Port Guix for reproducible builds #1908
Comments
andrewdavidwong added the enhancement label Apr 15, 2016
andrewdavidwong
Apr 15, 2016
Member
So it's a package manager like DNF? Would this be a replacement for DNF? In dom0 or in templates? Or both?
mfc
May 9, 2016
Member
my guess would be that the primary target for Guix/Nix would be as the distribution and package manager for dom0:
adrelanos
May 9, 2016
Member
This is a very big request. A bit like suggesting to Debian "use dnf" or
to Fedora "use apt". Possible in theory, but practically impossible due
to limited manpower / funding. At the moment it would mean to port each
and every Fedora package to the new format and have them all built by
Qubes OS project. I don't think it can be realistically done at the
Qubes OS project level. It would be possible indirectly, by porting dom0
to some base distribution that is using Guix.
marmarek modified the milestone: Far in the future Jun 21, 2016
rlupton20
Sep 14, 2016
I don't think it's as big as suggested given the way that nix(/guix) works. One can already put nix on top of a linux distro or macOSX and it will just work. The key thing is the set of nix expressions, which is completely independent of the base distribution. This means a lot of work has already been done in nixpkgs.
I think once there is a description of how to build the various qubes components and modify a vanilla (not necessarily rpm based) xen system, the nixy/guixy folk could probably quite easily make this happen.
I'd like to commit some time to it, but I'm not sure I have any for a while. Is there an overview somewhere of all the bits that make qubes work? In particular, what does one need to do to a vanilla distribution to reach qubes?
marmarek
Sep 14, 2016
Member
Very recently similar information was added on Debian wiki:
https://wiki.debian.org/Qubes/Devel
Basically a list of packages needed to run Qubes dom0/VM.
pizzamaker commented Apr 14, 2016
The GNU Guix package manager ensures reproducible builds with hashes, supports transactional upgrades and roll-backs, unprivileged package management, and garbage collection. Guix uses low-level mechanisms from the Nix package manager, except that packages are defined as native Guile modules, using extensions to the Scheme language.
Having it on Qubes would be a great assurance that binaries can be trusted, and that users may not install proprietary, and thus, untrustworthy software from the repository.