2022-04-27 / 20:37 / rek...@elephly.net:
> See https://github.com/UMCUGenetics/hpcguix-web. It handles the
> constant updates to all Guix channels and the search. You’re welcome
> to contribute to it, e.g. to add an API, suggest changes in how
> results are displayed, etc.
>
> An example deployment can be found at https://guix.mdc-berlin.de
>
> Guix has a service for it that makes deployment easy.
>
> You’ll see that it lists packages from guix-science and other channels,
> e.g. https://guix.mdc-berlin.de/package/rstudio-server

For the record: hpcguix-web is a really nice program but it does not offer sandboxing. Thus, it'd be a lot of work to make sure the channels do not contain code that executes malicious commands on the server which runs hpcguix-web.

An alternative would be to implement some kind of isolation. But channels and package declarations are just Scheme/Guile code, so they will probably always be able to run arbitrary commands on the server.

Another approach would be isolation. For each channel, we could run hpcguix-web inside a Docker container so that there's some isolation. Then, we'd need to run another web service which "bundles" the packages.json files of all single-channel, dockerized hpcguix-web instances. But:

(1.) Does Docker really offer sufficient isolation?

(2.) AFAIK, inside an operating-system declaration with a docker-service, it's not possible to declare further / nested operating-systems which shall be run inside Docker containers. This would be awesome. We could write something like this then:

--8<---------------cut here---------------start------------->8---
(operating-system
  (services
   (list
    ;; ...
    (service docker-service-type
             (docker-configuration
              (images
               (map (lambda (chan)
                      (operating-system
                        (services
                         (list
                          ;; ...
                          (service hpcguix-web-service-type
                                   (hpcguix-web-configuration
                                    (specs
                                     #~(begin
                                         (use-modules (guix channels))
                                         (define site-config
                                           (hpcweb-configuration
                                            (channels (list chan))))))))))))
                    some-long-list-of-channels)))))))
--8<---------------cut here---------------end--------------->8---
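
Added example, not part of the original message and not hpcguix-web code: a sketch of the "bundling" service proposed above, which treats each isolated instance's packages.json as untrusted output. The JSON shape (a list of objects with string fields), the field names, the limits and all function names are assumptions; the sample data is constructed.

```python
import json

MAX_BYTES = 5_000_000      # per-instance size cap (assumed limit)
MAX_FIELD_LEN = 2_000      # cap on any single string field (assumed limit)
ALLOWED_FIELDS = ("name", "version", "synopsis", "homepage")  # assumed schema

# Constructed sample: raw bytes as fetched from three single-channel instances.
SAMPLE = {
    "guix-science": b'[{"name": "rstudio-server", "version": "0.0.0", "channel": "guix"}]',
    "example-channel": b'[{"name": "pkg", "version": 1}, "junk", {"name": "ok", "version": "1.0"}]',
    "broken-channel": b'{"not": "a list"',
}


def sanitize_instance(channel, raw):
    """Parse one instance's packages.json bytes; return only validated entries."""
    if len(raw) > MAX_BYTES:
        raise ValueError(f"{channel}: document too large")
    doc = json.loads(raw.decode("utf-8"))
    if not isinstance(doc, list):
        raise ValueError(f"{channel}: top level must be a list")
    clean = []
    for entry in doc:
        if not isinstance(entry, dict):
            continue
        # Copy only known fields; anything else the instance sent is dropped.
        fields = {k: entry[k] for k in ALLOWED_FIELDS if k in entry}
        if not all(isinstance(v, str) and len(v) <= MAX_FIELD_LEN
                   for v in fields.values()):
            continue
        if not fields.get("name") or not fields.get("version"):
            continue
        # The channel label comes from our own config, never from the instance.
        fields["channel"] = channel
        clean.append(fields)
    return clean


def bundle(instances):
    """Merge {channel: raw_bytes}; a misbehaving instance is skipped, not fatal."""
    merged, errors = [], {}
    for channel in sorted(instances):
        try:
            merged.extend(sanitize_instance(channel, instances[channel]))
        except (ValueError, RecursionError) as exc:
            errors[channel] = str(exc)
    return merged, errors
```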