Guix’s reproducible builds and transactional filesystem offer a compelling model for supply chain security, yet the friction of managing complex dependencies could hinder widespread adoption of this approach for critical infrastructure. How might we balance the purity of immutable environments with the need for rapid, localized patching in high-risk scenarios?
Guix provides security patches. You can also define your own derived packages and patch them. Or fork the distro and build it with a different kernel and base packages, like the nonguix fork does. Or add your own patched OpenSSL library.
But what such approaches come down to in practice is that maintaining a forked distribution is a lot of work. For most people, the sane approach is to build on an existing distro.
It is not an easy problem. For example, the buildroot distro, which is popular for embedded devices, AFAIK has only one release every six months.
Guix provides grafting for that case.
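The two routes the replies above mention, a derived package carrying a local patch (which rebuilds every dependent) and a graft (which rewrites store references without rebuilding), written out as an added example in Guix's own Guile Scheme package language. This is not code from the thread or from the Guix project; the module name, the `patches/openssl-local-fix.patch` file, and the `openssl-patched`, `openssl/fixed`, `openssl-with-graft` and `nginx-grafted` identifiers are assumptions made for illustration.

```scheme
;;; Hypothetical file my/packages/openssl-fixed.scm in a personal channel.
(define-module (my packages openssl-fixed)
  #:use-module (guix packages)
  #:use-module (guix gexp)
  #:use-module (gnu packages tls)   ; provides `openssl'
  #:use-module (gnu packages web))  ; provides `nginx'

;; Route 1: a derived package with an extra patch applied on top of the
;; upstream source.  It has a distinct name, so every consumer that should use
;; it must be pointed at it and rebuilt.  The patch file is an assumed path.
(define-public openssl-patched
  (package
    (inherit openssl)
    (name "openssl-patched")
    (source
     (origin
       (inherit (package-source openssl))
       (patches
        (append (origin-patches (package-source openssl))
                (list (local-file "patches/openssl-local-fix.patch"))))))))

;; Route 2: a graft.  The replacement keeps the same name and version so that
;; its store file name has the same length as the original's; grafting
;; rewrites /gnu/store references in place inside dependents' outputs, and
;; Guix refuses replacements whose store name length differs.
(define openssl/fixed
  (package
    (inherit openssl)
    (source
     (origin
       (inherit (package-source openssl))
       (patches
        (append (origin-patches (package-source openssl))
                (list (local-file "patches/openssl-local-fix.patch"))))))))

;; A variant of openssl that is build-for-build identical to the original
;; (the `replacement' field is not part of the derivation) but tells Guix
;; to graft `openssl/fixed' over it at install time.
(define-public openssl-with-graft
  (package
    (inherit openssl)
    (replacement openssl/fixed)))

;; Apply the graft to one consumer: rewrite `openssl' -> `openssl-with-graft'
;; throughout nginx's dependency graph.  Because the derivation of
;; `openssl-with-graft' equals that of `openssl', no package is rebuilt; only
;; the reference rewrite (the graft) happens.
(define-public nginx-grafted
  ((package-input-rewriting `((,openssl . ,openssl-with-graft)))
   nginx))
```

`guix build nginx-grafted` produces the grafted output; `guix build --no-grafts nginx-grafted` shows the ungrafted graph, which is a quick way to confirm that the fix reached the binary only through the graft and not through a rebuild. The command-line equivalent of the last definition is `guix build --with-graft=PACKAGE=REPLACEMENT ...`, subject to the same store-name-length constraint. This is exactly the trade-off the thread is about: a graft is fast and local, but it never re-runs the build or its tests, so it is only safe for ABI-compatible changes; a derived package is slower but goes through the full reproducible build.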