Date: Sun, 6 Oct 2024 00:57:47 +0200
From: Denis 'GNUtoo' Carikli
To: Tobias Geerinckx-Rice
Cc: guix-devel@gnu.org, Vivien Kraus
Subject: Re: Bootstrap a GNU source distribution from git
Message-ID: <20241006005747.06a16840@primary_laptop>
In-Reply-To: <9DD4B472-70C8-489F-B86E-23891365E9C6@tobias.gr>
References: <20240930234306.1609bf7a@primary_laptop> <9DD4B472-70C8-489F-B86E-23891365E9C6@tobias.gr>

On Tue, 01 Oct 2024 10:20:54 +0000
Tobias Geerinckx-Rice wrote:

> >Since Guix also checks the hash of the source code an idea to improve
> >things could also be to modify Guix to allow the use of external
> >tools to bootstrap the download of source code through version
> >control and for instance download git from git.
>
> I don't understand what you mean by this, or what 'modify Guix' means
> and why it would be needed?

We currently have something like that:
> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source (origin
>               (method url-fetch)
>               (uri (string-append
>                     "mirror://kernel.org/software/scm/git/git-" version ".tar.xz"))
>               (sha256
>                (base32
>                 "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
>     [...]

If we replace with something like that:
> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source
>      (origin
>        (method git-fetch)
>        (uri
>         (git-reference
>          (url "https://git.kernel.org/pub/scm/git/git.git")
>          (commit "")))
>        (file-name (git-file-name name version))
>        (sha256
>         (base32
>          "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
>     [...]

Then we have at least 2 issues.

The first one is that we might end up with circular dependencies inside
the Guix source code somehow that creates issues when building packages
and/or guix, etc. But that might be fixable with some work.

However, if I understand well, that circular dependency would not create
any security/reproducibility issue since we would already have a base32
hash of the source code of "git-minimal".

And so if for instance someone packages Guix on a foreign distribution,
we could imagine some system(s) where the git source code is somehow
provided to Guix as a dependency, and so once built, Guix would be able
to use that provided source code by verifying its hash and then using it
to build git, and enabling Guix to download subsequent packages using
git.

This could then be extended to all the packages that git depends on, and
with that we'd then be able to use git a lot more without security
issues.

The downside is that as always someone needs to be interested in it, and
find the time to work on it. It also might make building Guix harder.

Denis.
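
As an added illustration (not part of the original message and not Guix code), here is a Python sketch of the check the message relies on: source code supplied from outside is only accepted if its SHA-256 matches the pinned base32 string. It assumes the flat-file hash of a `url-fetch` tarball and the nix-style base32 alphabet used in `(base32 "...")` fields; the function names and sample bytes are made up for the example.

```python
import hashlib
import hmac

# Alphabet of the nix-style base32 used in Guix `(base32 "...")` fields
# (no e, o, t, u).
NIX_B32 = "0123456789abcdfghijklmnpqrsvwxyz"


def nix_base32_encode(digest: bytes) -> str:
    """Encode a digest: 5-bit groups of the little-endian value, top group first."""
    value = int.from_bytes(digest, "little")
    length = (len(digest) * 8 - 1) // 5 + 1
    return "".join(NIX_B32[(value >> (5 * i)) & 0x1F]
                   for i in reversed(range(length)))


def nix_base32_decode(text: str, size: int = 32) -> bytes:
    """Decode a pinned hash string back to `size` raw bytes, rejecting bad input."""
    if len(text) != (size * 8 - 1) // 5 + 1:
        raise ValueError("wrong length for a %d-byte digest" % size)
    value = 0
    for ch in text:
        index = NIX_B32.find(ch)
        if index < 0:
            raise ValueError("character %r is not in the alphabet" % ch)
        value = (value << 5) | index
    if value >> (size * 8):
        raise ValueError("padding bits are not zero")
    return value.to_bytes(size, "little")


def source_matches(data: bytes, pinned: str) -> bool:
    """True only if SHA-256(data) equals the pinned hash (hypothetical helper)."""
    try:
        expected = nix_base32_decode(pinned)
    except ValueError:
        return False  # a malformed pin never validates anything
    return hmac.compare_digest(hashlib.sha256(data).digest(), expected)


# Constructed sample: bytes standing in for a source tarball supplied from outside.
PROVIDED = b"constructed stand-in for git-2.46.0.tar.xz\n"
PINNED = nix_base32_encode(hashlib.sha256(PROVIDED).digest())

if __name__ == "__main__":
    print(source_matches(PROVIDED, PINNED))                # True
    print(source_matches(PROVIDED + b"tampered", PINNED))  # False
```
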