Re: Idea: Install script to better support improving contributor-friendliness of projects


From: myglc2
Subject: Re: Idea: Install script to better support improving contributor-friendliness of projects
Date: Tue, 28 Nov 2017 12:33:32 -0500
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)

On 11/26/2017 at 15:35 Mark H Weaver writes:

> Hi,
>
> Никита Чураев <address@hidden> writes:
>
>> Here's how I want to use Guix and it is to increase
>> contributor-friendliness of a project, so that the user can simply run
>> a distribution-independent command to install all dependencies without
>> having to hunt for them with `apt` and `dnf` manually.
>>
>> Unfortunately, Guix itself is not very easy to install, and the
>> instructions are full of rather technical stuff like 'systemd' and
>> 'upstart'.
>>
>> https://www.gnu.org/software/guix/manual/html_node/Binary-Installation.html
>>
>> There should be a script like the one Haskell Stack uses:
>>
>> curl -sSL https://get.haskellstack.org/ | sh

Agreed, thank you for raising these issues.

As you point out, the current manual binary install imposes a minimum
bound on the technical sophistication and determination of Guix
"triers". The absence of an automated install effectively filters out
"less sophisticated" users. It no doubt strongly limits the rate of
adoption and size of the user base.

Something like you have suggested is a must to reach a larger audience.
Not having it is like an exclusionary fence around Guix.  If we are
committed to usability and availability of Guix for anyone, we should
provide an automated install. Why haven't we done this yet?  Probably
because no Guix developer has to install/uninstall Guix on multiple
GNU/Linux distributions every day ;-)

> I can understand the appeal of such a convenient approach.  However,
> this practice of downloading a script via HTTPS and immediately running
> it as root without inspection puts you at considerable risk.  A
> man-in-the-middle with the resources to compromise or bribe *any*
> certificate authority in your trust store (the attacker could choose
> which one) could acquire a fraudulent certificate to impersonate our
> site, and then substitute in a different script than the one we
> provided.  Quite a few organizations are capable of such an attack
> today.
>
> Therefore, I believe it would be irresponsible for us to promote this
> style of installation.
>
> However, if there's sufficient interest, and if we could produce a
> sufficiently robust "auto-install" script, we could perhaps do something
> close to what you suggested.  We could provide a script along with a
> GnuPG digital signature.  We could ask the user to download the script,
> acquire our signing key, verify the signature on the script, and then
> run the script as root.

+1

WRT "sufficient interest", script users will be the prospective Guix
users that today hit a wall on the manual install.  This number no doubt
exceeds all Guix users today ;-)

ISTM, these are the downsides to releasing such a script:

1) increased "less sophisticated" Guix noob support load

2) stress-tests of Guix package management usability

3) increased hydra et al. loads
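
One way to carry out the download, verify-with-GnuPG, then run procedure that Mark outlines above, written as an added example for this thread (it is not code from the Guix project or from anyone in the discussion). It assumes the installer script, its detached signature and the project's public key have already been downloaded to the current directory, and that the key's fingerprint (`expected_fpr`, a hypothetical parameter) was obtained through a channel independent of the download itself, for example printed in the manual or on a release announcement; if the fingerprint comes from the same HTTPS page an attacker could substitute, the check protects nothing.

```shell
#!/bin/sh
# Added example: verify a GnuPG detached signature on an installer before
# running it, instead of piping curl straight into sh.
# Assumed inputs: installer script, detached .sig file, publisher's public
# key file, and the expected key fingerprint obtained out of band.
set -eu

# Import the publisher's key and check that the keyring really contains a
# key with the expected fingerprint. Fails (returns 1) on mismatch.
import_signing_key() {
    keyfile=$1
    expected_fpr=$2
    gpg --batch --quiet --import "$keyfile" 2>/dev/null
    gpg --batch --with-colons --fingerprint \
        | awk -F: '$1 == "fpr" { print $10 }' \
        | grep -qx "$expected_fpr"
}

# Verify the detached signature. gpg exits non-zero on a bad signature or an
# unknown key; we additionally require GOODSIG and a VALIDSIG line that names
# the expected fingerprint, so a signature from some *other* imported key is
# rejected too.
verify_script() {
    script=$1
    sig=$2
    expected_fpr=$3
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$script" 2>/dev/null) || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || return 1
    printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | grep -q "$expected_fpr"
}

# Run the script only after both checks pass. A real installer would be run
# with sudo sh; plain sh keeps this example self-contained.
install_verified() {
    script=$1
    sig=$2
    keyfile=$3
    expected_fpr=$4
    import_signing_key "$keyfile" "$expected_fpr" \
        || { echo "key fingerprint mismatch; aborting" >&2; return 1; }
    verify_script "$script" "$sig" "$expected_fpr" \
        || { echo "signature verification FAILED; not running $script" >&2; return 1; }
    sh "$script"
}
```

The fingerprint comparison is what turns "a valid signature" into "a valid signature from the key we expected": `gpg --verify` alone is satisfied by any key in the keyring, so an attacker who can get the user to import a second key would otherwise pass. Running the script only from `install_verified`, never directly, keeps the tamper check and the execution in one place.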
