From: Federico Beffa
Subject: Re: Introducing ‘guix pack’
Date: Sun, 19 Mar 2017 18:13:14 +0100
To: Ludovic Courtès
Cc: guix-devel

ludo@gnu.org (Ludovic Courtès) writes:

> Hi!
>
> Andy Wingo skribis:
>
>> On Tue 14 Mar 2017 14:42, ludo@gnu.org (Ludovic Courtès) writes:
>>
>>> If we remove /var/guix/profiles, users will have to actually type
>>> /gnu/store/asasdfadfgsadfa-profile/bin/guile. This is not great, but I
>>> don’t know what else could be done. We could profile a
>>> /bin/guile → /gnu/store/asasdfadfgsadfa-profile/bin/guile symlink, but
>>> perhaps that’s risky too.
>>
>> As we were discussing in the channel, maybe it's OK for these binary
>> installs to claim "/opt/gnu". Then we expose the profile in /opt/gnu,
>> so you would run Guile as /opt/gnu/bin/guile. Additionally you could
>> actually build against that Guile, which would be pretty neat. If the
>> user untars multiple guix packs, /gnu/store easily absorbs the union,
>> and /opt/gnu will adjoin any new profile directories/files and replace
>> any overwritten links.
>>
>> We would have to make sure the union directory in /opt/gnu has all real
>> directories and only symlink files, as per the recent patch on
>> guix-devel.
>
> Commit 5895ec8aa234ec9a4ce68ab8f94e795807630168 takes a slightly
> different approach (it doesn’t use the union thing).
>
> You can run:
>
>   guix pack guile-next \
>     --symlink=/opt/gnu/bin/guile=bin/guile \
>     --symlink=/opt/gnu/bin/guild=bin/guild
>
> and that does what you would expect.
>
> In addition, /var/guix is no longer included by default.
>
> Let me know what you think!

Say, developer A distributes such an archive A and developer B
distributes archive B (a different program/library) and someone C
installs both. Now developer A fixes a security hole and produces a new
archive. How can C remove the library with the security hole from his
system? If he just overlays the new version, the library with the
security problem stays on the system and could be exploited. Deleting
everything is also less than ideal.

This seems to me similar to encouraging the much criticized practice of
bundling required libraries with your program.

Maybe 'pack' could at least include a 'remove-myself' thing. Or have
you thought about the whole program life-cycle?

Fede
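
The overlay problem raised in this message can be checked on an unpacked tree. The following is an added example, not code from the thread or from Guix: it lists store items that no `/opt/gnu` symlink reaches any more after a newer pack is overlaid. The function names, the 32-character hashes, `libfoo` and the flattened layout (no profile directory) are constructed, and references are assumed to be discoverable by searching file contents and symlink targets for each item's hash prefix.

```python
import os
import tempfile

def references(item_path, hashes):
    """Hashes of store items named in file contents or symlink targets under item_path."""
    found, paths = set(), [item_path]
    for root, dirs, files in os.walk(item_path):
        paths += [os.path.join(root, n) for n in dirs + files]
    for p in paths:
        data = b""
        if os.path.islink(p):
            data = os.readlink(p).encode()
        elif os.path.isfile(p):
            with open(p, "rb") as f:
                data = f.read()
        found |= {h for h in hashes if h.encode() in data}
    return found

def stale_items(store, roots):
    """Store items that no symlink in `roots` reaches, directly or transitively."""
    by_hash = {name.split("-", 1)[0]: name for name in os.listdir(store)}
    todo = {h for link in roots for h in by_hash if h in os.readlink(link)}
    live = set()
    while todo:
        h = todo.pop()
        live.add(h)
        todo |= references(os.path.join(store, by_hash[h]), by_hash) - live
    return sorted(name for h, name in by_hash.items() if h not in live)

def demo():
    """Constructed layout: pack A v1 and pack B unpacked, then pack A v2 overlaid."""
    top = tempfile.mkdtemp()
    store, bindir = os.path.join(top, "gnu/store"), os.path.join(top, "opt/gnu/bin")
    os.makedirs(bindir)
    def item(ch, name, refs=""):          # constructed store item holding one file
        d = os.path.join(store, ch * 32 + "-" + name, "bin")
        os.makedirs(d)
        with open(os.path.join(d, "prog"), "w") as f:
            f.write(refs)
        return os.path.join(d, "prog")
    guile, prog = os.path.join(bindir, "guile"), os.path.join(bindir, "prog")
    item("c", "libfoo-1.0")               # library with the security hole
    os.symlink(item("b", "guile-a1", "c" * 32), guile)   # pack A v1
    os.symlink(item("d", "prog-b"), prog)                # pack B
    item("f", "libfoo-1.1")               # fixed library shipped in A v2
    os.remove(guile)                      # the overlay replaces only the symlink
    os.symlink(item("e", "guile-a2", "f" * 32), guile)   # pack A v2
    return stale_items(store, [guile, prog])
```

`demo()` reports the old `guile-a1` and `libfoo-1.0` items as still present in the store but unreferenced, while pack B's item stays live.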