From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp12.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id wFQsLY8h/2OeDgEAbAwnHQ (envelope-from ) for ; Wed, 01 Mar 2023 10:57:35 +0100 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp12.migadu.com with LMTPS id aM8TLY8h/2PO+AAAauVa8A (envelope-from ) for ; Wed, 01 Mar 2023 10:57:35 +0100 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 929581EF6E for ; Wed, 1 Mar 2023 10:57:35 +0100 (CET) Authentication-Results: aspmx1.migadu.com; dkim=pass header.d=jpoiret.xyz header.s=dkim header.b=JYMMcVZv; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=jpoiret.xyz ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1677664655; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=Vdwvn8Hz/2ShafA/+2pmvVOWW6ANSLiyc8gSTTE2j4M=; b=EnG0mUNikFD1TvnLWR7lu5Pgct/GvIYETMdAevUr/EyfI1r8OgWyRzcp4Abbi6jGZd263/ Cm3C86XVdHZOUeEuSl17vnx6JK3BJk7h5cYlD1kg99Qhq6XX5IjxqBaWPGvZJh9ZGm9l9a LTNuUOv8L1CrLBz7B6NTBlBsp6uJ8ngielTM31c+D6Dmaqwwysh9qb1Ujwbo78SsP3SqJ3 ZF+P79pf8pXf5r366FfkL4eHmgfaLb1EQYEPC9jHnxIfWMj90xHJokPGnHm3IClKRB5aOa RFBxT6phBaC3bWnQpujmL/q11tnQmIUn9SEiT0E3MBt1m+wa7fPmSuECB1RyWw== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=pass header.d=jpoiret.xyz header.s=dkim header.b=JYMMcVZv; spf=pass (aspmx1.migadu.com: domain of "guix-devel-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="guix-devel-bounces+larch=yhetil.org@gnu.org"; dmarc=pass (policy=reject) header.from=jpoiret.xyz ARC-Seal: i=1; s=key1; d=yhetil.org; t=1677664655; a=rsa-sha256; cv=none; b=MqqkY0aDNIi3OMyYrxusiIZqrHE1NpjGiztmcSmXRvxPg2/xjNt8exjfcvwRDHiMF/dGd9 SyIfzbHzlvBmYfMIAQ4+2CeFcL1bbn6qK0efc2cd2VKFRYv4oRD5RWI6lzOUI1oyi7azPP wkXJnZiAC9E8y/Zuz//8lNqTPxGhHpqpoi1GviI26J/MMh6Wdyu6VO8vs9GJTI+gB5P8Ef kyMdvT9UgJVxri0PPBmk8tc1q66bFc05cw3I94Q/RGGFGENkDq4zDltS6qTLcy6CBnZ+HW rdlkwk28B8C8aWv+CC5XY/mSij25eqBSE26MscGbwQrg9ALFJaiYUb5ACxlFkw== Received: from localhost ([::1] helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1pXJCt-0003I9-9j; Wed, 01 Mar 2023 04:57:07 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pXJCo-0003Hs-6n for guix-devel@gnu.org; Wed, 01 Mar 2023 04:57:06 -0500 Received: from jpoiret.xyz ([206.189.101.64]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1pXJCm-0003jY-Hg for guix-devel@gnu.org; Wed, 01 Mar 2023 04:57:01 -0500 Received: from authenticated-user (jpoiret.xyz [206.189.101.64]) by jpoiret.xyz (Postfix) with ESMTPA id F1615185309; Wed, 1 Mar 2023 09:56:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpoiret.xyz; s=dkim; t=1677664617; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=Vdwvn8Hz/2ShafA/+2pmvVOWW6ANSLiyc8gSTTE2j4M=; b=JYMMcVZvlpVQoS/U2plh1CVoa4UuEnw60A+QBKnswaY46QM2K4PFb4KBohbvVTk5gNZeAH BsCVUtqqG7JWJlo04A+ro9yQxgunNIFLT4izt+Ro3yvCMzKsgfsCGJ1rS5ciAFt0I/18Gp nhj3kiGjXawAwwg+qyhfyAmXaq56A2UVXnYg7LVDww90mR+EVpfvVCIOhQFmJ/x6A9B45s eEm/0VSSS1T8LMLg4AaYtQxxe3kVdvy/CGkzX6uBDAjPc0timeaIv5QhksIMWmJcs7rJ2+ 9O4/y4wpKjjLP1OMoS5BLf1h3ApaTyjLQ4PSdp61X6JY7Bso1G0dhWcbv6IrbA== From: Josselin Poiret To: Jonathan Frederickson , guix-devel@gnu.org Cc: christine@spritely.institute Subject: Re: Guix, Nix flakes, and object capabilities In-Reply-To: <871qm986fp.fsf@terracrypt.net> References: <871qm986fp.fsf@terracrypt.net> Date: Wed, 01 Mar 2023 10:56:47 +0100 Message-ID: <87356ookv4.fsf@jpoiret.xyz> MIME-Version: 1.0 Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature" X-Spamd-Bar: / Received-SPF: pass client-ip=206.189.101.64; envelope-from=dev@jpoiret.xyz; helo=jpoiret.xyz X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: guix-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: