Today, each individual’s control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses. While using substitutes can be convenient, we encourage
users to also build on their own, or even run their own build farm, such
that the project run substitute servers are less of an interesting
target. One way to help is by publishing the software you build using
guix publish so that others have one more choice of server to
download substitutes from (see Invoking guix publish).
Guix has the foundations to maximize build reproducibility
(see Features). In most cases, independent builds of a given
package or derivation should yield bit-identical results. Thus, through
a diverse set of independent package builds, we can strengthen the
integrity of our systems. The
guix challenge command aims to
help users assess substitute servers, and to assist developers in
finding out about non-deterministic package builds (see Invoking guix challenge). Similarly, the --check option of
build allows users to check whether previously-installed substitutes
are genuine by rebuilding them locally (see
guix build --check).
In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on email@example.com.