeating the goals for simplicity:

In this post we'll see how to install and configure Prosody, an open-source XMPP server. We will be deploying Prosody on a Hetzner cloud instance, provisioned and configured with Guix and the powerful guix deploy command.