Hi,

Ekaitz Zarraga <eka...@elenq.tech> skribis:

> On 2024-04-04 21:48, Attila Lendvai wrote:
>> all in all, just by following my gut instincts, i was advocating
>> for building everything from git even before the exposure of this
>> backdoor. in fact, i found it surprising as a guix newbie that not
>> everything is built from git (or their VCS of choice).
>
> That has happened to me too.
> Why not use Git directly always?

Because it create{s,d} a bootstrapping issue. The “builtin:git-download”
method was added only recently to guix-daemon and cannot be assumed to be
available yet:

  https://issues.guix.gnu.org/65866

> In the bootstrapping it's also a problem, as all those tools
> (autotools) must be bootstrapped, and they require other programs
> (compilers) that actually use them. And we'll be forced to use git,
> too, or at least clone the bootstrapping repos, git-archive them
> ourselves and host them properly signed. At least, we could challenge
> them using git (similar to what we do with the substitutes), which we
> cannot do right now with the release tarballs against the actual code
> of the repository.

I think we should gradually move to building everything from
source—i.e., fetching code from VCS and adding Autoconf & co. as inputs.

This has been suggested several times before. The difficulty, as you
point out, will lie in addressing bootstrapping issues with core
packages: glibc, GCC, Binutils, Coreutils, etc. I’m not sure how to do
that but…

> In live-bootstrap they just write the build scripts by hand, and
> ignore whatever the ./configure script says. That's also a reasonable
> way to tackle the bootstrapping, but it's a hard one. Thankfully, we
> are working together in this Bootstrapping effort so we can learn from
> them and adapt their recipes to our Guix commencement.scm module. This
> would be some effort, but it's actually doable.

… live-bootstrap can probably be a good source of inspiration to find a
way to build those core packages (or some of them) straight from a VCS
checkout.

And here the trick will be to find a way to do that in a concise and
maintainable way (generating config.h and Makefiles by hand may prove
unmaintainable in practice.)

Ludo’.
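
The comparison raised in the quoted text, challenging a release tarball against the repository's own code, shown as an added example (not part of the original message and not Guix code). It assumes the VCS side is available as a tar export such as `git archive` produces; `pkg`, its file names and contents are constructed sample data, and `tar_digests`, `challenge` and `make_tar` are hypothetical helper names.

```python
import hashlib
import io
import tarfile

def tar_digests(data: bytes) -> dict[str, str]:
    """Map each regular file in a tar archive to its SHA-256 digest."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            _, _, rel = member.name.partition("/")  # drop top-level "pkg-1.0/"
            digests[rel] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def challenge(release: bytes, vcs: bytes) -> dict[str, list[str]]:
    """Report files the release tarball adds or changes relative to the VCS export."""
    shipped, source = tar_digests(release), tar_digests(vcs)
    return {
        "only_in_release": sorted(set(shipped) - set(source)),
        "differs": sorted(p for p in set(shipped) & set(source) if shipped[p] != source[p]),
        "only_in_vcs": sorted(set(source) - set(shipped)),
    }

def make_tar(files: dict[str, bytes]) -> bytes:
    """Build an in-memory tar archive (used only to construct the sample input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

# Constructed sample: a VCS export and a release tarball of a made-up "pkg".
VCS = make_tar({
    "pkg-1.0/configure.ac": b"AC_INIT([pkg],[1.0])\n",
    "pkg-1.0/m4/check.m4": b"AC_DEFUN([PKG_CHECK],[:])\n",
    "pkg-1.0/src/main.c": b"int main(void){return 0;}\n",
})
RELEASE = make_tar({
    "pkg-1.0/configure.ac": b"AC_INIT([pkg],[1.0])\n",
    "pkg-1.0/m4/check.m4": b"AC_DEFUN([PKG_CHECK],[: changed])\n",
    "pkg-1.0/src/main.c": b"int main(void){return 0;}\n",
    "pkg-1.0/configure": b"#!/bin/sh\n# generated by autoconf\n",
})

if __name__ == "__main__":
    print(challenge(RELEASE, VCS))
```

Files listed under `only_in_release` are typically generated Autotools output; entries under `differs` are the ones a reviewer would need to account for, since the tarball's copy does not match what is under version control.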