IRC channel logs
2025-07-08.log
<umanwizard>Hi all. Is there a good way to get emacs to enter a guix shell when in a particular directory? For example, if I am editing files under ~/code/foo, I want emacs to have all the environment variables I would get from running `guix shell -D foo`.
<ieure>umanwizard, I believe emacs-guix has a set-emacs-environment facility.
<postroutine>When I reconfigure my system, or my home, is a copy of my config.scm put in the store?
<postroutine>Is it put in a derivation dedicated to the config, or in a derivation with other files?
<Rutherther>postroutine: sorry I don't understand what you are asking
<postroutine>If I understand it, everything put in the store is saved in a derivation. Is it correct?
<podiki>you can do guix gc --referrers /gnu/store/....config.scm to see where it is referred to; including the system derivation
<postroutine>But, if I remember correctly, everything in the store is readable by all users of the system?
<postroutine>That means, if any of the system services I enable and configure contains a password in its config, any user on my system can retrieve this password.
<postroutine>That includes system containers and also other systems if I share my store with `guix publish`?
<Rutherther>postroutine: yes, exactly, you shouldn't use secrets directly in your config or in anything that would leave them in the store
<postroutine>But, even the simple config of some software should not be readable by all users, like the OpenSSH server config. And in a home environment config, if any user could read my config files they could access a lot of data that should remain private. Like the ssh client config that would leak every host I know and a lot of info about them.
<postroutine>If I use Guix System and Guix Home on a single user personal computer, like my desktop, and don't use containers for a shell or a system, that limits the risk. But, on a server, it would cause a lot of problems.
<postroutine>Do you know if there is a plan to implement a way for Guix System and Guix Home to keep private the config files they manage or generate?
<Rutherther>postroutine: I don't understand what you mean everything in the store is saved in derivation... I have no idea what that means
<Rutherther>postroutine: there are derivation (.drv) files in the store, but not everything and there is nothing 'stored in it' except for instructions that say how to realize that derivation
<Rutherther>postroutine: there already is such implementation, just not in guix channel
<postroutine>Ok, let me take an example: If I use Guix Home and, in a home-environment services, I add a `home-openssh-service-type` to configure my ssh client. I configure the list of hosts I know with every necessary info like host-name, user, port, identity-file, etc. When I run the command `guix home reconfigure home-config.scm`, it will generate the config file for my ssh client, put it in the /gnu/store and create a symbolic link from my home directory. But, as everything in the store is readable by all users of the system, any user could know my ssh client config and so the hosts I can connect to with a lot of details.
<postroutine>And same with Guix System if I use it to configure my ssh server: Any user on my system could read the config of my ssh server.
<postroutine>Which is a big problem. And I would like to know if it's planned to add to Guix System and Guix Home a way to avoid that.
<postroutine>Do you know if it's discussed somewhere or if patches have been sent? I've become a huge fan of Guix in the past few weeks and I'm very curious to learn all I can find.
<postroutine>Thank you very much for your replies. 😁 I'm sorry if I sound insistent. 😆
<azval>I checked ZFS for Guix on root (/) but I am not sure I understand the issue with it, why it can't be in Guix and mostly evolve in NonGuix for the kernel module and what's the issue with "providing binary blob", like the user would need to compile it him/herself, but why?
<csantosb>lilyp: do we consider #77714 or better refresh it in codeberg? there is a new v2.7.0 around
<azval>also I was wondering, in the case in which there is a riscv laptop for which I install Guix, how could I make a substitute that compiles those packages so that the laptop doesn't have to spend hours on it? (if Guix supports riscv in the future, but here could be ARM)
<nigko>sneek: later tell tazjin: I have read your draft https://tazj.in/blog/trying-guix with interest! In the section "Archtectural differences" between Nix and Guix you describe the profiles as being baked into guix CLI. I think the channels are baked into guix CLI, not the profiles. Profiles can be easily created/built/changed/combined without rebuilding the guix command, see
<attila_lendvai>azval, the manual has details on how to enable substitutes. IIRC they even find each other automagically on the local network. look for guix-publish-service-type
<sneek>Welcome back civodul, you have 1 message!
<sneek>civodul, noe says: if he could run the etc/teams.scm sync-codeberg script when he has time
<apoorv569>I'm trying to package a software and it installed a config file which it looks for in `/etc` dir and the prefix it installs to in the store. This config needs to be user editable as well. How should I handle this? copying to the prefix in store won't be a good idea as the store is read only AFAIK. Do I let it copy its config to `/etc`? if so can the package definition copy a file to `/etc` i.e. outside the prefix?
