gnu-system-discuss

Re: Update on distro bootstrapping with Guix


From: Ludovic Courtès
Subject: Re: Update on distro bootstrapping with Guix
Date: Thu, 11 Oct 2012 16:21:35 +0200
User-agent: Gnus/5.130005 (Ma Gnus v0.5) Emacs/24.2 (gnu/linux)

Hi Simon,

Simon Josefsson <address@hidden> skribis:

> Great, I'd love to use a technically appealing GNU-approved distro.  The
> issue I identified early on with the NixOS ideas is how to deal with
> security upgrades.  IIRC, the old response was that this is an open
> issue and further research is required.  How do you deal with security
> upgrades in Guix?

Guix uses the same software deployment model as Nix, so the situation is
the same.

The “problem” with Nix & Guix is that, suppose a security patch is
applied to libc, every application needs to be rebuilt, not just libc.
Conversely, if a security patch is applied to Apache httpd, Linux, or
any other leaf in the dependency graph, only that package needs to be
rebuilt.

In practice, the build farm rebuilds everything (building all of Nixpkgs
takes typically less than a day on hydra.nixos.org.)  Then, in case of a
libc upgrade, users have to upgrade all the packages they installed;
those that are not upgraded are still vulnerable.  When they upgrade,
they normally get pre-built binaries from the build farm.

So the costs for users are network bandwidth and disk space.  Disk space
turns out not to be an issue: it is “cheap”, and older versions of the
packages will eventually be garbage-collected anyway.  The bandwidth
requirements tend to be reasonable, because Nix is able to download
binary patches, which mitigate the issue.

All in all, from experience with NixOS, while security upgrades are more
demanding on Nix-based systems, they are not much of an issue in
practice.

Thanks,
Ludo’.
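The rebuild rule Ludovic describes above, as an added example that is not code from the message or from Guix or Nix: over a small constructed dependency graph, a security patch to glibc forces every transitive dependent to be rebuilt, while a patch to a leaf such as httpd or linux rebuilds only that package; the last function lists the installed packages a user has left on the old, still-vulnerable closure because they did not upgrade them. Package names and edges are illustrative assumptions, not a real package set.

```python
from collections import deque

# Constructed sample graph (not from the original message): package -> build inputs.
# Packages that nothing else depends on (httpd, linux, curl) are "leaves" in the
# sense used above: nothing has to be rebuilt when only they change.
DEPS = {
    "glibc": [],
    "zlib": ["glibc"],
    "openssl": ["glibc", "zlib"],
    "apr": ["glibc"],
    "httpd": ["glibc", "apr", "openssl"],
    "linux": ["glibc"],
    "curl": ["glibc", "openssl", "zlib"],
}


def reverse_deps(deps):
    """Invert the graph: package -> set of packages that build against it."""
    rev = {pkg: set() for pkg in deps}
    for pkg, inputs in deps.items():
        for dep in inputs:
            rev[dep].add(pkg)
    return rev


def rebuild_set(deps, patched):
    """Everything whose output changes when `patched` is rebuilt: the package
    itself plus all transitive dependents, since in the Nix/Guix model each
    output embeds the exact (hashed) version of its inputs."""
    rev = reverse_deps(deps)
    seen = {patched}
    queue = deque([patched])
    while queue:
        pkg = queue.popleft()
        for dependent in rev[pkg]:
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def still_vulnerable(deps, patched, installed, upgraded):
    """Installed packages that still contain the pre-patch `patched`, because
    the user upgraded only some of the affected packages."""
    affected = rebuild_set(deps, patched)
    return {pkg for pkg in installed if pkg in affected and pkg not in upgraded}
```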
