Add Guix to recommended immutable desktop OS

Summary

GNU Guix is an advanced but powerful distribution that focuses on user freedom; it uses a declarative syntax to create configurations that allow for system-wide reproducible builds.

It shares a lot of the principles of NixOS, currently recommended, but I think it’s still worth including it due to its unique emphasis on free software. I realize the goal of PrivacyGuides is not to create an exhaustive list of alternatives, but this would make a nice addition to the list for those interested in taking the concept of having full control of their system a step further. It would also be the first and only distribution listed in PG that is exclusively made of free software.

Features

  • Is developed by the GNU Project and endorsed by the Free Software Foundation.
  • Adheres to the GNU Free System Distribution Guidelines.
  • Contains exclusively free software. Uses the Linux-libre kernel and the GNU Shepherd initialization system.
  • Provides state-of-the-art package management features such as transactional upgrades and roll-backs, reproducible build environments, unprivileged package management and per-user profiles.
  • Supports stateless, reproducible operating system configuration using declarative syntax in a single text file.
  • Uses a popular programming language that is easy to learn and use for configuring the system.
  • Has very good documentation and reference materials.

External resources

Some interesting and useful resources to learn about Guix in more detail and from the perspective of more experienced people, including one of the developers of Debian. I thought I’d include these links to make it easier to evaluate what Guix is and what it has to offer, from different perspectives.

1 Like
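To make the “single declarative text file” point concrete, here is an added example of a minimal Guix `operating-system` declaration (a `config.scm`). It is not from the original post or from the Guix project; the host name, user name and file-system labels are placeholders, and the service set (DHCP networking plus OpenSSH with password login disabled) is just one reasonable choice.

```scheme
;; Added example, not part of the original thread: a minimal GNU Guix
;; system configuration.  Host name, user name and partition labels are
;; assumed placeholders; adjust them for a real machine.
(use-modules (gnu))
(use-service-modules networking ssh)
(use-package-modules certs)

(operating-system
  (host-name "example-host")            ; placeholder
  (timezone "Etc/UTC")
  (locale "en_US.utf8")

  ;; Boot loader: GRUB for UEFI, installed to the EFI system partition.
  (bootloader (bootloader-configuration
               (bootloader grub-efi-bootloader)
               (targets '("/boot/efi"))))

  ;; File systems are declared, not discovered at boot; labels are placeholders.
  (file-systems (cons* (file-system
                         (device (file-system-label "guix-root"))
                         (mount-point "/")
                         (type "ext4"))
                       (file-system
                         (device (file-system-label "EFI"))
                         (mount-point "/boot/efi")
                         (type "vfat"))
                       %base-file-systems))

  ;; One unprivileged user in the wheel group.  No password hash is given
  ;; here, so root sets one with `passwd` after the first boot.
  (users (cons (user-account
                (name "alice")                   ; placeholder
                (group "users")
                (supplementary-groups '("wheel" "netdev" "audio" "video")))
               %base-user-accounts))

  ;; System-wide packages; nss-certs supplies the CA bundle for TLS.
  (packages (append (list nss-certs) %base-packages))

  ;; Services: DHCP client plus OpenSSH with password auth and root login off.
  (services (append (list (service dhcp-client-service-type)
                          (service openssh-service-type
                                   (openssh-configuration
                                    (password-authentication? #f)
                                    (permit-root-login #f))))
                    %base-services)))
```

Applying the file with `guix system reconfigure config.scm` builds a new system generation and adds a boot menu entry for it; `guix system list-generations` shows the history and `guix system roll-back` switches back to the previous generation, which is what the “transactional upgrades and roll-backs” bullet refers to. Because the whole system is described in this one file, a reviewer can diff two generations of the configuration to see exactly which services and packages changed.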

Guix uses the Linux-libre kernel, which isn’t recommended by PG:

The Guix package manager also doesn’t seem to provide up-to-date packages, or packages at all for things like Firefox, or Chromium.

2 Likes

I didn’t realize that about the Linux-libre kernel…

About the packages, there’s also the alternative to use non-free guix repositories: GitHub - nonguix/nonguix: Nonguix mirror – pull requests ignored, please use upstream for that

Not sure why you’d use a distro if you weren’t gonna use its package manager, though. Now you’re also trusting this third party for your packages.

It’s just an option you have, same thing as Fedora with non-free repositories if the default ones don’t have something you need. There’s also the flatpak & friends alternatives.

Full-Source Bootstrap

Reproducible builds alone cannot ensure the source-to-binary correspondence: the compiler could contain a backdoor, as demonstrated by Ken Thompson in Reflections on Trusting Trust. To address that, Guix goes further by implementing so-called full-source bootstrap: for the first time, literally every package in the distribution is built from source code, starting from a very small binary seed. This gives an unprecedented level of transparency, allowing code to be audited at all levels, and improving robustness against the “trusting-trust attack” described by Ken Thompson.

Except it’s not. You can make H264 etc work just fine by installing gstreamer1-plugin-openh264 and mozilla-openh264 which are in that Cisco repository that Fedora ships.

The main reason we don’t recommend libre distributions is because x86_64 is an encumbered platform and we think security updates in the form of microcode are better to have than not have.

The main issue with Guix was you needed the kernel, from a third party repo.

The other thing to keep in mind is that just because something isn’t listed on PG doesn’t mean it is inherently bad for privacy. In the case of Linux distributions they’re all pretty much equal.

Guix requires special knowledge and nobody on the team (or even in our community) probably uses it. Also it’s not likely to ever support mandatory access control systems.

4 Likes

I’m very interested in using Guix, but I have some workarounds I’m thinking to address these concerns:

  1. Use nonguix to get around strict libre requirements and the non-libre kernel
  2. Install AppArmor and set it up.

This seems like patching the most critical security issues - what do you think?

1 Like