Fork me on GitHub
#guix2022-03-21
>
Maxime Devos14:03:19

Nevermind, Slackbot answered!

Maxime Devos14:03:31

@logbot @pavlos @seancorfield: Answer to <https://clojurians-log.clojureverse.org/tools-deps/2022-01-15/1642213393.070600> (‘I'm curious about the process for upgrading stuff?’): In the ideal case, all you have to do is: checkout the guix repository, compile it, run "./pre-inst-env guix refresh -u the-package-that-you-want-to-update"

🙏 1
Maxime Devos14:03:07

In the ideal case, that ‘just works (TM)’, but it unfortunately doesn't work for all packages, e.g. it used to not work for minetest mods. It should, however, work for all pypi packages. I don't know how well it works for Clojure, but it should work for everything that has a git repository as source code and tags versions.

Maxime Devos14:03:14

‘It seems like packaging clojure-tools relies on community volunteers and that means they have to repackage every time there's a new release of the CLI?’ (https://clojurians-log.clojureverse.org/tools-deps/2022-01-15/1642213393.070600): It does not have to be repackaged --- assuming no complications (new dependencies etc.), all that's necessary is modifying the 'version' field and 'sha256' field of the package definition; the old package definition can be reused, it only has to be tweaked a bit.

Maxime Devos14:03:41

Additionally, it is not necessary to always update the package definition after an update. You only have to update it if you need the the new version of the CLI.

Maxime Devos14:03:12

I.e., I expect that most of the time, for most users, a slightly out-of-date version of the CLI will probably go unnoticed

Maxime Devos14:03:29

‘What happens if a community volunteer moves on, or even is off on vacation for a while? Doesn't that just block people from upgrading their clojure-tools in a timely manner?’

Maxime Devos14:03:58

There are no formal ‘developer’ or ‘maintainer’ hats, everyone can update packages in Guix, by sending an appropriate patch to the mailing list.

Maxime Devos14:03:31

Additionally, even if the package definition in Guix is out-of-date, you can easily locally define a variant of the package with the new version. E.g., put something like

(define old (specification->package "clojure-foo"))
(package
   (inherit old)
   (version "10.20.30") ; new version
   (source (origin
             (inherit (package-source old))
             (file-name ...)
             (url ...))))
in the package.scm, then do guix install -f "the package.scm" to install the new version of clojure-foo .

Maxime Devos14:03:00

Or even do "guix install --with-latest=clojure-foo clojure-foo" to automatically determine the newest version and install that (though that is not guaranteed to work, autoupdating is a bit fragile).

Maxime Devos14:03:01

‘It's like these package managers are stuck in the 1990s before the Java ecosystem appeared...’

Maxime Devos14:03:28

Guix does lots of new things! For example:

Maxime Devos14:03:04

You can choose to build everything from source (except for the bootstrap seed, which is gradually shrinking) (which has some security benefits, see later) (though you don't have to). That's not very practical on, say, Debian or Maven, but it's trivial on Guix: just remove http://ci.guix.gnu.org from the list of substitute servers, or pass --no-substitutes to "guix build".

Maxime Devos15:03:16

More fallbacks to avoid source code from going missing! Even if the substitute servers break down, the source code or binaries are removed from Maven, Maven disappears, Maven is blocked for whatever reason, ..., you'll still be able to install (and build) the software! Guix has multiple backup locations for source code: the copy at the official substitute servers (http://ci.guix.gnu.org), possibly a copy in the Software Heritage archives, possibly a copy on http://tarballs.nixos.org, the actual upstream locations and possibly some mirrors.

Maxime Devos15:03:26

Maven doesn't seem to have any backups at all. Source code mirroring and backups is not new, but Guix seems to do it to a greater extent.

Maxime Devos15:03:06

There are plans for distributing substitutes and source code over P2P, although the substitute part is currently untested and can probably be improved (performance-wise, storage, ...).

Wanja Hentze16:03:51

A somewhat more spicy rebuttal to the "stuck in the 90s" remark: You could instead argue that clojure's dependency management story is stuck at the Java model, whereas the language itself has left many other things from Java behind. I think the idea of specifying just a version number, not having anything in the way of a lockfile and just pulling from a central, well known repo is "place oriented programming".

