foodogsquared/wiki
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/wiki.git synced 2025-01-31 07:57:57 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
f69b8d9cd7
wiki/notebook/literature.packagingconPackagingGrailLudovic2021.org
Gabriel Arazas cde9112a9d Update literature notes
2022-01-11 16:22:02 +08:00

3.1 KiB
Raw Blame History

The Packaging Grail - Ludovic Courtès | PackagingCon 2021

Synopsis

  • a primer to Guix package manager and its goals

    • it is free as in Free software
    • a universal package manager that tries to cover all dependencies from different programming languages similar to Nix package manager
    • transparent through the Reproducible builds initiative integrating it into the package manager (e.g., guix challenge)
  • focus on isolated builds leading to bit-identical builds and roam:Bootstrappable builds (building everything from source) enforcing further transparency and more security (e.g., "Trusting trust" attacks, creating backdoors through compiler bugs)
  • making efforts to reduce the binary blobs required to boot an operating system from scratch through GNU Mes
  • the balance to the right way versus pragmatism; other solutions may present to be faster and more convenient versus doing things the "right way" (e.g., comparing Pytorch package from Guix built from source versus Pypi containing prebuilt binaries; see /foodogsquared/wiki/src/commit/f69b8d9cd7605f94bc27bdd1552facf433187fef/notebook/Potential%20problems); in this case, Guix is drawing the line by providing tools to make packaging easier (e.g., guix import)

Potential problems

  • binary packages in package repositories (e.g., torch package in Pypi) 1

    • developer-uploaded binaries which may contain other modifications and harder to verify
    • no indication of sources from random binaries
    • licenses issues may pop up

  • no standard way to reproduce builds and verify so anyone can upload anything; this can create supply chain issues

    • see the left-pad issue from npm that happened years ago
  • with project-specific and language-specific package managers (e.g., npm, cargo, pip), a lot of the overall reach of the software can feel isolated; Guix is intending to at least provide a way to unify them (as it is one of the goals, after all)
  • mostly related to software testing — e.g., missing test dependencies,
  • hosted source can be different from upstream; 2

Presenter's wish

  • move non-free software; at the very least, move it to another repository to let people make informed decisions; not only this cannot be reproduced well but also impedes security
  • disallow developer-uploaded binaries; the talk presented an example with the previous case with Debian allowing it some time ago; if it is allowed, at least provide a way to reproduce it;
  • accurate licensing info
  • accurate package data from repositories (e.g., dependencies, license)
  • good description/synopsis
1

There's also PyQt-Qt6 package from Pypi.

2

I personally think the binaries from Visual Studio Code is another example.