From: myglc2@gmail.com
Subject: Re: Idea: Install script to better support improving contributor-friendliness of projects
Date: Tue, 28 Nov 2017 12:33:32 -0500
Message-ID: <86bmjm1f6b.fsf@g1.i-did-not-set--mail-host-address--so-tickle-me>
References: <311dec57-62fd-a88d-19d4-2eae9041ef97@gmail.com> <87bmjook1w.fsf@netris.org>
In-Reply-To: <87bmjook1w.fsf@netris.org> (Mark H. Weaver's message of "Sun, 26 Nov 2017 15:35:07 -0500")
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Mark H Weaver
Cc: Никита Чураев, guix-devel@gnu.org

On 11/26/2017 at 15:35 Mark H Weaver writes:

> Hi,
>
> Никита Чураев writes:
>
>> Here's how I want to use Guix and it is to increase
>> contributor-friendliness of a project, so that the user can simply run
>> a distribution-independent command to install all dependencies without
>> having to hunt for them with `apt` and `dnf` manually.
>>
>> Unfortunately, Guix itself is not very easy to install, and the
>> instructions are full of rather technical stuff like 'systemd' and
>> 'upstart'.
>>
>> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>>
>> There should be a script like the one Haskell Stack uses:
>>
>> |curl -sSL https://get.haskellstack.org/ | sh|

Agreed, thank you for raising these issues.

As you point out, the current manual binary install imposes a minimum
bound on the technical sophistication and determination of Guix
"triers". The absence of an automated install effectively filters out
"less sophisticated" users. It no doubt strongly limits the rate of
adoption and size of the user base.

Something like you have suggested is a must to reach a larger audience.
Not having it is like an exclusionary fence around Guix. If we are
committed to usability and availability of Guix for anyone, we should
provide an automated install.

Why haven't we done this yet? Probably because no Guix developer has had
to in/uninstall Guix on multiple GNU/Linux distributions every day ;-)

> I can understand the appeal of such a convenient approach. However,
> this practice of downloading a script via HTTPS and immediately running
> it as root without inspection puts you at considerable risk. A
> man-in-the-middle with the resources to compromise or bribe *any*
> certificate authority in your trust store (the attacker could choose
> which one) could acquire a fraudulent certificate to impersonate our
> site, and then substitute in a different script than the one we
> provided. Quite a few organizations are capable of such an attack
> today.
>
> Therefore, I believe it would be irresponsible for us to promote this
> style of installation.
>
> However, if there's sufficient interest, and if we could produce a
> sufficiently robust "auto-install" script, we could perhaps do something
> close to what you suggested. We could provide a script along with a
> GnuPG digital signature. We could ask the user to download the script,
> acquire our signing key, verify the signature on the script, and then
> run the script as root.

+1

WRT "sufficient interest", script users will be the prospective Guix
users that today hit a wall on the manual install. This number no doubt
exceeds all Guix users today ;-)

ISTM, these are the downsides to releasing such a script:

1) increased "less sophisticated" Guix noob support load
2) stress-tests of Guix package management usability
3) increased hydra et al. loads
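The download, verify, then run sequence Mark outlines above, written out as an added example (not code from the thread or from the Guix project). Assumptions: the installer ships with a detached GnuPG signature named `<script>.sig`, and the signing key's fingerprint is known out of band and pinned in `GUIX_SIGNING_FPR` (a placeholder here).

```shell
#!/bin/sh
# Added example: fetch the installer and its detached signature to disk,
# verify the signature against a PINNED key fingerprint, and only then run it.
# A MITM who can forge a TLS certificate can swap the script and the .sig, but
# cannot produce a signature that verifies under the pinned key.
set -eu

# Placeholder (assumption): replace with the project's published key fingerprint,
# obtained from a channel other than the download server itself.
GUIX_SIGNING_FPR="${GUIX_SIGNING_FPR:-0000000000000000000000000000000000000000}"

# verify_and_run SCRIPT SIG
# Returns non-zero and executes nothing unless SIG is a valid detached signature
# over SCRIPT made by the pinned key.
verify_and_run() {
    script=$1; sig=$2
    [ -f "$script" ] && [ -f "$sig" ] || {
        echo "missing script or signature" >&2; return 2; }

    # --status-fd gives machine-readable lines such as
    #   [GNUPG:] VALIDSIG <fingerprint> <date> ...
    # so we can check WHICH key signed, not merely that some key in the
    # keyring did.  A non-zero exit from gpg means no valid signature at all.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$script" 2>/dev/null) || {
        echo "signature verification failed; refusing to run $script" >&2
        return 1; }
    case "$status" in
        *"VALIDSIG $GUIX_SIGNING_FPR "*) ;;   # good signature from the pinned key
        *) echo "signature is not from the pinned key; refusing to run" >&2
           return 1 ;;
    esac

    sh "$script"
}

# Stand-alone usage (URL is a placeholder):
#   sh this.sh https://example.invalid/guix-install.sh
# Both the script and "<url>.sig" are saved to a temp dir before verification,
# so nothing is piped straight from the network into a shell.
if [ -n "${1:-}" ]; then
    dir=$(mktemp -d)
    curl -fsSL -o "$dir/install.sh"     "$1"
    curl -fsSL -o "$dir/install.sh.sig" "$1.sig"
    verify_and_run "$dir/install.sh" "$dir/install.sh.sig"
fi
```

With a real key, `GUIX_SIGNING_FPR` is the full 40-hex-digit fingerprint as printed by `gpg --fingerprint`; the keyring must already contain that key, imported from a trusted source.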