On Tue, 01 Oct 2024 10:20:54 +0000 Tobias Geerinckx-Rice <m...@tobias.gr> wrote:

> >Since Guix also checks the hash of the source code an idea to improve
> >things could also be to modify Guix to allow the use of external
> >tools to bootstrap the download of source code through version
> >control and for instance download git from git.
>
> I don't understand what you mean by this, or what 'modify Guix' means
> and why it would be needed?
We currently have something like that:

> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source (origin
>               (method url-fetch)
>               (uri (string-append
>                     "mirror://kernel.org/software/scm/git/git-" version ".tar.xz"))
>               (sha256
>                (base32
>                 "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
>     [...]

If we replace it with something like that:

> (define-public git-minimal
>   (package
>     (name "git-minimal")
>     (version "2.46.0")
>     (source
>      (origin
>        (method git-fetch)
>        (uri (git-reference
>              (url "https://git.kernel.org/pub/scm/git/git.git")
>              (commit "<some hash>")))
>        (file-name (git-file-name name version))
>        (sha256
>         (base32
>          "15bzq9m6c033qiz5q5gw1nqw4m452vvqax30wbms6z4bl9i384kz"))))
>     [...]

Then we have at least 2 issues.

The first one is that we might end up with circular dependencies inside the Guix source code somehow that creates issues when building packages and/or guix, etc. But that might be fixable with some work.

However if I understand well, that circular dependency would not create any security/reproducibility issue since we would already have a base32 hash of the source code of "git-minimal".

And so if for instance someone packages Guix on a foreign distribution, we could imagine some system(s) where the git source code is somehow provided to Guix as a dependency, and so once built, Guix would be able to use that provided source code by verifying its hash and then using it to build git, and enabling Guix to download subsequent packages using git.

This could then be extended to all the packages that git depends on, and with that we'd then be able to use git a lot more without security issues.

The downside is that as always someone needs to be interested in it, and find the time to work on it. It also might make building Guix harder.

Denis.