The Packaging Grail

Date: 2021-12-28 21:27:18 +08:00Date modified: 2022-06-21 12:14:07 +08:00>

:properties: :id: 30d6a3d2-42f3-4f49-8d4c-bf433dc82350 :roam_refs: [cite:@courtesPackagingGrail2021] :end:

Synopsis

a primer to Guix package manager and its goals
- it is free as in Free software
- a universal package manager that tries to cover all dependencies from different programming languages similar to Nix package manager
- transparent through the Reproducible builds initiative integrating it into the package manager (e.g., guix challenge)
focus on isolated builds leading to bit-identical builds and roam:Bootstrappable builds (building everything from source) enforcing further transparency and more security (e.g., "Trusting trust" attacks, creating backdoors through compiler bugs)
making efforts to reduce the binary blobs required to boot an operating system from scratch through GNU Mes
the balance to the right way versus pragmatism; other solutions may present to be faster and more convenient versus doing things the "right way" (e.g., comparing Pytorch package from Guix built from source versus Pypi containing prebuilt binaries; see Potential problems); in this case, Guix is drawing the line by providing tools to make packaging easier (e.g., guix import)

binary packages in package repositories (e.g., torch package in Pypi)
- developer-uploaded binaries which may contain other modifications and harder to verify
- no indication of sources from random binaries
- licenses issues may pop up
no standard way to reproduce builds and verify so anyone can upload anything; this can create supply chain issues
- see the left-pad issue from npm that happened years ago
with project-specific and language-specific package managers (e.g., npm, cargo, pip), a lot of the overall reach of the software can feel isolated; Guix is intending to at least provide a way to unify them (as it is one of the goals, after all)
mostly related to software testing — e.g., missing test dependencies,
hosted source can be different from upstream;

move non-free software; at the very least, move it to another repository to let people make informed decisions; not only this cannot be reproduced well but also impedes security
- as far as I can remember, this is considered from the Flathub maintainers when it will eventually be a popular host of apps for both free and proprietary apps
disallow developer-uploaded binaries; the talk presented an example with the previous case with Debian allowing it some time ago; if it is allowed, at least provide a way to reproduce it;
accurate licensing info
accurate package data from repositories (e.g., dependencies, license)
good description/synopsis