rfcs VS distroless

I'm afraid the letter spread some misinformation: The meson RFC has in fact not been approved: https://github.com/NixOS/rfcs/pull/132

You may consider this view biased, but we have this: https://srid.ca/nixos-mod

* September 2023: The "Nix Community Survey 2023" is looking for gender data, and the mods don't like that most contributors are men.

* November 2023: The moderation team tries to institute a Code of Conduct https://github.com/NixOS/rfcs/pull/114 ... and they get their way

* November 2023: Some are not happy about it: https://discourse.nixos.org/t/moderation-team-accountability... -- the moderators talk about their "authority" and of course lock and hide the thread. It's "disruptive" and "off-topic", you see.

* This sort of activity continues -- moderators consolidating and increasing their power, citing how they need the power to control "concern trolls" and such -- and now in April 2024, we get https://save-nix-together.org/

The "anonymous contributors" want to drive out the NixOS founder entirely, so that _they_ are in charge. They want "to hold people accountable for bad behaviour at all levels" and lament having "responsibility without authority" - in other words, they want power, power, power. They want power over everyone. Their justification is that they believe they have the moral high ground, and they deserve to lord it over everyone else.

Hold onto that hard power, Eelco, and tell this lot to fork the project. Let's see how they enjoy moderating noxious.org instead of nixos.org

https://old.reddit.com/r/NixOS/comments/1ceiz36/thoughts_on_...

And the RFC to improve the situation:

https://github.com/NixOS/rfcs/pull/175

> (after eelco ignored the PR for quite a while, also!)

Clicking that link takes us to a PR that was opened on 2024-02-02. The initial response from the Nix author comes 7 minutes later. Puck has multiple back and forths with other members Github, but her next interaction with the Nix author comes the next day on 2024-02-03. This is also the first time in the conversation where she "reminds him ... to even read her PR message". There's a second interaction later that same day during which she does similar, but it's worth noting this is pointing to a different message and appears to be less a "reminder to read" and more re-iterating what they feel is their argument against the Nix author's own arguments. Puck then continues to have back and forth with other commenters but as of today, there has been no further comments from the Nix author after 2024-02-03, and no further comments from Puck after 2024-02-08.

This hardly to my mind qualifies either as "having to remind him multiple times to even read her PR message at all" or "after eelco ignored the PR for quite a while, also!" So as I said it's a fairly weak claim, and feels more like a "bastard eating crackers" reaction to the PR than an actual showing of poor behavior.

As for the "Meson example", I didn't ignore it. As I stated in my comment, I had at that point read two of the referenced discussions in detail, and thus commented on them. I didn't comment in the "Meson example" for the simple reason that I hadn't read it.

I have read it now, and equally find it confusing.

1) The claim in the letter is that the proposal has "passed RFC, for five years", yet the RFC itself only appears to have been opened 2022-08-24. It's been a while since grade school for me, and I'll admit COVID has warped all our sense of time, but I'm pretty sure 2022 is not 5 years ago.

2) The first completed working implementation of the change doesn't appear to have been done until 2023-01-18 (https://github.com/NixOS/rfcs/pull/132#issuecomment-13874661...). Again this is much less than 5 years old.

3) On 2023-03-20, the author of the PR for this change states:

> the RFC has made it past most of the early stages and the current goal is to achieve parity with the current buildsystem before replacing it.

(https://github.com/NixOS/rfcs/pull/132#issuecomment-14768433...)

Again, this doesn't seem to fit at all with the claim that the proposal has "passed RFC, for five years"

4) On 2023-11-01, the Nix author themselves asks for updates on the RFC implementation, an action which doesn't seem congruent with someone who is willy nilly single handedly blocking things and being a disruption to the process. And the author of the PR states:

>the main block is actually a lack of free time for the main devs!

(https://github.com/NixOS/rfcs/pull/132#issuecomment-17890770...)

This doesn't seem to point to evidence that the Nix author is single handedly holding up this process.

5) On 2024-03-21 the PR author notes:

> currently working on adding support to build nix-perl, waiting for assistance

(https://github.com/NixOS/rfcs/pull/132#issuecomment-20135356...)

Not to sound like a broken record, but if the issue isn't finished as of a few weeks ago, it can hardly be considered to be held up by the Nix author for 5 years.

