- cross-posted to:
- guix@infosec.pub
- cross-posted to:
- guix@infosec.pub
You must log in or # to comment.
deleted by creator
It is a long article covering a bunch of things. But I’ll try to cover the items in the comments.
GUIX puts things in different location, making it incompatible with fhs standard. This important for guix to be able to implement its core features, namely these TWO
- guix can install/run multiple different versions of the same package (bash, firefox, whatever)
- guix can run/rollback your system/packages to a previously known state by swapping a link (and loading some settings)
The problem for the “consumer” here happens when they try to drop a binary they download from the internet and it fails to run because:
- it will not run because it cannot find the link loader lib/ld-linux-x86-64.so.2
- it cannot find something else where it expects (/bin/bash, /usr/lib64/libgtk.so, etc)
The article covers two solutions for this problem: the first is patchelf (but is only meaningful for link loader and libs) and the second is to run inside a container (guix shell --container --emulate-fhs). I should note here the container solution is not that different from e.g. flatpak or similar.
Now for my personal (and very biased) opinion. I do like that guix enforces this and that random binaries from the internet don’t simply run here.
Historically distros packaged software for various reasons - but one side effect of this is that package maintainers (i.e. your distro volunteers) vetted changes/updates, tested new releases and reported issues upstream (or patched it). For me this is an important part of Linux distros not being a monoculture.
Finally on a hopeful note. I don’t think this is insurmountable. The article mentions two things that already exist 1) guix packages that wrap binaries in containers and 2) guix import that does auto imports for libraries. In principle there could be a tool that glues these two to automate it but this will probably happen in one of the projects that packages binaries (nonguix probably).
deleted by creator
There’s also the fully reproducible build starting from a 357 byte seed file (cpu-specific) + guile library, to generate a full blown fully reproducible OS
https://guix.gnu.org/en/blog/2023/the-full-source-bootstrap-building-from-source-all-the-way-down/
deleted by creator
Yeah, that trusting trust paper really opened my eyes on how compiler development works through a series of hacks
No, it’s a common gripe.
I wish GUIX would just symlink libraries to standard paths instead of having to educate every single downstream tool where everything is with Env Variables
Is it such a big ask to expect bash to exist at /bin/bash?
deleted by creator
I just think the declarative syntax is cool, and is easier to read than Nix
But you typically run different commands in different shells, so if you needed to run different gcc’s, you could just create a customized chroot for each shell and make sure that all the tools are where they should be (/usr/bin/ /lib etc)
@tetris11 Typically but not always. Oftentimes guix runs on top of a foreign distribution, and then a chroot jail might be unhelpful.
how so? a chroot jail is a chroot jail. As long as you’ve got all your toys where they should be, what difference does it make to the distro?
@tetris11 Because guix as a general rule knows nothing about the underlying operating system, so you can’t expect it to set things up as you describe.
oh, true. In my head chroot is just proc/sys/dev binding, but you’re right that there are OS specific paths there too
Very informative post. I ran stuff before in guix container but learned about patchelf. Also agree on rust ecosystem of sprawling dependencies. Brings all the drawbacks of Python and JS into systems domain.
