l...@gnu.org (Ludovic Courtès) writes:

> All in all, from experience with NixOS, while security upgrades are more
> demanding on Nix-based systems, they are not much of an issue in
> practice.
Thanks for explaining. However, I don't see how a locally built binary would fit into this? It would either be insecure or not work after an OS upgrade, wouldn't it? Since it refers to libraries in paths that no longer exist. Or am I missing something?

Does guix have some mechanism to handle a set of installed packages and their versions? I'm thinking that you might want to lock down the system to match a particular suite of tested software combinations, but receive security upgrades for those packages, but not receive other upgrades and certainly not receive the latest version of every package. This would match how normal OS releases work. The important thing is that the set of installed packages should come from some server somewhere, manually selected by the contributors to the project, and that the list can be modified over time and updated automatically by machines.

On the feasibility side, I would have higher hopes for something that was able to re-use the work that has gone into dpkg/rpm packaging, because that would re-use existing packages, to get a usable system rapidly. Maintaining build descriptions for those 20.000+ free software packages out there is a huge amount of work.

Personally, I'd be happy to use something based on Debian/Ubuntu but profiled for GNU [1]. But I support all work that leads to more technically interesting GNU-free OSes.

/Simon

[1] I know about gNewSense but there are no releases in several years...