-*- mode: org; coding: utf-8; -*-
#+TITLE: Tentative GNU Guix Road Map

Copyright © 2012, 2013, 2014, 2015 Ludovic Courtès

  Copying and distribution of this file, with or without modification,
  are permitted in any medium without royalty provided the copyright
  notice and this notice are preserved.

The goals of the GNU Guix project are two-fold:

  - to build a purely functional package manager, based on Nix and Guile;

  - to use it to build a practical 100% free software distribution of
    GNU/Linux and possibly other GNU variants, with a focus on the
    promotion and tight integration of GNU components: the GNU system.

Since its inception, the project has gone a long way towards that goal.
Below is a list of items we want for version "1.0" of the Guix System
Distribution.  There will be a few 0.x releases by then to give the new
features more exposure and testing.

You're welcome to discuss this road map on guix-devel@gnu.org or #guix
on Freenode!

* Features scheduled for 1.0

- larger & more robust build farm
  + we need a powerful, dedicated front-end
  + armhf-linux build machine
  + leave Hydra in favor of 'guix publish' + custom code?
- more OS features
  + LVM support
  + encrypted root
  + configurable name service switch
  + whole-system unit tests, using VMs
- more service definitions
  + mcron, postfix(?), wicd(?), etc.
- better 'guix system'
  + 'reconfigure' should be able to restart non-essential services
  + support for '--list-generations' and '--delete-generations'
- better 'guix pull'
  + using Git to fetch the source instead of re-downloading everything
  + build more quickly
  + install new .mo files and new manual
  + authentication of the Guix source: use signed commits?
- simplified, purely declarative service list in 'operating-system'
  + it should be possible to inspect the service instance declarations
    and settings
- GUIs
  + integrate guix-web?
  + guile-ncurses installer?
- 'guix publish'?

* Features for later

- complete GNU/Hurd port
- use content-based addressing when downloading substitutes to reduce
  bandwidth requirements
  + design nar v2 format where file contents are replaced by their hashes
  + leverage /gnu/store/.links
- binary origin tracking
  + keep signatures in sqlite.db
  + preserve signatures upon import/export
- peer-to-peer distribution of updates (GNUnet?)
- more deterministic builds
  + identify & fix sources of non-determinism in builds
  + strengthen guix-daemon containers to further increase reproducibility
  + trusting-trust: bootstrap with different tool chains
  + fixed-point: re-bootstrap until fixed point is reached
  + distributed validation: compare contents of store items with others
    * resist a hydra.gnu.org compromise
- reproducible containers: mix of 'guix environment' and 'guix system vm'
- execute code with least privilege
  + build containers like guix-daemon does
  + provide a Plash-like interface in Bash
- daemon rewritten in Guile
- more shepherd integration
  + monitor network interfaces and start/stop events based on that
  + include a DHCP client written in Scheme


daemon: Address shortcoming in previous security fix for CVE-2024-27297.
(Ludovic Courtès)

This is a followup to 8f4ffb3fae133bb21d7991e97c2f19a7108b1143.

Commit 8f4ffb3fae133bb21d7991e97c2f19a7108b1143 fell short in two ways:
(1) it didn't have any effect for fixed-output derivations performed in
a chroot, which is the case for all of them except those using
“builtin:download” and “builtin:git-download”, and (2) it did not
preserve ownership when copying, leading to “suspicious ownership or
permission […] rejecting this build output” errors.

* nix/libstore/build.cc (DerivationGoal::buildDone): Account for
‘chrootRootDir’ when copying ‘drv.outputs’.
* nix/libutil/util.cc (copyFileRecursively): Add ‘fchown’ and
‘fchownat’ calls to preserve file ownership; this is necessary for
chrooted fixed-output derivation builds.
* nix/libutil/util.hh: Update comment.

Change-Id: Ib59f040e98fed59d1af81d724b874b592cbef156


daemon: Protect against FD escape when building fixed-output derivations (CVE...
(Ludovic Courtès, 2024-03-11)

This fixes a security issue (CVE-2024-27297) whereby a fixed-output
derivation build process could open a writable file descriptor to its
output, send it to some outside process for instance over an abstract
AF_UNIX socket, which would then allow said process to modify the file
in the store after it has been marked as “valid”.

Vulnerability discovered by puck <https://github.com/puckipedia>.

Nix security advisory:
https://github.com/NixOS/nix/security/advisories/GHSA-2ffj-w4mj-pg37

Nix fix:
https://github.com/NixOS/nix/commit/244f3eee0bbc7f11e9b383a15ed7368e2c4becc9

* nix/libutil/util.cc (readDirectory): Add variants that take a DIR*
and a file descriptor.  Rewrite the ‘Path’ variant accordingly.
(copyFile, copyFileRecursively): New functions.
* nix/libutil/util.hh (copyFileRecursively): New declaration.
* nix/libstore/build.cc (DerivationGoal::buildDone): When ‘fixedOutput’
is true, call ‘copyFileRecursively’ followed by ‘rename’ on each output.

Change-Id: I7952d41093eed26e123e38c14a4c1424be1ce1c4
Reported-by: Picnoir <picnoir@alternativebit.fr>, Théophane Hufschmitt <theophane.hufschmitt@tweag.io>
Change-Id: Idb5f2757f35af86b032a9851cecb19b70227bd88


daemon: Improve error message for wrong hash sizes.
(Ludovic Courtès, 2023-01-09)

* nix/libutil/hash.cc (parseHash): Show the hash algorithm name and
expected size in the error message.
* tests/derivations.scm ("fixed-output derivation, invalid hash size"):
New test.


daemon: Make "opening file" error messages distinguishable.
(Ludovic Courtès, 2022-12-18)

* nix/libstore/build.cc (DerivationGoal::openLogFile): Customize
"opening file" error message.
* nix/libutil/hash.cc (hashFile): Likewise.
* nix/libutil/util.cc (readFile, writeFile): Likewise.
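The two CVE-2024-27297 commits above describe the mitigation only in outline: once a fixed-output build has finished, copy each output to a fresh file, preserve its ownership, and rename the copy over the original, so that any writable descriptor the builder leaked to an outside process keeps pointing at the old, now-unlinked inode rather than at the path the daemon is about to mark valid. The following is an added example, not code from guix-daemon or from the Nix fix, that carries out that copy-then-rename step for a single regular file and then reproduces the advisory's scenario in a scratch directory: a stale read-write descriptor is kept open across the copy, a late write is issued through it, and the content of the output path is read back. The function names, the ".tmp" suffix and the scratch-directory handling are this example's own choices.

```cpp
// Added example (not guix-daemon's code): copy a build output to a new inode,
// preserve ownership with fchown, rename it into place, then show that a
// descriptor leaked before the copy can no longer reach the validated path.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <fcntl.h>
#include <stdexcept>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

static void throwErrno(const std::string& what) {
    throw std::runtime_error(what + ": " + std::strerror(errno));
}

// Copy the regular file at `src` to a brand-new inode, keep mode and
// ownership, and rename it over `src`.  Returns the inode now at `src`.
ino_t detachFromLeakedDescriptors(const std::string& src) {
    int in = open(src.c_str(), O_RDONLY | O_CLOEXEC);
    if (in < 0) throwErrno("opening " + src);
    struct stat st;
    if (fstat(in, &st) < 0) { close(in); throwErrno("stat " + src); }
    if (!S_ISREG(st.st_mode)) { close(in); throw std::runtime_error(src + ": not a regular file"); }

    // O_EXCL guarantees a fresh inode instead of reusing an existing file.
    std::string tmp = src + ".tmp";
    int out = open(tmp.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_CLOEXEC, st.st_mode & 07777);
    if (out < 0) { close(in); throwErrno("creating " + tmp); }

    char buf[65536];
    for (;;) {
        ssize_t n = read(in, buf, sizeof buf);
        if (n < 0) { close(in); close(out); unlink(tmp.c_str()); throwErrno("reading " + src); }
        if (n == 0) break;
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) { close(in); close(out); unlink(tmp.c_str()); throwErrno("writing " + tmp); }
            off += w;
        }
    }
    // Preserve ownership, as the followup commit does: the daemon's later
    // "suspicious ownership" check would otherwise reject the copy.  The call
    // is skipped when the new file already has the right ids, so an
    // unprivileged run of this example does not need CAP_CHOWN.
    struct stat copied;
    if (fstat(out, &copied) < 0) { close(in); close(out); unlink(tmp.c_str()); throwErrno("stat " + tmp); }
    if ((copied.st_uid != st.st_uid || copied.st_gid != st.st_gid)
        && fchown(out, st.st_uid, st.st_gid) < 0) {
        close(in); close(out); unlink(tmp.c_str()); throwErrno("chown " + tmp);
    }
    close(in);
    close(out);
    // rename() atomically replaces the directory entry; the old inode stays
    // alive only for whoever still holds a descriptor to it.
    if (rename(tmp.c_str(), src.c_str()) < 0) { unlink(tmp.c_str()); throwErrno("renaming " + tmp); }

    struct stat after;
    if (stat(src.c_str(), &after) < 0) throwErrno("stat " + src);
    return after.st_ino;
}

static std::string readWholeFile(const std::string& path) {
    FILE* f = std::fopen(path.c_str(), "rb");
    if (!f) throwErrno("opening " + path);
    std::string s; char b[4096]; size_t n;
    while ((n = std::fread(b, 1, sizeof b, f)) > 0) s.append(b, n);
    std::fclose(f);
    return s;
}

// Reproduce the advisory's scenario with constructed data: the "builder" keeps
// a read-write descriptor to its output, the "daemon" copies and renames, and
// the builder then writes through the stale descriptor.  Returns the content
// found at the output path afterwards ("trusted contents\n" if the late
// write was defeated).
std::string simulateLateWrite() {
    const char* base = std::getenv("TMPDIR");
    std::string tmpl = std::string(base ? base : "/tmp") + "/fdescapeXXXXXX";
    std::string dir(tmpl.c_str());
    if (!mkdtemp(&dir[0])) { dir = "./fdescapeXXXXXX"; if (!mkdtemp(&dir[0])) throwErrno("mkdtemp"); }
    std::string out = dir + "/output";

    int leaked = open(out.c_str(), O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (leaked < 0) throwErrno("creating " + out);
    const char good[] = "trusted contents\n";
    if (write(leaked, good, sizeof good - 1) != (ssize_t)(sizeof good - 1)) throwErrno("writing " + out);
    struct stat before;
    if (fstat(leaked, &before) < 0) throwErrno("stat " + out);

    ino_t fresh = detachFromLeakedDescriptors(out);
    if (fresh == before.st_ino) throw std::runtime_error("copy did not create a fresh inode");

    // Late modification through the leaked descriptor lands on the orphaned inode.
    const char bad[] = "tampered\n";
    if (pwrite(leaked, bad, sizeof bad - 1, 0) < 0) throwErrno("late write");
    close(leaked);

    std::string result = readWholeFile(out);
    unlink(out.c_str());
    rmdir(dir.c_str());
    return result;
}

int main() {
    std::printf("content after late write: %s", simulateLateWrite().c_str());
    return 0;
}
```

Run as an unprivileged user the example prints the original content, because the only path the late write can reach is the inode that rename() already replaced. guix-daemon applies the same idea recursively over whole output directories (the `copyFileRecursively` of the commit messages) and, per the followup, inside the chroot root rather than at the final store path; this example deliberately covers just the single-file case.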