[rb-general] Container-only Linux Distribution

Paul Colomiets paul at colomiets.name
Fri Dec 11 14:01:06 CET 2015

On Fri, Dec 11, 2015 at 11:30 AM, Ludovic Courtès <ludo at gnu.org> wrote:
> Hi,
> Paul Colomiets <paul at colomiets.name> skribis:
>> I blogged about making a linux distribution for containers with
>> reproducible builds.
>> Hopefully you find it interesting.
>> https://medium.com/p/container-only-linux-distribution-ff0497933c33
> Regarding this paragraph:
>   So to freeze a package version you need to lock the revision of git
>   repository. And then you quickly run into the situation where the
>   package cache you relied on is already replaced. So you need to build
>   everything from scratch (including gcc, glibc, and so on). Which
>   effectively means you can’t freeze a package without running your own
>   build bot (called “hydra”) and a cache. Which is okay for larger
>   organizations, but is too cumbersome for individual developers.
> One doesn’t need to run Hydra, the full-blown CI server for this.  It’s
> enough to simply build things locally.  If they’re in a user profile,
> they’re protected from garbage collection, so it’s a one-time cost.

Yes, I know, and it makes sense for some cases. But briefly, two issues
with this:

1. If you publish an open-source project, should you also publish a nix
closure? If you join a project, should you take a large blob of unknown
binaries to make a pull request?

2. If your colleague quits their job, where would you take the closure from?
It's okay for a larger organization where you have a "defined process" for
quitting a job (and which can afford to set up hydra anyway). But it's a
problem for small organizations.

> Guix provides ‘guix publish’ as a lightweight way to publish binaries
> from your store.  So if there’s a group of people working on the same
> set of packages, the binaries could effectively be shared this way.

I have not used guix, but it seems even more cumbersome than
nix-copy-closure. If I publish, then turn off the laptop, my team can't
get the files.

Also, nix closures change so often that it's hard to make sure that I, my
team-mates and a buildbot have the very same packages. Unless I operate on
hashes directly instead of a list of dependencies, which is ugly.
Traditional distributions like Ubuntu and even Archlinux have fewer updates
and are more manageable in this respect. So I feel we can make a better
trade-off here.
