Re: Login to a guix container

2021-01-24 Thread Ricardo Wurmus


Ryan Prior  writes:

> On January 24, 2021, Pjotr Prins  wrote:
>> I was just thinking that it should be possible to login with ssh into
>> a GNU Guix shell running in a container that gets fired up by the
>> sshd. I am thinking about a safe shell for fetching files. If this
>> works no chroot setup is required.
>>
>> Or is this a really dumb idea :)
>
> I haven't seen any serious audit investigating security properties of
> Guix containers. I do not think it's dumb to try this as an experiment,
> but I do think it would be malpractice to trust user data with this
> system before appropriately thorough evaluation.

In your requirements for an audit, how does a “Guix container” differ
from a “Linux container”?  Guix uses the kernel features like cloning
namespaces and unsharing the filesystem directly.  It merely mounts
individual store locations into the filesystem namespace.

“Malpractice” is a very big word for using user namespaces instead of
chroot without a “serious audit”.

-- 
Ricardo



Re: Login to a guix container

2021-01-24 Thread Ryan Prior
On January 24, 2021, Pjotr Prins  wrote:
> I was just thinking that it should be possible to login with ssh into
> a GNU Guix shell running in a container that gets fired up by the
> sshd. I am thinking about a safe shell for fetching files. If this
> works no chroot setup is required.
>
> Or is this a really dumb idea :)

I haven't seen any serious audit investigating security properties of
Guix containers. I do not think it's dumb to try this as an experiment,
but I do think it would be malpractice to trust user data with this
system before appropriately thorough evaluation.


Re: Qt 5.11 tarballs anyone?

2021-01-24 Thread Ludovic Courtès
Hi Tobias,

Tobias Geerinckx-Rice writes:

> There's also what looks like a comprehensive archive at , although I
> didn't check the hashes.

Yup, I’ve added that and sources.buildroot in commit
9d01749feaa1586b1caf449712116e7518bb2303 for posterity.

Thanks!

Ludo’.



Login to a guix container

2021-01-24 Thread Pjotr Prins
I was just thinking that it should be possible to login with ssh into
a GNU Guix shell running in a container that gets fired up by the
sshd. I am thinking about a safe shell for fetching files. If this
works no chroot setup is required.

Or is this a really dumb idea :)

Pj.



Re: Guix in Debian!

2021-01-24 Thread Christopher Lemmer Webber
This.  Is.  Huge.

THANK YOU for all your hard work here!

I wrote out why I think this is big news:

  https://octodon.social/@cwebber/105612900114421037

Vagrant Cascadian writes:

> So, a while back I mentioned that Guix was present in Debian
> "experimental":
>
>   https://lists.gnu.org/archive/html/guix-devel/2020-11/msg00254.html
>
> And it was useable for a brief window of time, but was broken due to
> some issues with guile-gnutls and guile-3.0:
>
>   https://bugs.debian.org/964284
>
> Somewhat deterred, I back-burnered it for a while while I focused on
> other things...
>
>
> Just a few days ago, I decided to attempt to get Guix into Debian's next
> release, and went with the fallback plan of building it against
> guile-2.2, and a few disabled tests later...
>
>   https://tracker.debian.org/guix
>
>
> If all goes well, it should migrate to "bullseye" in a few
> days. Hopefully in a few months "bullseye" will become Debian's stable
> release shipping with guix! Presumably Guix will also eventually find
> itself in Ubuntu and other Debian derivatives...
>
>
> Now on Debian you should be able to:
>
>   apt install guix
>   guix install dpkg
>   guix environment --ad-hoc dpkg -- dpkg -i ./guix_1.2.0-3_amd64.deb
>
> It is almost like symmetry!
>
>
> Thanks for all the help and encouragement along the way, everyone!
>
>
> live well,
>   vagrant




Re: Questions regarding Python packaging

2021-01-24 Thread Ryan Prior
On January 23, 2021, Lars-Dominik Braun  wrote:
> [...] Remove pip and
> setuptools from python (saves almost 20MiB from the closure and avoids
> weird conflicts between python’s setuptools and python-setuptools) and
> turn them into (almost) ordinary packages. 

I think if we do that then Python will need a treatment similar to GCC,
where we don't expose the package and instead offer a compound package
(could be called "python-toolchain" or just "python") which includes pip
and setuptools. The last decades of python packaging have trained people
that when you install python you get pip and setuptools as well; I think
we should not try to be too clever and violate that assumption.

Also, for what it's worth, we already have python-minimal which doesn't
have pip, and it's only  


Re: Staging branch [substitute availability]

2021-01-24 Thread Ekaitz Zarraga
Hi,

> Freetype issue is fixed in version 9, but that
> has other problems, such as making it impossible to unbundle the dozens
> of libraries that we are currently unbundling [...] it is possible to
> backport the VTK commits that fix Freetype compatibility, but it will be
> a lot of work and a huge patch (it was a major cleanup IIRC)." I'm
> CC-ing Ekaitz Zarraga, who has been working on FreeCAD. I'm not sure
> what we can do about this problem in the short term. Marius, can you
> give more info about the bundling problem?


