Subject: [bug#38441] [PATCH 0/5] Record operating system provenance info
From: Ludovic Courtès
Date: Sat, 30 Nov 2019 23:30:13 +0100
Message-Id: <20191130223013.14257-1-ludo@gnu.org>
To: 38441@debbugs.gnu.org
Cc: Ludovic Courtès

Hello Guix!

This patch series allows ‘guix system’ to record provenance info about a
system in its output: the system itself (e.g., /run/current-system) now
contains three more files: “channels.scm”, “configuration.scm”, and
“provenance” (a summary of the first two files.)

That means you can always inspect a deployed system to find its own “source”.
In some cases, you can even run something like:

  guix time-machine \
    -C /var/guix/profiles/system-N-link/channels.scm -- \
    system reconfigure \
    /var/guix/profiles/system-N-link/configuration.scm

to rebuild generation N of your system. Pretty cool, no? :-)

Otherwise you can simply run:

  guix system describe

to see where your OS comes from.

Provenance tracking is implemented as a service. The service is
automatically added by ‘guix system init’, ‘reconfigure’, and by
‘guix deploy’. For other commands, one can pass ‘--save-provenance’
to turn it on.

This was long overdue! This has interesting implications on
trustworthiness: you can distribute a VM/Docker image with provenance
info, and anyone can reproduce it and ensure they obtain the same bits
(well, ideally, because I guess a few steps may still not be
bit-reproducible).

Thoughts?

Thanks,
Ludo’.

Ludovic Courtès (5):
  services: Add 'provenance-service-type'.
  guix system: Use 'provenance-service-type', add "--save-provenance".
  machine: Add provenance tracking to each machine operating system.
  guix system: "list-generations" displays provenance info.
  guix system: Add "describe" action.

 doc/guix.texi           | 109 +++++++++++++++++++++++++++++++++++++---
 gnu/machine.scm         |   7 ++-
 gnu/services.scm        |  87 ++++++++++++++++++++++++++++++++
 gnu/system.scm          |  10 ++++
 guix/scripts/pull.scm   |   1 +
 guix/scripts/system.scm | 107 ++++++++++++++++++++++++++++++++-------
 6 files changed, 293 insertions(+), 28 deletions(-)

-- 
2.24.0
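
The reproduction check described in the message, as an added example (not part of the original message or of the Guix code base): it rebuilds a generation from its own recorded channels.scm and configuration.scm and compares the resulting store item with the deployed one. The function names are hypothetical, and the script assumes that ‘guix system build’ prints the resulting store item as the last line of its standard output.

```sh
#!/bin/sh
# Added example: does a generation's recorded provenance rebuild to it?
# Function names are hypothetical; only the guix commands and file
# names come from the message above.

# provenance_files_ok DIR: succeed if DIR holds the three provenance files.
provenance_files_ok() {
    dir=$1
    for f in channels.scm configuration.scm provenance; do
        if [ ! -r "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            return 1
        fi
    done
}

# verify_generation DIR
#   0 = rebuild yields the deployed store item
#   1 = rebuild yields a different store item
#   2 = provenance files missing, 3 = rebuild failed
verify_generation() {
    dir=$1
    provenance_files_ok "$dir" || return 2
    # Resolve the generation link to the store item it points to.
    deployed=$(readlink -f "$dir") || return 2
    # Rebuild with the recorded channels; --save-provenance makes the
    # rebuilt system carry provenance files like the deployed one.
    rebuilt=$(guix time-machine -C "$dir/channels.scm" -- \
        system build --save-provenance "$dir/configuration.scm") || return 3
    # Assumption: the store item is the last line printed on stdout.
    rebuilt=$(printf '%s\n' "$rebuilt" | tail -n 1)
    if [ "$rebuilt" = "$deployed" ]; then
        echo "match: $deployed"
        return 0
    fi
    echo "MISMATCH: deployed=$deployed rebuilt=$rebuilt" >&2
    return 1
}

# Usage: verify_generation /var/guix/profiles/system-N-link
```

A match shows that the recorded channels and configuration lead to the same store item name; it does not by itself prove that the contents are bit-for-bit identical.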