unofficial mirror of guix-devel@gnu.org 
From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: guix-devel@gnu.org, Vivien Kraus <vivien@planete-kraus.eu>
Subject: Re: Bootstrap a GNU source distribution from git
Date: Sun, 6 Oct 2024 00:57:47 +0200
Message-ID: <20241006005747.06a16840@primary_laptop>
In-Reply-To: <9DD4B472-70C8-489F-B86E-23891365E9C6@tobias.gr>


On Tue, 01 Oct 2024 10:20:54 +0000
Tobias Geerinckx-Rice <me@tobias.gr> wrote:
> >Since Guix also checks the hash of the source code an idea to improve
> >things could also be to modify Guix to allow the use of external
> >tools to bootstrap the download of source code through version
> >control and for instance download git from git.
> 
> I don't understand what you mean by this, or what 'modify Guix' means
> and why it would be needed?

We currently have something like that:
> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source (origin
>              (method url-fetch)
>              (uri (string-append
> "mirror://kernel.org/software/scm/git/git-" version ".tar.xz"))
>              (sha256
>               (base32
>                "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
> [...]

If we replace with something like that:
> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source
>       (origin
>         (method git-fetch)
>         (uri
>           (git-reference
>             (url "https://git.kernel.org/pub/scm/git/git.git")
>             (commit "<some hash>")))
>         (file-name (git-file-name name version))
>         (sha256
>           (base32
>             "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
> [...]

Then we have at least 2 issues.

The first one is that we might end up with circular dependencies inside
the Guix source code somehow that creates issues when building packages
and/or guix, etc. But that might be fixable with some work.

However if I understand well, that circular dependency would not create
any security/reproducibility issue since we would already have a base32
hash of the source code of "git-minimal".

And so if for instance someone packages Guix on a foreign distribution,
we could imagine some system(s) where the git source code is somehow
provided to Guix as a dependency, and so once built, Guix would be able
to use that provided source code by verifying its hash and then using
it to build git, and enabling Guix to download subsequent packages
using git.

This could then be extended to all the packages that git depends on, and
with that we'd then be able to use git a lot more without security
issues.

The downside is that as always someone needs to be interested in it,
and find the time to work on it. It also might make building Guix
harder.

Denis.
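
The hash check this message relies on, as an added example that is not part of the original message or of Guix's own code: it encodes a SHA-256 digest in the base32 variant used in the `(base32 "...")` fields above and accepts an externally provided source file only if it matches the pinned value. The function names and the sample data are assumptions made for illustration, and it covers only a single file, as with `url-fetch`; hashing a directory checkout is not covered.

```python
import hashlib
import os
import tempfile

# Alphabet of the Nix/Guix base32 variant (it omits e, o, t and u).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32(digest: bytes) -> str:
    """Encode a digest the way an origin's (base32 "...") field shows it."""
    n_chars = (len(digest) * 8 - 1) // 5 + 1
    out = []
    for n in range(n_chars - 1, -1, -1):  # highest 5-bit group first
        i, j = divmod(n * 5, 8)
        c = digest[i] >> j
        if i + 1 < len(digest):
            c |= digest[i + 1] << (8 - j)
        out.append(NIX_B32[c & 0x1F])
    return "".join(out)


def source_matches_pin(path: str, pinned_base32: str) -> bool:
    """Return True only if the file at `path` hashes to the pinned sha256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return nix_base32(h.digest()) == pinned_base32


def demo() -> dict:
    # Constructed sample data standing in for a source tarball.
    good = b"constructed stand-in for a source tarball\n"
    # The value a package definition would record for that source.
    pin = nix_base32(hashlib.sha256(good).digest())
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for label, data in (("provided", good), ("tampered", good + b"x")):
            path = os.path.join(d, label)
            with open(path, "wb") as f:
                f.write(data)
            # The decision depends only on the bytes, not on who supplied them.
            results[label] = source_matches_pin(path, pin)
    return results


if __name__ == "__main__":
    print(demo())
```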
