Next: Packages with Multiple Outputs, Previous: Invoking guix package, Up: Package Management [Contents][Index]
Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server. We call these pre-built items substitutes—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally.
Substitutes can be anything resulting from a derivation build (see Derivations). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result from derivation builds, can be available as substitutes.
The hydra.gnu.org server is a front-end to a build farm that builds packages from the GNU distribution continuously for some architectures, and makes them available as substitutes. This is the default source of substitutes; it can be overridden by passing the --substitute-urls option either to guix-daemon (see guix-daemon --substitute-urls) or to client tools such as guix package (see client --substitute-urls option).
To allow Guix to download substitutes from hydra.gnu.org, you must add its public key to the access control list (ACL) of archive imports, using the guix archive command (see Invoking guix archive). Doing so implies that you trust hydra.gnu.org to not be compromised and to serve genuine substitutes.
This public key is installed along with Guix, in prefix/share/guix/hydra.gnu.org.pub, where prefix is the installation prefix of Guix. If you installed Guix from source, make sure you checked the GPG signature of guix-0.9.0.tar.gz, which contains this public key file.
Then, you can run something like this:
# guix archive --authorize < hydra.gnu.org.pub
Once this is in place, the output of a command like guix build should change from something like:
$ guix build emacs --dry-run
The following derivations would be built:
/gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv
/gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv
/gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-1.0.27.1.tar.bz2.drv
/gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv
…
to something like:
$ guix build emacs --dry-run
The following files would be downloaded:
/gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3
/gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d
/gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16
/gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7
…
This indicates that substitutes from hydra.gnu.org are usable and will be downloaded, when possible, for future builds.
Guix ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL. It also detects and raises an error when attempting to use a substitute that has been tampered with.
The substitute mechanism can be disabled globally by running guix-daemon with --no-substitutes (see Invoking guix-daemon). It can also be disabled temporarily by passing the --no-substitutes option to guix package, guix build, and other command-line tools.
Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using hydra.gnu.org substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that hydra.gnu.org is less of an interesting target. One way to help is by publishing the software you build using guix publish so that others have one more choice of server to download substitutes from (see Invoking guix publish).
Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. The guix challenge command aims to help users assess substitute servers, and to assist developers in finding out about non-deterministic package builds (see Invoking guix challenge).
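The comparison that reproducible builds make possible, as an added Python example (not Guix code and not how guix challenge is implemented): hash each locally built item and compare it with what each substitute server advertises. Assumptions: a plain SHA-256 over the output bytes stands in for Guix's store item hash, the build contents are constructed, and mirror.example.org is a hypothetical second server.

```python
import hashlib

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def challenge(local_builds, server_hashes):
    """local_builds: {store_item: bytes built locally};
    server_hashes: {server: {store_item: advertised SHA-256 hex}}."""
    items = set(local_builds)
    for advertised in server_hashes.values():
        items.update(advertised)
    report = {}
    for item in sorted(items):
        offered = {s: h[item] for s, h in server_hashes.items() if item in h}
        if item not in local_builds or not offered:
            # Nothing to compare: needs a local build and a server copy.
            report[item] = ("inconclusive", [])
            continue
        local = sha256_hex(local_builds[item])
        differing = sorted(s for s, h in offered.items() if h != local)
        # A difference means a non-deterministic build or a substitute
        # that is not the genuine build result; both need investigation.
        report[item] = ("mismatch" if differing else "match", differing)
    return report

# Constructed sample: store paths are the ones shown on this page, the
# build contents are made up, and mirror.example.org is hypothetical.
EMACS = "/gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3"
LIBJPEG = "/gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d"
CAIRO = "/gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16"
LOCAL = {EMACS: b"emacs output", LIBJPEG: b"libjpeg output"}
SERVERS = {
    "hydra.gnu.org": {
        EMACS: sha256_hex(b"emacs output"),
        LIBJPEG: sha256_hex(b"libjpeg output"),
        CAIRO: sha256_hex(b"cairo output"),
    },
    "mirror.example.org": {
        EMACS: sha256_hex(b"emacs output"),
        LIBJPEG: sha256_hex(b"libjpeg output, altered"),
    },
}

if __name__ == "__main__":
    for item, (status, differing) in challenge(LOCAL, SERVERS).items():
        print(status, item, *differing)
```

An item with no local build stays inconclusive rather than being counted as a match, since agreement among servers alone says nothing about what your own build would produce.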
In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on guix-devel@gnu.org.