---

5.3.7 On Trusting Binaries

Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that the project run substitute servers are less of an interesting target. One way to help is by publishing the software you build using guix publish so that others have one more choice of server to download substitutes from (see Invoking guix publish).

Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. The guix challenge command aims to help users assess substitute servers, and to assist developers in finding out about non-deterministic package builds (see Invoking guix challenge). Similarly, the --check option of guix build allows users to check whether previously-installed substitutes are genuine by rebuilding them locally (see guix build --check). To force a full rebuild of a package (ignoring security updates via grafts (see Security Updates), if any grafts exist—which is not always the case), use --check together with --no-grafts (see --no-grafts). Because grafts are built as their own derivation, if the package you want to rebuild is subject to being grafted, merely using --check will only rebuild the grafting derivation, and not actually recompile the package.

In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on guix-devel@gnu.org.