Re: A real-life test of long-term reproducibility

unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed

From: zimoun <zimon.toutoune@gmail.com>
To: "Konrad Hinsen" <konrad.hinsen@fastmail.net>,
	"Ludovic Courtès" <ludo@gnu.org>
Cc: Guix Devel <guix-devel@gnu.org>
Subject: Re: A real-life test of long-term reproducibility
Date: Mon, 05 Sep 2022 11:32:38 +0200	[thread overview]
Message-ID: <87fsh6rwsp.fsf@gmail.com> (raw)
In-Reply-To: <m17d2iuup8.fsf@fastmail.net>

Hi Konrad,

On lun., 05 sept. 2022 at 09:49, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:
> Hi Ludo and Simon,
>
>> On Fri, 02 Sep 2022 at 15:17, Ludovic Courtès <ludo@gnu.org> wrote:
>>
>>> Here you would need ‘--allow-downgrades’.
>>
>> Maybe time-machine could advertise of this option?
>
> And explain what it's about. I don't consider myself an absolute
> beginner with Guix, but I don't understand what's going on here!

Well, it is documented. ;-) The entry of ’time-machine’ [1] is the
manual says:

        The general syntax is:

            guix time-machine options… -- command arg…

        where command and arg… are passed unmodified to the guix command
        of the specified revision. The options that define this revision
        are the same as for guix pull (see Invoking guix pull):

then the entry of ’guix pull’ [2] explains the option:

        --allow-downgrades

          Allow pulling older or unrelated revisions of channels than
          those currently in use.

          By default, guix pull protects against so-called “downgrade
          attacks” whereby the Git repository of a channel would be
          reset to an earlier or unrelated revision of itself,
          potentially leading you to install older, known-vulnerable
          versions of software packages.

Last, a blog post [3] provides some details.

I agree it could be improved.  Any suggestion? :-)


1: https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-time_002dmachine
2: https://guix.gnu.org/manual/devel/en/guix.html#Invoking-guix-pull
3: https://guix.gnu.org/en/blog/2020/securing-updates/


> OK, now I do a well... but should users need to understand the
> developers' git workflow?

I agree.


> Ultimately, the issue here is that guix works on the implementation
> level of git commit references, whereas the development process uses an
> abstraction layer on top of it. Maybe "guix pull" and "guix
> time-machine" should acquire some built-in intelligence when given a tag
> instead of a hash? Issue a warning when an inappropriate tag is given,
> and suggest a correction?

Well, the tags are there and usable.  But, Guix relies on guile-git and
uses string->oid; which supporting hash-commit and not string-tag.
That’s a technical limitation which could be easily improved, I guess.

Even, we could imagine local Git-tags using “guix git tag” and reuse
them via the time-machine.  Some code are around for “guix git log” (see
branch wip-guix-log [4]).

(However, although convenient, Git-tag is extrinsic (mutable) and thus it
is not suitable for long-term, where intrinsic (immutable) seems
preferred.)

4: https://git.savannah.gnu.org/cgit/guix.git/log/?h=wip-guix-log


Cheers,
simon

next prev parent reply	other threads:[~2022-09-05  9:37 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-08-04  8:43 A real-life test of long-term reproducibility Konrad Hinsen
2022-08-04 15:35 ` blake
2022-08-19  9:34   ` zimoun
2022-08-07 20:53 ` Ludovic Courtès
2022-08-08  5:21   ` Timothy Sample
2022-08-08  8:44   ` Konrad Hinsen
2022-08-19 10:25     ` zimoun
2022-08-22 11:34       ` Konrad Hinsen
2022-08-08  8:49   ` Konrad Hinsen
2022-09-02 13:17     ` Ludovic Courtès
2022-09-02 14:18       ` zimoun
2022-09-05  7:49         ` Konrad Hinsen
2022-09-05  9:32           ` zimoun [this message]
2022-09-05  9:51       ` Ludovic Courtès
2022-09-07 15:39         ` Konrad Hinsen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87fsh6rwsp.fsf@gmail.com \
    --to=zimon.toutoune@gmail.com \
    --cc=guix-devel@gnu.org \
    --cc=konrad.hinsen@fastmail.net \
    --cc=ludo@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).