I have been using the Guix distro for a couple of months on a VM within Qubes (HVM) and I will report here the issues that I faced using it:
No question that the Guix package manager, as well as the distro, is a great way to have the latest upgrades available. This will also solve issues like this: (I won't mention what the benefits of having Guix are; there is a website users can check and see.)
But Guix doesn't come without issues either:
- TLS/DNS issues for the package manager/website
The package manager relies on Git hosted on gnu.org (Savannah). It misses many security features related to TLS as well as DNS:
** Sent an email to webmasters[at]gnu.org on 11/9/2020 with no reply until now.
** Opened a ticket on the Guix ticketing system on 11/4/2021 #47823; still no action has been taken until now.
** No support provided yet for Hidden Services #47647
- Guix Package Manager Security
** Guix doesn't yet support MAC (SELinux), or not properly:
and no support is mentioned for AppArmor.
** Guix doesn't sandbox its packages. I have suggested implementing a design which helps put the packages into isolated VMs, but it seems it won't happen unless someone contributes to do it #43770
Note: There is a project working on implementing this idea on Nix called Spectrum:
The current plan is to implement compartmentalization in Spectrum by running each application inside crosvm, the hypervisor used by ChromiumOS.
- Guix package manager usability
Since Guix will download the source code and build it on the user's machine, it will drain resources to a level which exceeds what average PCs provide, plus some other issues:
** LibreOffice upgrade will freeze the machine (OOM; EarlyOOM needed but not yet added) #47717
** Icedove won't build due to the need for high resources #48273
** Using Guix commands for updates can lead to unknown crashes (happened only once) #47782
** If there is a build failure for one package, the whole upgrade process will be cut off #48166
** Guix package manager tested on Debian 11: it won't show or run the applications installed from Guix #48796
** It gives messages which, if you do what they say (copy/paste what needs to be done), won't work #47724 ← won't fix.
- Guix packages
** IceCat, after one upgrade, came out with no icons for the extensions, and fixing it needs manual work or more work from the IceCat maintainer #48169. The issue has actually been known since 18/9/2020 #43487.
** Some packages won't give proper readings because they didn't expect to see non-traditional things like the very long package path shown in htop/top #47749.
- GuixSD, the distro (currently called just Guix)
** Has its own service manager called Shepherd. (Not an issue, but just something different from what is traditionally used in known GNU/Linux distros.)
** You can't install it using the guided GUI way unless there is an internet connection during the installation process. No support yet for static IP configuration within the installation process #37005, #43049.
** No support for a live mode or testing the distro before installation; only guided installation similar to Debian #47631 (won't fix).
** To install the distro with a static IP you need to install it the CLI way, but the issue is that the documentation is not really easy for the end user if he's average or wants to use copy/paste steps #47630.
** If the internet goes off during the installation of the distro, there is no way to reverse or fix it #47714
** The distro comes with bloat (unnecessary packages) which we don't see by default in a minimal distro like Debian (packages like mesa, nouveau, etc.).
** You can't delete system packages using the Guix package manager; instead you do it manually #47748.
** Annoying bug after the installation (using the CLI way) that prevents NetworkManager from saving network preferences (you need to run the manual commands every time after reboot to have an internet connection) #47687.
** Guix commands for update/upgrade are not chosen in a friendly way #47971. ← Won't fix
** Due to the feature which saves generations/cache for the packages, it won't work well with low disk space (not less than 100-200 GB), which makes it sort of hard to use on light VMs or mobile devices. Requested a feature to have the ability to disable the caching and keep only the rolling/continuous upgrade for the packages #47846.
** No simple firewall by default like ufw/gufw #47645.
- Guix Ticketing system/Bug tracker is a disaster
It's a purely email-based ticketing system, which means:
** You can't modify what has been sent
** If you want to close or reopen a ticket you need to do it in a special way (no clear docs saying that in Guix), e.g.:
Ticket can be reopened by sending a message containing “reopen 47748” to <control[at]debbugs.gnu.org>.
** Not useful for old or weak-resource PCs
** Not useful for low/limited disk space
** Not useful for slow internet connections
** No friendly installation for static IP cases yet.
** I wouldn't call it a friendly distro (yet, as maybe in the future this will change)
** I wouldn't consider it stable for production; I still see it in a beta phase.
** I wouldn't consider it secure, as there is no way invented yet to secure the installed packages.
- How can it be useful to Whonix?
The only way I can think of now is to use GuixSD as the Whonix host, but not as the Whonix main distro. Why:
** The host can be minimised to only the specific packages needed to make it run; this will reduce the impact of the storage issue
** We can say that the Whonix host can require a high-resource PC, but it would be a very bad experience if we say the Whonix main distro requires a high-resource PC (imagine each VM, WS/GW, should have at least 8 GB or more of RAM with 100+ GB storage)
** It will resolve new hypervisor package issues, especially like the VBox one (the roll-back feature to the older version can be a temporary solution until Whonix fixes the issue for the newest one)
** Host kernel, DE, etc. will always be running the latest upgrades available.
We can't use GuixSD as the distro for the main Whonix OS due to the issues above.