LWN: Comments on "Removing Guix from Debian"

I'd say it's fine to remove Guix from official APT repos

joeljuca — Sun, 14 Sep 2025 19:46:40 +0000

I think whoever is using Guix to manage packages outside the APT scope is fine with managing Guix itself, so I'm good with Guix being removed from APT official repos. The Guix project can always maintain a dedicated APT repo in case people really want to have an easy APT-based installation option for it.

Guix users are quite CLI-savvy, so they should be OK with running a small pack of commands instead of a `apt-get install`...

I hope Guix is OK

Lennie — Fri, 05 Sep 2025 11:49:10 +0000

It's the only system at the moment (in the world for any operating system I think), which can do a 'full source bootstrap':

https://guix.gnu.org/en/blog/2023/the-full-source-bootstr...

I think they got both amd64 and maybe also RISC-V working.

A detailed look:

https://simon.tournier.info/posts/2023-10-01-bootstrappin...

A talk from last year about the RISC-V progress:

https://archive.fosdem.org/2024/schedule/event/fosdem-202...

Fasttrack time?

hmh — Thu, 04 Sep 2025 11:15:57 +0000

Apparently it would qualify for fasttrack.debian.net, yes.

Do note the "debian.*net*" part, it is run by Debian Developers, but not really official Debian infrastructure, so YMMV.

I would personally use it without worries, but it is best to be upfront about this.

A daemon process?

phlogistonjohn — Wed, 03 Sep 2025 20:38:58 +0000

podman does not use a daemon by default. I think you can enable one but it's not the typical deployment AFAIK. It's one of the major architectural differences from docker.

A daemon process?

ebee_matteo — Wed, 03 Sep 2025 10:36:06 +0000

You mean, like docker or podman do? :-D

A daemon process?

taladar — Wed, 03 Sep 2025 07:39:54 +0000

Probably also helps if the CLI is just a client for the daemon in terms of avoiding complex locking issues between multiple CLI calls in different terminals.

Popcon Dark Figure

taladar — Wed, 03 Sep 2025 07:38:37 +0000

If a significant number of people using popcon have already updated to trixie they are likely unrepresentative of the majority of Debian users who are certainly less on the bleeding edge. It is too early for trixie to have support in all third party repositories and applications for a significant percentage of e.g. the server users to update to it already.

Fasttrack time?

DemiMarie — Wed, 03 Sep 2025 07:08:30 +0000

Fasttrack seems to be the beat place for stuff like this.

Popcon Dark Figure

LtWorf — Wed, 03 Sep 2025 06:14:55 +0000

But they won't be representative…

The way forward

emptymargin — Wed, 03 Sep 2025 01:51:05 +0000

If you're one of the ignoble 230 like I am, it's worth mentioning that Guix has updated its manual with what to do in this situation:

<https://guix.gnu.org/manual/devel/en/html_node/Upgrading-...>

A daemon process?

neggles — Tue, 02 Sep 2025 22:54:42 +0000

AIUI this is so the daemon can run as a different, unprivileged user, so a badly-behaved build won't have permission to mess up your filesystem or read your home directory. On paper it'd also allow sharing one set of build directories and outputs between multiple users on the same system.

Popcon Dark Figure

ballombe — Tue, 02 Sep 2025 19:27:53 +0000

From the FAQ: <https://popcon.debian.org/FAQ>
The server automatically extracts the report from the email or HTTP and stores it in a database for a maximum of 20 days or until the host sends a new report.

So each days, only submissions younger than 20 days are considered for the statistic of the day.
The graphs are only provided to give an historical perspective. For example, that bookworm peaked at almost 16k submissions before the release of trixie.

Popcon Dark Figure

jzb — Tue, 02 Sep 2025 19:18:51 +0000

I'm not sure where the 20 days figure comes from? I was looking at the "Statistics per distributions reporting to Debian" on the Stable reports tab: it says "Submissions by distributions (last 12 months)" in the bottom graph, with a figure of 134,711 on the left-hand side. I don't see any reports/graphs that are a 20-day time period on that page, nor on the other tab.

Popcon Dark Figure

ballombe — Tue, 02 Sep 2025 18:52:29 +0000

It is not 12 months, it is 20 days!
bookworm count is going down from 160000 because users are upgrading to Trixie

Vuln proof-of-concept issues

kkremitzki — Tue, 02 Sep 2025 17:37:57 +0000

I've been meaning to share these results in a more appropriate place, but for what it's worth, the proof-of-concept script for the recent Guix CVEs bisects to a Jan 2023 commit, so it's not clear that released versions are affected.

4cf1acc7f30 + cherry-picked 71171538e12 + 1c78f71beb3 + a49536e3200 + 7f237f3e6ca

A daemon process?

daroc — Tue, 02 Sep 2025 16:09:56 +0000

Guix uses a separate build daemon in order to better isolate builds. The builds are done by an unprivileged user that can only see the source of the package and nothing else.

A daemon process?

jafd — Tue, 02 Sep 2025 15:59:09 +0000

> the guix-daemon, which is a program that is used to build software and access the store where successful builds are kept.

Am I the only one who finds it quite strange that to “build software and access the store where successful builds are kept”, a daemon process is required in the first place?

Popcon Dark Figure

muase — Tue, 02 Sep 2025 15:35:12 +0000

Ok, but that is already sufficient to put that number into relation – 200 of roundabout 135,000 gives reasonable context if we assume that the 135k are roughly representative. Thank you!

Popcon Dark Figure

jzb — Tue, 02 Sep 2025 14:56:35 +0000

If you visit the main popcon pages you'll find stats on how many systems are participating in popcon and how many submissions there are. The "stable reports" tab suggests that about 135K bookworm systems have checked in in the past 12 months. Whether 135K is 10%, 20%, etc. of all installs I have no idea.

Popcon Dark Figure

rschroev — Tue, 02 Sep 2025 14:45:07 +0000

The statistics are available at https://popcon.debian.org/

Popcon Dark Figure

muase — Tue, 02 Sep 2025 14:34:51 +0000

> According to Debian's popularity contest (popcon) statistics, there are not quite 230 systems with Guix installed. Popcon statistics only hint at the actual number of package installs, but assuming they are approximately accurate, then removing Guix will not inconvenience a significant number of Debian users.

Do we have a meta-statistic or interpolated number how many systems participate in the popularity context? As it is disabled by default – and Linux-users maybe tend to be more privacy focused – I'd imagine there is quite a number of unreported installations.