Hello Ludo,
On March 5, 2026 4:44:54 PM GMT+01:00, "Ludovic Courtès" <[email protected]> wrote:

> Hello Guix!
>
> During the Guix Days session about bootstrapping¹, I suggested that we
> finally bite the bullet and avoid building from tarballs that contain
> pre-built binaries—typically autotools-generated files, Info files,
> sometimes HTML or PDF files.
>
> There are several reasons:
>
>   1. We go to (very) great lengths to build everything from source, and
>      this exception had become the elephant in the room. Debian and
>      live-bootstrap (among others) paved the way.
>
>   2. Tarballs that include generated code are an attack vector, as we
>      have seen with XZ-Utils.
>
>   3. Not the main motivation, but it turns out that archiving and
>      retrieving Git checkouts from SWH is less convoluted than dealing
>      with tarballs.
>
> I have created a milestone to keep track of progress:
>
>   https://codeberg.org/guix/guix/milestone/66679
>
> There’s a laborious but easy part with packages close to the leaves.
> And then there are trickier parts close to the root, in
> ‘commencement.scm’—though again we can take inspiration from
> live-bootstrap for these.
>
> If we eventually replace many tarballs with ‘git-fetch’, then we’ll have
> to require a version of guix-daemon recent enough to have
> “builtin:git-download”, to break the cycle.

Note that QA explicitly disables it, and replacing any dependency of git-minimal with git-fetch causes OOM on evaluation. So this can be just one tarball, not many. It has happened recently on the Gnome team branch.

I think a good way forward would be trying to remove as many dependencies as possible from git-minimal. Currently it even requires Python, IIRC.

> Thoughts?

In general sounds good.

Rutherther

> Ludo’.
>
> ¹ https://codeberg.org/guix/maintenance/src/branch/master/doc/guix-days-2026/shared-cryptpad-guix-days-2026.md#refreshing-bootstrap
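To make concrete what "replacing a tarball with ‘git-fetch’" means at the package level, here is an added illustration (not code from the thread, from Guix, or from any real package) of the two shapes of an `origin` field side by side. The package name, URL, version, commit and hashes are placeholders; the only real parts are the Guix record names (`origin`, `url-fetch`, `git-fetch`, `git-reference`, `git-file-name`) and the fact that `gnu-build-system` runs its `bootstrap` phase when no `configure` script is present, which is why the autotools then have to appear as native inputs.

```scheme
;; Added example, not from the thread or from Guix itself.
;; "example-tool", the URLs, the commit and the hashes are placeholders.
(define-module (example packages tool)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix git-download)
  #:use-module (guix build-system gnu)
  #:use-module (gnu packages autotools)
  #:use-module ((guix licenses) #:prefix license:))

;; Before: a release tarball.  Whatever `configure`, `Makefile.in` or
;; pre-generated Info files the tarball ships are used as-is, so the
;; build never re-derives them from the checked-in sources.
(define-public example-tool-from-tarball
  (package
    (name "example-tool")
    (version "1.2.3")                                   ; placeholder
    (source (origin
              (method url-fetch)
              (uri (string-append "https://example.invalid/example-tool-"
                                  version ".tar.gz"))  ; placeholder URL
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (home-page "https://example.invalid/")              ; placeholder
    (synopsis "Placeholder package built from a release tarball")
    (description "Placeholder description.")
    (license license:gpl3+)))

;; After: a Git checkout pinned to a commit.  No generated files come
;; with the source, so gnu-build-system's `bootstrap` phase runs
;; `autoreconf` (or `./bootstrap`), and the autotools must be declared
;; as native inputs so that step has them.  The checkout can be
;; compared with the upstream repository directly; there is no
;; generated layer in between to carry something the sources do not.
(define-public example-tool-from-git
  (package
    (inherit example-tool-from-tarball)
    (name "example-tool")
    (version "1.2.3")                                   ; placeholder
    (source (origin
              (method git-fetch)
              (uri (git-reference
                    (url "https://example.invalid/example-tool.git") ; placeholder
                    (commit (string-append "v" version))))           ; placeholder tag
              (file-name (git-file-name name version))
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (native-inputs (list autoconf automake libtool))))
```

Note that `git-fetch` is exactly where the cycle Ludo mentions appears: the fetch is itself performed by `git-minimal` unless the daemon provides `builtin:git-download`, so any package that `git-minimal` depends on cannot move to `git-fetch` until that builtin is available, which is the motivation for shrinking `git-minimal`'s dependency set.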
