[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: "guix potluck", a moveable feast

From: Ludovic Courtès
Subject: Re: "guix potluck", a moveable feast
Date: Sun, 02 Apr 2017 01:05:15 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)


Andy Wingo <address@hidden> skribis:

> As an interlude, here is how a user would enter an environment that has
> a potluck package "foo" using Guix (using a pack is also possible).  We
> start with setup steps:
>   (1) Install Guix as a user.  (This needs to be easier.)
>   (2) guix channel add potluck master
>   (3) guix channel enable potluck

So users would see the union of independent potluck “dishes”, right?

> A packaging language for stability and security
> -----------------------------------------------
> So how do packages enter the potluck channel?  Good question, fictional
> reader!  This is the tricky bit.  There are some concerns here:
>   (1) The Guix API is not stable and has no plans to be stable.  This
>       works great for now because all packages are in one atomic
>       repository and people work on making the whole thing make sense
>       together.  One of the goals of the potluck effort is to
>       decentralize things a bit, so we have an impedance mismatch
>       between potluck packages and Guix itself.
>   (2) Potluck package definitions will live in many different git
>       repositories across the internet, and anyone should be able to
>       make a potluck package.  Some potluck package authors will be
>       malicious.  They could:
>        1. Damage the server that manages the potluck channel
>        2. Damage the users that run Guix commands with the potluck
>           channel enabled
>        3. Damage the users that install potluck packages
>       I think we need to forget about 3, for now at least.  (Flatpak
>       solves this, more or less; Guix has ongoing work to do here I
>       think.)
> Both of these large issues point to the need for careful design of the
> language that potluck packages are written in.  The language that Guix
> packages are written in is inappropriate because of (1).  In particular
> we should not depend on which module a package comes from, and what
> identifier binds any given package.  For (2), packages are currently
> written in full Scheme, staged between the Guix command itself and the
> sandbox that runs inside guix-daemon.  Full Scheme might be OK in the
> daemon but it's not OK in the Guix command itself.
> Concretely I would propose that the language that potluck files are
> written in is like this:
>   (1) It's code, not inert data.
>   (2) It's a subset of Scheme, like core Guix packages.
>   (3) The general structure looks like this:
>       (import-guix-packages ((guile "address@hidden")
>                              (glibc "glibc")))
>       (import-potluck-packages ((foo "foo")))
>       (define bar
>         (package
>           (name "guile-bar")
>           (version "1.0.0")
>           (build-system gnu-build-system)
>           (inputs `(("guile" ,guile))
>           ....)))

That makes sense to me.

The sandbox would have transitive access to a lot of modules; I wonder
if this might somehow make it easier to escape the sandbox, by
increasing the attack surface.  For instance,

  (source-module-closure '((guix packages)) #:select? (const #t))

contains (system foreign).  That’s probably more of a topic for
guile-devel though.

Beside, related to Chris’ comment, I’m a bit concerned about versioning
in such a widely distributed repo.  The package graph in Guix has zero
degrees of liberty: every package is connected to other packages; every
Guix user sees the exact same graph.

Here, we’d have to be more flexible and allow potluck.scm files to just
say “import guile” or “import address@hidden; “import guile” might provide
2.0 on a machine running an older Guix, and it might give 2.2.9 on an
up-to-date machine.

IOW, we’re no longer describing one specific graph, but instead
describing a family of graphs with some constraints.  The benefits are
decentralization, but the main drawback is non-reproducibility: the
result would depend on the user machine’s initial state.

To work around that, I think the server should resolve package
specifications when the potluck.scm file is submitted, and insert each
package in the Guix package graph of the moment.  Does that make sense?
Maybe that’s what you were describing when you talk about rewriting
potluck.scm files so?

> There is a particular concern about staging: there is staged Scheme code
> in these modules that runs inside build processes in guix-daemon.  I
> don't have any nice solution here.

What’s the problem anyway?  The build environment is a “sandbox” so it’s
not a problem if staged code attempts to do nasty things.

> A potluck channel manager
> -------------------------
> The "guix potluck manage-channel" command manages a registry of sources
> of potluck definitions and turns them into a git branch of package
> files.  This is the web service.
> The idea is that as a developer, you should be able to do:
>   guix potluck add master
> This causes the client to make a request to some web service, say
> running on, to register that git branch.

Souds good.

Thanks for getting it started!


reply via email to

[Prev in Thread] Current Thread [Next in Thread]