Hello, I believe these accusations are wrong, as I and others have already tried to explain Jean-Louis on IRC.
To correct any misunderstandings, I’ll summarize a few relevant points
about Guix and that distinguish it from most other package managers.
• Guix is inherently a source-based tool: all it provides is a bunch
of executable recipes to build packages.
As an optimization, users can choose to fetch pre-built binaries as
substitutes for local builds. This is often a good idea since
building GCC, LibreOffice and all that takes a long time, but it can
be enabled/disabled at any time.
See
<https://www.gnu.org/software/guix/manual/html_node/Substitutes.html>.
• The source, including patches, used to build a package is specified
in the package definition:
<https://www.gnu.org/software/guix/manual/html_node/Defining-Packages.html>.
For instance, the ‘pulseaudio’ package has a couple of patches, as
can be seen at:
http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/pulseaudio.scm#n115
https://www.gnu.org/software/guix/packages/#pulseaudio
The ‘guix build --source foo’ command returns the source code of
‘foo’ with all patches applied.
• By design, Guix provides a direct correspondence between source and
build results. “Source” is taken very broadly: it includes source
tarballs, build scripts, and in fact the whole graph of dependencies
that produce the result.
This is the foundation of functional package management, explained
at:
https://www.gnu.org/software/guix/manual/html_node/Introduction.html
https://www.fsf.org/blogs/community/fsf-announces-support-for-gnu-guix
https://arxiv.org/pdf/1305.4584v1
• Thanks to this direct mapping, users who use substitutes do not have
to trust third-party binary servers. They can challenge binaries
that those servers provide using ‘guix build --check’ or ‘guix
challenge’.
See <https://savannah.gnu.org/forum/forum.php?forum_id=8407>, for a
discussion on this and reproducible builds.
I’m happy to answer additional questions!
Ludo’.
signature.asc
Description: PGP signature
