I Love Arch, but GNU Guix Is My New Distro

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • pacman-bintrans

    Experimental pacman integration for Reproducible Builds and Binary Transparency (with sigstore/rekor)

    Reproducible builds are an important part of efforts to secure the software supply chain. Ideally you want multiple independent parties vouching that a given package (whether a compiled binary, or a source tarball) corresponds to a globally immutably published revision in a source code repository.

    That gives you Binary Transparency, which is already being attempted in the Arch Linux package ecosystem[0], and it protects the user from compromised build environments and software updates that are targeted at a specific user or that occur without upstream's knowledge.

    Once updates can be tied securely to version control tags, it is possible to add something like Crev[1] to allow distributed auditing of source code changes. That still leaves open the questions of who to trust for audits, and how to fund that auditing work, but it greatly mitigates other classes of attack.

    [0] https://github.com/kpcyrd/pacman-bintrans

    [1] https://github.com/crev-dev/cargo-crev

  • cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

  • dysnomia

    Dysnomia: A tool for deploying mutable components

    Depends on how the state is stored. If it's in configuration, Nix generated it and it lives immutably in the Nix store, so Nix will just point it back to the old version on rollback.

    If it's something like the content of a SQL database, which lives outside the Nix store and which Nix did not generate, you need some other tool (like a filesystem snapshot, maybe) to perform the rollback. I think CoW filesystems sometimes have performance issues with DBs, though, so I'm not sure that's always the approach you'd take.

    The Nix ecosystem does have a fairly mature tool for managing stateful components that live outside the Nix store, though: https://github.com/svanderburg/dysnomia

    It's been around for a long time. Idk who all is using it.

  • nonguix

    One of the nice things about the FSF's free software principles is that if you disagree with how they think you should use their software, they're not going to stop you. Nonguix[1] provides solid non-free support if that's what you want.

    The FSF even condones non-free software (in a rather dorky way) for people whose machines require it[2]. I understand the FSF's principles and am glad they hold to them so strongly, but I would use non-free graphics drivers if I were to install Guix. I do fundamentally agree with the principles of software freedom and I am honest with myself that I am in fact making a moral compromise. Similarly I'd probably compromise over CPU microcode patches, even though I believe I have the moral right to view, understand, and change those microcode updates if I wish to and am displeased that my rights are being violated.

    I believe in this day and age where the right to repair your own equipment is under serious threat, the principle that we should be free to modify the machines we own as we see fit is more important than ever.

    [1] https://gitlab.com/nonguix/nonguix

    [2] https://www.gnu.org/philosophy/install-fest-devil.en.html

  • Is it any more of a "magic incantation" than the linux-image-XYZ package which controls which OS kernel is installed?

    If you want to see when Intel issues new microcode updates, it is all available on their GitHub: https://github.com/intel/Intel-Linux-Processor-Microcode-Dat...

  • userscan

    Scans files for Nix store references and registers them with the Nix garbage collector.
