| ▲ | Removing Guix from Debian(lwn.net) |
| 129 points by 6581 a day ago | 48 comments |
| |
|
| ▲ | yjftsjthsd-h a day ago | parent | next [-] |
| > For example, he has had to maintain various Guile dependencies, and deal with the fact that Guix uses ""fairly old"" GCC versions whereas Debian usually ships the latest GCC version available for a given release. It's odd that guix is both rolling release but also uses older GCC versions; usually I'd expect those from very different cultures. |
| |
| ▲ | pxc a day ago | parent [-] | | It seems that it doesn't build with releases of GCC from April 2025 onward, at least with default settings, because it doesn't build with the C23/C++23 standards. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1096790 Maybe such changes are more substantial than the typical differences between GCC releases? | | |
| ▲ | yjftsjthsd-h a day ago | parent | next [-] | | Surely if that's all they would just build with an explicit -std=whatever setting? | | | |
| ▲ | vincent-manis 21 hours ago | parent | prev [-] | | I recently custom-built Guile for my Arch system, and found that it won't build with GCC 15, but will with 14, which is the only other version in the Arch repository. I think that the Guile maintainers will need to get busy fixing the incompatibilities in question, before GCC 16 appears. |
|
|
|
| ▲ | Arcuru a day ago | parent | prev | next [-] |
| > According to Debian's popularity contest (popcon) statistics, there are not quite 230 systems with Guix installed. |
| |
| ▲ | JohnFen a day ago | parent | next [-] | | But most people using Debian turn popcon off. I don't at all doubt that Guix is not used by most people, but I'm quite certain the number of users is well above 230. | | |
| ▲ | cestith a day ago | parent | next [-] | | The locales package has over 265k installs in the same recent report that lists 231 copies of guix. That’s less than 0.09% or so. | | |
| ▲ | yjftsjthsd-h a day ago | parent [-] | | By the same virtue, https://qa.debian.org/popcon.php?package=firefox only lists 5749 installs of firefox. I'd take it with a grain of salt. | | |
| ▲ | jsight 21 hours ago | parent | next [-] | | Firefox-esr seems to be much more common (~118k): https://qa.debian.org/popcon.php?package=firefox-esr | |
| ▲ | cestith 4 hours ago | parent | prev | next [-] | | Besides the point already made about firefox-esr being the default package for Firefox, here are a couple of other points. First, that also means there are 5749 installations of non-default Firefox compared to 231 of guix. Secondly, popcon works on servers and headless systems without X or Wayland. Those systems still use a package manager, and sometimes several. A graphical web browser like Firefox is unlikely to be installed without a GUI. I’ve seen plenty of systems with Snap, Flatpak, or Nix installed besides the OS-related apt, aptible, apt-get, rpm, yum, dnf, and language-related tools like pip, EasyInstall, rubygems, Bundler, cpanm, npm, cargo, OPAM, Composer, go get, or sbt with no GUI. | |
| ▲ | dspillett 20 hours ago | parent | prev | next [-] | | That is still more than an order of magnitude higher (2.17% rather than 0.09%). And FF ESR is the more common by far (44.5%) as it is the default, people only install the other FF package if they have specific need to be closer to the leading edge. The build environments for the two will be very close, at least compared to the oddities being reported in the Guix requirements, so the hassle of maintaining FF and FF-ESR compared to just one of them is not going to be comparatively large compared to maintaining packages for just one of the pair. | |
| ▲ | Ologn 21 hours ago | parent | prev | next [-] | | It lists 118698 installs of firefox-esr. https://qa.debian.org/popcon.php?package=firefox-esr | | |
| ▲ | omniglottal 4 hours ago | parent [-] | | Yes, and these numbers have been established as what we in the industry call "invalid". |
| |
| ▲ | 21 hours ago | parent | prev [-] | | [deleted] |
|
| |
| ▲ | Valodim 21 hours ago | parent | prev | next [-] | | Can't really complain if their usage stats aren't taken into account then, I'd say? | | |
| ▲ | lucb1e 21 hours ago | parent | next [-] | | Or just to take the raw data with a grain of salt because some people care about privacy and haven't had time to read up on what the privacy policy is for example. That doesn't automatically mean these people stop being worth considering as legit users of the software | | | |
| ▲ | 0_gravitas 21 hours ago | parent | prev | next [-] | | It's not a complaint, it's just a fact to consider. | |
| ▲ | 11 hours ago | parent | prev [-] | | [deleted] |
| |
| ▲ | gorgoiler a day ago | parent | prev | next [-] | | For comparison, git has ~155,000 installs and the common base packages have ~266,000: https://popcon.debian.org/index.html | |
| ▲ | dspillett 20 hours ago | parent | prev [-] | | You just have to assume that the install balance between those with it on is not massively different to the install balance between those who do not. This might not be the safest application of statistics, but it is the best available. If more Guix users want to be seen and counted, to show how much of a need there might be to keep it despite the current issues, then there is a simple thing they can do… Or a less simple thing: the “without a community nor help” part seems rather significant to me in “But the Debian package maintainer has the almost impossible task to backport all the security fixes without a community nor help behind [maintaining it] and as things are going, this will probably lead to the Debian guix package being removed”. |
| |
| ▲ | stocksinsmocks 20 hours ago | parent | prev [-] | | Perhaps, but there is a certain charm in a single individuals obsessive devotion to a problem nobody else sees. I like that the Linux ecosystem is weird. |
|
|
| ▲ | kwk1 a day ago | parent | prev | next [-] |
| I've been meaning to share these results in a more appropriate place, but for what it's worth, the proof-of-concept script for the recent Guix CVEs bisects to a Jan 2023 commit, so it's not clear that released versions are affected. 4cf1acc7f30 + cherry-picked 71171538e12 + 1c78f71beb3 + a49536e3200 + 7f237f3e6ca |
|
| ▲ | Eduard 19 hours ago | parent | prev | next [-] |
