Fediverse

34605 readers

1396 users here now

A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).

If you wanted to get help with moderating your own community then head over to [email protected]!

Rules

Posts must be on topic.
Be respectful of others.
Cite the sources used for graphs and other statistics.
Follow the general Lemmy.world rules.

Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration)

founded 2 years ago

MODERATORS

[email protected]

Bonfire & Guix, a love story -- fishinthecalculator (fishinthecalculator.me)

submitted 3 days ago by [email protected] to c/[email protected]

7 comments fedilink hide all child comments

cross-posted from: https://lemmy.ml/post/31718711

Always wanted to selfhost your Fediverse instance but were always worried about system administration trauma?

Do you ever have to run around your flat, picking up all the leftover parentheses from yesterday's party with your hosting coop coworkers?

Then you are probably the right person, check out this post about fearless Bonfire hosting on a Guix System. You'll learn that taking care of a community is much more manageable when you let computer do the boring work for you.

Set up HTTPS, automatic backups, automatic nightly upgrades and join the awesome Bonfire community without a single worry on losing data from your instance.

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 2 points 3 days ago* (last edited 3 days ago) (4 children)

I don't have any experience with guix, so I will not express any opinions towards that.

However, regarding NixOS:

Yes, as a person with experience in the Nix language, I can confirm it's awful
The documentation of NixOS is a known issue, and there are currently efforts to improve it
Talking about the trustability of binaries, by doing a quick search, I read that Guix builds are reproducible. This is true for NixOS as well. All upstreamed packages must have their version and the hash of the code (or artifact), to allow verification
The community of NixOS is opting to maintaining flakes, because:
- Some applications can simply not be built following the Nix guidelines. Examples are some electron apps (like Falkor) and apps that have weird toolchains (like bubblejail)
- The reviewing process takes way too long, and PRs for upstreaming are often ignored. This forces a lot of people to just PR a flake.nix to the application, or maintain their own overlays (overlays are like overriding the available packages, while flakes are more like distributing Nix code in general)

[–] [email protected] 3 points 3 days ago* (last edited 3 days ago) (3 children)

My point on binaries was not really about reproducibility as nowadays most distros have reproducible builds: Arch, Debian, RHEL, SUSE and probably more. My point is that packages in Guix are bootstrapped from a very small binary seed, something like 357 bytes, which highly mitigates the risk of Trusting Trust attacks

[–] [email protected] 2 points 3 days ago (2 children)

It's the first time I see the concept of bootstrappability in the context of security.

Is it really worth the effort?

There are multiple ways to run a supply chain attack. With bootstrappability, one can be sure that the compiler is trusted, but what about the code that the compiler compiles? There was this recent attack to XZ utils, which shows that more attention is needed on the code being merged and compiled.

I think that this just creates a false sense of security.

Contrary to that, I had read about a BSD team (I think FreeBSD) that reviews all the code before each release. This way they have achieved ~5 RCE exploits throughout their entire history.

[–] [email protected] 2 points 2 days ago

I think it's worth the effort since it prevents numerous risks at the root, for sure it's not enough. I agree that bootstrapping wouldn't necessarily solve the XZ attack, but I think that should be solved by big tech paying FOSS maintainers enough or at all to prevent them from burning out.

About the BSD experience that looks like a big amount of work but definitely worth it, I'm sure they didn't ship many packages as Guix ships but I guess the projects have different goals and requirements.

load more comments (1 replies)