Re: "guix potluck", a moveable feast

[Chris Marusich]

l...@gnu.org (Ludovic Courtès) writes:

> Beside, related to Chris’ comment, I’m a bit concerned about versioning
> in such a widely distributed repo.  The package graph in Guix has zero
> degrees of liberty: every package is connected to other packages; every
> Guix user sees the exact same graph.
>
> Here, we’d have to be more flexible and allow potluck.scm files to just
> say “import guile” or “import guile@2.0”; “import guile” might provide
> 2.0 on a machine running an older Guix, and it might give 2.2.9 on an
> up-to-date machine.
>
> IOW, we’re no longer describing one specific graph, but instead
> describing a family of graphs with some constraints.  The benefits are
> decentralization, but the main drawback is non-reproducibility: the
> result would depend on the user machine’s initial state.
>
> To work around that, I think the server should resolve package
> specifications when the potluck.scm file is submitted, and insert each
> package in the Guix package graph of the moment.  Does that make sense?
> Maybe that’s what you were describing when you talk about rewriting
> potluck.scm files so?

When you say "insert each package in the Guix package graph," do you
mean, "add the package definition to the Guix source tree"?

What if "the potluck" maintained a pointer to the version (i.e., the
commit) of the Guix package definitions that it uses as its "base"?
From time to time, the potluck could update its pointer to point to a
more recent version of Guix's package definitions.  In this way, every
version of the potluck would precisely specify the dependencies of all
the packages in that version of the potluck, including any transitive
dependencies that ultimately come from the official Guix package
definitions (as defined in the "base" version); there would be no
surprising version drift.  I wonder if that would work?

What if someone wants to add a package definition to the Guix source
tree which depends on a package that is defined in the potluck?

-- 
Chris


signature.asc
Description: PGP signature

Re: "guix potluck", a moveable feast

[Ludovic Courtès]

Hello!

Andy Wingo  skribis:

> As an interlude, here is how a user would enter an environment that has
> a potluck package "foo" using Guix (using a pack is also possible).  We
> start with setup steps:
>
>   (1) Install Guix as a user.  (This needs to be easier.)
>   (2) guix channel add potluck https://gitlab.com/potluck/potluck master
>   (3) guix channel enable potluck

So users would see the union of independent potluck “dishes”, right?

> A packaging language for stability and security
> ---
>
> So how do packages enter the potluck channel?  Good question, fictional
> reader!  This is the tricky bit.  There are some concerns here:
>
>   (1) The Guix API is not stable and has no plans to be stable.  This
>   works great for now because all packages are in one atomic
>   repository and people work on making the whole thing make sense
>   together.  One of the goals of the potluck effort is to
>   decentralize things a bit, so we have an impedance mismatch
>   between potluck packages and Guix itself.
>
>   (2) Potluck package definitions will live in many different git
>   repositories across the internet, and anyone should be able to
>   make a potluck package.  Some potluck package authors will be
>   malicious.  They could:
>
>1. Damage the server that manages the potluck channel
>
>2. Damage the users that run Guix commands with the potluck
>   channel enabled
>
>3. Damage the users that install potluck packages
>
>   I think we need to forget about 3, for now at least.  (Flatpak
>   solves this, more or less; Guix has ongoing work to do here I
>   think.)
>
> Both of these large issues point to the need for careful design of the
> language that potluck packages are written in.  The language that Guix
> packages are written in is inappropriate because of (1).  In particular
> we should not depend on which module a package comes from, and what
> identifier binds any given package.  For (2), packages are currently
> written in full Scheme, staged between the Guix command itself and the
> sandbox that runs inside guix-daemon.  Full Scheme might be OK in the
> daemon but it's not OK in the Guix command itself.
>
> Concretely I would propose that the language that potluck files are
> written in is like this:
>
>   (1) It's code, not inert data.
>
>   (2) It's a subset of Scheme, like core Guix packages.
>
>   (3) The general structure looks like this:
>
>   (import-guix-packages ((guile "guile@2.0")
>  (glibc "glibc")))
>   (import-potluck-packages ((foo "foo")))
>
>   (define bar
> (package
>   (name "guile-bar")
>   (version "1.0.0")
>   (build-system gnu-build-system)
>   (inputs `(("guile" ,guile))
>   )))

That makes sense to me.

The sandbox would have transitive access to a lot of modules; I wonder
if this might somehow make it easier to escape the sandbox, by
increasing the attack surface.  For instance,

  (source-module-closure '((guix packages)) #:select? (const #t))

contains (system foreign).  That’s probably more of a topic for
guile-devel though.

Beside, related to Chris’ comment, I’m a bit concerned about versioning
in such a widely distributed repo.  The package graph in Guix has zero
degrees of liberty: every package is connected to other packages; every
Guix user sees the exact same graph.

Here, we’d have to be more flexible and allow potluck.scm files to just
say “import guile” or “import guile@2.0”; “import guile” might provide
2.0 on a machine running an older Guix, and it might give 2.2.9 on an
up-to-date machine.

IOW, we’re no longer describing one specific graph, but instead
describing a family of graphs with some constraints.  The benefits are
decentralization, but the main drawback is non-reproducibility: the
result would depend on the user machine’s initial state.

To work around that, I think the server should resolve package
specifications when the potluck.scm file is submitted, and insert each
package in the Guix package graph of the moment.  Does that make sense?
Maybe that’s what you were describing when you talk about rewriting
potluck.scm files so?