<sneek>tazjin, nigko says: I have read your draft https://tazj.in/blog/trying-guix with interest! In the section "Archtectural differences" between Nix and Guix you describe the profiles as being baked into guix CLI. I think the channels are baked into guix CLI, not the profiles. Profiles can be easily created/built/changed/combined without rebuilding the guix command, see
<tazjin>nigko: somebody pointed out earlier that the channels aren't "baked in" as such, but rather that the guile load path is somehow configured in the profile with the right channel, but I'm still a bit fuzzy on the technical details
<tazjin>anyways, other question: I saw that there are a few ci.guix/bordeaux substituter mirrors, is there any information about how to set one up?
<nigko>tazjin: 'guix pull' not only adds .scm modules from all the current channels to the GUILE_LOAD_PATH environment variable, but also compiles these modules to Guile bytecode (.go files). In addition it also performs some additional heavy calculation when it performs notorious "Computing Guix derivation" phase.
<tazjin>nigko: yeah, I'd like to know how people have set these up
<nigko>You can configure them with --substitute-urls option (many guix commands have it) or system wide.
<tazjin>I mean literally setting up one of the mirror servers
<nigko>tazjin: OK, then you may want to look at 'guix publish' command.
<tazjin>no that'd run a substituter for my local store, but the mirrors of the official bordeaux etc. are configured to redistribute the nars/narinfos with the same signatures
<tazjin>and I'm wondering if there's some existing automation for setting that up
<tazjin>my employer hosts a bunch of distribution mirrors, and we could add guix there depending on how it's set up. Most of the existing distribution mirrors synchronise with some upstream rsync endpoint, but there's a few different ways of doing it
<noe>I think there’s rsync but you could also use the nar-herder for this
<noe>cbaines has the knowledge
<tazjin>cbaines: would be great to know, if there's some example of a public config for this somewhere that would also help
<tazjin>I just checked how our other distro mirrors work, and 90% of them just point `rclone` at some URL
<cbaines>unfortunately the nar-herder doesn't facilitate a rsync mirror at the moment
<cbaines>there's also not great documentation on setting up a mirror with the nar-herder currently
<tazjin>cbaines: if there was an endpoint on bordeaux listing all available narinfo hashes in whatever format, we would be able to set something up
<tazjin>(even if it's behind auth or whatever, if it is considered too expensive to make available publicly)
<tazjin>cbaines: also, do you know approximately how much storage space bordeaux currently occupies?
<cbaines>the database itself is 22G, and it contains information about 29.5TiB of nars
<futurile>cbaines: are you going to the Guix Social tonight?
<futurile>I'm in London so I actually get to attend irl!
<futurile>tazjin: someone in Japan just set up a mirror, there was a discussion on guix-devel, they might have more information on what they did
<futurile>hah hah ironically I did what Ludo did, didn't vote for my own GCD! Duh! (even remembered yesterday and didn't do it)
<futurile>a sign of my total disorganisation right now - multi-tasking whee!
<efraim>guix gc: freed 1408382723/536870912 GiB
<efraim>oops, that's not what it's supposed to print
<tazjin>cbaines: is it possible that the `nar_size` column in the narinfos table in that DB is ... wrong?
<tazjin>or maybe there's something about compressed vs. uncompressed going on here
<cbaines>tazjin, nar_size represents the uncompressed nar (which is what the hash is also over)
<cbaines>the size for the compressed files that are downloaded is given separately
<tazjin>cbaines: guessed correctly then) here's what we're planning: to test the setup, we'd like to mirror the last month of x86_64 packages (this seems to be approximately 350GiB of downloads from bordeaux), then refine diffing logic and iron out potential kinks before we do a larger sync
<tazjin>cbaines: questions: 1) should we coordinate about when we start this sync / limit the bandwidth somehow / anything like that? 2) how often does the dump update?
<mehrad>Hi, I have been struggling with `gnu/packages/dotnet.scm:51:12: error: #{ %make-origin-procedure/abi-check}#: unbound variable` error while using `guix time-machine ... -- shell ...`. The packages I'm loading are simple R packages that do not have any .Net dependencies. Does anyone have any idea how this could be resolved? I have a minimal toy example to reproduce the issue.
<cbaines>tazjin, the database dump should update every 24 hours, there is also another endpoint available where the nar-herder can be queried for changes, which allows nar-herder instances mirroring to keep their local databases up to date without having to download the whole dump again
<cbaines>tazjin, I don't think you need to coordinate starting to mirror the nars, providing there's some backoff in the case of errors it should be fine
<tazjin>cbaines: can you tell me more about that endpoint? I think for a first version the dump should be good enough, but it would be good to avoid having to redownload the dump of course.
