Nix is a package manager for Linux and other Unix systems that makes package management reliable and reproducible. It provides atomic upgrades and rollbacks, side-by-side installation of multiple versions of a package, multi-user package management and easy setup of build environments. It also makes packaging easier than Debian does, and its build system supports compiler hardening flags.
GNU Guix is based on it with some modifications.
* Has the potential to solve our problem of including external binaries in a safe reproducible way without the Debian freeze restrictions.
* Does not interfere with apt or the system configuration in any way: its store and profiles live entirely under /nix.
* Usability impact of running two package managers to keep the system updated. Wrapper scripts or some other way to notify users may be needed.
Found the dev thread about GNU Guix's Debian packaging attempts mentioned in:
There was a GSoC 2016 project to get it into Debian, but it did not happen for many reasons.
There are good reasons why Guix and Nix do not follow the FHS, but that makes an upstream Debian package unlikely. Attempts to conform to the FHS broke Guix functionality and would have messed up its clean install layout:
Instead, the Guix project distributes a signed tarball with instructions to compile and install it, which is far from optimal for us:
Instead of trying to get into Debian, the devs talked about the possibility of providing a .deb via their own repository, one that does not follow Debian standards but is very convenient for people who want to bootstrap a Guix install:
"Hosting a .deb file on our own server that users could download and
install with dpkg would be perfect for us."
The blocker is that Ubuntu's build process requirements differ from Debian's, so they shelved the whole thing:
"Without a fully automated process to build .deb for several distros, I
don’t think we can offer to distribute .deb ourselves. :-/"
Here a Guix enthusiast discusses how to run Guix without compiling it. Interesting, but it does not make distribution any easier in our case:
With this path blocked, I decided to look at the Nix manager instead, which is what Guix is based on anyway. Fortunately, it's a better situation: signed Debian packages for stable are provided, along with a script that fetches and validates the .deb. That means that with some legwork it can be included in Whonix via our repos:
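The fetch-and-validate step is where a self-hosted .deb stands or falls: dpkg -i installs whatever it is handed, so authenticity (an OpenPGP signature over the checksum manifest, checked against a keyring we pin ourselves rather than the user's default keyring) and integrity (the SHA-256 of the .deb against that manifest) both have to be checked before dpkg is ever invoked. The script below is an added example written for this page; it is neither Nix's own installer script nor a Whonix build script. The keyring path, the manifest layout (a SHA256SUMS file with a detached SHA256SUMS.sig beside it) and the argument order are assumptions.

```shell
#!/bin/sh
# Added example: verify a downloaded .deb against a signed SHA256SUMS manifest
# before handing it to dpkg. Not the upstream Nix installer script.
# Assumed layout: <keyring.gpg> <SHA256SUMS> <SHA256SUMS.sig> <package.deb>
set -eu

# verify_manifest_sig KEYRING MANIFEST SIG
# Authenticity: the manifest must carry a good signature from a key in our
# pinned keyring. --no-default-keyring keeps the user's own keys out of it;
# --trust-model always means "any key in this file is trusted", so the file
# must contain only the vendor key we chose to pin.
verify_manifest_sig() {
    gpg --batch --no-default-keyring --keyring "$1" \
        --trust-model always --verify "$3" "$2" 2>/dev/null
}

# verify_sha256 MANIFEST FILE
# Integrity: FILE's SHA-256 must equal the manifest entry for its basename.
# Manifest lines have the sha256sum(1) shape "<hex>  <name>" or "<hex> *<name>".
verify_sha256() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $name" >&2
        return 1
    fi
}

# install_verified_deb KEYRING MANIFEST SIG DEB
# Every check is spelled out with "|| return 1" so the script never reaches
# dpkg on a failed check, even if errexit is switched off by a caller.
install_verified_deb() {
    verify_manifest_sig "$1" "$2" "$3" || return 1
    verify_sha256 "$2" "$4" || return 1
    dpkg -i "$4"
}

# Only act when invoked with the four expected arguments.
if [ "$#" -eq 4 ]; then
    install_verified_deb "$@"
fi
```

The signature is checked on the manifest rather than on each .deb so that one pinned key and one detached signature cover every artifact listed, and the checksum step then ties the specific .deb to that signed manifest; a checksum on its own proves only that the download was not corrupted, not who published it.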
I looked at their package selection and it is impressive: Grsecurity, GNUnet and much more:
Other interesting reads: