summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--guix-blu-2016-01-20.org305
1 files changed, 232 insertions, 73 deletions
diff --git a/guix-blu-2016-01-20.org b/guix-blu-2016-01-20.org
index b5c4377..8d790f5 100644
--- a/guix-blu-2016-01-20.org
+++ b/guix-blu-2016-01-20.org
@@ -17,13 +17,14 @@
#+LaTeX_CLASS_OPTIONS: [bigger]
#+COLUMNS: %40ITEM %10BEAMER_env(Env) %9BEAMER_envargs(Env Args) %4BEAMER_col(Col) %10BEAMER_extra(Extra)
#+LATEX_HEADER: \beamertemplatenavigationsymbolsempty
+#+BEAMER_THEME: metropolis
* About me
- GNU project volunteer
- - GNU Guile user and contributor since 2012
- - GNU Guix user since 2013
- - Day job: Ruby + JavaScript web development / "DevOps"
+ - GNU Guile user and contributor since 2012
+ - GNU Guix contributor since 2013
+ - Day job: Ruby + JavaScript web development / “DevOps”
* Overview
@@ -32,104 +33,186 @@
- Towards the future
- How you can help
-* Preface: User autonomy and control
+* User autonomy and control
It is becoming increasingly difficult to have control over your own
computing:
- - Growing number of applications that cannot be reasonably packaged
- for GNU/Linux distributions
+ - GNU/Linux package managers not meeting user needs
- Self-hosting web applications requires too much time and effort
- Growing number of projects recommend installation via =curl | sudo
- bash= or otherwise avoid using system package managers
+ bash= [fn:2] or otherwise avoid using system package managers
- Users unable to verify that a given binary corresponds to the
source code
- This is bad for desktop users and system administrators alike.
+* User autonomy and control
-* Problems with package management
+ “Debian and other distributions are going to be that thing you run
+ Docker on, little more.” [fn:7]
+
+* User autonomy and control
+
+ This is very bad for desktop users and system administrators alike.
+ We must regain control!
+
+* What’s wrong with Apt/Yum/Pacman/etc.?
- Global state (=/usr=) that prevents multiple versions of a package
from coexisting
- Non-atomic installation, removal, upgrade of software
- - Nondeterminstic package builds
- - Proliferation of language-specific package managers
- - Reliance on pre-built binaries that few can build from source
- - Binary bundles (a la OmniBus) complicate secure system maintenance
- - System package managers do not allow unprivileged operation
+ - No way to roll back
+ - Nondeterminstic package builds (though this is changing!)
+ - Reliance on pre-built binaries provided by a single point of trust
+ - Requires superuser privileges
+
+* The problem is bigger
+
+ Proliferation of *language-specific package managers* and *binary
+ bundles* that complicate secure system maintenance.
+
+* Web applications
+
+ Web applications are particularly painful.
+
+* Web applications
+
+ It’s common for today’s web applications to require *two or more
+ package managers* to get all dependencies.
+
+* Web applications
-* Problems with mainstream configuration management
+ Integrating a web application packaged only for a language-specific
+ manager into a system package manager proves difficult. NodeJS is
+ particularly frightening. [fn:6]
- - Imperative paradigm makes software overly-complex and brittle
+* Web applications
+
+ There’s a growing number of popular web applications (Hadoop, Chef
+ Server, Cloudera, etc.) that *no one knows how to build from
+ source*! [fn:3]
+
+* Deployment
+
+ How do we automate application deployment without going crazy?
+
+* Chef/Puppet/Ansible/etc. are pretty good, right?
+
+ Building on top of mainstream package managers and distros yields an
+ unstable foundation.
+
+* Problems with configuration management software
+
+ - Imperative config management makes is overly-complex and brittle
(idempotence is hard)
- - Promotes one disk image per application to cover up underlying
- package management mess
+ - More reliable builds require spawning new machines and building
+ from scratch each time (sledgehammer)
- Made primarily for developers for server maintenance, but all
users could benefit
-* Qualities of good software
+* Docker?
- - System integration
- - Reproducibility
- - Security
+ Surely Docker addresses these issues?
-* System integration
+* Docker?
- - Use the system package manager!
- - Not uncommon for today's web applications to require 2 or more
- package managers to get all dependencies
+ I’m afraid not.
-* Reproducibility
+* Problems with Docker
- - Growing number of free software projects that no one knows how to
- build from source
+ - Still imperative (though resulting images are immutable)
-* Security
+ - Dockerfile DSL is not expressive
+
+ - Promotes one disk image per application to cover up underlying
+ package management mess [fn:4]
-* Solutions?
+ - No provenance
- - Ansible?
- - Docker?
- - OmniBus?
+ - Image layering is an ineffective caching strategy
+
+ - Does not compose (containers are only one important use-case)
+
+* Problems with Docker
+
+ - Reliance on DockerHub binaries proves to be insecure [fn:5]
+
+* Well that was pessimistic
+
+ Computers are hard. Maybe we should just farm potatoes instead.
+
+* Meet GNU Guix
+
+ Guix is the functional package management tool for the GNU system.
+
+ It is based on the pioneering work of the Nix project. [fn:8]
+
+* What does “functional” mean?
+
+ “Functional” in this context means treating package builds as
+ functions, in the mathematical sense.
+
+ =emacs = f(gcc,make,coreutils,…)=
* Functional package management
-* What does it mean?
+ Benefits:
- Treating package builds as functions, in the mathematical sense...
+ - Build reproducibility
+ - Atomic upgrades and roll backs
+ - No single point of trust
+ - Unprivileged package management
+ - Multiple variants of the same software may coexist
-* Why?
+* Functional package management
-* What's wrong with dpkg/yum/pacman/etc.?
+ The *complete dependency graph* is captured, precisely, down to the
+ *bootstrap binaries*.
