From: Leo Famulari
Subject: Re: What's next?
Date: Wed, 24 May 2017 17:45:39 -0400
Message-ID: <20170524214539.GA26320@jasmine>
In-Reply-To: <874lwaql17.fsf@gnu.org>
To: Jan Nieuwenhuizen
Cc: guix-devel

On Wed, May 24, 2017 at 06:25:40PM +0200, Jan Nieuwenhuizen wrote:
> A friend of mine is having a second look at Guix (not SD yet) and one of
> the most confusing things initially is `guix pull'. "When/how do I use
> that," he asks...and I can only say: I'm not using that...I think we
> want this to work--or something like this, we talked about this at
> FOSDEM, but AFAIK everyone is using Guix with Git.

`guix pull` is one of the primary tools of Guix. For those who are new to Guix, it should be described as a per-user `apt-get update`. That is, it updates the list of available packages. The finer differences and extra features are not important for new users to learn at the beginning.
With the recent commit adding '--fallback' to `guix pull` [0], the main reason for Guix users who are not Guix developers to resort to Git has been removed. So, I use and recommend `guix pull`!

Do you think the manual can be more clear about this? I'd really like to hear which parts of the manual your friend read. Maybe we need to rearrange or rewrite some sections.

I think the most immediate problem with `guix pull` is that it doesn't support Git commit signature verification. So, you end up trusting different things: basically, a subset of the X.509 PKI vs PGP+SHA1 [1,2]. I think we can fix this while making `guix pull` use (guix git).

Building Guix from Git is the normal way to develop Guix, and it avoids downloading a Guix tarball from Savannah in the default case, so developers will learn and use it, but it brings its own pitfalls.

[0] https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4902d3c4e0376974356481f222583580b49f39e1

[1] `guix pull` verifies the certificate of against the Let's Encrypt trust chain *only*.

[2] If I understand correctly, Git commit signatures are of the SHA1 hash, not the actual commit data. So... not great if I'm correct, but it will get better as Git introduces a new hash function. And SHA1 collisions are rather obvious to detect, at least according to the public research. An attempt at collision detection was added in Git 2.13.0.

> He responds with: then *why* is it in the manual. I have no answer.
> Possibly I'm wrong and/or my information is outdated?

Since we are all Guix developers, we talk about developing Guix, but not as much the day-to-day use. So our impressions may not match actual usage patterns.
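As an added illustration of footnote [2] (example code, not from this thread or from the Guix project), the Python below splits a git commit object into the embedded `gpgsig` signature and the payload git hands to gpg for verification, and lists the object ids that payload names only by SHA-1 hash; `verify_with_gpg` mirrors git's own gpg invocation. The sample commit object, its object ids and its signature body are constructed placeholders, and `gpg` is assumed to be installed.

```python
import re, subprocess, tempfile

# Constructed sample commit object, laid out as `git cat-file commit <id>`
# prints it.  The object ids and the signature body are placeholders (the
# armor's blank line, a lone space in git's encoding, is left out here).
SAMPLE_COMMIT = """tree 0123456789abcdef0123456789abcdef01234567
parent 89abcdef0123456789abcdef0123456789abcdef
author Example Dev <dev@example.org> 1495662339 -0400
committer Example Dev <dev@example.org> 1495662339 -0400
gpgsig -----BEGIN PGP SIGNATURE-----
 PLACEHOLDERSIGNATUREBODY
 =AAAA
 -----END PGP SIGNATURE-----

gnu: hello: Update to 2.10.
"""

def split_signed_commit(raw):
    """Return (payload, signature): the signature is the 'gpgsig' header
    (continuation lines start with one space); the payload is the object
    with that header removed, which is exactly what gpg is asked to verify."""
    headers, sep, body = raw.partition("\n\n")   # blank line ends the headers
    kept, sig, in_sig = [], [], False
    for line in headers.split("\n"):
        if line.startswith("gpgsig "):
            in_sig = True
            sig.append(line[len("gpgsig "):])
        elif in_sig and line.startswith(" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return "\n".join(kept) + sep + body, "".join(l + "\n" for l in sig)

def sha1_references(payload):
    """Object ids the signed payload names only by SHA-1.  File contents are
    not signed directly, so the signature vouches for the tree only as far
    as SHA-1 stays collision free for these objects."""
    return re.findall(r"^(?:tree|parent) ([0-9a-f]{40})$", payload, re.M)

def verify_with_gpg(raw):
    """Verify the way git does: signature in a file, payload on gpg's stdin.
    Assumes gpg is installed and the signer's key is in the keyring."""
    payload, sig = split_signed_commit(raw)
    with tempfile.NamedTemporaryFile("w", suffix=".asc") as sf:
        sf.write(sig)
        sf.flush()
        res = subprocess.run(["gpg", "--batch", "--verify", sf.name, "-"],
                             input=payload.encode(), capture_output=True)
    return res.returncode == 0
```

Running `sha1_references` on a real commit shows the same thing: the signature covers a handful of 40-hex-digit ids, and everything below them (the tree, the blobs, the history) is bound to the signature only through SHA-1.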