NPM and trusted binaries

[Pjotr Prins]

On Tue, Sep 06, 2016 at 11:48:04AM -0400, Thompson, David wrote:
> On Sun, Sep 4, 2016 at 10:11 AM, Jan Nieuwenhuizen <address@hidden> wrote:
> 
> >    * add --binary option to importer, sets (arguments (#:binary? #t))
> 
> This violates a core principle of Guix: reproducible builds.  I don't
> support patches that encourage using pre-built binaries.

In principle I agree. We want to be able to read the code.

Still, I think Guix would benefit from a somewhat more relaxed stance
in this. Especially where it comes to cross-platform binary
deployments we could be accelerate things now and then - and maybe
work on source deployment later. I am thinking of Erlang Beam and the
JVM mostly. If binaries are *trusted* we could do that. Point of note,
we distribute *trusted* binaries already. Who builds those?

I am becoming increasingly of the opinion that Guix can be a 'small'
core of rock solid software and we should provide mechanisms to wave
out in other maybe less controlled directions. Whether it is in source
or in binary form.

Pj.