Guix Gets Grafts: Timely Delivery of Security Updates
paroneayea writes: GNU Guix, the functional package manager (and with GuixSD, distribution) got a nice feature yesterday: timely delivery of security updates with grafts. Guix's new grafts feature recursively produces re-linked packages as dependencies without waiting for all to compile when a time-sensitive security upgrade is an issue. This came just in time for this week's OpenSSL security issues, and has been successfully tested by the community. It worked so well that it was able to reproduce the ABI break issue that other traditional distributions experienced also!
GNU doesn't like dynamically linking to libraries, instead preferring to statically link all the code. This results in (obviously) all statically linked packages having to be recompiled from scratch every time something in a core package (like OpenSSL) changes.
Now, however, they've figured out a way to dynamically link dependent packages so that their statically linked packages will recompile correctly. Oh, and wantonly disabling SSLv2 breaks shit.
The news seems to be something like this:
- GNU has a package manager. Didn't know that.
- The package manager is functional in many ways.
- Because it's functional in many ways, it also sucks in some ways.
- They managed to reduce the suckage, which is good for them.
What would be news for me is something like this:
- Why do I care?
It's a relatively new thing (2012) so I'm guessing most haven't heard of it. The GNU folks took an existing package manager, Nix, and modified it to use Guile Scheme instead of Nix's own language for describing functions (packages). You're right that it's functional (in the functional programming sense), which gives it its own set of pros and cons compared to traditional package managers.
As for why you might care, this comment on SN briefly covers what it means to be a functional package manager, including some of the pros and cons of it. It's about Nix, not Guix, but since Guix is based on Nix the information should apply equally to both. It's kind of long so I don't want to copy/paste the whole thing here, but it focuses heavily on the "why should I care?" aspect so it's worth a read if you're seriously curious about what's interesting about Guix or Nix.
Not mentioned in the writeup is that, because they're so new, documentation can be difficult to come by and it's all command line. Might be a mood killer for some, but I've found it worth the trouble so far.
thank you for finally explaining wtf the thing is that you want to tell us more about. congratulations slashdot, you did it!
Anons need not reply. Questions end with a question mark.
This isn't a topic I follow closely, and so when I saw "functional package manager" I didn't immediately make the association with "functional programming". The SN comment was enlightening.
This is a case where insider terminology ("functional package manager") not only fails to convey meaning to outsiders, it doesn't even provide a hint that the outsiders are missing something -- "functional" masquerades quite well as a bit of marketing fluff. ("We're not like the dysfunctional PMs you've had to put up with in the past!") So, the fact that you don't get a bunch of "what does THAT mean?" comments doesn't mean that the summary has done a good job; in fact, the opposite is more likely.
I'm sorry about your butthurt, but it's not my fault that your devs don't understand how to name things in a fashion that doesn't require 20 minutes to puzzle out and leave you feeling dissatisfied even then.
There is no Planet B.