From: Leo Famulari <leo@famulari.name>
To: Jan Nieuwenhuizen <janneke@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>
Subject: Re: What’s next?
Date: Wed, 24 May 2017 17:45:39 -0400 [thread overview]
Message-ID: <20170524214539.GA26320@jasmine> (raw)
In-Reply-To: <874lwaql17.fsf@gnu.org>
[-- Attachment #1: Type: text/plain, Size: 2398 bytes --]
On Wed, May 24, 2017 at 06:25:40PM +0200, Jan Nieuwenhuizen wrote:
> A friend of mine is having a second look at Guix (not SD yet) and one of
> the most confusing things initially is `guix pull'. "When/how do I use
> that," he asks...and I can only say: I'm not using that...I think we
> want this to work--or something like this, we talked about this at
> FOSDEM, but AFAIK everyone is using Guix with Git.
`guix pull` is one of the primary tools of Guix. For those who are new
to Guix, it should be described as a per-user `apt-get update`. That is,
it updates the list of available packages. The finer differences and
extra features are not important for new users to learn at the
beginning.
With the recent commit adding '--fallback' to `guix pull` [0], the main
reason for Guix users who are not Guix developers to resort to Git has
been removed.
So, I use and recommend `guix pull`!
Do you think the manual can be more clear about this? I'd really like to
hear which parts of the manual your friend read. Maybe we need to
rearrange or rewrite some sections.
I think the most immediate problem with `guix pull` is that it doesn't
support Git commit signature verification. So, you end up trusting
different things: basically, a subset of the X.509 PKI vs PGP+SHA1 [1,2].
I think we can fix this while making `guix pull` use (guix git).
Building Guix from Git is the normal way to develop Guix, and it avoids
downloading a Guix tarball from Savannah in the default case, so
developers will learn and use it, but it brings its own pitfalls.
[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4902d3c4e0376974356481f222583580b49f39e1
[1] `guix pull` verifies the certificate of <git.savannah.gnu.org>
against the Let's Encrypt trust chain *only*.
[2] If I understand correctly, Git commit signatures are of the SHA1
hash, not the actual commit data. So... not great if I'm correct, but it
will get better as Git introduces a new hash function. And SHA1
collisions are rather obvious to detect, at least according the public
research. An attempt at collision detection was added in Git 2.13.0.
> He responds with: then *why* is it in the manual. I have no answer.
> Possibly I'm wrong and/or my information is outdated?
Since we are all Guix developers, we talk about developing Guix, but not
as much the day-to-day use. So our impressions may not match actual
usage patterns.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-05-24 21:45 UTC|newest]
Thread overview: 114+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-24 13:11 What’s next? Ludovic Courtès
2017-05-24 13:23 ` Ricardo Wurmus
2017-05-27 10:01 ` Ludovic Courtès
2017-05-27 21:44 ` Ricardo Wurmus
2017-05-28 20:44 ` Ludovic Courtès
2017-05-28 21:36 ` Ricardo Wurmus
2017-05-30 15:55 ` Ludovic Courtès
2017-05-24 15:52 ` Brendan Tildesley
2017-05-27 10:04 ` Ludovic Courtès
2017-05-28 20:41 ` Maxim Cournoyer
2017-05-30 15:17 ` Ludovic Courtès
2017-06-03 21:16 ` Maxim Cournoyer
2017-05-24 16:09 ` Catonano
2017-05-24 16:25 ` Jan Nieuwenhuizen
2017-05-24 18:40 ` Adonay Felipe Nogueira
2017-05-24 19:34 ` Catonano
2017-05-24 19:56 ` Ricardo Wurmus
2017-05-30 0:09 ` myglc2
2017-05-24 21:47 ` Leo Famulari
2017-05-24 21:45 ` Leo Famulari [this message]
2017-05-25 8:11 ` What???s next? Pjotr Prins
2017-05-27 10:16 ` Ludovic Courtès
2017-05-28 7:30 ` What's next? Pjotr Prins
2017-05-28 20:48 ` Ludovic Courtès
2017-05-28 22:05 ` Roel Janssen