<cbaines>tazjin, keeping the database up to date is something the nar-herder already handles though, so you might want to consider running the nar-herder to keep the database up to date, even if you don't use the other functionality
<cbaines>longer term, I'd like to expand the nar-herder functionality to allow mirroring subsets of the nars more easily
<tazjin>cbaines: it's much easier for me to deploy a custom thing that does this than talk to security about auditing nar herder
<tazjin>such are the constraints of big orgs!
<tazjin>cbaines: sorry about all the questions, just want to avoid unverified assumptions :) the recent-changes endpoint seems to be capped at 8192 results. Is there a good rule of thumb for what the maximum period between syncs is to avoid staying below this?
<tazjin>in particular I'm thinking that something like a glibc update could probably easily cache bust more packages than that
<cbaines>I'm not quite sure what you're asking, but generally you just keep hitting the endpoint, advancing the since datetime forward based on the last event you've processed
<cbaines>then you should get all the events, even if you hit the response limit
<tazjin>that makes more sense than what I was thinking initially
<cbaines>that page you linked to is hosted on bayfront, a machine in France
<identity>mehrad: you mean version control? it should be in the guix repo
<mehrad>The script failed at `systemctl stop gnu-store.mount` step and I had to do it manually. I want to send a patch/PR to catch the issue and inform the user about what to do rather than a generic and confusing journalctl error. Therefore, I'm looking for the git forge that it is hosted on
<apoorv569>Can someone help me with this software I am packaging? It wants to install a default config under `/etc` directory and when run from command line even looks for its config under `/etc`, but AFAIK package definition cannot install/copy any file outside of the prefix they install to in the store.. how would I handle such scenario?
<apoorv569>I tried manually copying the file to `/etc` and I got error, `system-error "copy-file" "~A" ("Permission denied") (13)`
<apoorv569>is there another package that tries to do the same? that I can look at as an example?
<apoorv569>it also wants to create a lock file under `/var` which has the same issue..
<apoorv569>also the config file has to be editable by the user.
<identity>apoorv569: packages can not put stuff under /etc without a service, so what is the problem?
<apoorv569>identity: Yes, my question is that what should I do? the package wants a config present.. should I replace install phase and just not place a config? but it still would need a config file present..
<identity>apoorv569: well, the example config goes in the package, then you put the actual config under /etc with a system service
<apoorv569>identity: I see. the software has hardcoded the path to `/etc` so placing the example config under the prefix won't do much, but I guess it's a good practice to put it there.
<apoorv569>what about the lock file it wants to create under var? packages can create those by themselves? or do I need to patch the path to lock file as well?
<apoorv569>meaning are packages allowed to write under `/var` directory?
<Rutherther>apoorv569: no... as you already pointed out, packages only write to the store under their own prefix
<apoorv569>Rutherther: no, not that. I meant when you run the program it wants to create a lock file under `/var`.. are packages allowed to do that?
<Rutherther>I don't understand how that relates to... guix packages? or what are you referring to by 'packages'?
<Rutherther>that is runtime permissions issue... so I don't know how that is relevant to anything here
<futurile>apoorv569: the difference is one is runtime 'putting things under var' and one is 'package install'
<apoorv569>I see. OK, I'll try it out, and see if it works. I'll write a system service for this as well perhaps some configuration block as well.
<postroutine>I don't know where to tell it: When I try to visit lists.gnu.org in my browser, I get a time out.
<vntsuyo>has anybody attempted to package windows applications with wine?
<vntsuyo>that's something I really wanted to do when I was on nixos
<ieure>postroutine, The GNU infrastructure is in bad shape.
<apteryx>ieure: is it? It's being hammered by millions of bots, yes.
<apteryx>vntsuyo: I've never seen such thing attempted but I guess it could be done.
<futurile>Eeep that seems serious! Was wondering why my email wasn't getting through
<efraim>wait wait wait wait, (assq 'cpu-tining (package-properties this-package)) works‽ I've been looking for something that that for years
<efraim>... now I need to remember what I was going to use it for :(
<efraim>writing it here so I don't forget: make package(s) use psABI OR tuning, but not both
<tazjin>cbaines: two more questions, if you don't mind
<tazjin>1) in what cases are nars uploaded without compression? or are there always compressed and uncompressed versions?
<tazjin>2) our mirror uses subdirectories for various distros (e.g. $host/debian hosts the debian stuff), do you happen to know if guix will mind a subdirectory path?
