
GNU Guix 1.2.0 released

GNU Guix, a functional package manager and associated free software distribution, was introduced eight years ago. The 1.2.0 release celebrates the anniversary. "A major highlight in this release is the ability to authenticate channels, which probably makes Guix one of the safest ways to deliver complete operating systems today. This was the missing link in our 'software supply chain' and we’re glad it’s now fixed. The end result is that guix pull and related commands now cryptographically authenticate channel code that they fetch; you cannot, for instance, retrieve unauthorized commits to the official Guix repository."


GNU Guix 1.2.0 released

Posted Nov 24, 2020 8:17 UTC (Tue) by hailfinger (subscriber, #76962) (8 responses)

The release notes linked in the announcement suggest that Guix is 15 years behind Debian (Secure APT in 2005) in authenticating distribution contents. I sincerely hope that this is just a misunderstanding on my part.

GNU Guix 1.2.0 released

Posted Nov 24, 2020 13:32 UTC (Tue) by civodul (guest, #58311) (7 responses)

I think it is. :-)

(Author here.) Binaries in Guix (called "substitutes") have been authenticated for years. But what the announcement mentions here is a way for users to authenticate updates to the source of Guix that they receive via "guix pull". The feature in fact works for authenticating Git repositories in general: you run "git pull" and then "guix git authenticate" verifies that you fetched authentic code according to the repo's rules.

It's not directly comparable to Debian and other binary distros because what they deliver, primarily, are build products and associated metadata; conversely, what Guix delivers, primarily, is the source code of the whole distro.

GNU Guix 1.2.0 released

Posted Nov 24, 2020 13:51 UTC (Tue) by pabs (subscriber, #43278) (6 responses)

Debian authenticates both binaries and source via the same mechanism: OpenPGP-signed Release files, then a hash chain: Release -> Packages/Sources -> .deb (binary) / .dsc (source).
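To make the hash chain described in the comment above concrete, here is an added example (not part of the comment and not Debian's own tooling) that walks Release -> Packages -> .deb over constructed sample data; it assumes the OpenPGP signature on Release has already been checked, and all function names and sample values are hypothetical.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release_sha256(release_text: str) -> dict:
    """Return {path: (sha256, size)} from the 'SHA256:' block of a Release file."""
    entries, in_block = {}, False
    for line in release_text.splitlines():
        if in_block and line.startswith(" "):
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
        else:  # any other field (Origin:, MD5Sum:, ...) ends the SHA256 block
            in_block = line.strip() == "SHA256:"
    return entries

def parse_packages(packages_text: str) -> list:
    """One dict per blank-line-separated stanza of a Packages index."""
    return [dict(line.split(": ", 1) for line in block.splitlines())
            for block in packages_text.strip().split("\n\n")]

def verify_chain(release_text: str, index_path: str, index_bytes: bytes, pool: dict) -> list:
    """Walk Release -> Packages -> .deb; `pool` maps Filename -> bytes. Assumes the
    OpenPGP check on Release was done. Returns verified paths or raises ValueError."""
    digest, size = parse_release_sha256(release_text).get(index_path, (None, None))
    if len(index_bytes) != size or sha256_hex(index_bytes) != digest:
        raise ValueError(f"{index_path} does not match Release")
    verified = []
    for pkg in parse_packages(index_bytes.decode()):
        path, data = pkg["Filename"], pool.get(pkg["Filename"], b"")
        if len(data) != int(pkg["Size"]) or sha256_hex(data) != pkg["SHA256"]:
            raise ValueError(f"{path} does not match its Packages entry")
        verified.append(path)
    return verified

# Constructed sample archive (not real Debian data); indices are derived from the .deb bytes.
DEB = b"!<arch>\nconstructed hello_1.0_amd64.deb body\n"
DEB_PATH = "pool/main/h/hello/hello_1.0_amd64.deb"
PACKAGES = (f"Package: hello\nVersion: 1.0\nArchitecture: amd64\nFilename: {DEB_PATH}\n"
            f"Size: {len(DEB)}\nSHA256: {sha256_hex(DEB)}\n").encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE = (f"Origin: Constructed\nSuite: example\nSHA256:\n"
           f" {sha256_hex(PACKAGES)} {len(PACKAGES)} {INDEX_PATH}\n")

def check_example(tamper: bool = False) -> bool:
    # True when the chain verifies; a one-byte change to the .deb (same size) is rejected
    deb = DEB[:-1] + b"?" if tamper else DEB
    try:
        return verify_chain(RELEASE, INDEX_PATH, PACKAGES, {DEB_PATH: deb}) == [DEB_PATH]
    except ValueError:
        return False
```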

GNU Guix 1.2.0 released

Posted Nov 24, 2020 14:28 UTC (Tue) by jak90 (subscriber, #123821) (1 response)

While Debian publishes and signs all the sources that lead to packaged software, there's often no clear link how the "upstream" archive is procured (especially when upstream has been long dead or is exclusively a VCS), and how a wholesome collection of source/binary packages bundled as a distribution and signed by the project's master key correlates to the individual maintainer's package version history.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 12:02 UTC (Wed) by pabs (subscriber, #43278)

It seems like the same is true of any distribution.

Debian's solution to this problem is to include upstream signing keys in the source package in the debian.tar.gz component and the upstream signature (orig.tar.gz.asc) alongside their tarball (orig.tar.gz).

I'm not sure I understood what you were getting at in the second half of your sentence.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 13:36 UTC (Wed) by civodul (guest, #58311) (3 responses)

The analogy would be: Debian stores 'debian/rules' and similar files under version control; when one clones or pulls from that repository, the checkout is not authenticated.

GNU Guix 1.2.0 released

Posted Nov 25, 2020 22:48 UTC (Wed) by ballombe (subscriber, #9523) (2 responses)

> Debian stores 'debian/rules' and similar files under version control;
Well but Debian does not...

GNU Guix 1.2.0 released

Posted Nov 26, 2020 18:50 UTC (Thu) by jak90 (subscriber, #123821) (1 response)

You're right about that, but the infrastructure would be there. Debian has VCS storage for developers on Salsa and has supported a Git-based format for source packages since 2011.
https://wiki.debian.org/GitSrc
The last question actually touches on the same point as this, although just regarding the integrity of upstream.

GNU Guix 1.2.0 released

Posted Nov 27, 2020 0:05 UTC (Fri) by pabs (subscriber, #43278)

Salsa is optional and orthogonal to the Debian archive. In practice the Git-based source package format has never been used and isn't allowed in the Debian archive because the Debian ftp-masters do not want to have to review the entire git history for new packages. Another git-related thing Debian has is Dgit, which is similar to Launchpad's bzr stuff in that it imports the source packages from the archive into git. It doesn't have much adoption though.

https://browse.dgit.debian.org/
https://wiki.debian.org/DgitFAQ
https://salsa.debian.org/dgit-team/dgit
Copyright © 2020, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds