Guix Gets Grafts: Timely Delivery of Security Updates

paroneayea writes: GNU Guix, the functional package manager (and with GuixSD, distribution) got a nice feature yesterday: timely delivery of security updates with grafts. Guix's new grafts feature recursively produces re-linked packages as dependencies without waiting for all to compile when a time-sensitive security upgrade is an issue. This came just in time for this week's OpenSSL security issues, and has been successfully tested by the community. It worked so well that it was able to reproduce the ABI break issue that other traditional distributions experienced also!

Re:

[Anonymous Coward]

The news seems to be something like this:
- GNU has a package manager. Didn't know that.
- The package manager is functional in many ways.
- Because it's functional in many ways, it also sucks in some ways.
- They managed to reduce the suckage, which is good for them.

What would be news for me is something like this:
- Why do I care?

It's a relatively new thing (2012) so I'm guessing most haven't heard of it. The GNU folks took an existing package manager, Nix [nixos.org] and modified it to use Guile Scheme instead of Nix's own language for describing functions (packages). You're right that it's functional (in the functional programming sense), which gives it its own set of pros and cons compared to traditional package managers.

As for why you might care, this comment on SN [soylentnews.org] briefly covers what it means to be a functional package manager, including

Parent needs more upmods.

[jeffb (2.718)]

This isn't a topic I follow closely, and so when I saw "functional package manager" I didn't immediately make the association with "functional programming". The SN comment was enlightening.

This is a case where insider terminology ("functional package manager") not only fails to convey meaning to outsiders, it doesn't even provide a hint that the outsiders are missing something -- "functional" masquerades quite well as a bit of marketing fluff. ("We're not like the dysfunctional PMs you've had to put up with

Re:

[DuckDodgers]

That's a fair point. In any event, I think if Nix or Guix ever get wide adoption it will be a long road because the way they store and manage packages is so fundamentally different from traditional Unixes and Unix package managers. Interesting idea, though.

So... Which is it?

[Zontar The Mindless]

Is Guix a window cleaner, a dessert topping, or both?

Re:

[Zontar The Mindless]

I'm sorry about your butthurt, but it's not my fault that your devs don't understand how to name things in a fashion that it doesn't require 20 minutes to puzzle out and leave you feeling dissatisfied even then.

So if I understand correctly

[guruevi]

GNU doesn't like dynamically linking to libraries, instead preferring to statically link all the code. This results in (obviously) all statically linked packages having to be recompiled from scratch every time something in a core package (like OpenSSL) changes.

Now, however they've figured out a way to dynamically link dependent packages so that their statically linked packages will recompile correctly. Oh, and wanton disabling SSLv2 breaks shit.

Re:

[Tool Man]

If "wanton disabling SSLv2" breaks shit, it's shit that needs breaking. Dodgy old crypto protocols are deprecated for a reason, and massive, cheap security lossage is a good example here.

finally!

[Gravis Zero]

thank you for finally explaining wtf the thing is that you want to tell us more about. congratulations slashdot, you did it!