| why not bring Debian's guix version to closely follow vanilla guix's releases? Is it because Debian wants to guarantee that a Debian release (such as trixie) only provides packages that stick to at most bugfix versions such that there are no breaking changes introduced? |
| |
| ▲ | kwk1 18 hours ago | parent [-] | | It could have been possible to upload something like a 1.4.0+git2025mmdd package, if not for the timing of the CVE announcement with regards to Debian's release freeze. |
|
|
| ▲ | tucnak a day ago | parent | prev [-] |
| It's a shame that yet another project (bcachefs in Linux kernel) and now guix are getting ostracized out of mismanagement... on whoever's part, although in all honestly, and this is a hot take mind you; guix should either be run on bare metal, to take advantage of its bootstrap-from-source, thus avoiding debian in the first place, OR be running as guest, in some fantasical gnu hurd environment, thus forgoing linux. I say this as a long-term guix user. |
| |
| ▲ | yjftsjthsd-h a day ago | parent | next [-] | | > It's a shame that yet another project (bcachefs in Linux kernel) and now guix are getting ostracized out of mismanagement... on whoever's part, I'm not even sure it's mismanagement, just incompatible approaches. Debian ships a coherent system, with a minimal (preferably one) versions of each library per version of the distro, and each version of the distro is maintained together for a fairly long time with as close as possible to only bug fixes as changes. And that's 100% valid in its own context. Guix apparently prefers rolling release. That's also 100% valid in its own context. But those two contexts don't mix well, through no fault of either party. > although in all honestly, and this is a hot take mind you; guix should either be run on bare metal, to take advantage of its bootstrap-from-source, thus avoiding debian in the first place, While I also see the appeal to going pure guix, the cross pollination is good for both projects, especially (IMHO) guix. This provided a gentler on-ramp to using guix at a smaller scale without the flying leap that is switching distros outright, and (per the article) the Debian maintainer(s?) have found reproducibility problems while doing their work which is quite valuable to guix. > OR be running as guest, in some fantasical gnu hurd environment, thus forgoing linux. Subhurds are really cool, but I would argue there are lots of practical uses that don't really need to go that far. | |
| ▲ | giancarlostoro a day ago | parent | prev | next [-] | | > I say this as a long-term guix user. Curious, what is your need / use case? I typically just stick to the package manager for whatever OS I install, if I don't like theirs, I find a new OS. | | |
| ▲ | zelphirkalt a day ago | parent | next [-] | | Not the GP, but: For Guix in general? That's easy to answer: (1) Making things reproducible. That is one of the main reasons. And not only installed system packages. You can also use it to build reproducible projects you develop, if the dependencies are available on Guix. (2) The other one is installing software, that your distribution doesn't have in standard repos. | | | |
| ▲ | trelane a day ago | parent | prev [-] | | If you install guix as a user, it augments or overrides the software available on your base system. It helps a lot on Chromebooks, where it's not straightforward to get a recent release. It also helps to get up-to-date packages if you're a regular user and your admin doesn't have them for some reason (maybe RHEL or Ubuntu LTS.) Or even just if your admin doesn't have the packages installed. | | |
| ▲ | felixg3 a day ago | parent [-] | | I feel like that brew, or better yet, nix are great options for userspace applications in Linux and macOS | | |
| ▲ | trelane a day ago | parent [-] | | Sure, there are other options for this. But this is certainly a use case for guix, which is what the poster was asking about. |
|
|
| |
| ▲ | msgodel a day ago | parent | prev [-] | | Just using Guix requires a pretty substantial amount of administrative work. I'd imagine maintaining it is even more intense and that's why they're running into issues like this. You have to be pretty slow to be outrun by Debian of all distros. | | |
| ▲ | terminalbraid a day ago | parent | next [-] | | It's not the slowness of releases, it's the fact they don't release any stable version with just security fixes. They only make new cumulative releases. Debian's model is to fix a version for their release and do security patches on that, not to push out the latest version. | | |
| ▲ | guga42k 21 hours ago | parent [-] | | I would guess this is the same reason why one can't change git repo history without affecting people working with the repo. Merkle tree all over the store. | | |
| ▲ | lmz 16 hours ago | parent [-] | | Merkle trees don't prohibit release / patch-only branches. Or multiple heads in general. |
|
| |
| ▲ | spit2wind 20 hours ago | parent | prev [-] | | What do you mean by "Just using Guix requires a pretty substantial amount of administrative work." Like, as a user downloading packages, or a person packaging an application? As a user downloading a package, it's been super easy for me and it's been years of running Guix with little to no issue (yet the benefits of rolling release, rollbacks, installing multiple versions of a given software etc.). As for using it to package an application, I found the challenges mainly in the documentation. This was years ago and a lot of work has gone into improving the docs. I'm curious what your experience has been. | | |
| ▲ | ocdtrekkie 17 hours ago | parent [-] | | FWIW, not the OP but doing a guix pull after getting it from APT took several hours to crash out every time I wanted to just try using guix for something, and the ISO to install it from upstream was multiple gigabytes which seemed wild. I put a couple days into it and never actually got to try it. It's hard to have an opinion of a platform you haven't used but based on how bloated just starting it seemed to be I was unimpressed. | | |
| ▲ | pxc 12 hours ago | parent [-] | | > the ISO to install it from upstream was multiple gigabytes which seemed wild. For the record, the Guix System install media is less than 1 GB. And the Guix installer from upstream looks to be 100 MB right now. |
|
|
|
|