<tazjin>(the second one I'll answer myself in a little while, but maybe you know off the bat)
<tazjin>ah that was easy to test, yes, 2) works fine
<cbaines>tazjin, what nars are available (and whether they're compressed) can vary, at some point the bordeaux build farm stopped using compression where the store item was a compressed tarball
<cbaines>there's often not uncompressed versions, although there could be if the nar-herder did the decompression (which is something I've considered)
<tazjin>does guix retain the strange nix behaviour, where a cache server decides its own priority?
<cbaines>I think the Guix substituter just takes the URLs you give it in order
<cbaines>however it might switch between servers and compressions based on heuristics
<tazjin>Nix does this weird thing where each cache serves a cache-info file that has a numeric priority
<tazjin>and it doesn't provide any client overrides afaik
<attila_lendvai>so, what's the current situation with clang-toolchain and -m32? it doesn't seem to work out of the box (ld: cannot find crtbeginS.o: No such file or directory)
<attila_lendvai>i can compile a -ffreestanding binary that directly talks to the kernel, so it's probably only due to how the guix package is assembled
<lilyp>csantosb: the commit log is missing from v2; if you're willing to add that, you can go ahead
<PotentialUser-51>hello, is there an example of how to point guix to codeberg instead of savannah? I just installed guix from ubuntu's apt repository and guix pull seems to be timing out when pulling from savannah
<ieure>PotentialUser-51, `guix describe -f channels > channels.scm' -- then edit the file to change the URL to git.guix.gnu.org and remove the `commit' field; then `guix pull -C channels.scm'.
<PotentialUser-51>hmmmm apparently the guix package from apt is too old to run guix describe, I had initially tried to use the guix-install.sh script but that was hanging after identifying I was on an x86_64 system
<ekaitz>does anyone use icedove with an external gpg key provider?
<csantosb>ekaitz: I had to check what icedove is; apparently it is obsoleted by thunderbird for whatever the reason
<csantosb>ekaitz: I just did a quick search and I landed in a couple of french sites, where they mention it is replaced
<ekaitz>it's the thunderbird equivalent we have
<csantosb>"Transitional package", whatever it means
<ieure>csantosb, "transitional packages" in Debian are ones used to migrate users to new packages, they're typically empty other than maybe a README. They replace the old package and depend on the new one, so upgrading shifts users to the new stuff.
<csantosb>ieure: so they're pushing users towards thunderbird, away from icedove, right?
<ekaitz>i think i will just add gpgme to the deps
<ieure>csantosb, I guess? I don't use either. But Debian is allowed to distribute Firefox and moved everyone off their rebrand, I assume the same is likely with Thunderbird.
<ekaitz>also i found that icedove doesn't find my graphics card and tries to use libEGL...
<ekaitz>something in my x11 is being waylandized
<ekaitz>in any case it looks like i'm the only icedove user in the whole guix userbase
<ekaitz>i also fixed the desktop file a while ago, and it had a very annoying bug
<csantosb>I just noticed we don't have thunderbird in the repos; makes sense to have icedove, then
<ieure>csantosb, Yeah. The Mozilla trademark policy prevents most branded redistribution. My understanding is that Debian can do it because the packages are maintained by Mozilla employees.
<ieure>Same reason Guix doesn't have Firefox. Though I wouldn't use it even if it did.
<identity>anything that was not built by Mozilla employees can not be called ‘Firefox’, so you have to use Mozilla's binaries, which is, uh
<csantosb>Another topic, the dumb question of the day: when building a package, where are the sources? /homeless-shelter/source?
<csantosb>I have a `Error: file-missing ("Cannot open load file" "No such file or directory" "/homeless-shelter/source/tests/casual-lib-test-utils.el")`
<ieure>csantosb, I believe it's in /tmp somewhere. /homeless-shelter is the badly-named thing $HOME is set to in the build environment, and generally means the thing you're building has bad assumptions about disk layout.
<csantosb>It's "/tmp/guix-build-emacs-casual-2.7.0.drv-0/...". Wow.
<ieure>Yeah, seems about right. It shouldn't matter.
<ieure>...I wonder if the daemon is vulnerable to races creating that path.
<vagrantc>my understanding was directories were trickier to trigger race conditions with, but that is a vague, very old memory
<postroutine>Impossible to open '~/…/guix/.git/objects/pack/tmp_pack_7FLLlY' in read: No file or directory of this name
<ieure>postroutine, Repeatable? ex. if you try again, does it work?