On 2026-03-05, Janneke Nieuwenhuizen wrote:
> Ludovic Courtès writes:
>
>> During the Guix Days session about bootstrapping¹, I suggested that we
>> finally bite the bullet and avoid building from tarballs that contain
>> pre-built binaries—typically autotools-generated files, Info files,
>> sometimes HTML or PDF files.
...
>> I have created a milestone to keep track of progress:
>>
>> https://codeberg.org/guix/guix/milestone/66679

Maybe we can start with the upstream guix tarball... at least making it a
goal for a future release... :)

I remember trying to do this when packaging Guix for Debian and it was
non-trivial at the time and I eventually just started running "make dist"
and whatnot...

>> If we eventually replace many tarballs with ‘git-fetch’, then we’ll have
>> to require a version of guix-daemon recent enough to have
>> “builtin:git-download”, to break the cycle.
>>
>> Thoughts?
>
> We discussed it, and I'm very happy with this--possibly somewhat bold?--move,
> thanks!

Agreed, sounds great and many thanks!

> As a slightly [un]related note though, wasn't the XZ-Utils attack made
> primarily in Git, or was the creation of a tarball involved? Not to say
> that running the auto*tools generated code is bad, and could "easily" be
> backdoored (more easily than to hide it in the auto*tools source files).

It was both... part of it was shipped in tests that were actually present
in git, but part of it was added in "autogenerated" bits only present in
the upstream tarball.

live well,
  vagrant
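One defender-side check implied by that last answer, as an added example that is not code from this thread or from the Guix project: list the files that exist only in a release tarball and not in the git tree at the same tag, and separate the usual autotools-generated names from anything else that turns up tarball-only. The generated-name patterns and the two sample tarballs are constructed assumptions for the example.

```python
import io
import re
import tarfile

# Assumed heuristic: names autotools normally generates at "make dist" time.
# Extend per project; anything tarball-only that does not match gets flagged.
GENERATED_PATTERNS = [
    r"(^|/)configure$",
    r"(^|/)Makefile\.in$",
    r"(^|/)aclocal\.m4$",
    r"(^|/)config\.h\.in$",
    r"(^|/)build-aux/",
    r"\.info$",
]

def _member_paths(tar_bytes: bytes) -> set:
    """Regular-file paths in a tarball, with the top-level directory stripped."""
    paths = set()
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if m.isfile():  # "pkg-1.0/src/a.c" -> "src/a.c"
                paths.add(m.name.split("/", 1)[1] if "/" in m.name else m.name)
    return paths

def is_expected_generated(path: str) -> bool:
    return any(re.search(p, path) for p in GENERATED_PATTERNS)

def audit_dist_tarball(dist_tar: bytes, git_tar: bytes) -> dict:
    """Split tarball-only files into expected build artefacts and surprises."""
    only_in_dist = _member_paths(dist_tar) - _member_paths(git_tar)
    expected = sorted(p for p in only_in_dist if is_expected_generated(p))
    unexpected = sorted(p for p in only_in_dist if not is_expected_generated(p))
    return {"expected_generated": expected, "unexpected": unexpected}

def make_tar(prefix: str, files: dict) -> bytes:
    """Build an in-memory .tar.gz (constructed sample input for this example)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: what `git archive` of the tag would contain...
GIT_FILES = {"configure.ac": b"AC_INIT([demo],[1.0])\n",
             "src/main.c": b"int main(void){return 0;}\n", "tests/a.sh": b"true\n"}
# ...versus a `make dist` tarball: generated files plus one stray m4 macro.
DIST_FILES = dict(GIT_FILES, **{"configure": b"#!/bin/sh\n", "Makefile.in": b"",
                                "m4/extra.m4": b"dnl constructed\n"})

if __name__ == "__main__":
    print(audit_dist_tarball(make_tar("demo-1.0", DIST_FILES), make_tar("demo-1.0", GIT_FILES)))
```

In practice the "git" side would be `git archive <tag>` of the upstream repository and the other side the published release tarball; anything in the unexpected list is what a reviewer reads before trusting the tarball.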
