gwl-devel

Re: Getting started with GWL 0.3.0


From: zimoun
Subject: Re: Getting started with GWL 0.3.0
Date: Mon, 22 Mar 2021 14:51:45 +0100

Hi,

On Mon, 22 Mar 2021 at 14:04, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:

> Looks like I missed a discussion on guix-devel. My excuse is that I
> can't keep up with guix-devel any more, it's getting too much!

Do not worry!  And I do not know if these days anyone is actually
able to grasp all the discussions happening on guix-devel. :-)

> > This is really cool because “guix repl -- foo.scm arg1 arg2” can now be
> > really handy with “guix foo arg1 arg2”.
>
> Handy, yes. But is it a good idea from a security point of view? As a
> Guix user, I trust "guix" with all its subcommands because I know that
> all the code is carefully inspected by several competent developers.  I
> don't have the same level of trust in software packaged within Guix.

What do you mean?

The user has to explicitly set GUIX_EXTENSIONS_PATH or explicitly
install a package (or a channel, as "guix home").  I do not see where
there is a security flaw, I mean it is the same vulnerability as for
"guix repl -- foo.scm" or as for "guix install foo && foo".

And if you worry, I guess you can run GWL in a container, something like:

  guix environment -C --ad-hoc gwl -- guix workflow


> I'd rather see packages building on "guix" but provide their own
> top-level scripts with distinct names. And support for writing such
> packages in making it easier to access the user's default Guix profile.

Personally, I like the idea of extensions, similar to how "git foo"
works if "git-foo" is an executable on the PATH.

I imagine a couple of extensions.  For instance, testing ideas on the UI is
hard because Guix itself is really conservative about backward
compatibility---for a good! :-)
And we can imagine extensions as a way to test other flavours, either
before introducing a new subcommand or as a replacement for a
current subcommand.


Cheers,
simon


