Page MenuHomePhabricator
Create Task
Maniphest T600

Integrating Guix/Nix Package Manager
Open, NormalPublic
Actions

Description

Nix is a powerful package manager for Linux and other Unix systems that makes package management reliable and reproducible. It provides atomic upgrades and rollbacks, side-by-side installation of multiple versions of a package, multi-user package management and easy setup of build environments. Also makes packaging easier than Debian. It also supports compiler hardening flags.

https://nixos.org/nix/

GNU Guix is based on it with some modifications.

https://nixos.org/nix/

Pros:

  • Has the potential to solve our problem of including external binaries in a safe reproducible way without the Debian freeze restrictions.
  • Does not interfere with apt or the system config in any way.

Cons:

  • Usability impact of running two package managers to keep the system updated. Wrapper scripts or some other way to notify users may be needed.

Found the dev thread about GNU Guix's Debian packaging attempts mentioned in:

https://unix.stackexchange.com/questions/290423/can-guix-packages-be-delivered-to-other-distros

There was a GSoC 2016 project to get it into Debian but it didn't happen for many reasons.

There are good reasons why Guix and Nix do not follow the FHS but that means there will never be a package for them upstream. Attempts to conform to FHS caused Guix functionality to break and would mess up the nice clean install system it has:

https://lists.gnu.org/archive/html/guix-devel/2016-02/msg01126.html

Instead the guix project distributes a signed tarball with instructions to compile and install it which is far from optimal for us:

https://www.gnu.org/software/guix/manual/guix.html#Binary-Installation

Instead of trying to get into Debian, the devs talked about the possibility of providing a .deb via their own repository that does not follow Debian standards but is very convenient for people who want to bootstrap install Guix:

https://lists.gnu.org/archive/html/guix-devel/2016-02/msg01144.html

"Hosting a .deb file on our own server that users could download and
install with dpkg would be perfect for us."

The blocker for this is Ubuntu's build process requirements are different from Debian's and so they shelved the whole thing:

https://lists.gnu.org/archive/html/guix-devel/2016-02/msg01205.html

"Without a fully automated process to build .deb for several distros, I
don’t think we can offer to distribute .deb ourselves. :-/"

Here a Guix enthusiast discusses how to run Guix without compiling it. interesting but doesn't make it any easier in our case to distribute:

https://dustycloud.org/blog/guix-package-manager-without-make-install/

With this path blocked I decided to look at the Nix manager instead which is what Guix is based on anyway. And fortunately its a better situation. Signed Debian packages for stable are provided! and a script that fetches and validates the .deb. That means with some leg work it can be included in Whonix via our repos:

https://nixos.org/wiki/Installing_Nix_on_Debian

I looked at their package selection and it is impressive. Grsecurity, GNUnet and much more:

https://nixos.org/nixos/packages.html

Other interesting reads:

https://nixos.org/wiki/Hardened_NixOS#Features_in_development

https://www.reddit.com/r/NixOS/comments/4btjnf/fully_setting_up_a_custom_private_nix_repository/

Details

Impact
Normal

Related Objects

Event Timeline

HulaHoop created this task.Jan 12 2017, 2:44 AM
Herald added a project: Whonix. · View Herald TranscriptJan 12 2017, 2:44 AM
Herald added subscribers: entr0py, WhonixQubes, Patrick. · View Herald Transcript
Patrick added subscribers: marmarek, Ego.Jan 12 2017, 5:07 PM
HulaHoop closed this task as Invalid.Jan 18 2017, 4:15 PM
HulaHoop claimed this task.

The main and only purpose of getting Nix into Whonix was GNUnet. Now that Nix stopped making new debs, there is no point of considering this task further.

Closing.

HulaHoop renamed this task from Integrating Nix Package Manager to Integrating Guix/Nix Package Manager.Jan 20 2017, 4:25 PM
HulaHoop reopened this task as Open.
HulaHoop updated the task description. (Show Details)
HulaHoop added a comment.Jan 20 2017, 4:28 PM

GNUnet guys are looking into having the Guix devs provide debs.

HulaHoop mentioned this in T114: Permanent Takedown Attack Defender.Jan 23 2017, 12:01 AM
Patrick mentioned this in T644: replace tb-updater / curl-prgrs.Mar 10 2017, 7:33 PM
HulaHoop added a comment.Mar 13 2017, 10:47 PM

https://lists.torproject.org/pipermail/tor-dev/2017-March/011993.html

Unknown Object (User) added a subscriber: Unknown Object (User).Jun 25 2017, 7:12 PM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.Jun 26 2017, 3:56 PM

Understood and thanks for chiming in :)

*e: Just to be sure and to refresh my memory from the email exchanges we had a couple of hundreds of emails ago: this is just about torbrowser, or was there more to it?

That was the main thing I believe. Its true I was exploring a grsec patched libre-linux kernel via Guix too but with recent developments its an obsolete idea (grsec gone private and KSPP mainlining everything).

