[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: What’s next?
|
From: |
Leo Famulari |
|
Subject: |
Re: What’s next? |
|
Date: |
Wed, 24 May 2017 17:45:39 -0400 |
|
User-agent: |
Mutt/1.8.2 (2017-04-18) |
On Wed, May 24, 2017 at 06:25:40PM +0200, Jan Nieuwenhuizen wrote:
> A friend of mine is having a second look at Guix (not SD yet) and one of
> the most confusing things initially is `guix pull'. "When/how do I use
> that," he asks...and I can only say: I'm not using that...I think we
> want this to work--or something like this, we talked about this at
> FOSDEM, but AFAIK everyone is using Guix with Git.
`guix pull` is one of the primary tools of Guix. For those who are new
to Guix, it should be described as a per-user `apt-get update`. That is,
it updates the list of available packages. The finer differences and
extra features are not important for new users to learn at the
beginning.
With the recent commit adding '--fallback' to `guix pull` [0], the main
reason for Guix users who are not Guix developers to resort to Git has
been removed.
So, I use and recommend `guix pull`!
Do you think the manual can be more clear about this? I'd really like to
hear which parts of the manual your friend read. Maybe we need to
rearrange or rewrite some sections.
I think the most immediate problem with `guix pull` is that it doesn't
support Git commit signature verification. So, you end up trusting
different things: basically, a subset of the X.509 PKI vs PGP+SHA1 [1,2].
I think we can fix this while making `guix pull` use (guix git).
Building Guix from Git is the normal way to develop Guix, and it avoids
downloading a Guix tarball from Savannah in the default case, so
developers will learn and use it, but it brings its own pitfalls.
[0]
https://git.savannah.gnu.org/cgit/guix.git/commit/?id=4902d3c4e0376974356481f222583580b49f39e1
[1] `guix pull` verifies the certificate of <git.savannah.gnu.org>
against the Let's Encrypt trust chain *only*.
[2] If I understand correctly, Git commit signatures are of the SHA1
hash, not the actual commit data. So... not great if I'm correct, but it
will get better as Git introduces a new hash function. And SHA1
collisions are rather obvious to detect, at least according the public
research. An attempt at collision detection was added in Git 2.13.0.
> He responds with: then *why* is it in the manual. I have no answer.
> Possibly I'm wrong and/or my information is outdated?
Since we are all Guix developers, we talk about developing Guix, but not
as much the day-to-day use. So our impressions may not match actual
usage patterns.
signature.asc
Description: PGP signature
- Re: What’s next?, (continued)
Re: What’s next?, Catonano, 2017/05/24
Re: What’s next?, Jan Nieuwenhuizen, 2017/05/24
Re: What’s next?,
Leo Famulari <=
- Re: What???s next?, Pjotr Prins, 2017/05/25
- Re: What???s next?, Ludovic Courtès, 2017/05/27
- Re: What's next?, Pjotr Prins, 2017/05/28
- Re: What's next?, Ludovic Courtès, 2017/05/28
- Re: What's next?, Roel Janssen, 2017/05/28
- Re: What's next?, Ludovic Courtès, 2017/05/30
- Re: What's next?, Pjotr Prins, 2017/05/30
Re: What's next?, Maxim Cournoyer, 2017/05/28
Re: What???s next?, Maxim Cournoyer, 2017/05/28
Re: What???s next?, Ricardo Wurmus, 2017/05/28