[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Using Guix challenge for critical software? (resend)

From: Steve George
Subject: Using Guix challenge for critical software? (resend)
Date: Wed, 29 Nov 2023 11:40:50 +0000


How can I use 'guix challenge' to test critical software or packages that are 
deep in the dependency tree?

As I understand it, the purpose of Guix challenge is to test whether "binaries 
provided by this [substitution] server really correspond to the source code it 
claims to build" (from the manual). The obvious check then is to build the 
package myself locally and then check if the substitution server give the same 
result. To do that I do this:

$ guix shell --container --nesting --development cbonsai --network nss-certs -- 
    guix build cbonsai --no-substitutes --no-grafts
$ guix challenge --verbose cbonsai

/gnu/store/mgc2i6yxm2zbqf8yx8x5f4ig4nbii2cv-cbonsai-1.3.1 contents match:
  local hash: 1vws4ywn1gcgpnm1pfr5rz4hv769ccvnyj5drpnnway7bg0ckh28

1 store items were analyzed:
    - 1 (100.0%) were identical
    - 0 (0.0%) differed
    - 0 (0.0%) were inconclusive

All good so far.

But, how do I test something that I depend on like OpenSSH? As I'm using it 
(and it's critical to my system) I already have it installed locally from the 
Substitution servers. Consequently, if I try to build it Guix informs me I have 
it already. I can't really remove it from my system, and I don't think there's 
a way to build it locally without first removing it. 

It seems at this point that I'm stuck. The only form of 'guix challenge' I can 
do is to check whether the two Substitutions servers agree - but if I don't 
trust the Guix developers this isn't a very good check.

Is there some way to build the package locally (without first removing it)? Or 
some clever way to run Guix challenge that I'm not seeing?



reply via email to

[Prev in Thread] Current Thread [Next in Thread]