flock of birbs @dthompson

Guix can now produce relocatable application bundles. Unlike snap, flatpak, etc. the resulting bundles can be bit-reproducible and the user needs no additional software to run them since every distro can extract a tarball.

gnu.org/software/guix/blog/201

@dthompson not that you can run them in GNOME any more haha

@dthompson It seems to provide no isolation but it's still a neat idea

@dthompson ...also please don't let users just randomly extract tarballs and not get updates because that would make it even worse than AppImage.

@espectalll note the caveat in the article: 'guix pack' is not a substitute for a package manager!

@espectalll 'guix pack' is to satisfy the (apparently necessary) use-case that sometimes people want to just share some binary hodgepodge thing and have it run on as many machines as possible.

@espectalll isolation is orthogonal to distributing binaries. does snappy or flatpak provide any isolation?

@dthompson Absolutely, they use containers for a reason

@espectalll I wrote a container implementation for guix that can do all sorts of isolation via namespaces.

@dthompson OK now you're convincing me to not use Flatpak... but still, how did you not know that?

@espectalll not know what? I think we're starting to get many subjects mixed together here.

@dthompson By "that" I mean that Snap and Flatpak use containers to provide isolation

@espectalll I just don't know all the features they have because I've never used them.

@dthompson Sure, but it's quite a given if we're talking about containers, because it's inherent to the idea. Also, at first I thought you were the author of the article, but you're not, so it's OK.

@espectalll it's not a given. "container" is actually a very vague term. Linux provides 6 namespaces for isolating processes from various global kernel resources and there's all sorts of permutations you can have.

@espectalll and that's not even getting into the subject of control groups.

@dthompson That's correct, but I don't see why you would try to use a container for executing applications otherwise.

@espectalll the article I linked describes why it's needed. it's for creating a new root file system. in guix, all the software lives in /gnu/store, so in order to provide a tarball that can be extracted to any directory and run, you need to first create a user namespace so you can chroot as an unprivileged user.

@espectalll this can be taken further by introducing further isolation, but the isolation required will vary depending on the software being run, so what guix has now is a good MVP, I think.
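The mechanism described in the two posts above (enter a user namespace as an unprivileged user, become uid 0 inside it, then chroot into the extracted bundle directory) as an added example in C. This is not code from the thread, from Guix, or from 'guix pack'; it is a minimal stand-alone launcher written here to show the steps, and the bundle directory and program path it takes on the command line are assumptions. It deliberately does nothing beyond the user and mount namespaces, matching the "good MVP" scope discussed above.

```c
/* Added example (not from the thread or from Guix): a minimal relocatable
 * launcher. It creates a user namespace so an unprivileged user becomes
 * uid 0 inside it (and so holds CAP_SYS_CHROOT there), then chroots into
 * the extracted bundle directory and execs a program from it. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/types.h>

/* Kernel flag values, defined here in case the libc headers hide them. */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Format the one-line id map "inside outside count\n" that the kernel
 * expects in /proc/self/uid_map and gid_map. Returns the number of bytes
 * written, or -1 if the buffer is too small. Pure function, so it can be
 * checked without creating a namespace. */
int format_id_map(char *buf, size_t len, unsigned inside, unsigned outside,
                  unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inside, outside, count);
    if (n < 0 || (size_t)n >= len) return -1;
    return n;
}

/* Write a whole string to a path; returns 0 on success, -1 on failure. */
static int write_file(const char *path, const char *s)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t w = write(fd, s, strlen(s));
    int saved = errno;
    close(fd);
    if (w != (ssize_t)strlen(s)) { errno = saved; return -1; }
    return 0;
}

/* Enter a fresh user + mount namespace, mapping the caller to uid/gid 0
 * inside it. Returns 0 on success, -1 on failure; a common failure is a
 * kernel on which unprivileged user namespaces are disabled, which is a
 * deliberate hardening setting on some distributions. */
int become_root_in_new_userns(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();
    char map[64];

    if (syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;

    /* Since Linux 3.19, gid_map may only be written after denying setgroups. */
    if (write_file("/proc/self/setgroups", "deny") < 0) return -1;
    if (format_id_map(map, sizeof map, 0, (unsigned)uid, 1) < 0) return -1;
    if (write_file("/proc/self/uid_map", map) < 0) return -1;
    if (format_id_map(map, sizeof map, 0, (unsigned)gid, 1) < 0) return -1;
    if (write_file("/proc/self/gid_map", map) < 0) return -1;
    return 0;
}

/* Chroot into the bundle root and exec argv[0] (a path inside the new
 * root). Only returns on error. */
int run_in_bundle(const char *root, char *const argv[])
{
    if (chroot(root) < 0) return -1;
    if (chdir("/") < 0) return -1;
    execv(argv[0], argv);
    return -1;
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <extracted-bundle-dir> </path/inside/bundle> [args...]\n",
                argv[0]);
        return 2;
    }
    if (become_root_in_new_userns() < 0) {
        perror("user namespace setup failed");
        return 1;
    }
    run_in_bundle(argv[1], &argv[2]);
    perror("exec in bundle failed");
    return 1;
}
```

Run as an ordinary user with `./launcher /tmp/bundle /bin/sh` after extracting a bundle to /tmp/bundle (paths are constructed for this example). Note what the launcher does not do: it does not unshare the PID, network, or IPC namespaces, does not pivot_root away the old root, and applies no seccomp filter or cgroup limits, so processes inside still see the host's network and process list. That is exactly the point made above: a user namespace plus chroot is enough to relocate the bundle, but it is not, by itself, the isolation people usually mean by "container".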

@dthompson I've never considered a chroot as a "container" tbh

@espectalll I hope you are starting to see why "container" can be a problematic word. everyone has a different definition. and in this case we're not talking about only a chroot, but a user namespace as well, and namespaces form the core of what people refer to as a container.

@dthompson Finally a project that doesn't jump onto the container hypetrain :rooAww:

@xj @dthompson Plan 9 is the OS of the gods anyway so comparing it with literally anything is beyond unfair :3deyes:

@xj @sn0w your bash script assumes there's a program called 'bwrap' on $PATH. I assume that is what is doing the actual namespace stuff?

@sn0w @dthompson

more seriously, i have a ~35 line bash implementation of appimage that uses tarballs as the image format. with some small modifications i could run these guix bundles inside of a secure sandbox.

https://source.heropunch.io/tomo/grid/src/branch/latest/grid

@xj @sn0w guix itself has secure sandbox code I wrote in 2015. A scheme procedure named call-with-container. `guix environment --container` uses it.

@dthompson @sn0w

as in compare/contrast or whatever. like an observation, not a value judgement.

a scheme program is, by definition, less portable than a bash script because bash is pretty much the standard UNIX shell. in the case of this sandbox code, you have to install fewer deps to make it work on "whatever linux distro".

@xj @sn0w sure, that is true, at least for the time being while guile lacks a native code compiler. my project has a different scope than yours, since I was adding features for people already using guix.
