From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: guix-devel@gnu.org, Vivien Kraus <vivien@planete-kraus.eu>
Subject: Re: Bootstrap a GNU source distribution from git
Date: Sun, 6 Oct 2024 00:57:47 +0200 [thread overview]
Message-ID: <20241006005747.06a16840@primary_laptop> (raw)
In-Reply-To: <9DD4B472-70C8-489F-B86E-23891365E9C6@tobias.gr>
[-- Attachment #1: Type: text/plain, Size: 2535 bytes --]
On Tue, 01 Oct 2024 10:20:54 +0000
Tobias Geerinckx-Rice <me@tobias.gr> wrote:
> >Since Guix also checks the hash of the source code an idea to improve
> >things could also be to modify Guix to allow the use of external
> >tools to bootstrap the download of source code through version
> >control and for instance download git from git.
>
> I don't understand what you mean by this, or what 'modify Guix' means
> and why it would be needed?
We currently have something like that:
> (define-public git-minimal
> (package
> (name "git-minimal")
> (version "2.46.0")
> (source (origin
> (method url-fetch)
> (uri (string-append
> "mirror://kernel.org/software/scm/git/git-" version ".tar.xz"))
> (sha256
> (base32
> "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
> [...]
If we replace with something like that:
> (define-public git-minimal
> (package
> (name "git-minimal")
> (version "2.46.0")
> (source
> (origin
> (method git-fetch)
> (uri
> (git-reference
> (url "https://git.kernel.org/pub/scm/git/git.git"))
> (commit "<some hash>")))
> (file-name (git-file-name name version))
> (sha256
> (base32
> "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
> [...]
Then we have at least 2 issues.
The first one is that we might end up with circular dependencies inside
the Guix source code somehow that creates issues when building packages
and/or guix, etc. But that might be fixable with some work.
However if I understand well, that circular dependency would not create
any security/reproducibility issue since we would already have a base32
hash of the source code of "git-minimal".
And so if for instance someone packages Guix on a foreign distribution,
we could imagine some system(s) where the the git source code is somehow
provided to Guix as a dependency, and so once built, Guix would be able
to use that provided source code by verifying its hash and then using
it to build git, and enabling Guix to download subsequent packages
using git.
This could then be extended to all the packages that git depend on, and
with that we'd then be able to use git a lot more without security
issues.
The downside is that as always someone needs to be interested in it,
and find the time to work on it. It also might make building Guix
harder.
Denis.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2024-10-05 23:36 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-09-29 17:52 Bootstrap a GNU source distribution from git Vivien Kraus
2024-09-30 21:43 ` Denis 'GNUtoo' Carikli
2024-10-01 10:20 ` Tobias Geerinckx-Rice
2024-10-05 22:57 ` Denis 'GNUtoo' Carikli [this message]
2024-11-14 11:02 ` Ludovic Courtès
2024-10-06 7:50 ` Janneke Nieuwenhuizen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20241006005747.06a16840@primary_laptop \
--to=gnutoo@cyberdimension.org \
--cc=guix-devel@gnu.org \
--cc=me@tobias.gr \
--cc=vivien@planete-kraus.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).