GuixSD Distro preview

I have been using the Guix distro for a couple of months on a VM within Qubes (HVM) and I will report here the issues that I faced using it:

No question that the Guix package manager, as well as the distro, is a great way to have the latest upgrades available. This will solve as well issues like this: (I won't mention what the benefits of having Guix are; there is a website users can check and see)

But Guix won't come without issues as well:

  • TLS/DNS issues for the package manager/website: The package manager relies on git, which is hosted on gnu.org (called Savannah). It misses many security features related to TLS as well as DNS:

    • Sent an email to webmasters[at]gnu.org on 11/9/2020 with no reply until now.

    • Opened a ticket on the Guix ticketing system on 11/4/2021, #47823. Still no action has been taken until now.

    • No support provided yet for Hidden Services #47647

  • Guix Package Manager Security

    • Guix doesn't yet support MAC (SELinux), or not properly:

and no support is mentioned for AppArmor.

  • Guix doesn't sandbox its packages. I have suggested implementing a design which helps put the packages into isolated VMs, but it seems it won't happen unless someone contributes to do it #43770

Note: There is a project working on implementing this idea on Nix called Spectrum:

The current plan is to implement compartmentalization in Spectrum by running each application inside crosvm, the hypervisor used by ChromiumOS.

  • Guix package manager usability: Since Guix will download the source code and build it on the user's machine, it will drain the resources to a level which exceeds the resources provided by average PCs, plus some other issues:

    • LibreOffice upgrade will freeze the machine (OOM; EarlyOOM needed but not yet added) #47717

    • Icedove won't build due to the need for high resources #48273

    • Using Guix commands for updates can lead to unknown crashes (happened only once) #47782

    • If there is a build failure for one package, the entire upgrade process will be cut off #48166

    • Guix Package Manager tested on Debian 11: it won't show or run the installed application from Guix #48796

    • It gives messages which, if you do what it says (copy/paste what needs to be done), won't work #47724 ← won't fix.

  • Guix packages

    • Icecat, after one upgrade, came out with no icons for the extensions, and fixing it needs manual work or more work from the IceCat maintainer #48169. The issue has actually been known since 18/9/2020 #43487.

    • Some packages won't give proper readings because they didn't expect to see non-traditional stuff like the very long path of the package when read using htop/top #47749.

  • GuixSD the distro (currently called guix only)

    • Has its own service manager called Shepherd. (Not an issue, but just something different from what is used traditionally in known GNU/Linux distros.)

    • You can't install it using the guided GUI way unless there is no internet connection in the installation process. No support yet for static IP configuration within the installation process #37005, #43049.

    • No support for live mode or testing the distro before installation, only guided installation similar to Debian #47631 (won't fix).

    • To install the distro with a static IP you need to install it using the CLI way, but the issue is that the documentation is not really easy for an end user if he's average or wants to use copy/paste steps #47630.

    • If the internet goes off during the installation of the distro, there is no reversible way to fix it #47714

    • The distro comes with bloated packages (unnecessary packages) which we don't see by default in a minimal distro like Debian (packages like mesa, nouveau, etc.).

    • You can't delete system packages using the Guix package manager; instead you do it manually #47748.

    • Annoying bug after the installation (using the CLI way) that prevents NetworkManager from saving network preferences (you need to run the manual commands every time after reboot to have an internet connection) #47687.

    • Guix commands for update/upgrade are not chosen in a friendly way #47971. ← Won't fix

    • Due to the feature which saves generations/cache for the packages, it won't work well with low disk space (not less than 100-200 GB), which makes it sort of hard to use on light VMs or mobile devices. Requested a feature to have the ability to disable the caching and keep only the rolling/continuous upgrade for the packages #47846.

    • No simple firewall by default like ufw/gufw #47645.

  • Guix Ticketing system/Bug tracker is a disaster. It's a purely email-based ticketing system, which means:

    • You can't modify what has been sent

    • If you want to close or reopen the ticket you need to do it in a special way (no clear docs saying that in Guix), e.g.:

Ticket can be reopened by sending a message containing “reopen 47748” to <control[at]debbugs.gnu.org>.

  • Infrastructure Stability

  • Conclusion

    • Not useful for old or weak-resource PCs
    • Not useful for low/limited disk space
    • Not useful for slow Internet connections
    • No friendly installation for static IP cases yet.
    • I wouldn't call it a friendly distro (yet, as maybe in the future this will change)
    • I wouldn't consider it stable for production; I still see it in beta phase.
    • I wouldn't consider it secure as there is no way invented yet to secure the installed packages.
  • How can it be useful to Whonix? Well, the only way I can think of now is to use GuixSD as the Whonix host but not the Whonix main distro. Why:

    • The host can be minimalised to specific packages only to make it run; this will reduce the impact of the storage issue

    • We can say that the Whonix host can require a high-resource PC, but it would be a very bad experience if we say the Whonix main distro requires a high-resource PC (imagine each VM ws/gw should have at least 8 GB or more of RAM with 100+ GB storage)

    • It will resolve new hypervisor package issues, especially like the VBox one (the roll back feature to the older version can be a temporary solution until Whonix fixes the issue for the newest one)

    • Host kernel, DE, etc. will always be running the latest upgrades available.

We can't use GuixSD to be the distro for the main Whonix OS due to the issues above.


Dunno. Unless you can point me to a weak dependencies or similar feature.

See related Whonix development wiki entry guix.

Dunno. Unless you can point me to a weak dependencies or similar feature.

Talked to them and they answered:

Guix doesn’t have the concept of conflicts or recommendations at all,
so everything is ‘fixed’. Package A either refers to package B or it
doesn’t.
If Guix upstream has packaged A to require B, and you don’t like
that, you could create a custom A variant with (say) --disable-b if A
supports that. But there’s no ‘Installing A will ask you whether you
want B, and if so will treat B as a heisendep of A’ nonsense like in
Debian and I’m grateful for it.
Removing a Guix package can’t remove other packages. Guix doesn’t
work like that.
Guix knows what needs to remain in /gnu/store because it has a record
of all references.
“guix upgrade” operates on user profiles such as ~/.guix-profile
“guix system reconfigure” builds a system (it also ends up in
/gnu/store) and switches the current system symlink to the new one,
restarts some services etc

So I believe it fixes that Debian issue.

Patrick via Whonix Forum:

@nurmagoz via Whonix Forum:

Dunno. Unless you can point me to a weak dependencies or similar feature.

talked to them and they answered:

Guix doesn’t have the concept of conflicts or recommendations at all,
so everything is ‘fixed’. Package A either refers to package B or it
doesn’t.

Sounds like it has no weak dependencies feature.

If Guix upstream has packaged A to require B, and you don’t like
that, you could create a custom A variant with (say) --disable-b if A
supports that.

Not sure what that means. Building a custom package?

But there’s no ‘Installing A will ask you whether you
want B, and if so will treat B as a heisendep of A’ nonsense like in
Debian and I’m grateful for it.

That I very much agree with. Debian Recommends: are heisendep. Similar
heisenbug. You’ll never know if users got the Recommends:ed packages
or not.

I don’t like Debian “heisendep” but a weak dependencies feature would be
great.
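Added illustration (not from any participant in this thread, and not Guix's own package definition): the "custom A variant with (say) --disable-b" mentioned above, written as a Guix package variant in Guile Scheme. It assumes the base package (here GNU hello from (gnu packages base), standing in for "A") accepts the configure flag passed to it (here --disable-nls, standing in for "--disable-b"), exactly the "if A supports that" caveat from the answer.

```scheme
;; hello-no-nls.scm -- added example, not taken from the thread or from Guix.
;; Build it with:  guix build -f hello-no-nls.scm
;; The variant is a new package in /gnu/store; the upstream `hello` is untouched,
;; and the references Guix records decide what stays in the store.
(use-modules (guix packages)          ; package, package/inherit, package-arguments
             (guix utils)             ; substitute-keyword-arguments
             (gnu packages base))     ; the `hello` package used as "A"

(define-public hello-no-nls
  ;; package/inherit copies every field of `hello` (and applies the same
  ;; change to its replacement, if it has one), then overrides the fields below.
  (package/inherit hello
    (name "hello-no-nls")
    (arguments
     ;; Rewrite only the #:configure-flags keyword of the inherited build
     ;; arguments; ''() is the default when the base package sets none.
     (substitute-keyword-arguments (package-arguments hello)
       ((#:configure-flags flags ''())
        ;; Prepend the flag (assumed to be supported by hello's ./configure)
        ;; to whatever flags the base package already passed.
        `(cons "--disable-nls" ,flags))))))

;; `guix build -f` builds whatever the file evaluates to, so the variant
;; must be the last expression.
hello-no-nls
```

The same pattern, with a different base package and flag, is what a user who dislikes Guix upstream's choice of dependency "B" would write; nothing is asked interactively and no other package is affected.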

Additional point:

  • No easy way to install an outside package (not from Guix), for example if a user downloaded TB from TorProject he can't open it/it won't work. (The user needs to use tools like PatchELF to change stuff because libs/glibc are not the same as in normal distros.)

This is the same with NixOS and Fedora Silverblue, not only in Guix.