⚠ If you’re using #Guix, consider upgrading ‘guix-daemon’ now 👇 Fellow hacker Reepca (Caleb Ristvedt) found two related vulnerabilities allowing for a takeover of the build user accounts used by guix-daemon, which in turn could let anyone interfere with build processes.

Comrades, the #Guix Science channels have moved from GitHub to Codeberg 👇 Migration was very easy and complete, with pull requests migrated without loss. We have yet to see how contributors can resume work on PRs opened pre-migration, but it looks great so far!

#Guix trick borrowed from Nix folks: the comma shell function, So you can type “, supertuxkart” or “, objdump -T whatever” in your shell and it will do the right thing!

That feeling when you’re like “yay! that bug’s not in my code!”… and then you realize that you’re probably going to have to roll up your sleeves and fix it anyway.

Finn Landweber published their bachelor thesis on #Git repo authentication for #Nix, inspired by #Guix’s, and it’s well worth a read! Chapter 4 has all the implementation details of git-verify, itself available here:

FFmpeg’s ‘configure’ suggests reporting bugs on IRC. Refreshingly casual. (Maybe back in the day it said “call Fabrice at +33 6 1234”?)

@civodul ahahah I'm going to add that kind of thing in my software. No discord no shit. Let's go back to: send postal mail to this address

@civodul Much rather see this than "join our Discord." ...or even using the GitHub issue tracker, these days.

Bad news for #bootstrapping: Rust is likely going to be required to build #QEMU And it’s already required for virtiofsd: With all its benefits over C/C++ in terms of memory safety, Rust still depends on itself to be built*, and Rust’s packaging approach is a nightmare for distros of a magnitude close to that of npm.
* This can be worked around but it doesn’t come for free: https://guix.gnu.org/en/blog/2018/bootstrapping-rust/

#Guix, the package manager that doesn’t need a SAT solver to figure out its dependency graph.

Call for contributions to the #Guix infrastructure 👇 Many areas where you can help, with different time commitments and prerequisites: funding & spending, hardware hosting, system administration, and coding.

@civodul
> Improve infra monitoring
For balancing traffic there is HAProxy in the (gnu packages high-availability) module which misses written service. That module contains base packages for clustering as well, all missing services.

@civodul perhaps we need to organize a fundraising drive for infra costs? I can help organize and promote that!

Public Service Announcement: Several #Guix web sites and services are currently down.

Glad to be joining the fine #Guix London Meetup crowd led by @futurile and @fabionatali for a discussion about Guix, Guile, and life at 7PM CEST today!

@civodul @futurile @fabionatali That's really good news indeed. I registered to the online meeting and notified my colleagues from Russian Guix community about the oncoming meeting too; maybe some of them will be joining as well.

Recently (past week?), #Guix proper passed the 30K package limit, all free software! Third-party channels bring tens of thousands more packages. For scientific usage: https://hpc.guix.info/channels

It’s 2024. The ACM and its friends are still ripping public money, asking authors for $1,000 to make their paper “open access”. One word: parasites.

@redstarfish @civodul It’s even more disgusting than that because #acm.org is a restricted access #Cloudflare site. Some people are allowed to reach it and some are not.

Good news for declarative config fans: finally there’s a #Guix System service to deploy home environments! Thanks to Richard Sent for implementing it, based on code by @abcdw.

It’s now possible to create a #Guix System instance where the default ‘guix’ command sees the channels of your choosing: This is particularly useful if you want to create a ready-to-use system image.

@civodul Hi, thanks. That's great news! When and how does that "guix" get "pulled" please?

@civodul Also, I can't use the custom system channels yet because my Guix is several months behind. How do I disable authentication for the pull, please?

@civodul @jas4711 As I use the extended GNU build system for my own personal projects, I find it a bit frustrating that the PO files would not be present in the source tree, but I understand that if they were, then we would have a big bunch of undesirable “Update PO translation” commits. As for Gnulib more specifically, I have noticed that in several places, you can safely commit (semi-)generated files, and rely on syntax-check to detect when they should be updated.

@civodul @jas4711 I've been carrying and developing reproducible source tarball patches for Autotools and GNU Mes for quite some time, partly courtesy of Timothy Sample. I'm embarrassed and confused that after over 10y of Reproducible Builds, GNU and Autotools still need to get used to these ideas (and don't seem to make any progress at all).

My friends, I made a terrific (terrible?) discovery that goes by the name ‘sdlpop’: I spent hours on this as a kid and it was great, even though I’m not sure I ever went past level 2 (I didn’t today).

“Adventures on the quest for long-term reproducible deployment” On addressing build reproducibility problems on “old” packages, in particular time-related, to ensure #ReproducibleBuilds and #ReproducibleResearch with #Guix.
I have yet to read it carefully but it sure sounds fun!
@stikonas @janneke @monnier