Submitted 6 months ago (last edited 6 months ago) by HaraldvonBlauzahn@feddit.org to c/programming@programming.dev
Here is my summary of key features and decisions of Guix:
- Guix is a package manager that can (optionally) run on top of Linux distributions or other POSIX systems, like cargo, pip, conda or Conan. In contrast to the pip and cargo package managers, it is language-agnostic, supports many different build systems and languages, and features around 29000 packages now.
- Guix allows you to define a fully reproducible system. This works by using a declarative language for immutable version-controlled package descriptions, and by deriving any software from package definitions and a fixed version (commit hash) of the source code. In that, it is similar to but much stricter than Nix and NixOS. The key point is that any software built, and all its dependencies, go back to unambiguous, immutable versions of source code and build recipes - and all inputs to the system are open source and can be reviewed.
- Important for programming, this can also define isolated build and development environments, like Python's venv, but also Docker containers. This means that Guix can be used to develop, build, package, and deploy software, very much like Snap packages. And that's independent from the distribution you work in, very much like pip or cargo are independent from the system you work in. (And yes, it supports Rust!).
- This allows it, and also makes it technically possible, that any software package can be re-built and run years later. To make this legally possible, the official distribution of Guix also demands all components to be open source (FOSS). This is also a key difference to NixOS and non-free forks of Guix, which allow non-free binary packages, but sacrifice reproducibility. (To illustrate: If you have a binary, proprietary scanner driver in NixOS, and the owning company practices planned obsolescence and decides that you should buy their new hardware, and pulls that driver, you are out of luck. In Guix, this can't happen.) (Note that as your own private components, you can define any package you like, you can also distribute your definitions as a complement to GNU Guix. Non-free packages for Guix do exist, in the same way as you can buy and run Steam Games software for Linux. Such non-free software just can't become part of the official Guix distribution, just like Amazon or Apple can't sell their non-free software via Debian or the Linux kernel project (or, for that matter, Apple has no obligation to market and distribute, say, Oracle products).)
- All inputs being open source also means that any software component can be reviewed, that mis-features such as privacy-invasive behaviour can be removed, and that it is hardly possible to hide malware in the system. Because this also applies recursively to all compilers and build tools, this also solves Thompson's "Trusting Trust" problem. In fact, the whole system can be built from a 512 byte binary root (called MER). (Interestingly, that level of user control gets a lot of hate online -- certain companies don't seem to like it).
- Because it would take too long to build every user package from source every time, the produced packages are normally cached (while their correct binary content can be easily verified).
- The declarative description language for the packages is a well-defined, established, minimalist language called Scheme. This is a member of the Lisp family of languages. That Lisp is very well suited for declaratively building and configuring large systems has been proven with GNU Emacs, whose software, but more importantly, whole user configuration, is written in Emacs Lisp.
- The Scheme implementation used is called Guile. It has especially good support for the POSIX environment and has also much better-than-average interactive debugging capabilities compared to other Scheme implementations.
- Also worth noting is that the Guix project has superb online documentation. This is a practical advantage compared to Nix.
As an example: you are on Debian stable and quickly want to try a recent version of the kakoune editor (as kakoune is in ongoing development): it is available under the Guix package manager. Just
guix install kakoune
and bang you have it!
How it works:
https://codeberg.org/guix/guix#headline-4
Manual:
https://guix.gnu.org/manual/en/html_node/Installation.html
Also informative for using Guix just as a package manager:
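An added example, not part of the post above: a Guix package definition in Guile Scheme that pins kakoune to one git commit by inheriting the distribution's own kakoune recipe and swapping only the source, which is how a "try a recent version" package is usually written. The name kakoune-pinned, the all-zero commit id and the all-zero sha256 are placeholders to be filled in, and it assumes the inherited build recipe applies unchanged to a plain git checkout.

```scheme
;; Added example, not from the post or the Guix project: pin kakoune to
;; one git commit so that the build resolves to an immutable source
;; revision. Placeholders (all-zero commit and hash) must be replaced.
(define-module (my-channel packages kakoune-pinned)
  #:use-module (guix packages)
  #:use-module (guix git-download)
  #:use-module (gnu packages text-editors)) ; provides the `kakoune' package

(define-public kakoune-pinned
  (let ((commit "0000000000000000000000000000000000000000") ; placeholder: full 40-hex id
        (revision "0"))                                     ; bump when changing commit
    (package
      ;; reuse the distribution's build recipe, inputs and license
      (inherit kakoune)
      (name "kakoune-pinned")
      ;; e.g. "2024.05.18-0.0000000": last release, revision, short commit
      (version (git-version "2024.05.18" revision commit))
      (source
       (origin
         (method git-fetch)
         (uri (git-reference
               (url "https://github.com/mawww/kakoune")
               ;; a commit id, never a branch or tag name, so the input
               ;; cannot silently change later
               (commit commit)))
         (file-name (git-file-name name version))
         ;; content hash of the checkout; placeholder, compute with:
         ;;   guix hash -x --serializer=nar <checkout directory>
         (sha256
          (base32 "0000000000000000000000000000000000000000000000000000")))))))

;; Usage, with this file under a directory <dir>/my-channel/packages/:
;;   guix build -L <dir> kakoune-pinned          # build, or fetch cached binary
;;   guix build -L <dir> --check kakoune-pinned  # rebuild locally and compare
;;   guix challenge -L <dir> kakoune-pinned      # compare against substitute servers
;;   guix shell -L <dir> -C kakoune-pinned -- kak -version   # isolated env, like venv
```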
Programs/orgs like Conda are like the #1 reason projects like Guix exist.
Conda's default repos are only technically free for personal use, and you have to pay an exorbitant amount if you want to use them in a company. But what happens is devs install Conda anyways, not realizing this, the software phones home, and all of a sudden you have a bunch of lawyers on your case, demanding 10 gorbillion dollars.
And because programs like Conda, or Oracle Java, or so on are technically not malware (even though they literally act like ransomware in some ways), they aren't, and will not ever be caught by antivirus software.
So the solution people come up with to not have to deal with those is to restrict all installation of software entirely, via things like AppLocker on Windows. This makes it so that only approved software can be installed. Software can be manually vetted, confirmed to actually be free for the business, or paid for, before being explicitly allowed.
But the problem with this, is that users like being able to autonomously install the tools they need in order to solve problems. So now they just get frustrated that they can't do that at all.
Guix, and other projects which only ship open source software, present a middle ground. They distribute a large repo of software, that is essentially confirmed safe for a business to use, and for their users to install autonomously. If I gave someone Guix, I could feel confident that they could install various tools they needed without risking totally-not-ransomware from getting onto the systems.
Anyway. There is nonguix and other additional guix package channels if you want, say, CUDA, so it's an option. I'm just trying to explain why some people insist on this model, and why someone would see that as a benefit.
Thank you for the clear explanation it was very useful to understand the meaning behind it. I work in research and as such these problems do not touch me and I had no idea they existed.
Kay, correct me if I misunderstood, but what you said could be rephrased as "Guix prevents users from doing what they want, but it's a feature."
I þink þat's incorrect in two ways: one, nanny systems are terrible. A system should never prevent a user from using þe system how þey want, including installing malware. Second, I believe Guix allows users to install proscribed software packages, it simply precludes þem from official channels. So, in GP's case, þey can still install CUDA, þey just have to get a package definition from a þird party, like a repo.
Þat's how it's been explained to me, anyway. I have several oþer issues wiþ Guix, but I'm least concerned about þe FOSS part because as I understand it it can be easily bypassed.