From: Mark H Weaver <mhw@netris.org>
To: Joshua Branson <jbranso@fastmail.com>
Cc: help-guix@gnu.org
Subject: Re: guix gc, any way to delete only packages that aren't required to build anything?
Date: Sun, 02 Dec 2018 21:16:14 -0500	[thread overview]
Message-ID: <87k1krmk1i.fsf@netris.org> (raw)
In-Reply-To: <875zwdl5lp.fsf@fastmail.com> (Joshua Branson's message of "Sat, 01 Dec 2018 08:49:22 -0500")

Hi Joshua,

Joshua Branson <jbranso@fastmail.com> writes:

> Mark H Weaver <mhw@netris.org> writes:
>
>> Pierre Neidhardt <mail@ambrevar.xyz> writes:
>>
>> On my GuixSD system where substitutes are completely disabled and I
>> build everything locally, I've been running my Guix daemon with both
>> --gc-keep-derivations=yes and --gc-keep-outputs=yes for years.  Here's
>> the relevant excerpt of my OS config:
>>
>
> May I ask why you choose not to use substitutes? 

It's part of a (likely futile) effort to protect the integrity of my
laptops from powerful adversaries, to prevent my private cryptographic
keys from being stolen, and to try to prevent my machine from being used
to insert vulnerabilities into the source code of projects that I
contribute to.  I also keep my laptops with me at all times.

Unfortunately, the US government claims the authority to secretly demand
physical access to servers, and to forbid those coerced from telling
anyone what happened.  See:

  https://en.wikipedia.org/wiki/National_security_letter

I'm not sure about the policies of other governments, but even without
such policies, there are probably windows of time where the physical
security of colocated servers could be breached by bribing employees at
the hosting site.  I doubt there is much restraint in the use of these
methods today, besides a desire to avoid detection.  As a result, any
traditional build farm based on colocated servers is vulnerable to
compromise by powerful adversaries.

There are some additional benefits to building everything locally and
using the 'guix-daemon' options above.  It means that my
/gnu/store always contains the complete source code of everything on my
system, including everything needed to bootstrap from the bootstrap
binaries.  It also means that I always have a complete set of build logs
for everything on my system.

      Mark
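The daemon configuration Mark describes, written out as an added example (it is not the excerpt from his own OS config, which is not reproduced in this message): a `services` field for an `operating-system` declaration, assuming the `guix-configuration` record from `(gnu services base)` with its `use-substitutes?` and `extra-options` fields.

```scheme
;; Added example, not Mark's own configuration.  Assumes the
;; guix-configuration record from (gnu services base).
(use-modules (gnu) (gnu services base))

;; Drop this expression into the `services` field of an operating-system.
(define local-build-services
  (modify-services %base-services
    (guix-service-type
     config =>
     (guix-configuration
      (inherit config)
      ;; Never fetch pre-built outputs from a build farm; every store
      ;; item on the machine is compiled locally from source.
      (use-substitutes? #f)
      ;; --gc-keep-derivations keeps each .drv while its outputs are live,
      ;; --gc-keep-outputs keeps outputs while their .drv is live.  Together
      ;; they stop `guix gc` from removing the sources, build recipes and
      ;; build logs that were used to produce what is installed.
      (extra-options
       '("--gc-keep-derivations=yes"
         "--gc-keep-outputs=yes"))))))
```

With this in place, `guix gc` still reclaims items that nothing live refers to, so disk usage grows with the set of installed packages rather than without bound.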