- Lack of transactional updates, rollbacks, unprivileged package
- management
+ No SAT solver or other complex algorithm for dependency resolution.
+
+* Functional package management
-* What about Docker?
+ To view package builds this way, Guix performs builds in an
+ *isolated container* in which *only the specified dependencies* are
+ accessible.
- Trusting random binaries, non-reproducible, no provenance, opaque
- disk images...
+ This maximizes *build reproducibility*.
* Reproducible builds
-* What are they?
+ Reproducible builds produce *bit-identical binaries* when performed
+ multiple times under the same conditions.
+
+ Allows for *independent verification* that a given binary
+ corresponds to its alleged source code.
+
+* Why?
+
+ WRITEME
-* Why is it important for security and freedom?
+ Mention reproducible-builds.org
- reproducible-builds.org
+* Demo
- guix challenge
+ guix package
-* GuixSD: Configuration management
+ guix challenge
- guix system, declarative interface, fully free, system rollback
+* Hacking
+
+ Guix is made to be maximally hackable, taking inspiration from
+ Emacs.
+
+ We seek to intentionally blur the line between user and developer.
* Choice of language
-* Off the beaten path
+ Guix is rather special in its choice of implementation language.
+
+* Philosophy
- Guix takes a different approach than a lot of other
- package/configuration managers
+ It’s better to extend an existing language for package recipes and
+ configuration files rather than making a new, domain-specific one.
* Embedded vs. External DSLs
@@ -152,66 +235,142 @@
- GNU Guile is a Scheme implementation and the official extension
language of the GNU project
- - It's a great choice for EDSLs because of Scheme's hygienic macro
+ - It’s a great choice for EDSLs because of Scheme’s hygienic macro
system
- - It's a great choice for Guix because purely functional
+ - It’s a great choice for Guix because purely functional
programming is well-supported in Scheme
-* Guile all the way down
+* Guile goes with everything
Guix uses Guile for nearly everything:
- Initial RAM disk
+
- Init system (GNU Shepherd, formerly GNU dmd)
+
- Package recipes (including build scripts!)
+
- Command line tools
+
- Low-level POSIX/Linux utilities (such as =call-with-container=)
* Guix as a library
- Guix is a big collection of Guile modules.
+ - Guix is a big collection of Guile modules
+
+ - Packages are first-class Scheme objects
+
+ - Anyone can use Guix as a library to write new Guile programs that
+ manipulate package recipes, create new user interfaces (like a web
+ UI), etc.
+
+* Example package recipe
- Packages are first-class Scheme objects.
+ WRITEME
- Anyone can use Guix as a library to write new Guile programs that
- manipulate package recipes, create new user interfaces (like a web
- UI), etc.
+* Demo
+
+ build package at the REPL in Emacs
+
+* Other user interfaces
+
+ Demo Emacs UI, web prototype
+
+* Importing packages from elsewhere
+
+ guix import
+
+ guix refresh
+
+* Demo
+
+ Import a package from PyPI
* Development environments
- guix environment
+ guix environment
+
+* Full-system configuration
+
+ WRITEME
-* UIs
+* Example system configuration
- CLI, Emacs, web prototype
+ WRITEME
-* The trouble with language-specific package managers
+* Demo
- Why Guix is better, how to pull in foreign packages with guix
- import, update them with guix refresh
+ guix system vm
* Project status
+ WRITEME
+
+* Future
+
+ WRITEME
+
+* Join us!
+
+ We need interested hackers to help us:
+
+ - Add new packages
+ - Upgrade existing packages
+ - Write system services
+ - Improve the UI
+ - Add new tools
+ - Translate to new languages
+ - Maintain the web site
+ - Other stuff!
+
* Join us!
- - Chat with us in the =#guix= channel on Freenode or on the
- =guix-devel@gnu.org= mailing list
- -
+ We are currently collecting donations via the FSF to purchase new
+ servers for our build farm!
+
+ https://gnu.org/software/guix/donate/
+
+* Join us!
+
+ Chat with us in the =#guix= channel on Freenode or on the
+ =guix-devel@gnu.org= and =help-guix@gnu.org= mailing lists.
* Thank you!
- Any questions?
+ Visit https://gnu.org/software/guix for source code, documentation,
+ past talks, etc.
+
+ \begin{center}
+ \huge{Questions?}
+ \end{center}
* Legal
- © 2016 David Thompson <davet@gnu.org>
+ © 2016 David Thompson =<davet@gnu.org>=
This presentation is licensed under the Creative Common Attribute
Share-Alike 4.0 International license.
* Footnotes
-[fn:1] "How to be a good host: miniKanren as a case study" \newline
-Dan Friedman and Jason Hemann
+[fn:1] “How to be a good host: miniKanren as a case study”
https://www.youtube.com/watch?v=b9C3r3dQnNY
+
+[fn:2] http://curlpipesh.tumblr.com/
+
+[fn:3] “Your big data toolchain is a big security risk!”
+http://www.vitavonni.de/blog/201504/2015042601-big-data-toolchains-are-a-security-risk.html
+
+[fn:4] “The sad state of sysadmin in the age of containers”
+http://www.vitavonni.de/blog/201503/2015031201-the-sad-state-of-sysadmin-in-the-age-of-containers.html
+
+[fn:5] “Over 30% of Official Images in Docker Hub Contain High
+Priority Security Vulnerabilities”
+http://www.banyanops.com/blog/analyzing-docker-hub/
+
+[fn:6] “Let’s Package jQuery: A Javascript Packaging Dystopian Novella” http://dustycloud.org/blog/javascript-packaging-dystopia/
+
+[fn:7] “ownCloud and distribution packaging” http://lwn.net/Articles/670566/
+
+[fn:8] http://nixos.org/nix/