From mboxrd@z Thu Jan  1 00:00:00 1970
From: Leo Famulari <leo@famulari.name>
Subject: Re: =?utf-8?B?V2hhdOKAmXM=?= next?
Date: Wed, 24 May 2017 17:45:39 -0400
Message-ID: <20170524214539.GA26320@jasmine>
References: <877f16z9eo.fsf@gnu.org>
 <874lwaql17.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:50318)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1dDe6E-0004M0-5y
	for guix-devel@gnu.org; Wed, 24 May 2017 17:45:48 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <leo@famulari.name>) id 1dDe6A-0003yf-Sa
	for guix-devel@gnu.org; Wed, 24 May 2017 17:45:46 -0400
Content-Disposition: inline
In-Reply-To: <874lwaql17.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel/>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel" <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
To: Jan Nieuwenhuizen <janneke@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>


--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, May 24, 2017 at 06:25:40PM +0200, Jan Nieuwenhuizen wrote:
> A friend of mine is having a second look at Guix (not SD yet) and one of
> the most confusing things initially is `guix pull'.  "When/how do I use
> that," he asks...and I can only say: I'm not using that...I think we
> want this to work--or something like this, we talked about this at
> FOSDEM, but AFAIK everyone is using Guix with Git.

`guix pull` is one of the primary tools of Guix. For those who are new
to Guix, it should be described as a per-user `apt-get update`. That is,
it updates the list of available packages. The finer differences and
extra features are not important for new users to learn at the
beginning.

With the recent commit adding '--fallback' to `guix pull` [0], the main
reason for Guix users who are not Guix developers to resort to Git has
been removed.

So, I use and recommend `guix pull`!

Do you think the manual can be more clear about this? I'd really like to
hear which parts of the manual your friend read. Maybe we need to
rearrange or rewrite some sections.

I think the most immediate problem with `guix pull` is that it doesn't
support Git commit signature verification. So, you end up trusting
different things: basically, a subset of the X.509 PKI vs PGP+SHA1 [1,2].
I think we can fix this while making `guix pull` use (guix git).

Building Guix from Git is the normal way to develop Guix, and it avoids
downloading a Guix tarball from Savannah in the default case, so
developers will learn and use it, but it brings its own pitfalls.

[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4902d3c4e0376974356481f222583580b49f39e1

[1] `guix pull` verifies the certificate of <git.savannah.gnu.org>
against the Let's Encrypt trust chain *only*.

[2] If I understand correctly, Git commit signatures are of the SHA1
hash, not the actual commit data. So... not great if I'm correct, but it
will get better as Git introduces a new hash function. And SHA1
collisions are rather obvious to detect, at least according the public
research. An attempt at collision detection was added in Git 2.13.0.

> He responds with: then *why* is it in the manual.  I have no answer.
> Possibly I'm wrong and/or my information is outdated?

Since we are all Guix developers, we talk about developing Guix, but not
as much the day-to-day use. So our impressions may not match actual
usage patterns.

--7AUc2qLy4jB3hD7Z
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEsFFZSPHn08G5gDigJkb6MLrKfwgFAlkl/wAACgkQJkb6MLrK
fwjuMQ/9EjcOncRJp6/SlZTMKzLxePzdtGReDJlGBg10EvoU2yDVy/+IQKH+U5wg
vl35yE7V/h/vL3EWccEhfuO0zjUeBUHkFXSwquGEzNOsp3bAeBeANf2Q+2qW3rMv
krENuu+VoXV/W91TbO94ONF5yGi5Zvxkp9shzITfwGnTnDe9FjmZ4ZaK2xox6Gi2
067/2mLI22lK1HtOrhCwrrI4RbOJtakOowvyk7WLNtA/M27M5/w45sxua0dul5wA
es5qKrmJhTc4nyCGXLl9/pTYJ9TEM/tfldh1SkAEctCD9+tKMCfwf07ar7sRlFpv
DAEbc8n4b9gFkOSzqLbzKF8xGqSmcfad+QKjiysSBXBVquWfobW5pongRDrLwLKb
w7SbyJgoaT9hKlumNmdEXz/y6d7PhtRnOzD5jEqZ6x2ZNDPoyzd6UUD5gbc3+ppf
LtwQD6+HHQCb1X9RK96aen3gP0KYC3cc8AP1A+0C6ASjDsQW8Wpp+Ry4kalvvvU+
3Tk3EE1CwefAEWUfpK6NWe8krUCrX9tNK/BNrgBonkmKSwIhJbCymmFWq8/vqSvm
rfKRH+LalDotv8zosnd/RZNzX/euDugSFDZmqwORy4mYKijfYdH/mwzaERLkjFiJ
G/CtDv6P/9fnjNXVLi/lSDeblWP9e4iE2CwQXfZevJAqAzIWvTA=
=g8nV
-----END PGP SIGNATURE-----

--7AUc2qLy4jB3hD7Z--