Sorry for the delay in the answer.
I have no clue about what we can do. All the work I did with Freecad was
related to other inputs and I didn't need to touch freetype.

I don't know how I can help. If you have any specific question I'll do
my best to try to answer it.


Regards,
Ekaitz



Re: Qt 5.11 tarballs anyone?

2021-01-24 Thread Ludovic Courtès
Ludovic Courtès writes:

> It’s been two years since commit
> 0791437f972caa7e48de91ad5cb150a614f617c2 but we lost key tarballs from
> that time, in particular Qt 5.11.2 tarballs, which are no longer
> available at .

Right after sending this message, I found ’em all at
 and related URLs.  They’re now
back at ci.guix.

Now to actually build this code…

Ludo’.



Re: Questions regarding Python packaging

2021-01-24 Thread Tanguy LE CARROUR
Hi Lars,


Excerpts from Lars-Dominik Braun's message of January 23, 2021 1:34 pm:
>> Done! :-)
>> I've eventually succeeded in ("properly") packaging a software managed
>> with Poetry. And I've learned quite a lot on the way!
> oh, I see. I’ve actually been trying to replace python-build-system with
> a python-build based build. Attached is my current work in progress. I
> cannot quite build python-build, ,

?!
My `python-build` seems to work:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=45931


> because I’m lacking support for python-flit

I also had a problem with `python-flit`, but it was when I was working
on `python-typer`:
https://debbugs.gnu.org/cgi/bugreport.cgi?bug=45935

This is why I didn't build it from the source.


> but I think the general idea is clear: Remove pip and
> setuptools from python (saves almost 20MiB from the closure and avoids
> weird conflicts between python’s setuptools and python-setuptools) and
> turn them into (almost) ordinary packages. Then use setuptools to
> bootstrap itself, bootstrap python-build with setuptools and use
> python-build to build every other package using python-build-system.

Wow, the rest is way out of my comfort zone! But I'll read it carefully
and try to help if I can!

Best regards,

-- 
Tanguy



Re: Qt 5.11 tarballs anyone?

2021-01-24 Thread Tobias Geerinckx-Rice

Ludovic Courtès writes:

> Does anyone happen to have these tarballs?  I’d like to re-inject them
> on ci.guix.


I see you(?)'ve found them and done so already:

--8<---cut here---start->8---
~ λ guix build /gnu/store/sx529mnxcdy3amgyhri2w72328m8l98w-qtmultimedia-everywhere-src-5.11.2.tar.xz.drv
...
substitute: updating substitutes from 'https://guix.tobias.gr'... 100.0%
substitute: updating substitutes from 'https://ci.guix.gnu.org'... 100.0%
substituting /gnu/store/z6flb2k839zvpajha5j179kph1hsfcrq-qtmultimedia-everywhere-src-5.11.2.tar.xz...
downloading from https://ci.guix.gnu.org/nar/z6flb2k839zvpajha5j179kph1hsfcrq-qtmultimedia-everywhere-src-5.11.2.tar.xz ...
 qtmultimedia-everywhere-src-5.11.2.tar.xz  3.5MiB  16.3MiB/s 00:00 [##] 100.0%

--8<---cut here---end--->8---

Anyway, they should be available on guix.tobias.gr as well.

There's also what looks like a comprehensive archive at , although I
didn't check the hashes.


Kind regards,

T G-R




Qt 5.11 tarballs anyone?

2021-01-24 Thread Ludovic Courtès
Hi Guix!

It’s been two years since commit
0791437f972caa7e48de91ad5cb150a614f617c2 but we lost key tarballs from
that time, in particular Qt 5.11.2 tarballs, which are no longer
available at .

You can try for instance with:

  guix build \
    /gnu/store/sx529mnxcdy3amgyhri2w72328m8l98w-qtmultimedia-everywhere-src-5.11.2.tar.xz.drv

(This will substitute the .drv and then try to build it.)

Does anyone happen to have these tarballs?  I’d like to re-inject them
on ci.guix.

This is a reminder of how important Disarchive is!
(See .)

Ludo’.



Re: Guix in Debian!

2021-01-24 Thread david larsson

This is great news!

I have to mention that I experienced a bug using Guix on Debian not so 
long ago that broke my Debian host install completely. I could only 
restore my Debian system via snapshot after. This happened when creating 
a Guix container and using Guix from inside it. May be worth looking 
into fixing that before Guix gets included in Debian, as to not make a 
bad first impression on possibly many Debian users.


https://lists.gnu.org/archive/html/bug-guix/2021-01/msg4.html

Best regards,
David



Re: Guix in Debian!

2021-01-24 Thread Konrad Hinsen

On 24/01/2021 05:04, Vagrant Cascadian wrote:

> Now on Debian you should be able to:
>
>    apt install guix
>    guix install dpkg
>    guix environment --ad-hoc dpkg -- dpkg -i ./guix_1.2.0-3_amd64.deb
>
> It is almost like symmetry!


Wow, that's excellent news. Probably the biggest improvement to
onboarding new users since... forever, as far as I am concerned ;-)



Thanks,

  Konrad