Re: Using Guix challenge for critical software? (resend)
On 29/11/2023 12:10, Julien Lepiller wrote: If you already have substituted it, you could rebuild it: guix build openssh --no-grafts --check (...) Thanks Julien (and Simon) - that unstuck me so I could publish my first post on Guix packaging: https://www.futurile.net/2023/11/28/guix-package-rebuilds/ Aiming to get more done over the holidays! Steve
Re: Using Guix challenge for critical software? (resend)
Hi, On mer., 29 nov. 2023 at 11:40, Steve George wrote: > Is there some way to build the package locally (without first removing it)? In addition to Julien’s answer, note that you can pass a manifest file. guix build -m critical-packages.scm guix build -m critical-packages.scm --no-grafts --check However, “guix challenge” does not accept a manifest file and that could be a wishlist. :-) Cheers, simon
Re: Using Guix challenge for critical software? (resend)
If you already have substituted it, you could rebuild it: guix build openssh --no-grafts --check Le 29 novembre 2023 12:40:50 GMT+01:00, Steve George a écrit : >Hi, > > > >How can I use 'guix challenge' to test critical software or packages that are >deep in the dependency tree? > > > >As I understand it, the purpose of Guix challenge is to test whether "binaries >provided by this [substitution] server really correspond to the source code it >claims to build" (from the manual). The obvious check then is to build the >package myself locally and then check if the substitution server give the same >result. To do that I do this: > > > >$ guix shell --container --nesting --development cbonsai --network nss-certs >-- \ > >guix build cbonsai --no-substitutes --no-grafts > >$ guix challenge --verbose cbonsai > > > >/gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match: > > local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 > > > https://ci.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: > 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 > > > https://bordeaux.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: > 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 > > > >1 store items were analyzed: > >- 1 (100.0%) were identical > >- 0 (0.0%) differed > >- 0 (0.0%) were inconclusive > > > >All good so far. > > > >But, how do I test something that I depend on like OpenSSH? As I'm using it >(and it's critical to my system) I already have it installed locally from the >Substitution servers. Consequently, if I try to build it Guix informs me I >have it already. I can't really remove it from my system, and I don't think >there's a way to build it locally without first removing it. > > > >It seems at this point that I'm stuck. The only form of 'guix challenge' I can >do is to check whether the two Substitutions servers agree - but if I don't >trust the Guix developers this isn't a very good check. > > > >Is there some way to build the package locally (without first removing it)? Or >some clever way to run Guix challenge that I'm not seeing? > > > >Thanks, > > > >Futurile/Steve > >
Using Guix challenge for critical software? (resend)
Hi, How can I use 'guix challenge' to test critical software or packages that are deep in the dependency tree? As I understand it, the purpose of Guix challenge is to test whether "binaries provided by this [substitution] server really correspond to the source code it claims to build" (from the manual). The obvious check then is to build the package myself locally and then check if the substitution server give the same result. To do that I do this: $ guix shell --container --nesting --development cbonsai --network nss-certs -- \ guix build cbonsai --no-substitutes --no-grafts $ guix challenge --verbose cbonsai /gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match: local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 https://ci.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 https://bordeaux.guix.gnu.org/nar/lzip/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28 1 store items were analyzed: - 1 (100.0%) were identical - 0 (0.0%) differed - 0 (0.0%) were inconclusive All good so far. But, how do I test something that I depend on like OpenSSH? As I'm using it (and it's critical to my system) I already have it installed locally from the Substitution servers. Consequently, if I try to build it Guix informs me I have it already. I can't really remove it from my system, and I don't think there's a way to build it locally without first removing it. It seems at this point that I'm stuck. The only form of 'guix challenge' I can do is to check whether the two Substitutions servers agree - but if I don't trust the Guix developers this isn't a very good check. Is there some way to build the package locally (without first removing it)? Or some clever way to run Guix challenge that I'm not seeing? Thanks, Futurile/Steve
