Hello Guix!

During the Guix Days session about bootstrapping¹, I suggested that we
finally bite the bullet and avoid building from tarballs that contain
pre-built binaries—typically autotools-generated files, Info files,
sometimes HTML or PDF files.

There are several reasons:

  1. We go to (very) great lengths to build everything from source, and
     this exception had become the elephant in the room.  Debian and
     live-bootstrap (among others) paved the way.

  2. Tarballs that include generated code are an attack vector, as we
     have seen with XZ-Utils.

  3. Not the main motivation, but it turns out that archiving and
     retrieving Git checkouts from SWH is less convoluted than dealing
     with tarballs.

I have created a milestone to keep track of progress:

  https://codeberg.org/guix/guix/milestone/66679

There’s a laborious but easy part with packages close to the leaves.
And then there are trickier parts close to the root, in
‘commencement.scm’—though again we can take inspiration from
live-bootstrap for these.

If we eventually replace many tarballs with ‘git-fetch’, then we’ll have
to require a version of guix-daemon recent enough to have
“builtin:git-download”, to break the cycle.

Thoughts?

Ludo’.

¹ https://codeberg.org/guix/maintenance/src/branch/master/doc/guix-days-2026/shared-cryptpad-guix-days-2026.md#refreshing-bootstrap
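
An added example, not part of the message above and not Guix code: a Python check that lists the files in a release tarball that look pre-built in the sense described (autotools output sitting next to its source, Info files, HTML or PDF), reading member names only. The name table is a heuristic assumed for this example, and the `demo-1.0` tarball is constructed sample input.

```python
import io
import posixpath
import re
import tarfile

# Name-based heuristic (an assumption of this example, not a Guix rule):
# generated file name -> source file names expected in the same directory.
GENERATED_FROM = {
    "configure": ("configure.ac", "configure.in"),
    "aclocal.m4": ("configure.ac", "configure.in"),
    "config.h.in": ("configure.ac", "configure.in"),
    "Makefile.in": ("Makefile.am",),
}
INFO_RE = re.compile(r"\.info(-\d+)?$")
DOC_SUFFIXES = (".html", ".pdf")

def audit_tarball(fileobj):
    """Return sorted (category, path) pairs for likely pre-built files."""
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        # Only member names are read; nothing is extracted to disk.
        names = {m.name for m in tar.getmembers() if m.isfile()}
    findings = []
    for name in names:
        directory, base = posixpath.split(name)
        sources = GENERATED_FROM.get(base)
        if sources and any(posixpath.join(directory, s) in names for s in sources):
            findings.append(("autotools", name))
        elif INFO_RE.search(base):
            findings.append(("info", name))
        elif base.lower().endswith(DOC_SUFFIXES):
            findings.append(("doc", name))
    return sorted(findings)

def build_sample_tarball():
    """Constructed sample: a made-up release tarball, built in memory."""
    paths = ["demo-1.0/configure.ac", "demo-1.0/configure",
             "demo-1.0/Makefile.am", "demo-1.0/Makefile.in",
             "demo-1.0/src/main.c", "demo-1.0/src/Makefile.in",
             "demo-1.0/doc/demo.texi", "demo-1.0/doc/demo.info",
             "demo-1.0/doc/manual.pdf"]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path in paths:
            tar.addfile(tarfile.TarInfo(path), io.BytesIO(b""))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for category, path in audit_tarball(build_sample_tarball()):
        print(f"{category:10} {path}")
```

The `src/Makefile.in` entry in the sample has no `Makefile.am` beside it, so it is treated as hand-written and not reported.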