help-guix

Re: Using Guix challenge for critical software? (resend)


From: Julien Lepiller
Subject: Re: Using Guix challenge for critical software? (resend)
Date: Wed, 29 Nov 2023 13:10:58 +0100
User-agent: K-9 Mail for Android

If you already have substituted it, you could rebuild it:

guix build openssh --no-grafts --check

On 29 November 2023 12:40:50 GMT+01:00, Steve George <steve@futurile.net> wrote:
>Hi,
>
>How can I use 'guix challenge' to test critical software or packages that are
>deep in the dependency tree?
>
>As I understand it, the purpose of Guix challenge is to test whether "binaries
>provided by this [substitution] server really correspond to the source code it
>claims to build" (from the manual). The obvious check then is to build the
>package myself locally and then check if the substitution server gives the same
>result. To do that I do this:
>
>$ guix shell --container --nesting --development cbonsai --network nss-certs -- \
>    guix build cbonsai --no-substitutes --no-grafts
>$ guix challenge --verbose cbonsai
>
>/gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match:
>  local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>  https://ci.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>  https://bordeaux.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>
>1 store items were analyzed:
>    - 1 (100.0%) were identical
>    - 0 (0.0%) differed
>    - 0 (0.0%) were inconclusive
>
>All good so far.
>
>But, how do I test something that I depend on like OpenSSH? As I'm using it
>(and it's critical to my system) I already have it installed locally from the
>substitution servers. Consequently, if I try to build it Guix informs me I
>have it already. I can't really remove it from my system, and I don't think
>there's a way to build it locally without first removing it.
>
>It seems at this point that I'm stuck. The only form of 'guix challenge' I can
>do is to check whether the two substitution servers agree - but if I don't
>trust the Guix developers this isn't a very good check.
>
>Is there some way to build the package locally (without first removing it)? Or
>some clever way to run Guix challenge that I'm not seeing?
>
>Thanks,
>
>Futurile/Steve
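
Added example, not part of either message: a POSIX shell function that reads raw (unquoted) `guix challenge` output and compares each server hash with the local hash itself, failing unless every item matches. The function names are this example's own, and the store names and hashes in `sample_output` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads `guix challenge` output on
# stdin and prints "<verdict> <store item>" for each item, comparing every
# server hash with the local hash.
# Verdicts: match | differ | inconclusive (no server hash was reported).
# Returns non-zero unless every item is a match (fails closed).
challenge_verdicts() {
    awk '
        function emit() {
            if (item == "") return
            verdict = (servers == 0) ? "inconclusive" : (bad ? "differ" : "match")
            print verdict, item
            if (verdict != "match") rc = 1
        }
        BEGIN { rc = 0 }
        # A line starting with a store path opens a new record.
        $1 ~ /^\/gnu\/store\// {
            emit(); item = $1; lhash = ""; servers = 0; bad = 0; pending = 0; next
        }
        $1 == "local" && $2 == "hash:" { lhash = $3; next }
        # Server line "<url>: <hash>". A mail client may wrap the hash onto
        # the next line, as in the quoted message; handle both layouts.
        $1 ~ /^https?:\/\// {
            if (NF >= 2) { servers++; if ($2 != lhash) bad++ } else pending = 1
            next
        }
        pending && NF == 1 { servers++; if ($1 != lhash) bad++; pending = 0; next }
        END { emit(); exit rc }
    '
}

# Constructed sample: placeholder store names and hashes. The second item
# has its server hash wrapped onto the following line.
sample_output() {
    cat <<'EOF'
/gnu/store/aaaa-example-a-1.0 contents match:
  local hash: hash1
  https://ci.guix.gnu.org/nar/lzip/aaaa-example-a-1.0: hash1
  https://bordeaux.guix.gnu.org/nar/lzip/aaaa-example-a-1.0: hash1
/gnu/store/bbbb-example-b-1.0 contents differ:
  local hash: hash2
  https://ci.guix.gnu.org/nar/lzip/bbbb-example-b-1.0:
  hash3
EOF
}
```

Typical use after the rebuild suggested above: `guix challenge --verbose openssh | challenge_verdicts`.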