2017-05-30 15:19 ` Ludovic Courtès
2017-05-30 20:15 ` Pjotr Prins
2017-05-29 2:31 ` Maxim Cournoyer
2017-05-28 20:37 ` What???s next? Maxim Cournoyer
2017-05-28 21:34 ` Ricardo Wurmus
2017-05-30 15:14 ` Ludovic Courtès
2017-05-25 14:57 ` What’s next? Chris Marusich
2017-05-25 18:32 ` Leo Famulari
2017-05-25 20:01 ` Ricardo Wurmus
2017-05-25 20:41 ` Adonay Felipe Nogueira
2017-05-27 10:13 ` Ludovic Courtès
2017-05-29 23:28 ` myglc2
2017-06-08 14:35 ` Ricardo Wurmus
2017-05-27 10:09 ` Ludovic Courtès
2017-10-04 15:12 ` Release! Ludovic Courtès
2017-10-05 19:18 ` Release! Christopher Baines
2017-10-06 13:01 ` Release! Ludovic Courtès
2017-10-09 7:25 ` Release! Christopher Baines
2017-10-09 16:25 ` Release! Ludovic Courtès
2017-10-06 18:30 ` Release! Ricardo Wurmus
2017-10-06 23:31 ` Release! David Pirotte
2017-10-07 9:18 ` Release! Hartmut Goebel
2017-10-07 12:21 ` Release! David Pirotte
2017-10-07 21:30 ` Release! Ricardo Wurmus
2017-10-08 13:08 ` Release! Hartmut Goebel
2017-10-07 4:06 ` [PATCH] DRAFT: build: Compile scheme modules in batches (was Re: Release!) Mark H Weaver
2017-10-07 19:35 ` Efraim Flashner
2017-10-08 9:19 ` Ricardo Wurmus
2017-10-08 12:03 ` Ricardo Wurmus
2017-10-08 13:26 ` Ricardo Wurmus
2017-10-09 7:38 ` Ludovic Courtès
2017-10-09 11:32 ` Ricardo Wurmus
2017-10-10 6:52 ` Ricardo Wurmus
2017-10-09 7:42 ` Ludovic Courtès
2017-10-09 7:53 ` Release! Ludovic Courtès
2017-11-20 22:07 ` Release! Ludovic Courtès
2017-11-30 10:40 ` Release! Ludovic Courtès
2017-12-01 2:57 ` Release! Maxim Cournoyer
2017-12-01 18:30 ` Release! Leo Famulari
2017-12-01 19:32 ` Release! Ricardo Wurmus
2017-12-04 8:53 ` Release! Ludovic Courtès
2017-12-04 8:58 ` ISO image available for testing! Ludovic Courtès
2017-12-04 21:35 ` Christopher Baines
2017-12-04 22:34 ` Ludovic Courtès
2017-12-05 22:47 ` Ludovic Courtès
2017-12-06 0:52 ` Mark H Weaver
2017-12-06 1:17 ` Ben Woodcroft
2017-12-06 2:16 ` native-inputs ending up as run-time references [was: ISO image available for testing!] Tobias Geerinckx-Rice
2017-12-06 3:18 ` Leo Famulari
2017-12-06 3:48 ` Tobias Geerinckx-Rice
2017-12-06 8:04 ` ISO image available for testing! Mark H Weaver
2017-12-06 8:14 ` Ludovic Courtès
2017-12-06 16:29 ` Tobias Geerinckx-Rice
2017-12-07 20:09 ` Christopher Baines
2017-12-07 21:19 ` Ludovic Courtès
2017-12-04 8:52 ` Release! Ludovic Courtès
2017-12-05 2:47 ` Release! Maxim Cournoyer
-- strict thread matches above, loose matches on Subject: below --
2021-05-15 17:47 What’s next? Ludovic Courtès
2021-05-15 18:08 ` Julien Lepiller
2021-05-18 19:30 ` Leo Famulari
2021-05-18 21:19 ` Julien Lepiller
2021-05-18 20:25 ` Ludovic Courtès
2021-05-19 15:39 ` Katherine Cox-Buday
2021-05-19 16:22 ` Ricardo Wurmus
2021-05-15 20:24 ` Efraim Flashner
2021-05-16 18:25 ` raingloom
2021-05-16 22:06 ` Joshua Branson
2021-05-17 20:13 ` Ludovic Courtès
2021-05-21 11:07 ` Efraim Flashner
2021-05-26 13:26 ` Ludovic Courtès
2021-05-16 4:09 ` Maxim Cournoyer
2021-05-16 8:57 ` Pierre Neidhardt
2021-05-16 18:18 ` Christopher Lemmer Webber
2021-05-17 5:43 ` Pierre Neidhardt
2021-05-16 13:38 ` Maxime Devos
2021-05-16 16:08 ` Vagrant Cascadian
2021-05-16 16:26 ` Svante Signell
2021-05-17 14:45 ` Leo Famulari
2021-05-18 2:35 ` Joshua Branson
2021-05-18 14:05 ` Leo Famulari
2021-05-22 23:11 ` raingloom
2021-05-24 22:32 ` Joshua Branson
2021-05-17 12:36 ` zimoun
2021-05-18 3:37 ` Bone Baboon
2021-05-18 13:08 ` Bone Baboon
2021-05-18 20:24 ` Ludovic Courtès
2021-05-18 16:44 ` Maxime Devos
2021-05-16 12:24 Brendan Tildesley
2021-05-17 20:25 ` Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170524214539.GA26320@jasmine \
--to=leo@famulari.name \
--cc=guix-devel@gnu.org \
--cc=janneke@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).