Wanja Hentze16:03:03

That is: both the upstream developers and the downstream consumers of a package care about this place called "org.foo/bar v.1.2.3".

Maxime Devos15:03:18

‘What I like about brew on Linux is that I can install any version of the Clojure CLI, as soon as it is released by the core team -- and I can install prerelease versions just as easily as stable versions, and I can switch back and forth between them easily.’

Maxime Devos15:03:45

That's ... pretty much the case for Guix as well? Multiple versions of the same package can be packaged in Guix, then the user can do "guix install clojure-cli@some-version-i-choose". And packaging new versions of packages is (with some exceptions) trivial, you don't even have to submit things upstream (here, upstream=Guix).

Maxime Devos15:03:05

I mean, looking at, say, https://github.com/Homebrew/homebrew-core/commit/2c2593b049f8ec80242d88e16c62671553deba17#, it seems like even in brew you have to modify the version and hash, so it seems like updating things with brew is the same amount of work as updating things with Guix.

Maxime Devos15:03:45

Some more general stuff on ‘why use package managers like Guix or Debian’: security! What if an upstream turns out to be malicious and put malware in the binaries (which is virtually undetectable if done properly until it's too late) or the source code (see NPM compromise)? What if upstream lists an old version of a package among its dependencies, and it turns out to have a vulnerability (log4j) -- in a package manager like Guix and Debian, Guix and Debian can easily fix the vulnerability without having to modify anything in the upstreams.

Maxime Devos15:03:59

During the review process, the reviewer can look at the source code to prevent this (malicious) kind of trouble.

Maxime Devos15:03:12

The upstream code might be broken, and needs to be patched in Guix! E.g., the upstream code might try to run "/bin/ls", even though "/bin/ls" does not exist in Guix and needs to be replaced with an appropriate "/gnu/store/.../bin/ls" filename.

Maxime Devos15:03:54

What if an user wants to install an application that depends on both Clojure libraries (which are on Maven) and Python libraries (which are on pypi)? If the user were told to use the Clojure tools and pypi, then it seems to me that that would be very very cumbersome, wouldn't a simple apt-get install some-app or apt-get install some-app be better?

pavlosmelissinos15:03:18

not necessarily because debian doesn't solve the dependency hell problem (guix does though)

pavlosmelissinos15:03:17

I don't think it's an issue in Clojure (because of how maven stores/picks up artifacts locally) but it is in Python (which why they have virtual environments that have to be managed manually)

Maxime Devos15:03:54

‘This is all basically same as Debian, that redoes all this same work with their own slightly different build system that makes slightly different versions of libs too. They chunk it up into periodic release trains’ --> Guix doesn't do periodic releases (technically, some commits are tagged with some version number, but that's more of a milestone for blog posts etc.), just do "guix pulll" to get the latest version of guix. Also, the build system is completely different from Debian.

Wanja Hentze15:03:46

Hi, Nix user here 🙂 Thanks a lot for taking the time to write all of this out, I very much agree!

2
Wanja Hentze15:03:47

For those reading along: Nix and Guix share a lot of design philosophy, so most of these points apply to both

Wanja Hentze15:03:57

Here's another, very practical reason we're trying to move our builds to a pure build system: Upstreams like Maven central or clojars have rate limits, and if you're not very careful, it's very easy to run into these if you run a lot of builds in CI/CD. We have a cache system set up for .m2, but it's quite delicate and it broke again recently, leaving us with many pipeline failures due to rate limit errors.

Wanja Hentze16:03:54

Running your own Maven repo to mirror upstream is an idea, but it's very bothersome and stateful. Serving a Nix or Guix store is comparatively easy (it's just a bunch of immutable files!) and it's not specific to the Java ecosystem - you can use it for all kinds of builds!

Wanja Hentze16:03:51

A somewhat more spicy rebuttal to the "stuck in the 90s" remark: You could instead argue that clojure's dependency management story is stuck at the Java model, whereas the language itself has left many other things from Java behind. I think the idea of specifying just a version number, not having anything in the way of a lockfile and just pulling from a central, well known repo is "place oriented programming".

Wanja Hentze16:03:03

That is: both the upstream developers and the downstream consumers of a package care about this place called "org.foo/bar v.1.2.3".