GNU Guix 1.2.0 released
We are pleased to announce the release of GNU Guix version 1.2.0, right in time to celebrate the eighth anniversary of Guix!
The release comes with ISO-9660 installation
images,
a virtual machine
image,
and with tarballs to install the package manager on top of your
GNU/Linux distro, either from
source or
from
binaries.
Guix users can update by running guix pull
.
It’s been almost 7 months since the last release, during which 200 people contributed code and packages, and a number of people contributed to other important tasks—code review, system administration, translation, web site updates, Outreachy mentoring, you name it!
There’s been more than 10,200 commits in that time frame and it is the challenge of these release notes to summarize all that activity.
Before reading any further, sit back and play this very special release tune, Ode to One Two Oh (lyrics) brought to you by your friendly Guix team—see credits below!
Security
A major highlight in this release is the ability to authenticate
channels, which probably makes Guix one of the safest ways to deliver
complete operating systems today. This was the missing link in our
“software supply chain” and we’re glad it’s now fixed. The end result
is that guix pull
and related commands now cryptographically
authenticate channel code that they fetch; you cannot, for instance,
retrieve unauthorized commits to the official Guix repository. We
detailed the design and
implementation
back in July. The manual explains what you need to know as a
user
and as a channel
author.
There’s also a new guix git authenticate
command
to use this authentication mechanism for arbitrary Git repositories!
Coupled to that, guix pull
and guix system reconfigure
now detect
potential system downgrades or Guix downgrades and raise an error.
This ensures you cannot be tricked into downgrading the software in your
system, which could potentially reintroduce exploitable vulnerabilities
in the software you run.
With these safeguards in place, we have added an unattended upgrade
service
that, in a nutshell, runs guix pull && guix system reconfigure
periodically. Unattended upgrades and peace of mind.
Another important change from a security perspective that we’re proud of is the reduction of binary seeds to 60 MiB on x86_64 and i686, thanks to tireless work on GNU Mes, Gash, and related software.
On the same security theme, the build daemon and origin
programming
interface
now accept new cryptographic hash functions (in particular SHA-3 and
BLAKE2s) for “fixed-output
derivations”—so
far we were unconditionally using SHA256 hashes for source code.
User experience
We want Guix to be accessible and useful to a broad audience and that
has again been a guiding principle for this release. The graphical
system
installer
and the script to install Guix on another
distro
have both received bug fixes and usability improvements. First-time
users will appreciate the fact that guix help
now gives a clear
overview of the available commands, that guix
commands are less
verbose by default (they no longer display a lengthy list of things that
they’ll download), and that guix pull
displays a progress bar as it
updates its Git checkout. guix search
, guix system search
, and
similar commands now invoke a pager automatically (less
by default),
addressing an oft-reported annoyance.
Performance improved in several places. Use of the new “baseline
compiler” that landed in
Guile 3.0.4
leads to reduced build times for Guix itself, which in turn means that
guix pull
is much less resource-hungry. Performance got better in
several
other
areas, and more work is yet to
come.
We’re giving users more flexibility on the command line, with the
addition of three package transformation
options:
--with-debug-info
(always debug in good
conditions!),
--with-c-toolchain
, and --without-tests
. Transformations are now
recorded in the profile and replayed upon guix upgrade
. Furthermore,
those options now operate on the whole dependency graph, including
“implicit” inputs, allowing for transformations not possible before,
such as:
guix install --with-input=python=python2 python-itsdangerous
Last, the new (guix transformations)
module provides an interface
to the transformation options available at the command
line,
which is useful if you want to use such transformations in a manifest.
The reference manual has been expanded: there’s a new “Getting Started” section, the “Programming Interface” section contains more info for packagers. We added code examples in many places; in the on-line copy of the manual, identifiers in those code snippets are clickable, linking to the right place in the Guix or Guile manuals.
Last but not least, the manual is fully translated into French, German, and Spanish, with partial translations in Russian and Chinese. Guix itself is fully translated in those three languages and partially translated in eleven other languages.
Packs, GNU/Hurd, disk images, services, …
But there’s more! If you’re interested in bringing applications from
Guix to Guix-less machines, guix pack -RR
now supports a new ‘fakechroot’ execution engine for relocatable
packs, and the ability to choose among different engines at run time
with the GUIX_EXECUTION_ENGINE
variable. The fakechroot
engine
improves performance compared to the proot
engine,
for hosts that do not support unprivileged user namespaces.
Support for whole-system cross-compilation—as in
guix system build --target=arm-linux-gnueabihf config.scm
—has been
improved. That, together with a lot of porting work both for packages
and for the Guix System machinery, brings the hurd-vm
service—a
cross-compiled Guix GNU/Hurd system running as a virtual machine under
GNU/Linux.
This in turn has let us start work on native GNU/Hurd support.
Related to this, the new (gnu image)
module implements a flexible
interface to operating system images; from the command line, it is
accessible via guix system disk-image --image-type=TYPE
.
Several image types are supported: compressed ISO-9660, qcow2
containing ext4 partitions, ext2 with Hurd options, and so on. This is
currently implemented using
genimage
.
In addition to those already mentioned, a dozen of new system services are available, including services for Ganeti, LXQt, R Shiny, Gemini, and Guix Build Coordinator.
2,000 packages have been added, for a total of more than 15K packages; 3,652 were upgraded. The distribution comes with GNU libc 2.31, GCC 10.2, GNOME 3.34, Xfce 4.14.2, Linux-libre 5.9.3, and LibreOffice 6.4.6.2 to name a few. There’s also a new build system for packages built with Maven (bootstrapping Maven in Guix was the topic of a talk at the Guix Days last week).
The NEWS
file
lists additional noteworthy changes and bug fixes you may be interested
in.
Try it!
You can go ahead and download this new version and get in touch with us.
Speaking of which, our Debian ambassador told
us
that you will soon be able to apt install guix
if you’re on Debian or a
derivative distro!
Enjoy!
Credits
Ricardo Wurmus (grand stick, synthesizer, drums, vocals, lyrics) — Luis Felipe (illustration) — Vagrant Cascadian (Debian packaging, lyrics) — Festival (back vocals)
About GNU Guix
GNU Guix is a transactional package manager and an advanced distribution of the GNU system that respects user freedom. Guix can be used on top of any system running the Hurd or the Linux kernel, or it can be used as a standalone operating system distribution for i686, x86_64, ARMv7, and AArch64 machines.
In addition to standard package management features, Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles, and garbage collection. When used as a standalone GNU/Linux distribution, Guix offers a declarative, stateless approach to operating system configuration management. Guix is highly customizable and hackable through Guile programming interfaces and extensions to the Scheme language.
Sauf indication contraire, les billets de blog de ce site sont la propriété de leurs auteurs respectifs et publiés sous les termes de la licence CC-BY-SA 4.0 et ceux de la GNU Free Documentation License (version 1.3 ou supérieur, sans section invariante, sans texte de préface ni de postface).