I agree that one of the links in the open letter is to a comment on a PR from 2019, which is indeed 5 year ago, and does indeed contain the Nix author commenting that they are skeptical of the change because "he doesn't know meson but knows his own build system". But given that there's an entire wealth of history on the topic since then, including progress on the feature that appears completely unobstructed by the Nix author and an open PR that is a mere 3 weeks old for a current implementation, I find myself again unconvinced of this rampant bad behavior on the part of the Nix author. And I reiterate again that these complaints are very weak and don't do much to support the open letter at best, and act as contrary evidence at worst.

Again there might be other context to be had that is missing, but if one is going to write a massive "open letter" complaining about bad behavior, I expect the links in that letter to point to actual bad behavior, and or provide the relevant context necessary to show how what appears to be normal dissent is a passive aggressive continuation of obstruction. I have to assume the links one provides in an open letter is their strongest evidence, and if this is all the authors have... I am unconvinced.

Nix with dynamic derivations (RFC92) could potentially beat this curse.

https://github.com/NixOS/rfcs/blob/master/rfcs/0092-plan-dyn...

See: A plan to stabilize the new CLI and Flakes incrementally https://github.com/NixOS/rfcs/pull/136

NixOS recently introduced "problem" infrastructure to deal with such problems more gracefully and explicitly:

https://github.com/NixOS/rfcs/blob/master/rfcs/0127-issues-w...

For some more context: Flawed as they are, Flakes solve a large number of problems Nix experiences without them. This is why I, and presumably many others, use them even in their current experimental state.

An RFC was recently accepted to commit to forming a plan towards stabilization of Flakes: https://github.com/NixOS/rfcs/pull/136

Personally, I don't believe there won't be any breaking changes, but I also believe that the stabilization of Flakes is still a ways away and hope that there will be a reasonable migration path.

lots of questions here regarding what this product is. I guess i can provide some information for the context, from a perspective of an outside contributor.

Chainguard Images is a set of hardened container images.

They were built by the original team that brought you Google's Distroless (https://github.com/GoogleContainerTools/distroless)

However, there were few problems with Distroless:

1. distroless were based on Debian - which in turn, limited to Debian's release cadence for fixing CVE.

2. distroless is using bazelbuild, which is not exactly easy to contrib, customize, etc...

3. distroless images are hard to extend.

Chainguard built a new "undistro" OS for container workload, named Wolfi, using their OSS projects like melange (for packaging pkgs) and apko (for building images).

The idea is (from my understanding) is that

1. You don't have to rely on upstream to cut a release. Chainguard will be doing that, with lots of automation & guardrails in placed. This allow them to fix vulnerabilties extremely fast.

> If you have one image based on Ubuntu in your stack, you may as well base them all on Ubuntu, because you only need to download (and store!) the common base image once

This is only true if your infrastructure is static. If your infrastructure is highly elastic, image size has an impact on your time to scale up.

Of course, there are better choices than Alpine to optimize image size. Distroless (https://github.com/GoogleContainerTools/distroless) is a good example.

The same as our code dependencies, container updates can include security patches and bug fixes and improvements. However, they can also include breaking changes and it is crucial you test them thoroughly before putting them into production. Wherever possible, I recommend using the distroless base image which will drastically reduce both your image size, your risk vector, and therefore your maintenance version going forward.

# Use a large Node.js base image to build the application and name it "build" FROM node:18-alpine as build WORKDIR /app # Copy the package.json and package-lock.json files into the working directory before copying the rest of the files # This will cache the dependencies and speed up subsequent builds if the dependencies don't change COPY package*.json /app # You might want to use yarn or pnpm instead RUN npm install COPY . /app RUN npm run build # Instead of using a node:18-alpine image, we are using a distroless image. These are provided by google: https://github.com/GoogleContainerTools/distroless FROM gcr.io/distroless/nodejs:18 as prod WORKDIR /app # Copy the built application from the "build" image into the "prod" image COPY --from=build /app/.output /app/.output # Since this image only contains node.js, we do not need to specify the node command and simply pass the path to the index.mjs file! CMD ["/app/.output/server/index.mjs"]

Lots of examples without the entire OS as other comments mention, an example would be Googles distroless[0]

[0]: https://github.com/GoogleContainerTools/distroless

Docker doesn't do this all the time. Distroless Docker containers are relatively common. https://github.com/GoogleContainerTools/distroless

Deployment: https://github.com/GoogleContainerTools/distroless

Or use distroless image as it includes one, among others. https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md