Thank you! Yes that would be the next step: having the ability to spawn transient Shepherd services wrapping OCI containers. They’d be gone on reboot but also podman compose does so I believe.
fishinthecalculator@lemmy.ml OP to Guix@lemmy.ml • Migrate existing docker-compose.yml to Guix' own OCI provisioning API • English • 2 · 2 months ago
You’re a quitter and you do bad choices
You must be great at parties
fishinthecalculator@lemmy.ml to Technology@beehaw.org • ChatGPT’s new AI agent can browse the web and create PowerPoint slideshows • 3 · 9 months ago
Omg they automated big 4. Good job!
fishinthecalculator@lemmy.ml to Selfhosted@lemmy.world • Dedicated service user or not ? • English • 2 · 9 months ago
Companies do run multiple containers/pods on the same host. That is what Kubernetes does.
fishinthecalculator@lemmy.ml OP to Fediverse@lemmy.world • Bonfire & Guix, a love story -- fishinthecalculator • English • 2 · 10 months ago
I think it’s worth the effort since it prevents numerous risks at the root, for sure it’s not enough. I agree that bootstrapping wouldn’t necessarily solve the XZ attack, but I think that should be solved by big tech paying FOSS maintainers enough or at all to prevent them from burning out.
About the BSD experience that looks like a big amount of work but definitely worth it, I’m sure they didn’t ship many packages as Guix ships but I guess the projects have different goals and requirements.
fishinthecalculator@lemmy.ml OP to Fediverse@lemmy.world • Bonfire & Guix, a love story -- fishinthecalculator • English • 3 · 10 months ago
My point on binaries was not really about reproducibility as nowadays most distros have reproducible builds: Arch, Debian, RHEL, SUSE and probably more. My point is that packages in Guix are bootstrapped from a very small binary seed, something like 357 bytes, which highly mitigates the risk of Trusting Trust attacks.
fishinthecalculator@lemmy.ml OP to Fediverse@lemmy.world • Bonfire & Guix, a love story -- fishinthecalculator • English • 6 · 10 months ago
I find Guix far better on almost every remark, in no particular order:
- as you said some part of the Nix community is made of techbros (even if Guix attracts some fossbros as well)
- the way governance is structured in the Nix community is brittle, just see the drama from which all the new Nix forks spawned
- better documentation. The doc for Nix is scattered, the Guix manual, albeit not perfect, is much more complete
- the Guile language is far clearer than Nix, also you don’t have to use it only for package recipes, you can build full applications with it
- the Guix story around trustability of binaries is far better (check out how Guix bootstraps everything), entire classes of vulnerabilities are prevented by design
- the Guix UX is far better designed imho, the command line is intuitive and well documented and features are easily composable
- the community is not diverging, as is the case for Nix flakes
- Guix as well provides OCI integration, check out the point about enabling gocix
fishinthecalculator@lemmy.ml to linuxmemes@lemmy.world • What's your favourite OS that does not use systemd? • 4 · 10 months ago
Totally Guix, it has no systemd and is able to roll back to the last working in case you break anything somehow.
fishinthecalculator@lemmy.ml to linuxmemes@lemmy.world • What's your favourite OS that does not use systemd? • 3 · 10 months ago
Definitely this, it’s also the best option to run Fediverse instances such as Bonfire https://fishinthecalculator.me/blog/bonfire--guix-a-love-story.html
fishinthecalculator@lemmy.ml OP to Fediverse@lemmy.world • 🐌 Slow Software for a Burning World 🔥 • English • 2 · 11 months ago
This. Thank you. @PotatoesFall you can check out my personal instance to see the microblogging flavour in action: bonfire.fishinthecalculator.me
fishinthecalculator@lemmy.ml OP to Technology@lemmy.world • 🐌 Slow Software for a Burning World 🔥 • English • 1 · 11 months ago
It’s already someplace, not sure if that is the place you expect them to be but check out my personal instance bonfire.fishinthecalculator.me.
fishinthecalculator@lemmy.ml OP to Technology@lemmy.world • 🐌 Slow Software for a Burning World 🔥 • English • 2 · 11 months ago
Can someone explain how this can/would work for a Lemmy user?
Very similarly to how you now can interact with Mastodon instances
could this connect to Lemmy somehow, or would that require an integration between bonfire and Lemmy?
It could, maybe it already somewhat can. It shouldn’t require, now or ever, an explicit integration as they should be able to speak the same language (ActivityPub). You can try interacting with my personal instance bonfire.fishinthecalculator.me.
How would instances of bonfire decide whether to connect or federate with Lemmy or vice versa?
I don’t know about Lemmy but bonfire can have block lists both at the instance and the user level, so the admin can provide defaults but then each user is able to customize them.
fishinthecalculator@lemmy.ml to Guix@lemmy.ml • [GCD] Migrating repositories, issues, and patches to Codeberg • 1 · 1 year ago
It is really important to state it if this proposal resonates with you and you support it! Do take the time to send an email if you’d like this to happen!
fishinthecalculator@lemmy.ml to Fediverse@lemmy.world • What are some fediverse apps that need contributors? • English • 6 · 1 year ago
I would say bonfirenetworks.org
I feel like IRC is yet another obstacle to newcomers, in addition to email based git flow, debbugs, guile stack traces and zero editor (or very early WIP) integration except for Emacs. This is literally vendor lock-in. I’ve been contributing for years and now I almost have no trouble, but it was painful and I don’t think it is fair to expect everyone to go through all this while with Nix you just need to open a PR.
What is the point of building a completely free system, that does not try to extract value from users, and actually tries to emancipate them by offering a trusted computing ecosystem, if no one gets to enjoy it because you made it so inaccessible that people are not able to use it? I’m exaggerating but I think you get the point. Now with efforts like the survey it looks like a fresh breath of air just entered the project, and the situation with contributions is a little better than a couple of years ago. I really hope we can pull an effort to make the bar for using and contributing to Guix a little lower than it currently is. I am convinced that if we make some effort more people could liberate their computing environment with Guix.
I feel kind of bad about this but I refuse to join Guix IRC. I use the mailing list out of frustration but these communication channels are the proof that Guix is not only a nice, useful and open project but it was born a project for fossbro babyboomers. It is a golden walled garden for themselves, I don’t feel ok in that space.
EDIT: I’ve answered a little emotionally. Let me clarify, I believe most Guix maintainers act out of good will and they want to find some communication platform which is inclusive for everyone (since it is clear also to rocks that IRC is good only for someone born before 1990, so it is good for people aged >= 35). Some of the maintainers, and some of the most noisy members of the community, make it so bad for everyone else but themselves that, having so much explicit and soft power, the discussion about moving away from communication protocols older than CDs was closed stating “everything is perfect as it is, we reach exactly the right set of people, we do not care about increasing the userbase or making the community more inclusive”.
Maybe the point is that you cannot demand that the whole world knows the same set of concepts as you do. Otherwise just learn to remove cancer by yourself instead of forcing a person that studied decades to get down from their throne and do their job.
Would be pretty useful, as far as I know there is no way to change /etc/{subuid,subgid} in the system configuration without manually editing.
Well I had to make one :) it is being tracked on https://issues.guix.gnu.org/72337 . You can define subuid and subgid ranges like so:
```scheme
(use-modules (gnu system shadow)    ;for 'subids-service-type'
             (gnu system accounts)) ;for 'subid-range'

(operating-system
  (services
   (list
    (simple-service 'alice-bob-subids
                    subids-service-type
                    (subids-extension
                     (subgids
                      (list (subid-range (name "alice"))))
                     (subuids
                      (list (subid-range (name "alice"))
                            (subid-range (name "bob") (start 100700)))))))))
```

which would yield

```
# cat /etc/subgid
root:100000:65536
alice:165536:65536
# cat /etc/subuid
root:100000:700
bob:100700:65536
alice:166236:65536
```

Another annoyance with podman on guix is making / a shared mount doesn’t work so changes in mounts aren’t propagated.
I think I solved that by using a Shepherd service run on boot calling `mount --make-shared /`. I didn’t do extensive testing of mounts but I’m currently using this on my systems as it’s set up in my personal channel. By adding the following to my own system config

```scheme
(use-modules (small-guix system accounts)
             (small-guix services containers))

(service iptables-service-type)
(service rootless-podman-service-type
         (rootless-podman-configuration
          (subgids (list (subid-range (name "alice"))))
          (subuids (list (subid-range (name "alice"))))))
```

I’m able to run the following rootless Podman hello world

```
$ podman run -it --rm docker.io/alpine cat /etc/*release*
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.20.2
PRETTY_NAME="Alpine Linux v3.20"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"
```

and with `guix shell podman-compose` I’m able to run this Podman compose hello world:

```
$ mkdir data
$ echo hello world > data/index.html
$ podman compose up -d
...
exit code: 0
$ curl localhost:8080
hello world
```

So some kind of mount appears to work. Thank you for your feedback and feel free to try the service from my own channel if you are interested in providing more or in trying rootless podman on the Guix System.
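A small checker for the `/etc/subuid` and `/etc/subgid` files produced above, added here as an example (it is not part of the comment, of Guix or of the small-guix channel). It parses the `name:start:count` format and reports any two users whose ranges intersect, which matters because an overlap means the rootless containers of one user can own files and processes mapped to the other user's subordinate IDs. The first sample is the `/etc/subuid` output shown in the comment; the second is a constructed file with a deliberate overlap.

```python
# Added example (not from the comment or from Guix/small-guix): parse the
# name:start:count entries that subids-service-type writes to /etc/subuid
# and /etc/subgid, and flag any two users whose ranges intersect, since
# overlapping ranges let one user's rootless containers act with the
# other user's mapped host UIDs/GIDs.
from itertools import combinations

# Copied from the /etc/subuid output shown in the comment above.
SUBUID_FROM_COMMENT = """\
root:100000:700
bob:100700:65536
alice:166236:65536
"""

# Constructed sample with a deliberate overlap (bob and alice share UIDs).
SUBUID_OVERLAPPING = """\
root:100000:700
bob:100700:65536
alice:150000:65536
"""


def parse_subids(text):
    """Return [(name, start, count)]; malformed lines raise ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected name:start:count")
        name, start, count = parts[0], int(parts[1]), int(parts[2])
        if start < 0 or count <= 0:
            raise ValueError(f"line {lineno}: invalid range for {name}")
        entries.append((name, start, count))
    return entries


def find_overlaps(entries):
    """Return [(name_a, name_b)] for every pair whose ranges intersect."""
    overlaps = []
    for (a, a_start, a_count), (b, b_start, b_count) in combinations(entries, 2):
        # Ranges are [start, start + count): they intersect unless one
        # ends at or before the other begins.
        if a_start < b_start + b_count and b_start < a_start + a_count:
            overlaps.append((a, b))
    return overlaps
```

Run `find_overlaps(parse_subids(open("/etc/subuid").read()))` on a Guix System host after reconfiguring; an empty list means the generated ranges are disjoint.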
A little too pitchy imho. It is just a regular linux distro with each system update creating new fs snapshots.
Just use Nix/Guix lmao
I don’t plan to make this part of the guix command for now. But once https://codeberg.org/guix/guix/pulls/6595 , it will be available as a Guix package and once installed `guix compose` would be available among the other guix commands like `system` or `pack`.