1. 21

  2. 7

    Oh, one more question about Guix, that I was reminded of by this article: does Guix have some solution for managing “secrets”? (E.g. stuff like passwords, including WiFi ones, etc.) AFAIK Nix/NixOS hasn’t really implemented one yet, and it proves to be especially tricky and non-trivial given some fundamental design decisions.

    1. 3

      NixOps has a good mechanism to handle secrets: https://nixos.org/nixops/manual/#idm140737322338896

      1. 1

        Stupid question but why do you want secrets storage support in the operating system, aren’t there a zillion solutions for that out there already?

        1. 3

          WiFi passwords, user passwords (the shadow file), passwords/tokens to various remote services (like Dropbox, or to stay more GNU, say Syncthing), and maaaany more.

          Not sure how much you know about Nix/NixOS and Guix, but they’re not only an OS per se; they also (or rather, primarily) give you the ability to reproducibly specify a full configuration of a host in a single file. So that in case you lose this host, you can just re-run the config on a different one, and have a nearly perfect mirror (except your actual data, which you still have to back up another way). Also, they allow easy tweaking of this config in a “live” manner.

          Thus, I’d totally want to use Guix to fully configure users, with their passwords; also WiFi passwords, and various other services running “in the background”. In somewhat different words: if there are zillion other solutions for that, I’m interested in one that would work seamlessly with Guix (or NixOS, but we’re talking Guix in this thread).

      2. 4

        Guix looks interesting. I love Nix, but the Guix command-line tools look to be nicer and more modern (though I think I like Nix’ lazy functional language more than Scheme), so it’s worth a try. I have two questions though:

        • Is there something similar to home-manager for Guix?
        • How do people deal with the purely free software stance? Between Meltdown, Spectre, and MDS, I would like microcode updates (in case UEFI firmware/BIOS hasn’t caught up). On some machines I probably need firmware for Intel or amdgpu drivers. And for work, I cannot live without CUDA. I can understand that Guix will never accept firmware blobs. But sometimes one needs them to get work done in a real-world environment. Are there any up-to-date channels for firmware and/or CUDA that people could recommend? (I only found outdated or incomplete repositories.)

        1. 1

          Guix is still in 1.0.x, so while there may be answers for these questions as time goes on, I would suspect that it may be too green for your needs. That being said, home-manager comes with a warning that should be taken seriously for production or work environments.

          This project is under development. I personally use it to manage several user configurations but it may fail catastrophically for you. So beware!

          1. 2

            Isn’t all of open-source, and also most of the consumer-grade commercial software, distributed with similar disclaimers, just maybe clothed in more legal-sounding words? You know, THE SOFTWARE IS PROVIDED "AS IS"...

            1. 2

              I think I remember seeing this written as “if it breaks, you get to keep both pieces” somewhere. :)

              1. 3

                Ahahaha, I like it! :D

                edit: This reminded me of another semi-joking phrasing of it I’ve seen somewhere:

                #include <std-disclaimer.h>
              2. 1

                Hmmm well kind of but not quite so tonally intense. lol

                1. 1

                  I’d risk a claim it’s also tonally intense; we’ve just become so accustomed to the usual phrasing that we mentally skip it when we see some typical key words. And in the case of home-manager, the phrasing is different enough to stand out.

                  Notably, I seem to remember this kind of disclaimer being lamented in quite a few “manifestos” and rants linked to from here and HN recently, calling for more robust software and development methods. See also the relevant xkcd.

                  1. 1

                    You’re definitely right regarding the absence of warranty writ large, and if someone tells me “This might fail catastrophically for you” then to me that communicates something about where it is in the development life cycle. A quick look at the issues log validates this for me. It’s not a bad thing; in the “Hold|Assess|Trial|Adopt” model I would say it’s between Assess and Trial. I think it’s important to acknowledge where a technology is in the development cycle. Similarly, if you’re worrying about how free software is going to affect your bottom line, perhaps this isn’t the technology for you. I love free software, I’m a huge fan and advocate. Part of being an advocate is managing expectations :) .

                    1. 1

                      I think I’ll stay at a mostly “agree to disagree” position. To me, I don’t think it signals much. If I add any random third-party lib/project to my dependencies, I would actually distrust something where the author claims “my software is super secure” much more than this. And if it’s a bus-factor 1 FOSS project, I expect to most probably have to review and maintain it myself anyway, as far as my needs and use cases and bug discoveries go. Been there, done that. Not that I complain; I’m happy and grateful getting some boost to my work from a generous person on the Internet.