Conversation

    Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Sunday, 26-Jan-2025 00:42:25 JST

    ‘guix container run’ for least-authority program execution:
    https://issues.guix.gnu.org/75595

    Yay? Meh?

    #Guix

      Janneke (janneke@todon.nl)'s status on Sunday, 26-Jan-2025 01:07:04 JST

      @civodul am I going too far overboard if I think this is a very interesting step towards providing the kind of security that #QubesOs seeks to provide?

      In any case this looks amazing to me, kudos!

      Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Sunday, 26-Jan-2025 06:48:02 JST
      in reply to Fabio Natali

      @fnat Sort of, yes. With ‘guix shell’ you end up with long command lines that you have to figure out by yourself (passing the right ‘--share’ and ‘-E’ flags, etc.).

      Here ‘guix container run’ can guess based on the dependencies of what you want to run.

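      The kind of explicit, spelled-out `guix shell --container` command line that reply contrasts with `guix container run`, as an added example (not code from the thread or from the Guix issue): it maps only the paths a program's arguments name (writable directories with `--share`, anything else that exists with `--expose`), keeps only the environment variables matched by `$KEEP_ENV`, and leaves networking and the current directory out. The real `guix container run` heuristic is not known here; this is a simplified stand-in, and the package name is assumed to equal the command name.

```shell
#!/bin/sh
# Added example: derive a least-authority 'guix shell --container' command
# line from the arguments a program will be given. Sample paths in the usage
# at the bottom are constructed; the mapping rules are this example's own.

# Regexp of environment variables to keep inside the container (--preserve / -E).
# Everything not matched is dropped, which is what makes the container "clean".
KEEP_ENV='^(HOME|LANG|TERM)$'

# least_authority_cmd PROGRAM ARG...
# Prints the command line; it does not execute anything.
least_authority_cmd() {
    prog=$1; shift
    # --container: separate mount, PID and user namespaces
    # --no-cwd:    do not map the current working directory
    # (no --network): the container gets no network access at all)
    opts="--container --no-cwd --preserve='$KEEP_ENV'"
    for arg in "$@"; do
        if [ -d "$arg" ] && [ -w "$arg" ]; then
            opts="$opts --share=$arg"    # writable directory the program may modify
        elif [ -e "$arg" ]; then
            opts="$opts --expose=$arg"   # existing file or dir, mapped read-only
        fi                                # plain flags/values: nothing to map
    done
    # Package name is assumed to be the same as the command name.
    printf 'guix shell %s %s -- %s' "$opts" "$prog" "$prog"
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
}

# Usage with constructed sample paths: an input file (read-only) and an
# output directory (writable); '-r 8000' is an ordinary flag and is not mapped.
if [ "${0##*/}" = "least_authority.sh" ]; then
    work=$(mktemp -d); : > "$work/in.wav"
    least_authority_cmd sox "$work/in.wav" -r 8000 "$work"
fi
```

Each mapping is the only line of the output a reviewer needs to read to see what the sandboxed program can touch; anything not listed is simply absent inside the container.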
      Fabio Natali (fnat@social.coop)'s status on Sunday, 26-Jan-2025 06:48:03 JST

      @civodul Big yay!

      If I understand correctly, this improves the user experience but, functionally, it's what can be achieved via `guix shell`?

      Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Sunday, 26-Jan-2025 06:49:20 JST
      in reply to Janneke

      @janneke QubesOS goes way beyond that, but in a way it’s a step in that direction, sure!

      Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 27-Jan-2025 05:02:02 JST
      in reply to kris

      @kris I suppose some of the interface that’s currently private could move to (guix least-authority) for example. It’s just that providing a clean Scheme-level interface requires more thought.

      kris (kris@todon.eu)'s status on Monday, 27-Jan-2025 05:02:04 JST

      @civodul I'm trying to write some logic around guix shell containers now and this looks great!

      One thing though, both guix shell and this seem to assume you want to call it from the command line always, using srfi-37, which makes it awkward to call from Guile scripts. At the moment I'm generating a bash file and running it, and this is obviously not great.

      Would it not be possible to have an entrypoint for guile with keyword args in front?

      Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 27-Jan-2025 05:11:10 JST

      On this topic, while I was looking for something else :-) I found that Lix (and Nix?) has what they call “installables”, which ‘nix run’ runs in a container:
      https://git.lix.systems/lix-project/lix/src/branch/main/lix/nix/run.md

      ‘nix run’ seems to have the same goal as the wrapper produced by ‘guix pack -R’: mapping the store at the right place in the application’s namespace. It’s not about running an application with the least authority.

      Attachment: lix/lix/nix/run.md at main, from lix-project (lix - A modern, delicious implementation of the Nix package manager, focused on correctness, usability, and growth — and committed to doing right by its community)
      Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Monday, 27-Jan-2025 07:51:57 JST
      in reply to Else, Someone

      @nobody ‘run.cc’ has that chroot-helper thing with ‘unshare’ calls. :-)

      Else, Someone (nobody@mastodon.acm.org)'s status on Monday, 27-Jan-2025 07:51:58 JST

      @civodul Nah `nix run` (`man nix3-run`) is just a less inconsistent version of `nix-shell --run`, there's no containers there

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.