X-Migadu-Spam-Score: -5.79 X-Spam-Score: -5.79 X-Migadu-Scanner: scn0.migadu.com X-Migadu-Queue-Id: 929581EF6E List-Subscribe: , Errors-To: guix-devel-bounces+larch=yhetil.org@gnu.org Sender: guix-devel-bounces+larch=yhetil.org@gnu.org X-Migadu-Country: US X-Migadu-Flow: FLOW_IN X-TUID: 5++7pQQ7JFSh --=-=-= Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi Jonathan, I'll only address the first part, because we already have a nice solution to that. Jonathan Frederickson writes: > Hello Guix, > > I recently had a discussion in #spritely on Libera.Chat about Guix and > Nix, and in particular a (relatively) new feature of Nix called flakes > that Guix doesn't currently have an analogue for. > > I've been a Guix user for a while, but I've only recently started > looking at using Guix for development via ~guix shell~ as in this blog > post by David Thompson[0]. The Guile port of Spritely has been using it, > so I've been trying it out for one of my own projects as a result. And > it seems pretty nice; you're using the same package definitions you > might use when contributing a package upstream to Guix, which feels > pretty natural as someone already pretty familiar with Guix as a user. > > However, I noticed something about the resulting dependency graph that > feels somewhat unsatisfying. When you define a package, the > dependencies you provide in e.g. ~inputs~ are references to > packages. And the way you get those is, of course, by importing > modules containing those packages. > > But the package you end up with each time you do that... depends on > which revision of Guix you're running when you run ~guix shell~! So if > I point someone to a project with a ~guix.scm~ file, they might not be > able to use it if their Guix revision is too old. (Or too new, if > packages have been renamed or removed.) More generally, it means that > they do not end up with the same dependency graph that I do. This > makes troubleshooting potentially tricky, because if something breaks > you have to check the resulting profile to see which versions of your > package's dependencies (and transitive dependencies) are actually > installed. But we do have a nice solution for this problem: `guix time-machine`! You can use a Guix from any commit you want alongside other channels, by just knowing what commits people are using. If projects do rely on specific versions of dependencies, they can distribute a channels.scm file to be consumed by `guix time-machine`. Now my personal opinion: you should note that it's a very bad idea in general to rely on specific versions of dependencies. Downstream consumers of your software should be able to use it with up-to-date dependencies, because they can provide security benefits, bugfixes, etc. Having version pinning like in go leads to dependency hell, and should be frowned upon. Best, =2D-=20 Josselin Poiret --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQHEBAEBCAAuFiEEOSSM2EHGPMM23K8vUF5AuRYXGooFAmP/IV8QHGRldkBqcG9p cmV0Lnh5egAKCRBQXkC5FhcaisFRC/4vpSwwEB3sMa7yy9fQnycp4C85QR34XgBy G7cWcyM/mMrdW67JIT6e7xuwN7TphqJhP57mJofvSZ+bo26pqZS6xmg/pDvGVfca fsb4kVQifA9ppLZnYwfM24+cM7P6EehVmIg/d8+Q6lGXm2NAroqq2ciERz6zBnWq t/b1DS/2UPYf/9N6edo4pgKMXqIXTaDaBWBfZTovwr2xIYFO6x4TtiRFNpMvHenc 4DM29/twX3hymveqsCDI+RUf+lh4o+LfInzdrtHIhPSfugVKEzcyeU80PoK1Sk7I 36uYMq+pEemIxvP4VuHsaYPYyoWrlMrSsQ81Hp/SxfvdF5cwrXbRD1Do7d+ydh6B vJAhYiktHv5CNifAPOFrUrE7OG2SEky2KkfdMr4ZxgeF/sIQhXWEKaTIG3FdSHIc kh/Xf0AJXHeI1NEBliQKHPi+nnKoINHyWgPwV+4yaOrCjYw+u3Y4RapgP8xnfqyP JCTBVEPqHFbxKLQG5squqICLGvavUGU= =+qCG -----END PGP SIGNATURE----- --=-=-=--