Hello, Ludovic Courtès writes: > Ekaitz Zarraga skribis: > >> On 2024-04-04 21:48, Attila Lendvai wrote: >>> all in all, just by following my gut insctincts, i was advodating >>> for building everything from git even before the exposure of this >>> backdoor. in fact, i found it surprising as a guix newbie that not >>> everything is built from git (or their VCS of choice). >> >> That has happened to me too. >> Why not use Git directly always? > > Because it create{s,d} a bootstrapping issue. The > “builtin:git-download” method was added only recently to guix-daemon and > cannot be assumed to be available yet: > > https://issues.guix.gnu.org/65866 This fortunately will help a lot with the "everything built from git" part of the "whishlist", but what about the not zero occurrences of "other upstream VCSs"? [...] > I think we should gradually move to building everything from > source—i.e., fetching code from VCS and adding Autoconf & co. as inputs. > > This has been suggested several times before. The difficulty, as you > point out, will lie in addressing bootstrapping issues with core > packages: glibc, GCC, Binutils, Coreutils, etc. I’m not sure how to do > that but… does it have to be an "all of nothing" choiche? I mean "continue using release tarballs" vs "use git" for "all"? If using git is unfeaseable for bootstrapping reasons [1], why not cointinue using release tarballs with some _extra_ verifications steps and possibly add some automation steps to "lint" to help contributors and committers check that there are not "quasi-binary" seeds [2] hidden in release tarballs? WDYT? [...] Grazie! Gio' [1] or other reasons specific to a package that should be documented when needed, at least with a comment in the package definition [2] the autogenerated files that are not pragmatically verifiable -- Giovanni Biscuolo Xelera IT Infrastructures