Reproducible builds and standalone GNU systems with Guix 0.9


Version 0.9 of the Guix package-management system was released on November 5. Since the previous major release in 2014, the Guix project has evolved to include not only the package manager itself, but the Guix Software Distribution (GuixSD) as well. With the large set of packages it supports, Guix already provides, in essence, a full operating-system layer that can be deployed and maintained on top of a minimal core Linux distribution. GuixSD goes one step further, and provides a Linux kernel and core OS components as well. Regardless of whether one uses GuixSD or simply installs individual packages with the Guix tools, the new release adds quite a bit of interesting new functionality, including automatic container provisioning, new tools for graphing package dependencies, and a mechanism for users to verify reproducible software packages.

A new distribution?

The underlying concepts of GuixSD have been in development for a while, but it is only in recent releases that the project's language has shifted to talking about GuixSD as a standalone system or distribution. The 0.7 release in July 2014 was the first to support standalone installation, while the 0.8.1 release in January 2015 was the first to refer to the standalone option as GuixSD. In February 2015, the Free Software Foundation (FSF) added GuixSD to its list of free-software distributions.

Despite the official FSF endorsement, GuixSD in its current state is not quite what most in the Linux realm would consider a usable distribution—a fact that the GuixSD manual notes as well. The installation process is manual, requiring the user to (for example) create the necessary disk partitions by hand and set up the network configuration on the command line. This is certainly not a show stopper, of course, although there is also a limited set of packages and system services available. PostgreSQL is the only SQL database package provided, nginx is the only web server, and neither KDE nor GNOME are packaged (although Xfce and Enlightenment are). In addition, there are some lower-level features still unavailable, such as Logical Volume Manager (LVM) and support for encrypted root partitions, that could prove to be critical for some users.

Nevertheless, GuixSD is rapidly shaping up to be a viable distribution; the number of packages included is on the rise, and the project has begun developing its own components. The first is the daemon-managing daemon (dmd), which handles service management and start-up. GuixSD uses the Linux-libre kernel, a GNU-maintained derivative of the mainline Linux kernel with all proprietary firmware blobs removed.

The second significant addition developed for GuixSD is the GuixSD services system. This is the platform-level framework for defining system services on the GuixSD distribution, analogous to the service definitions used by systemd. GuixSD services are defined using Scheme syntax with (key value) pairs. The current set of services defined for GuixSD is small, but the documentation provides several examples.

Advanced packaging

While the testing and development of GuixSD proceeds, Guix remains useful for those running other distributions as a package-management system. Among the new features implemented in the 0.9 release is Guix's own implementation of application containers. Specifically, the guix command-line tool can run several of its commands in containers that are spawned on-the-fly. The supported commands include environment, which is used to build a package in an isolated development environment, and system, which is used to build a full OS. Running

guix environment --container foo

creates a new virtual development environment in a container and bind-mounts directories within that environment containing the dependencies needed to build the package foo. This feature was implemented in order to help developers create reproducible builds; one of the Guix project's goals is to make source and binary packages interchangeable from the user's perspective. By eliminating the possibility that a discrepancy between source and binary packages will go undetected, the project hopes to make it demonstrable that the "corresponding source" (in GPL terminology) to a binary package has been released.

Performing all builds in an isolated environment is one step toward that goal, but such a build process is a tool for developers, not end users. Consequently, Guix 0.9 adds a reproducible-build verification tool. By running

guix challenge foo

a user can perform an automated build of the "foo" package from source and compare the resulting binary to the binary published on the Guix central repository.

In the event that a source build and a published binary do not match, there are several potential causes to consider. As the Debian reproducible-builds team has noted, after all, there can be many non-malicious sources of non-determinism in a build (including simple matters like including timestamps in the build output). The guix archive command will show where a completed build differs from the published binary package.

By default, guix challenge compares its local build results with the Guix package repository, but options are available to retrieve and build source from other servers as well. That opens up the door to spotting deterministic-build problems with upstream projects, as well as to detecting cases where a project fails to publish the full corresponding source to its package.
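The following is an added illustration, not Guix code, of the comparison guix challenge performs and of the timestamp non-determinism mentioned above: a constructed sample tree is "built" (archived) twice at different times, once copying the build time into every entry and once with the timestamps pinned, and the resulting hashes are compared the way a local build is compared with substitute servers. The tree, times, and server names are all made up for the example.

```python
import hashlib
import io
import tarfile

SAMPLE_TREE = {  # constructed sample build output: a tiny installed tree
    "bin/foo": b"#!/bin/sh\necho hello\n",
    "share/doc/foo/README": b"foo 1.0\n",
}
FIXED_EPOCH = 1  # mtime pinned by the normalised archiver

def build_archive(tree, build_time, normalise=False):
    """Pack `tree` into an in-memory tar in fixed entry order.  Without
    normalisation every header records build_time, so two builds differ."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(tree):
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = FIXED_EPOCH if normalise else build_time
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def challenge(local_hash, published):
    """Local build hash vs. the hash each substitute server reports."""
    return {server: h == local_hash for server, h in published.items()}

def differing_entries(archive_a, archive_b):
    """List entries whose mtime or content differ between two archives."""
    ta, tb = (tarfile.open(fileobj=io.BytesIO(x)) for x in (archive_a, archive_b))
    diffs = []
    for a, b in zip(ta.getmembers(), tb.getmembers()):
        if a.mtime != b.mtime:
            diffs.append((a.name, "mtime"))
        elif ta.extractfile(a).read() != tb.extractfile(b).read():
            diffs.append((a.name, "content"))
    return diffs

def demo():
    t1, t2 = 1446681600, 1446768000  # constructed build times, a day apart
    naive = [build_archive(SAMPLE_TREE, t) for t in (t1, t2)]
    fixed = [build_archive(SAMPLE_TREE, t, normalise=True) for t in (t1, t2)]
    return {
        "naive_reproducible": sha256_hex(naive[0]) == sha256_hex(naive[1]),
        "fixed_reproducible": sha256_hex(fixed[0]) == sha256_hex(fixed[1]),
        "naive_diffs": differing_entries(*naive),
    }
```

A mismatch from challenge() only says that the outputs differ; differing_entries() narrows it to the entries and fields responsible, which is the step needed to tell a timestamp leak from a genuinely different binary.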

The new release also adds several new package-management commands. The guix graph command will compute the dependency graph for any package, outputting the result in Graphviz format. It can thus be piped directly into Graphviz's dot command to produce a visualization of the package's dependencies. The default output omits implicit dependencies (such as system libraries and basic Unix utilities) as well as bootstrapping dependencies, but both can be added to the graph output via command-line switches.

All things considered, Guix has made considerable progress simply as a package manager in the past few years. There are now more than 2600 packages available in the repository. But the addition of tools to reproducibly build those packages and for users to verify that reproducibility is, arguably, the bigger accomplishment—the move toward reproducible builds is a goal that many distributions share. It will also be interesting to observe how GuixSD develops as a distribution. It is still quite early, perhaps too soon to compare GuixSD to other free-software distributions, but providing access to a pure-free-software system and to verifiable package builds will no doubt attract a lot of attention in the months and years to come.

