
Distributions

Reproducible builds and standalone GNU systems with Guix 0.9

By Nathan Willis
November 18, 2015

Version 0.9 of the Guix package-management system was released on November 5. Since the previous major release in 2014, the Guix project has evolved to include not only the package manager itself, but the Guix Software Distribution (GuixSD) as well. With the large set of packages it supports, Guix already provides, in essence, a full operating-system layer that can be deployed and maintained on top of a minimal core Linux distribution. GuixSD goes one step further, and provides a Linux kernel and core OS components as well. Regardless of whether one uses GuixSD or simply installs individual packages with the Guix tools, the new release adds quite a bit of interesting new functionality, including automatic container provisioning, new tools for graphing package dependencies, and a mechanism for users to verify reproducible software packages.

A new distribution?

The underlying concepts of GuixSD have been in development for a while, but it is only in recent releases that the project's language has shifted to talking about GuixSD as a standalone system or distribution. The 0.7 release in July 2014 was the first to support standalone installation, while the 0.8.1 release in January 2015 was the first to refer to the standalone option as GuixSD. In February 2015, the Free Software Foundation (FSF) added GuixSD to its list of free-software distributions.

Despite the official FSF endorsement, GuixSD in its current state is not quite what most in the Linux realm would consider a usable distribution—a fact that the GuixSD manual notes as well. The installation process is manual, requiring the user to (for example) create the necessary disk partitions by hand and set up the network configuration on the command line. This is certainly not a showstopper, of course, although there is also a limited set of packages and system services available. PostgreSQL is the only SQL database package provided, nginx is the only web server, and neither KDE nor GNOME is packaged (although Xfce and Enlightenment are). In addition, there are some lower-level features still unavailable, such as Logical Volume Manager (LVM) and support for encrypted root partitions, that could prove to be critical for some users.

Nevertheless, GuixSD is rapidly shaping up to be a viable distribution; the number of packages included is on the rise, and the project has begun developing its own components. The first is the daemon-managing daemon (dmd), which handles service management and start-up. GuixSD uses the Linux-libre kernel, a GNU-maintained derivative of the mainline Linux kernel with all proprietary firmware blobs removed.

The second significant addition developed for GuixSD is the GuixSD services system. This is the platform-level framework for defining system services on the GuixSD distribution, analogous to the service definitions used by systemd. GuixSD services are defined using Scheme syntax with (key value) pairs. The current set of services defined for GuixSD is small, but the documentation provides several examples.

Advanced packaging

While the testing and development of GuixSD proceeds, Guix remains useful for those running other distributions as a package-management system. Among the new features implemented in the 0.9 release is Guix's own implementation of application containers. Specifically, the guix command-line tool can run several of its commands in containers that are spawned on the fly. The supported commands include environment, which is used to build a package in an isolated development environment, and system, which is used to build a full OS. Running

    guix environment --container foo

creates a new virtual development environment in a container and bind-mounts directories within that environment containing the dependencies needed to build the package foo. This feature was implemented in order to help developers create reproducible builds; one of the Guix project's goals is to make source and binary packages interchangeable from the user's perspective. By eliminating the possibility that a discrepancy between source and binary packages will go undetected, the project hopes to make it demonstrable that the "corresponding source" (in GPL terminology) to a binary package has been released.

Performing all builds in an isolated environment is one step toward that goal, but such a build process is a tool for developers, not end users. Consequently, Guix 0.9 adds a reproducible-build verification tool. By running

    guix challenge foo

a user can perform an automated build of the "foo" package from source and compare the resulting binary to the binary published on the Guix central repository.

In the event that a source build and a published binary do not match, there are several potential causes to consider. As the Debian reproducible-builds team has noted, after all, there can be many non-malicious sources of non-determinism in a build (including simple matters like including timestamps in the build output). The guix archive command will show where a completed build differs from the published binary package.

By default, guix challenge compares its local build results with the Guix package repository, but options are available to retrieve and build source from other servers as well. That opens up the door to spotting deterministic-build problems with upstream projects, as well as to detecting cases where a project fails to publish the full corresponding source to its package.
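As an added illustration (not Guix code, and not part of the original article) of what the guix challenge comparison above amounts to: the hash of a local build is checked against the hashes published by one or more substitute servers, and a build that embeds the wall-clock time is the simplest way to make that check fail. The server names, the toy build function and all hashes below are constructed.

```python
import hashlib
from typing import Dict, List


def output_hash(archive: bytes) -> str:
    """Hash a build output. Guix hashes a normalized archive of the whole
    store item; this constructed model just hashes a byte string."""
    return hashlib.sha256(archive).hexdigest()


def build(source: bytes, build_time: str) -> bytes:
    """Toy build that stamps its output with the build time, the classic
    non-malicious source of non-determinism the article mentions."""
    return source + b"\nBUILT_AT=" + build_time.encode()


def challenge(local: Dict[str, str],
              servers: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Model of the guix challenge check: for each store item, list the
    servers whose published hash differs from the local build (an empty
    list means the item reproduced). Servers that do not publish the item
    at all are simply skipped, not counted as mismatches."""
    report: Dict[str, List[str]] = {}
    for item, local_hash in local.items():
        report[item] = [
            name for name, published in servers.items()
            if item in published and published[item] != local_hash
        ]
    return report


# Constructed sample data: package "foo" as published by two servers.
SOURCE = b"int main(void) { return 0; }"
RELEASE_TIME = "2015-11-05T10:00:00Z"
PUBLISHED = {
    "hydra.example": {"foo": output_hash(build(SOURCE, RELEASE_TIME))},
    "mirror.example": {"foo": output_hash(build(SOURCE, RELEASE_TIME))},
}


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Run the check twice: once with the wall-clock time baked into the
    output (does not reproduce) and once with the timestamp pinned to a
    fixed, source-derived value (reproduces)."""
    wall_clock = {"foo": output_hash(build(SOURCE, "2015-11-18T09:31:07Z"))}
    pinned = {"foo": output_hash(build(SOURCE, RELEASE_TIME))}
    return {"timestamped": challenge(wall_clock, PUBLISHED),
            "pinned": challenge(pinned, PUBLISHED)}


if __name__ == "__main__":
    for mode, report in demo().items():
        for item, bad in report.items():
            print(mode, item, "differs on " + ", ".join(bad) if bad else "reproducible")
```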

The new release also adds several new package-management commands. The guix graph command will compute the dependency graph for any package, outputting the result in Graphviz format. It can thus be piped directly into Graphviz's dot command to produce a visualization of the package's dependencies. The default output omits implicit dependencies (such as system libraries and basic Unix utilities) as well as bootstrapping dependencies, but both can be added to the graph output via command-line switches.

All things considered, Guix has made considerable progress simply as a package manager in the past few years. There are now more than 2600 packages available in the repository. But the addition of tools to reproducibly build those packages and for users to verify that reproducibility is, arguably, the bigger accomplishment—the move toward reproducible builds is a goal that many distributions share. It will also be interesting to observe how GuixSD develops as a distribution. It is still quite early, perhaps too soon to compare GuixSD to other free-software distributions, but providing access to a pure-free-software system and to verifiable package builds will no doubt attract a lot of attention in the months and years to come.


Brief items

Distribution quote of the week

This is probably one of those cases where having rawhide spins is the best solution where team A can test stuff without breaking team B's stuff. [Even when A and B are sitting 1-4 cubicles apart.] {if you hear cries of anguish it was releng and qa thinking of having rawhide spins...}
-- Stephen J Smoogen


Firefox OS 2.5 developer preview

Mozilla has announced the availability of a developer preview for version 2.5 of Firefox OS. New features include an add-on mechanism, tracking protection, and more. There is also a version of the system packaged as an Android app, allowing it to be tried on an Android device without wiping Android itself. "If you’re curious to see what Firefox OS is all about, or just interested in testing out new features, the Firefox OS 2.5 Developer Preview app makes it very simple to get started with very little risk involved. By downloading the app, you can experience Firefox OS and explore many of its capabilities, without flashing hardware. If you decide you’re done trying it out, the app can be removed as simply as any other app."


Red Hat delivers Software Collections 2.1

Red Hat has announced the availability of Red Hat Software Collections 2.1. Red Hat Developer Toolset 4 was also released. "Applications built with Red Hat Software Collections can be deployed into production with greater confidence, as most software collections and components are supported for three years. In addition to Red Hat Enterprise Linux 6 and 7, applications built with Red Hat Software Collections can also be deployed to Red Hat Enterprise Linux Atomic Host and OpenShift, Red Hat’s Platform-as-a-Service (PaaS) offering, giving more choice and flexibility for application portfolios."


Distribution News

Fedora

Fedora Elections - Nomination period is now open

Nominations are open for seats on the Fedora Engineering Steering Committee (FESCo), Fedora Council, Environment and Stacks working group, and Fedora Ambassadors Steering Committee (FAmSCo). The nomination period ends November 23.


Newsletters and articles of interest

Distribution newsletters


Refined player: Fedora 23's workin' it like Monday morning (The Register)

The Register reviews Fedora 23. "Once you've got Fedora WorkStation installed the first thing you'll likely notice is GNOME 3.18. GNOME may be upstream from Fedora, but Fedora has long been where GNOME turns to showcase new features and Fedora 23 is no different. Among the changes in GNOME 3.18 are faster searching, first-class support for integrating Google Drive in Nautilus, support for light sensors (handy on laptops since you can lower the back light setting and extend battery life) and improved Wayland support. More on Wayland in a minute, but some other new features in GNOME 3.18 deserve mention."


Netrunner Rolling 2015.11 Linux distro is here (BetaNews)

BetaNews takes a look at Netrunner Rolling. "One of my favorite distros, however, is not particularly popular, but it should be. Netrunner is a brilliant KDE-focused operating system that works well for beginners and experts alike. Despite KDE's arguably confusing settings, I really like it as an operating system for someone transitioning from Windows. It feels familiar, is very polished, and comes loaded with great software. The latest version of its Manjaro/Arch-based rolling variant is now available and it looks great. Beginners should sit this out, however, and stick with the more-stable Kubuntu-based variant."


Page editor: Rebecca Sobol


Copyright © 2015, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds