Questions about Cuirass

Questions about Cuirass

[James Hobson]

Hello!

Currently evaluating guix for embedded systems at work. But I have a few questions that I can’t quite work out from the docs. Please feel no obligation to answer!

Please note that my guix journey is at its very beginning. I’ve not even had a go at packaging!

Question 1
We would need to host the guix substitute server in an airgapped environment. The server would contain plain guix packages, our in house packages, and maybe patched guix packages. Would that be possible without having to rebuild the entire guix package set? We don’t have so many build machines, especially not for armv7.

Question 2
Does cuirass garbage collect? Or is that done through guix gc? We would need to host the binary packages for maybe 3 revisions at a time in this air gapped server.

Question 3
Our software is sadly proprietary. Is there a way for guix build to selectively unpack and patch all non-proprietary sources so that we can provide it to anyone who asks? I feel like if this isn’t a thing already, I guess I can write it in scheme?

Thanks

James

Re: Questions about Cuirass

[Maxime Devos]

[-- Attachment #1.1.1: Type: text/plain, Size: 2513 bytes --]

On 20-10-2022 23:19, James Hobson wrote:
> Hello!
> 
> Currently evaluating guix for embedded systems at work. But I have a few questions that I can’t quite work out from the docs. Please feel no obligation to answer!
> 
> Please note that my guix journey is at its very beginning. I’ve not even had a go at packaging!
> 
> Question 1
> We would need to host the guix substitute server in an airgapped environment. The server would contain plain guix packages, our in house packages, and maybe patched guix packages. Would that be possible without having to rebuild the entire guix package set? We don’t have so many build machines, especially not for armv7.

You can tell Cuirass to only build a selection of packages (and their 
dependencies), by using a manifest, then not all of Guix is compiled but 
only what's necessary for your particular purpose.

Also, your Cuirass instance still needs access to the source code of the 
packages somehow, which will need to be somehow be squared with your 
'airgapped environment', though maybe 'copy over the result of guix 
build --sources=transitive" would be acceptable (*).

(*) except that this is after application of snippet; some kind of 
"--sources=raw,transitive" may be needed.

> Question 2 [...]

I don't know the answer to this.

> Question 3
> Our software is sadly proprietary. Is there a way for guix build to selectively unpack and patch all non-proprietary sources so that we can provide it to anyone who asks? I feel like if this isn’t a thing already, I guess I can write it in scheme?

I assume you meant 'patch all non-proprietary' -> 'patch out all 
proprietary', such that at least the free parts can be used?

In that case, this is done already in some package definitions in Guix, 
by a 'snippet' removing parts that are non-free, such that they are not 
built and are not part of "guix build --source". (See: ‘Snippets versus 
Phases’ in the documentation, though it doesn't mention non-free things 
directly).

The Guix user can still access the unpatched source code though, by 
inspecting the package definition and removing the snippet, so it looks 
to me like that option is only good for 'you aren't allowed to modify 
this part of the source code + guix build --source must produce 
something free', not for 'you aren't allowed to see or distribute this' 
situations.

Alternatively, you could avoid all this complexity by making your 
software free.

Greetings,
Maxime.

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]

Re: Questions about Cuirass

[James Hobson]

Sorry for not getting back to you.

Looks promising!

I wish I could release everything under a free license. Baby steps though! I’ve managed to release a few things under LGPL since I started! That’s 100% more than before!

But anyway. The biggest hurdle I see is that updating in an air gapped environment doesn’t seem supported because guix’s git url is hard coded. Does this need to be the case? If not, I might see if I can find an nice way of making this more configurable

James

> On 21 Oct 2022, at 11:01, Maxime Devos <maximedevos@telenet.be> wrote:
> 
> On 20-10-2022 23:19, James Hobson wrote:
>> Hello!
>> Currently evaluating guix for embedded systems at work. But I have a few questions that I can’t quite work out from the docs. Please feel no obligation to answer!
>> Please note that my guix journey is at its very beginning. I’ve not even had a go at packaging!
>> Question 1
>> We would need to host the guix substitute server in an airgapped environment. The server would contain plain guix packages, our in house packages, and maybe patched guix packages. Would that be possible without having to rebuild the entire guix package set? We don’t have so many build machines, especially not for armv7.
> 
> You can tell Cuirass to only build a selection of packages (and their dependencies), by using a manifest, then not all of Guix is compiled but only what's necessary for your particular purpose.
> 
> Also, your Cuirass instance still needs access to the source code of the packages somehow, which will need to be somehow be squared with your 'airgapped environment', though maybe 'copy over the result of guix build --sources=transitive" would be acceptable (*).
> 
> (*) except that this is after application of snippet; some kind of "--sources=raw,transitive" may be needed.
> 
>> Question 2 [...]
> 
> I don't know the answer to this.
> 
>> Question 3
>> Our software is sadly proprietary. Is there a way for guix build to selectively unpack and patch all non-proprietary sources so that we can provide it to anyone who asks? I feel like if this isn’t a thing already, I guess I can write it in scheme?
> 
> I assume you meant 'patch all non-proprietary' -> 'patch out all proprietary', such that at least the free parts can be used?
> 
> In that case, this is done already in some package definitions in Guix, by a 'snippet' removing parts that are non-free, such that they are not built and are not part of "guix build --source". (See: ‘Snippets versus Phases’ in the documentation, though it doesn't mention non-free things directly).
> 
> The Guix user can still access the unpatched source code though, by inspecting the package definition and removing the snippet, so it looks to me like that option is only good for 'you aren't allowed to modify this part of the source code + guix build --source must produce something free', not for 'you aren't allowed to see or distribute this' situations.
> 
> Alternatively, you could avoid all this complexity by making your software free.
> 
> Greetings,
> Maxime.
> <OpenPGP_0x49E3EE22191725EE.asc>

Re: Questions about Cuirass

[Maxime Devos]

[-- Attachment #1.1.1: Type: text/plain, Size: 1038 bytes --]



On 30-10-2022 13:50, James Hobson wrote:
> Sorry for not getting back to you.
> 
> Looks promising!
> 
> I wish I could release everything under a free license. Baby steps though! I’ve managed to release a few things under LGPL since I started! That’s 100% more than before!

Sounds good.
> 
> But anyway. The biggest hurdle I see is that updating in an air gapped environment doesn’t seem supported because guix’s git url is hard coded. Does this need to be the case? If not, I might see if I can find an nice way of making this more configurable

There is a default, yes, but it's not hardcoded, you can override it. 
Have a look at "Invoking 'guix pull'" in the manual, in particular its 
'--url=URL' argument.

> James
>
 > [...]

I prefer no top-posting; my e-mail client, and more generally almost all 
e-mail clients I think, keep a thread of previous messages.  I would 
prefer to not to have to scroll down to read the rest of the message 
only to discover there is none.

Greetings,
Maxime

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 929 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 236 bytes --]