Unknown Object (User) added a comment.Jul 3 2017, 8:31 AM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.Jul 15 2017, 1:23 AM

We are preparing for a major point release so nothing on this front is planned from our side in the short to medium term. We are on the lookout for anything coming from your side whenever you feel like it.

Unknown Object (User) added a comment.Oct 30 2017, 7:52 PM
This comment was removed by Unknown Object (User).
iry added a subscriber: iry.Feb 20 2018, 8:17 PM
Unknown Object (User) added a comment.Mar 8 2018, 12:00 PM
This comment was removed by Unknown Object (User).
Unknown Object (User) added a comment.Mar 16 2018, 10:57 AM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.Mar 19 2018, 9:15 PM

Awesome progress thanks for the updates :) Right, the advantage of Guix is precisely that it doesn't follow FHS. Its worth trying to ask for an exception from upstream no matter how slim the chances - at least there's more of a chance than never asking at all.

Do you know if Gentoo or Arch document their technical implementation of Guix? I would also like your help in writing a proposal outlining the exact details of an exception on Debian that would work for you and Nix potentially. I will focus on Guix because they are Free Software focused but its still good to keep the door open for those who make different choices.

Unknown Object (User) added a comment.Mar 19 2018, 9:56 PM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.Mar 22 2018, 12:33 PM

A switch to /opt/ seems like a great compromise that can shut up the FHS zealots. Is this something the Guix guys can do or is it for the adopting distro to handle?

Unknown Object (User) added a comment.Apr 29 2018, 12:35 PM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.EditedMay 18 2018, 1:17 PM

If you would have read the chat content (which I assume you didn't), you would see some insight into the problems and what possible solutions there are.

I actually did. Some of it may be over my head by I'm getting there:) I think if Debian wants to customize Guix to conform to their "standard" they would probably be OK with running their own substitute mirror. Would you see this as a good thing or something that introduces fragmentation?

Sorry if this is taking longer than it should. I want to nail down the fine details and find the best solution before writing a proposal. This way I won't have to edit it and lose mind-share in the process.

Unknown Object (User) added a comment.Jul 19 2018, 3:12 PM
This comment was removed by Unknown Object (User).
Unknown Object (User) added a comment.Jul 19 2018, 3:19 PM
This comment was removed by Unknown Object (User).
HulaHoop added a comment.EditedJul 22 2018, 4:23 PM

@ng0 I wrote a proposal draft. Feel free to improve it before I post:

Hello Dear Debian Coders and Maintainers,

I will propose a process for integrating GNU Guix into Debian and working around potential roadblocks that have made the process difficult in the past.

For those unfamiliar, Guix is a package manager that supports reproducible builds, transactional upgrades and roll-backs, unprivileged package management, per-user profiles and more (please see: https://www.gnu.org/software/guix/manual/html_node/Features.html).

It uses Guile scheme to define package structure and system configurations. Its unique self-contained package installation allows it to be used seamlessly on any Linux distro while making sure no conflicts between it and the distro's default package manager arises. As an official GNU project it supports nothing but libre software so it should be compatible with DFSG. Also having Guix in Debian will allow access to more recent versions on software that is developed too rapidly to be otherwise practically usable from the official repos (for example GNUnet).

Potential problems and the way forward:

The fact that the default repo path is /gnu/store conflicts with Debian's strict FHS guidelines. A solution is to mount or patch /gnu/store to use /opt/guix. However this would break use of the official binary buildfarms and would require Debian to host its own independent instance that works with our customized paths.

There are some missing build/runtime dependencies such as guile-git and guile-ssh that would need packaging first but its not possible without more widespread interest:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850644

A good starting point for a Guix deb package is this latest effort:
https://github.com/detrout/debian-guix

If you have any further suggestions or requests please post them and the Guix people would be interested to collaborate on whatever it takes to realize this.

I hope to kick-start a dialogue/interest in this project so please share your thoughts. Thanks.

HulaHoop removed HulaHoop as the assignee of this task.Aug 16 2018, 3:16 PM
Patrick added a comment.Jul 6 2019, 10:40 AM

Any update?

If there was either,

a) signed deb of guix, or even better
b) a signed deb package repository (reprepro) of guix.

That would allow integrating it into Whonix easily.

Recently a non-controversial way of adding compiled software to Whonix was found:

https://forums.whonix.org/t/policy-for-inclusion-of-compiled-software/6635

Violations of FHS aren't great but acceptable, i.e. guix would be added to Whonix anyhow.

Unknown Object (User) removed a subscriber: Unknown Object (User).Feb 24 2022, 9:12 PM
Whonix OLD Issue Tracker · PLEASE DO NOT POST NEW TICKETS HERE · OLD Issue Tracker - Unread Notifications · OLD Issue Tracker - Feed · OLD Issue Tracker - Open Issues · NEW Issue Tracker · Homepage · Blog · Forum · Legal · Imprint · Privacy Policy · Terms of Use · Disclaimer