mirror of
https://github.com/foo-dogsquared/wiki.git
synced 2025-02-07 06:19:03 +00:00
<!DOCTYPE html><html><head><meta name="viewport" content="width=device-width"/><meta charSet="utf-8"/><title>The Packaging Grail</title><script src="https://polyfill.io/v3/polyfill.min.js?features=es6"></script><script id="MathJax-script" async="" src="https://cdn.jsdelivr.net/npm/mathjax@3/es5/tex-mml-chtml.js"></script><script type="text/x-mathjax-config">
MathJax = {
  tex: {
    inlineMath: [ ['$','$'], ['\\(','\\)'] ],
    displayMath: [ ['$$','$$'], ['\\[','\\]'] ]
  },
  options: {
    processHtmlClass: "math"
  }
}
</script><meta name="next-head-count" content="6"/><link rel="preload" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" as="style"/><link rel="stylesheet" href="/wiki/_next/static/css/52fc2ba29703df73922c.css" data-n-g=""/><noscript data-n-css=""></noscript><link rel="preload" href="/wiki/_next/static/chunks/main-ae4733327bd95c4ac325.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/webpack-50bee04d1dc61f8adf5b.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/framework.9d524150d48315f49e80.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/commons.0e1c3f9aa780c2dfe9f0.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/_app-8e3d0c58a60ec788aa69.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/940643274e605e7596ecea1f2ff8d83317a3fb76.4841a16762f602a59f00.js" as="script"/><link rel="preload" href="/wiki/_next/static/chunks/pages/%5B%5B...slug%5D%5D-1aa198f87ede1cd0e1dc.js" as="script"/></head><body><div id="__next"><main><h1>The Packaging Grail</h1><section class="post-metadata"><span>Date: 2021-12-28 21:27:18 +08:00</span><span>Date modified: 2022-06-21 12:14:07 +08:00</span></section><nav class="toc"><ol class="toc-level toc-level-1"><li class="toc-item toc-item-h1"><a href="/wiki/literature.courtesPackagingGrail2021#synopsis" class="toc-link toc-link-h1">Synopsis</a></li><li class="toc-item toc-item-h1"><a href="/wiki/literature.courtesPackagingGrail2021#potential-problems" class="toc-link toc-link-h1">Potential problems</a></li><li class="toc-item toc-item-h1"><a href="/wiki/literature.courtesPackagingGrail2021#presenters-wish" class="toc-link toc-link-h1">Presenter's wish</a></li></ol></nav><p>:properties:
:id: 30d6a3d2-42f3-4f49-8d4c-bf433dc82350
:roam_refs: [<a href="cite:@courtesPackagingGrail2021">cite:@courtesPackagingGrail2021</a>]
:end:
</p><h1 id="synopsis">Synopsis</h1><ul><li><p>a primer to <a href="/wiki/2020-08-19-08-21-44">Guix package manager</a> and its goals
</p><ul><li><p>it is free as in <a href="/wiki/2021-07-22-14-25-13">Free software</a></p></li><li><p>a universal package manager that tries to cover dependencies from all programming languages, similar to the <a href="/wiki/tools.nix">Nix package manager</a></p></li><li><p>transparent through the <a href="/wiki/2020-09-14-10-46-15">Reproducible builds</a> initiative, with the verification integrated into the package manager itself (e.g., <code class="inline-verbatim">guix challenge</code>)
</p></li></ul></li><li><p>focus on isolated builds, which lead to bit-identical builds and to <a href="roam:Bootstrappable builds">roam:Bootstrappable builds</a> (building everything from source), enforcing further transparency and more security (e.g., against "Trusting trust" attacks, where a compromised compiler inserts backdoors into what it compiles)
</p></li><li><p>making efforts to reduce the binary blobs required to bootstrap an operating system from scratch, through GNU Mes
</p></li><li><p>the balance between doing things the right way and pragmatism;
other solutions may be faster and more convenient than doing things the "right way" (e.g., the PyTorch package built from source in Guix versus the PyPI package shipping prebuilt binaries; see <a href="/wiki/Potential%20problems">Potential problems</a>);
Guix draws the line here by providing tools that make packaging easier (e.g., <code class="inline-verbatim">guix import</code>)
</p></li></ul><h1 id="potential-problems">Potential problems</h1><ul><li><p>binary packages in package repositories (e.g., the <code class="inline-verbatim">torch</code> package on PyPI)</p><ul><li><p>developer-uploaded binaries may contain modifications not present in the source and are harder to verify
</p></li><li><p>a random binary gives no indication of which sources it was built from
</p></li><li><p>licensing issues may pop up
</p></li></ul></li><li><p>no standard way to reproduce and verify builds, so anyone can upload anything;
this creates supply chain issues
</p><ul><li><p>see the npm left-pad incident from years ago
</p></li></ul></li><li><p>with project-specific and language-specific package managers (e.g., npm, cargo, pip), much of the software ecosystem ends up siloed;
Guix intends to at least provide a way to unify them (it is one of its goals, after all)
</p></li><li><p>problems mostly related to software testing (e.g., missing test dependencies)
</p></li><li><p>the hosted source can differ from upstream
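</p><p>As an added example (not from the talk or from the Guix project), the comparison that <code class="inline-verbatim">guix challenge</code> performs, mimicked in Python over constructed build outputs and made-up substitute server names: the hash of a local build is compared with the hashes each server reports, so a non-deterministic build or a modified binary on one mirror surfaces as a disagreement instead of going unnoticed.</p>

```python
import hashlib

# Everything below is constructed: the "source", the build functions and the
# substitute server names stand in for real Guix store items and servers.
SOURCE = b"int main(void) { return 0; }\n"

def deterministic_build(src: bytes) -> bytes:
    """Stand-in for an isolated build: the output depends only on the source."""
    return b"ELF-stub:" + hashlib.sha256(src).digest()

def timestamped_build(src: bytes, build_time: int) -> bytes:
    """Stand-in for a non-reproducible build that embeds its build timestamp."""
    return deterministic_build(src) + b" built-at=" + str(build_time).encode()

def item_hash(output: bytes) -> str:
    """Content hash of a build output; this is the value that gets compared."""
    return hashlib.sha256(output).hexdigest()

def challenge(local: str, substitutes: dict) -> tuple:
    """Compare the hash of a local build with the hashes substitute servers report.

    Returns (verdict, servers that disagree with the local build):
      - "reproducible": every server matches the local build;
      - "local-differs": servers agree with each other but not with us, so
        suspect the local toolchain or environment (or a shared bad mirror);
      - "inconsistent": servers disagree among themselves, so the build is
        non-deterministic or at least one server serves a modified binary.
    """
    disagree = [srv for srv, h in sorted(substitutes.items()) if h != local]
    if not disagree:
        return "reproducible", []
    if len(disagree) == len(substitutes) and len(set(substitutes.values())) == 1:
        return "local-differs", disagree
    return "inconsistent", disagree

def demo() -> dict:
    """Run three scenarios over the constructed data and return their verdicts."""
    good = item_hash(deterministic_build(SOURCE))
    stamped = item_hash(timestamped_build(SOURCE, 1640000000))
    patched = item_hash(deterministic_build(SOURCE + b"// patched\n"))
    return {
        "all_agree": challenge(good, {"a.example": good, "b.example": good}),
        "one_server_odd": challenge(good, {"a.example": good, "b.example": stamped}),
        "local_odd": challenge(patched, {"a.example": good, "b.example": good}),
    }

if __name__ == "__main__":
    for name, (verdict, servers) in demo().items():
        print(f"{name}: {verdict} {servers}")
```

<p>The same comparison covers the "hosted source can differ from upstream" case: run it on the hash of the fetched source against the hash pinned in the package definition rather than on the build output.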
</p></li></ul><h1 id="presenters-wish">Presenter's wish</h1><ul><li><p><strong>move non-free software</strong>;
at the very least, move it to another repository so that people can make informed decisions;
not only can it not be reproduced well, it also impedes security
</p><ul><li><p>as far as I can remember, this is being considered by the Flathub maintainers, as it will eventually be a popular host of both free and proprietary apps
</p></li></ul></li><li><p><strong>disallow developer-uploaded binaries</strong>;
the talk presented, as an example of the previous case, Debian allowing them some time ago;
if they are allowed, at least provide a way to reproduce them
</p></li><li><p><strong>accurate licensing info</strong></p></li><li><p><strong>accurate package data from repositories</strong> (e.g., dependencies, license)
</p></li><li><p><strong>good description/synopsis</strong></p></li></ul></main></div></body></html>