lrvick|1 year ago
Nix is mostly reproducible but does not require maintainers to sign their packages or commits, and most do not, which is a bare minimum for any security-sensitive environment.
In Guix signing is mandated and it is mostly reproducible, but the choice of scheme and lack of base container images make it unapproachable for many.
Debian led the way on signing and reproducibility, but package versions of things like Rust are too far behind to be useful to most orgs.
Arch in contrast to these is IMO easy to package for, has recent, well-maintained, signed packages, has well-maintained OCI images published, and is rapidly improving on reproducibility.
Having at least one glibc distro that can meet these criteria is a big win for many use cases.
Different tools for different projects and threat models.
devaiops9001|1 year ago
This is very easy to solve for.
>> choice of scheme
There was more wisdom when everyone at least tacitly acknowledged that maybe not everyone should be touching servers.
sph|1 year ago
With all due respect to Nix/Guix, to me they swim uphill against the current of "worse is better" that UNIX is built upon. They are trying to tame the complexity of the world by making it declarative. A lofty, and a little too idealistic, goal.
I much prefer the immutable approach (rpm-ostree) or even an unsophisticated approach like a Dockerfile, which is worse but much closer to the status quo, than to create a perfect world from scratch and hope that everybody follows the Light. Software is too large, complex, hacky, buggy and nuanced to expect it to fit into neat preordained categories. Because unless you do very simple things, you'll soon find yourself out of the happy path and have to resort to doing it the hacky way anyway.
This is what some believe killed Lisp machines vs UNIX. I guess, like Lisp, in decades there will be a vocal contingent of people lamenting the fact that we all run immutable Microsoft Kubernetes Ubuntu (MSKU) instead of using the more refined NixOS approach.
https://www.dreamsongs.com/WorseIsBetter.html
devaiops9001|1 year ago
>> in decades there will be a vocal contingent of people lamenting the fact that we all run immutable Microsoft Kubernetes Ubuntu (MSKU) instead of using the more refined NixOS approach.
You are, unfortunately, correct. Some of us still run illumos Unix (SmartOS), but we are a tiny minority. I hope that things can work out so that something other than the lowest common denominator is accessible enough to also have a pervasive footprint.
A lot of very crummy ideas are popular in ways that would not have been imaginable 15 years ago.
>> or even an unsophisticated approach like a Dockerfile
In a handful of "higher end" (on the salary side) DevOps/SRE roles I have done, I managed to quietly do things with flake.nix -- next time around I'll do them with Guix. I can get Guix container images going, that's not hard for me.
But yeah, doing things non-Docker isn't too hard for us DevOps ninjas (what DevOps was in 2012, not the watered down thing today).
After doing flake.nix, I managed to get written company policy ratified by our legal team that all container images must be binary reproducible. That probably fell apart since I left, unless the high quality CTO I was serving is still there.
mrd3v0|1 year ago
I am not sure if this is a tongue-in-cheek comment that's above my comedic pay grade, but if it is not:
This sounds like a lot of words that would otherwise mean nothing to any Nix/Guix user. It works. It is not a "too idealistic goal", Nix repositories already contain more packages than any distribution around.
It is too late to throw the occasional uninspiring "you are too ambitious." Because they have been doing this for years now successfully.
devaiops9001|1 year ago
Guix has accomplished, as in put into real world practice, their ideas.
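The "binary reproducible container images" policy devaiops9001 describes, and the distro reproducibility lrvick compares, come down to one check: rebuild and compare digests. The following is an added example and is not code from anyone in this thread or from any of the distros discussed. It builds a constructed sample image layer (invented paths and contents) two ways in Python: the naive way, where file mtimes, the gzip header and ownership leak the builder's wall clock and uid, and a normalized way that pins timestamps to SOURCE_DATE_EPOCH (the reproducible-builds.org convention), root ownership, sorted entry order and a fixed gzip header. Only the second survives a rebuild byte for byte; the helper names are my own.

```python
import gzip
import hashlib
import io
import os
import tarfile

# Constructed sample layer (path -> contents); not a real image.
SAMPLE_LAYER = {
    "usr/bin/app": b"#!/bin/sh\necho hello\n",
    "etc/app.conf": b"listen=127.0.0.1\n",
    "usr/lib/app/lib.so": b"\x7fELF-placeholder\n",
}

# reproducible-builds.org convention: builders pin every timestamp to this.
SOURCE_DATE_EPOCH = int(os.environ.get("SOURCE_DATE_EPOCH", "0"))


def _tar_into(gz, files, mtime, uid, gid, ordered):
    """Write `files` as a tar stream into the already-open gzip object `gz`."""
    paths = sorted(files) if ordered else list(files)
    with tarfile.open(fileobj=gz, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in paths:
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mtime = mtime
            info.uid, info.gid = uid, gid
            info.uname = info.gname = ""  # numeric ownership only, no names
            info.mode = 0o755 if path.startswith("usr/bin/") else 0o644
            tar.addfile(info, io.BytesIO(data))


def naive_layer(files, build_time):
    """The 'obvious' build: tar mtimes and the gzip header carry the wall-clock
    build time, ownership is whoever ran the build, and entries are emitted in
    input order (on a real filesystem that is os.listdir order).
    Two builds a second apart produce different bytes."""
    out = io.BytesIO()
    uid = os.getuid() if hasattr(os, "getuid") else 1000
    gid = os.getgid() if hasattr(os, "getgid") else 1000
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=build_time) as gz:
        _tar_into(gz, files, build_time, uid, gid, ordered=False)
    return out.getvalue()


def reproducible_layer(files, epoch=SOURCE_DATE_EPOCH):
    """Normalized build: every nondeterministic input the naive build leaks
    (timestamps, ownership, ordering, gzip header time) is pinned."""
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=epoch) as gz:
        _tar_into(gz, files, epoch, 0, 0, ordered=True)
    return out.getvalue()


def layer_digest(blob):
    """OCI-style content address of a layer blob."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def read_layer(blob):
    """Unpack a layer blob back to {path: bytes}, to confirm normalization
    changed only metadata, not content."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read()
                for m in tar.getmembers() if m.isfile()}


def rebuild_matches(builder, *args):
    """What a 'must be binary reproducible' policy actually enforces:
    build twice, compare the content digests."""
    return layer_digest(builder(*args)) == layer_digest(builder(*args))


if __name__ == "__main__":
    print("naive  build 1:", layer_digest(naive_layer(SAMPLE_LAYER, 1700000000)))
    print("naive  build 2:", layer_digest(naive_layer(SAMPLE_LAYER, 1700000001)))
    print("pinned build 1:", layer_digest(reproducible_layer(SAMPLE_LAYER)))
    print("pinned build 2:", layer_digest(reproducible_layer(SAMPLE_LAYER)))
    print("reproducible:", rebuild_matches(reproducible_layer, SAMPLE_LAYER))
```

The two naive digests differ even though the file contents are identical, which is exactly why a policy of "rebuild and compare" catches builds that merely look the same. A real image also carries a config and manifest whose created timestamps and layer ordering need the same treatment; the tar layer shown here is where most of the entropy lives.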