unofficial mirror of help-guix@gnu.org 
 help / color / mirror / Atom feed
From: Steve George <steve@futurile.net>
To: help-guix@gnu.org
Subject: Using guix challenge for critical software?
Date: Wed, 29 Nov 2023 08:04:47 +0000	[thread overview]
Message-ID: <ZWbwn-yRxHmulFkX@t25sg> (raw)

Hi,

How can I use `guix challenge` to test critical software or packages that are deep in the dependency tree?

As I understand it, the purpose of Guix challenge is to test whether "binaries provided by this [substitution] server really correspond to the source code it claims to build" (from the manual). The obvious check then is to build the package myself locally and then check if the substitution server give the same result. To do that I do this:

$ guix shell --container --nesting --development cbonsai --network nss-certs -- \
    guix build cbonsai --no-substitutes --no-grafts
$ guix challenge --verbose cbonsai

/gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match:
  local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
  https://ci.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
  https://bordeaux.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28

1 store items were analyzed:
    - 1 (100.0%) were identical
    - 0 (0.0%) differed
    - 0 (0.0%) were inconclusive

All good so far.

But, how do I test something that I depend on like OpenSSH? As I'm using it (and it's critical to my system) I already have it installed locally from the Substitution servers. Consequently, if I try to build it Guix informs me I have it already. I can't really remove it from my system, and I don't think there's a way to build it locally without first removing it. 

It seems at this point that I'm stuck. The only form of 'guix challenge' I can do is to check whether the two Substitutions servers agree - but if I don't trust the Guix developers this isn't a very good check.

Is there some way to build the package locally (without first removing it)? Or some clever way to run Guix challenge that I'm not seeing?

Thanks,

Futurile/Steve


                 reply	other threads:[~2023-11-29  8:06 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZWbwn-yRxHmulFkX@t25sg \
    --to=steve@futurile.net \
    --cc=help-guix@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).