The Guix (almost) full-source bootstrap

[Posted May 2, 2023 by corbet]

The Guix project ("a transactional package manager and an advanced distribution of the GNU system") has announced a milestone toward its goal of bootstrapping an entire distribution from source:

If you run guix pull today, you get a package graph of more than 22,000 nodes rooted in a 357-byte program—something that had never been achieved, to our knowledge, since the birth of Unix.

This is an interesting exercise, but should also be a defense against "trusting trust" attacks. (Thanks to Ludovic Courtès and Andy Tai).

The Guix (almost) full-source bootstrap

Posted May 2, 2023 14:54 UTC (Tue) by NightMonkey (subscriber, #23051) [Link]

This is good news. I do hope that more traction happens for it. There's only one Vagrant Box for Guix, and it hasn't been updated in 2 years: . :( My hope would be more options and more updates. :)

The Guix (almost) full-source bootstrap

Posted May 2, 2023 16:46 UTC (Tue) by mb (subscriber, #50428) [Link] (3 responses)

Great project!

>Liberating, Dependable, Hackable

The last word didn't age so well in the last two decades. Oh well...

The Guix (almost) full-source bootstrap

Posted May 2, 2023 20:00 UTC (Tue) by ballombe (subscriber, #9523) [Link] (2 responses)

We should reclaim the word "hack".

The Guix (almost) full-source bootstrap

Posted May 3, 2023 13:08 UTC (Wed) by geert (subscriber, #98403) [Link]

Interestingly, the Good Old meaning is still alive in the popular term "life hack"...

The Guix (almost) full-source bootstrap

Posted May 3, 2023 15:10 UTC (Wed) by NightMonkey (subscriber, #23051) [Link]

I never let it go. :)

The Guix (almost) full-source bootstrap

Posted May 3, 2023 15:58 UTC (Wed) by IanKelling (subscriber, #89418) [Link] (2 responses)

This is amazing! I think there is a missing angle in the story: If the GPL requires source code + working build progams and scripts, and those build programs are GPL, which requires .... GUIX!

The Guix (almost) full-source bootstrap

Posted May 3, 2023 21:18 UTC (Wed) by JoeBuck (subscriber, #2330) [Link] (1 responses)

While reducing the amount of trusted code is great, this isn't a GPL requirement in any way. The GPL has an exception; from the GPL2 text:

However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.

So artifacts produced by a proprietary compiler or static library routines were allowed. This was a compromise that had to made to make it legal to destribute GCC binaries for proprietary operating systems.

The Guix (almost) full-source bootstrap

Posted May 5, 2023 2:21 UTC (Fri) by IanKelling (subscriber, #89418) [Link]

I'm happy that you quoted a relevant section of the GPLv2, but I don't think it invalidates the point I was making (perhaps I wasn't clear). Program 1 is GPL, requires Program 2 to build it. Even if Program 2 is "normally distributed", if Program 2 is also GPL then it gets distributed and the GPL applies to it independently. Hence a chain. But, source distribution is not just a GPL requirement, it is a principle. Thus Guix is, in a way, advancing a frontier of software freedom.

The Guix (almost) full-source bootstrap

Posted May 5, 2023 18:39 UTC (Fri) by flussence (guest, #85566) [Link]

It'd be interesting to see this combined with what Oxide Computer is doing, because the end result would be bootstrapping in the original tech-jargon meaning of the word - everything from the initial state toggle switches upwards is accounted for (until someone opens a browser window on it :)