> There is a particular concern about staging: there is staged Scheme code
> in these modules that runs inside build processes in guix-daemon.  I
> don't have any nice solution here.

What’s the problem anyway?  The build environment is a “sandbox” so it’s
not a problem if staged code attempts to do nasty things.

> A potluck channel manager
> -
>
> The "guix potluck manage-channel" command manages a registry of sources
> of potluck definitions and turns them into a git branch of package
> files.  This is the web service.
>
> The idea is that as a developer, you should be able to do:
>
>   guix potluck add https://gitlab.com/wingo/foo master
>
> This causes the client 

Re: "guix potluck", a moveable feast

[ng0]

Christopher Allan Webber transcribed 1.8K bytes:
> Andy Wingo writes:
> 
> > Hi!
> 
> Hi!
> 
> > potluck.guixsd.org needs to be isolated from other hosts because it will
> > load potluck.scm files from untrusted sources; we hope the sandbox works
> > but we need a bit of defense-in-depth.
> 
> Well now I see the motivation behind (ice-9 sandbox) ... :)
> 
> > As I mentioned, I think it would be nice to be able to install some
> > potluck packages directly from git, without requiring those packages to
> > make releases and update the potluck.scm.  But until then, we can make
> > it so that the source is fixed in the potluck.scm as it is with other
> > Guix packages, and therefore that any update to potluck.scm in the
> > source git branch registered with potluck.guixsd.org constitutes a new
> > release which replaces the old one.  A developer should signal
> > potluck.guixsd.org about the update via a re-invocation of "guix potluck
> > add".  Maybe "guix potluck add" could remember the branch, dunno.
> >
> > Anyway!  The result of the "guix potluck channel-manager" is a stream of
> > guix modules as a continually updated git tree -- a guix channel.  I am
> > thinking that we need to rewrite these files to be more "normal" -- like
> > starting with a (define-module), but a #:pure module and an appropriate
> > set of imports to enforce the sandbox.  We should be able to compile
> > this module, to prevent the potluck channel from slowing things down.
> > So basically the channel-manager rewrites the potluck.scm files.
> 
> It sounds nice!
> 
> One challenge though... what do we do about multiple channels
> introducing version skew?  (Maybe I'm abusing that term?)  This isn't
> something we've dealt with before in Guix... if my channel adds
> something that depends on your channel's package definition, do I
> explicitly set a revision for your channel?  Otherwise else, your
> channel could change as you upgrade your software version, and that
> might unexpectedly break my channel...
> 
I think there's something we can learn from Gentoo here.
You might or might not know their 'overlays' (I don't know the exact
gentoo rfc when they introduced them but it's been very long ago).
They do this kind of thing. They have no opinion other than that
'portage', in Guix terms 'master branch at savannah', takes the highest
priority by default. You can explicitly change this.
If you start using a specific overlay and use a software recipe from it
which does exists in multiple overlays, it's like this:
- if you don't edit the specific file which tells portage about this
  recipe, it picks the highest stable version.
- if you get rid of stable and allow everything, it picks the highest
  version and has no opinion from where it comes.
- if you specifically point out the overlay for it, it picks the version
  from there, no questions asked. well actually it asks questions if you
  tell it to do so ;)

So I think we could have some way to define the priority of the channel,
a value to define stable / unstable (similar to Gentoo's "experimental"
and "official" classification of overlays).

No warranty that this is accurate, I tried to explain Gentoo overlays
without assuming too much or explaining too much of it.
In case I misunderstood the question, enjoy your 2 minutes of
'Things Gentoo did excellent'.

Re: "guix potluck", a moveable feast

[Christopher Allan Webber]

Andy Wingo writes:

> Hi!

Hi!

> potluck.guixsd.org needs to be isolated from other hosts because it will
> load potluck.scm files from untrusted sources; we hope the sandbox works
> but we need a bit of defense-in-depth.

Well now I see the motivation behind (ice-9 sandbox) ... :)

> As I mentioned, I think it would be nice to be able to install some
> potluck packages directly from git, without requiring those packages to
> make releases and update the potluck.scm.  But until then, we can make
> it so that the source is fixed in the potluck.scm as it is with other
> Guix packages, and therefore that any update to potluck.scm in the
> source git branch registered with potluck.guixsd.org constitutes a new
> release which replaces the old one.  A developer should signal
> potluck.guixsd.org about the update via a re-invocation of "guix potluck
> add".  Maybe "guix potluck add" could remember the branch, dunno.
>
> Anyway!  The result of the "guix potluck channel-manager" is a stream of
> guix modules as a continually updated git tree -- a guix channel.  I am
> thinking that we need to rewrite these files to be more "normal" -- like
> starting with a (define-module), but a #:pure module and an appropriate
> set of imports to enforce the sandbox.  We should be able to compile
> this module, to prevent the potluck channel from slowing things down.
> So basically the channel-manager rewrites the potluck.scm files.

It sounds nice!

One challenge though... what do we do about multiple channels
introducing version skew?  (Maybe I'm abusing that term?)  This isn't
something we've dealt with before in Guix... if my channel adds
something that depends on your channel's package definition, do I
explicitly set a revision for your channel?  Otherwise else, your
channel could change as you upgrade your software version, and that
might unexpectedly break my channel...

Re: RFC: (ice-9 sandbox)

[Christopher Allan Webber]

Wow!  With this I suppose we could implement something like 
  http://mumble.net/~jar/pubs/secureos/secureos.html
?