wiki/notebook/literature.courtesPackagingGrail2021.org

:properties:
:id:       30d6a3d2-42f3-4f49-8d4c-bf433dc82350
:roam_refs: [cite:@courtesPackagingGrail2021]
:end:
#+title: The Packaging Grail
#+date: 2021-12-28 21:27:18 +08:00
#+date_modified: 2022-06-21 12:14:07 +08:00>
#+published: 2021-11-23
#+author: Ludovic Courtès
#+source: https://youtu.be/tcTOkXlE_ac
#+language: en

* Synopsis
- a primer to [[id:be917383-84c4-4bf5-9ca0-b04bfb778f4f][Guix package manager]] and its goals
  - it is free as in [[id:e8c1218f-35a4-4dd3-a174-5d8f848b74b2][Free software]]
  - a universal package manager that tries to cover all dependencies from different programming languages similar to [[id:3b3fdcbf-eb40-4c89-81f3-9d937a0be53c][Nix package manager]]
  - transparent through the [[id:fe9e21bc-3b38-4d0f-a785-253248a38ed7][Reproducible builds]] initiative integrating it into the package manager (e.g., =guix challenge=)
- focus on isolated builds leading to bit-identical builds and [[roam:Bootstrappable builds]] (building everything from source) enforcing further transparency and more security (e.g., "Trusting trust" attacks, creating backdoors through compiler bugs)
- making efforts to reduce the binary blobs required to boot an operating system from scratch through GNU Mes
- the balance to the right way versus pragmatism;
  other solutions may present to be faster and more convenient versus doing things the "right way" (e.g., comparing Pytorch package from Guix built from source versus Pypi containing prebuilt binaries; see [[Potential problems]]);
  in this case, Guix is drawing the line by providing tools to make packaging easier (e.g., =guix import=)

* Potential problems
- binary packages in package repositories (e.g., =torch= package in Pypi) [fn:: There's also =PyQt-Qt6= package from Pypi.]
  - developer-uploaded binaries which may contain other modifications and harder to verify
  - no indication of sources from random binaries
  - licenses issues may pop up
- no standard way to reproduce builds and verify so anyone can upload anything;
  this can create supply chain issues
  - see the left-pad issue from npm that happened years ago
- with project-specific and language-specific package managers (e.g., npm, cargo, pip), a lot of the overall reach of the software can feel isolated;
  Guix is intending to at least provide a way to unify them (as it is one of the goals, after all)
- mostly related to software testing — e.g., missing test dependencies,
- hosted source can be different from upstream;
  [fn:: I personally think the binaries from Visual Studio Code is another example.]

* Presenter's wish
- *move non-free software*;
  at the very least, move it to another repository to let people make informed decisions;
  not only this cannot be reproduced well but also impedes security
  - as far as I can remember, this is considered from the Flathub maintainers when it will eventually be a popular host of apps for both free and proprietary apps
- *disallow developer-uploaded binaries*;
  the talk presented an example with the previous case with Debian allowing it some time ago;
  if it is allowed, at least provide a way to reproduce it;
- *accurate licensing info*
- *accurate package data from repositories* (e.g., dependencies, license)
- *good description/synopsis*
Update literature notes 2022-01-11 08:22:02 +00:00			`:properties:`
			`:id: 30d6a3d2-42f3-4f49-8d4c-bf433dc82350`
Fix literature notes 2022-06-21 11:17:38 +00:00			`:roam_refs: [cite:@courtesPackagingGrail2021]`
Update literature notes 2022-01-11 08:22:02 +00:00			`:end:`
Fix literature notes 2022-06-21 11:17:38 +00:00			`#+title: The Packaging Grail`
Update literature notes 2022-01-11 08:22:02 +00:00			`#+date: 2021-12-28 21:27:18 +08:00`
Fix literature notes 2022-06-21 11:17:38 +00:00			`#+date_modified: 2022-06-21 12:14:07 +08:00>`
Update literature notes 2022-01-11 08:22:02 +00:00			`#+published: 2021-11-23`
			`#+author: Ludovic Courtès`
			`#+source: https://youtu.be/tcTOkXlE_ac`
			`#+language: en`

			`* Synopsis`
			`- a primer to [[id:be917383-84c4-4bf5-9ca0-b04bfb778f4f][Guix package manager]] and its goals`
			`- it is free as in [[id:e8c1218f-35a4-4dd3-a174-5d8f848b74b2][Free software]]`
			`- a universal package manager that tries to cover all dependencies from different programming languages similar to [[id:3b3fdcbf-eb40-4c89-81f3-9d937a0be53c][Nix package manager]]`
			`- transparent through the [[id:fe9e21bc-3b38-4d0f-a785-253248a38ed7][Reproducible builds]] initiative integrating it into the package manager (e.g., =guix challenge=)`
			`- focus on isolated builds leading to bit-identical builds and [[roam:Bootstrappable builds]] (building everything from source) enforcing further transparency and more security (e.g., "Trusting trust" attacks, creating backdoors through compiler bugs)`
			`- making efforts to reduce the binary blobs required to boot an operating system from scratch through GNU Mes`
			`- the balance to the right way versus pragmatism;`
			`other solutions may present to be faster and more convenient versus doing things the "right way" (e.g., comparing Pytorch package from Guix built from source versus Pypi containing prebuilt binaries; see [[Potential problems]]);`
			`in this case, Guix is drawing the line by providing tools to make packaging easier (e.g., =guix import=)`

			`* Potential problems`
			`- binary packages in package repositories (e.g., =torch= package in Pypi) [fn:: There's also =PyQt-Qt6= package from Pypi.]`
			`- developer-uploaded binaries which may contain other modifications and harder to verify`
			`- no indication of sources from random binaries`
			`- licenses issues may pop up`
			`- no standard way to reproduce builds and verify so anyone can upload anything;`
			`this can create supply chain issues`
			`- see the left-pad issue from npm that happened years ago`
			`- with project-specific and language-specific package managers (e.g., npm, cargo, pip), a lot of the overall reach of the software can feel isolated;`
			`Guix is intending to at least provide a way to unify them (as it is one of the goals, after all)`
			`- mostly related to software testing — e.g., missing test dependencies,`
			`- hosted source can be different from upstream;`
			`[fn:: I personally think the binaries from Visual Studio Code is another example.]`

			`* Presenter's wish`
			`- move non-free software;`
			`at the very least, move it to another repository to let people make informed decisions;`
			`not only this cannot be reproduced well but also impedes security`
Fix literature notes 2022-06-21 11:17:38 +00:00			`- as far as I can remember, this is considered from the Flathub maintainers when it will eventually be a popular host of apps for both free and proprietary apps`
Update literature notes 2022-01-11 08:22:02 +00:00			`- disallow developer-uploaded binaries;`
			`the talk presented an example with the previous case with Debian allowing it some time ago;`
			`if it is allowed, at least provide a way to reproduce it;`
			`- accurate licensing info`
			`- accurate package data from repositories (e.g., dependencies, license)`
			`- good description/synopsis`