[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Using Guix challenge for critical software? (resend)
From: |
Julien Lepiller |
Subject: |
Re: Using Guix challenge for critical software? (resend) |
Date: |
Wed, 29 Nov 2023 13:10:58 +0100 |
User-agent: |
K-9 Mail for Android |
If you already have substituted it, you could rebuild it:
guix build openssh --no-grafts --check
Le 29 novembre 2023 12:40:50 GMT+01:00, Steve George <steve@futurile.net> a
écrit :
>Hi,
>
>
>
>How can I use 'guix challenge' to test critical software or packages that are
>deep in the dependency tree?
>
>
>
>As I understand it, the purpose of Guix challenge is to test whether "binaries
>provided by this [substitution] server really correspond to the source code it
>claims to build" (from the manual). The obvious check then is to build the
>package myself locally and then check if the substitution server give the same
>result. To do that I do this:
>
>
>
>$ guix shell --container --nesting --development cbonsai --network nss-certs
>-- \
>
> guix build cbonsai --no-substitutes --no-grafts
>
>$ guix challenge --verbose cbonsai
>
>
>
>/gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match:
>
> local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>
>
> https://ci.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1:
> 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>
>
> https://bordeaux.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1:
> 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28
>
>
>
>1 store items were analyzed:
>
> - 1 (100.0%) were identical
>
> - 0 (0.0%) differed
>
> - 0 (0.0%) were inconclusive
>
>
>
>All good so far.
>
>
>
>But, how do I test something that I depend on like OpenSSH? As I'm using it
>(and it's critical to my system) I already have it installed locally from the
>Substitution servers. Consequently, if I try to build it Guix informs me I
>have it already. I can't really remove it from my system, and I don't think
>there's a way to build it locally without first removing it. >
>
>
>It seems at this point that I'm stuck. The only form of 'guix challenge' I can
>do is to check whether the two Substitutions servers agree - but if I don't
>trust the Guix developers this isn't a very good check.
>
>
>
>Is there some way to build the package locally (without first removing it)? Or
>some clever way to run Guix challenge that I'm not seeing?
>
>
>
>Thanks,
>
>
>
>Futurile/Steve
>
>