@dthompson ...also please don't let users just randomly extract tarballs and not get updates because that would make it even worse than AppImage.

@espectalll note the caveat in the article: 'guix pack' is not a substitute for a package manager!

@espectalll 'guix pack' is to satisfy the (apparently necessary) use-case that sometimes people want to just share some binary hodgepodge thing and have it run on as many machines as possible.

@espectalll isolation is orthogonal to distributing binaries. does snappy or flatpak provide any isolation?

@dthompson Absolutely, they use containers for a reason

@espectalll I wrote a container implementation for guix that can do all sorts of isolation via namespaces.

@dthompson OK now you're convincing me to not use Flatpak... but still, how did you not know that?

@espectalll not know what? I think we're starting to get many subjects mixed together here.

@dthompson By "that" I mean that Snap and Flatpak use containers to provide isolation

@espectalll I just don't know all the features they have because I've never used them.

@dthompson Sure that, but it's quite a given if we're talking about containers, because it's inherent to the idea. Also I thought at first I thought you were the author of the article, but you're not so it's OK.

@espectalll it's not a given. "container" is actually a very vague term. Linux provides 6 namespaces for isolating processes from various global kernel resources and there's all sorts of permutations you can have.

@espectalll and that's not even getting into the subject of control groups.

@dthompson That's correct, but I don't see why would you try to use a container for executing applications otherwise.

@espectalll the article I linked describes why it's needed. it's for creating a new root file system. in guix, all the software lives in /gnu/store, so in order to provide a tarball that can be extracted to any directory and run, you need to first create a user namespace so you can chroot as an unprivileged user.

@espectalll this can be taken further by introducing further isolation, but the isolation required will vary depending on the software being run, so what guix has now is a good MVP, I think.

@dthompson I've never considered a chroot as a "container" tbh

@espectalll I hope you are starting to see why "container" can be a problematic word. everyone has a different definition. and in this case we're not talking about only a chroot, but a user namespace as well, and namespaces form the core of what people refer to as a container.

@xj @dthompson Plan 9 is the OS of the gods anyway so comparing it with literally anything is beyond unfair

@xj @sn0w your bash script assumes theres a program called 'bwrap' on $PATH. I assume that is what is doing the actual namespace stuff?

@xj @sn0w guix itself has secure sandbox code I wrote in 2015. A scheme procedure named call-with-container. `guix environment --container` uses it.

@xj @sn0w okay?

@xj @sn0w sure, that is true, at least for the time being while guile lacks a native code compiler. my project has a different scope than yours, since I was adding features for people already using guix.