On Wed, May 24, 2017 at 06:25:40PM +0200, Jan Nieuwenhuizen wrote:
> A friend of mine is having a second look at Guix (not SD yet) and one of
> the most confusing things initially is `guix pull'. "When/how do I use
> that," he asks...and I can only say: I'm not using that...I think we
> want this to work--or something like this, we talked about this at
> FOSDEM, but AFAIK everyone is using Guix with Git.

`guix pull` is one of the primary tools of Guix.

For those who are new to Guix, it should be described as a per-user `apt-get update`. That is, it updates the list of available packages. The finer differences and extra features are not important for new users to learn at the beginning.

With the recent commit adding '--fallback' to `guix pull` [0], the main reason for Guix users who are not Guix developers to resort to Git has been removed.

So, I use and recommend `guix pull`! Do you think the manual can be more clear about this? I'd really like to hear which parts of the manual your friend read. Maybe we need to rearrange or rewrite some sections.

I think the most immediate problem with `guix pull` is that it doesn't support Git commit signature verification. So, you end up trusting different things: basically, a subset of the X.509 PKI vs PGP+SHA1 [1,2]. I think we can fix this while making `guix pull` use (guix git).

Building Guix from Git is the normal way to develop Guix, and it avoids downloading a Guix tarball from Savannah in the default case, so developers will learn and use it, but it brings its own pitfalls.

[0] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4902d3c4e0376974356481f222583580b49f39e1

[1] `guix pull` verifies the certificate of against the Let's Encrypt trust chain *only*.

[2] If I understand correctly, Git commit signatures are of the SHA1 hash, not the actual commit data. So... not great if I'm correct, but it will get better as Git introduces a new hash function. And SHA1 collisions are rather obvious to detect, at least according to the public research. An attempt at collision detection was added in Git 2.13.0.

> He responds with: then *why* is it in the manual. I have no answer.
> Possibly I'm wrong and/or my information is outdated?

Since we are all Guix developers, we talk about developing Guix, but not as much the day-to-day use. So our impressions may not match actual usage patterns.