diff mbox series

[bug#65866,v2,5/8] build: Add dependency on Git.

Message ID 8ec588483525275aac1eb057543a903bea707ead.1695421391.git.ludo@gnu.org
State New
Headers show
Series Add built-in builder for Git checkouts | expand

Commit Message

Ludovic Courtès Sept. 22, 2023, 10:28 p.m. UTC 
* configure.ac: Check for ‘git’ and substitute ‘GIT’.
* guix/config.scm.in (%git): New variable.
* guix/self.scm (compiled-guix): Define ‘git’ and pass it to
‘make-config.scm’.
(make-config.scm): Add #:git; emit a ‘%git’ variable.
* doc/guix.texi (Requirements): Add it.
---
 configure.ac       |  7 +++++++
 doc/guix.texi      |  1 +
 guix/config.scm.in |  6 +++++-
 guix/self.scm      | 10 +++++++++-
 4 files changed, 22 insertions(+), 2 deletions(-)

Comments

Simon Tournier Sept. 25, 2023, 1:59 p.m. UTC | #1 
Hi Ludo,

On Sat, 23 Sep 2023 at 00:28, Ludovic Courtès <ludo@gnu.org> wrote:
> * configure.ac: Check for ‘git’ and substitute ‘GIT’.
> * guix/config.scm.in (%git): New variable.
> * guix/self.scm (compiled-guix): Define ‘git’ and pass it to
> ‘make-config.scm’.
> (make-config.scm): Add #:git; emit a ‘%git’ variable.
> * doc/guix.texi (Requirements): Add it.

Moving the Git dependency to a daemon dependency tweaks a bit what we
control when “bootstrapping”, no?  Maybe I misread or misunderstand a
point.

Currently, the full bootstrap story requires the binary seed (well
documented in the manual :-)), running a Linux kernel and a Guix daemon.
And then, everything is built one after the other, resolving the chain
of dependencies.

And obviously, there is another chicken-or-the-egg problem barely
discussed.  For building something, we first need to communicate with
the world for fetching the source code to build. :-)

It is not Git specific and also happens with ’url-fetch’ – as reported
very early (see #22774 from 2016).  For instance, TLS is required before
Guix has built GnuTLS.  The chicken-or-the-egg had been solved by hiding
this dependency as a dependency of the daemon.  A hack.

Therefore, it means that the Reduced Binary Seed bootstrap is somehow
enlarged by what the Guix daemon depends on.

I mean, breaking the dependency cycles by introducing a dependency on
Git (as for fixing #63331) is not free of other dependencies.  It is
another hack when it could be avoided since the issue is about
Guile-GnuTLS.

It means we are doing a step back for a full bootstrap story, IMHO,
having a “builtin:git-download” makes less clear what are the hard
dependencies to what Guix is able to build from source starting from
almost nothing.

Cheers,
simon
Ludovic Courtès Sept. 26, 2023, 2:05 p.m. UTC | #2 
Hi,

Simon Tournier <zimon.toutoune@gmail.com> skribis:

> On Sat, 23 Sep 2023 at 00:28, Ludovic Courtès <ludo@gnu.org> wrote:
>> * configure.ac: Check for ‘git’ and substitute ‘GIT’.
>> * guix/config.scm.in (%git): New variable.
>> * guix/self.scm (compiled-guix): Define ‘git’ and pass it to
>> ‘make-config.scm’.
>> (make-config.scm): Add #:git; emit a ‘%git’ variable.
>> * doc/guix.texi (Requirements): Add it.
>
> Moving the Git dependency to a daemon dependency tweaks a bit what we
> control when “bootstrapping”, no?  Maybe I misread or misunderstand a
> point.

The model in Guix is that there’s a daemon to “emulate” a build “from
scratch”.

One can question whether the model matches reality, and this is what I
and fellow hackers looked at during the 2019 R-B Summit:

  https://guix.gnu.org/en/blog/2019/reproducible-builds-summit-5th-edition/
  (under “Extreme Bootstrapping”)

(The ‘wip-system-bootstrap’ branch still exists!)

Anyway, we’re drifting away from this patch series!

Ludo’.
Simon Tournier Sept. 26, 2023, 5:04 p.m. UTC | #3 
Hi Ludo,

On Tue, 26 Sept 2023 at 16:05, Ludovic Courtès <ludo@gnu.org> wrote:

> > Moving the Git dependency to a daemon dependency tweaks a bit what we
> > control when “bootstrapping”, no?  Maybe I misread or misunderstand a
> > point.
>
> The model in Guix is that there’s a daemon to “emulate” a build “from
> scratch”.

Yes and that "emulate" will be bigger.

>   https://guix.gnu.org/en/blog/2019/reproducible-builds-summit-5th-edition/
>   (under “Extreme Bootstrapping”)

Thanks for the reference.  I have forgotten it.  Yes, that's it. :-)

Adding Git as dependency to the daemon is adding Git in the Trusted
Computing Base.  It appears to me important to raise and to not hide
under the carpet. :-)

> (The ‘wip-system-bootstrap’ branch still exists!)

Having a potential solution does not make pointless the current concern. ;-)

> Anyway, we’re drifting away from this patch series!

No, it is not drifting.  The addition of Git in the trusting trust
story cannot be dismissed, IMHO.

It is not drifting to discuss for reaching some consensus about the
"risk" of enlarging the trusting trust computing base.  For example,
is this "risk" worth the corner case of Guile-GnuTLS?

As I said elsewhere, adding something is often much easier than
removing something.  Here the addition of Git has some implications
(libgit2, trusted computing base, etc.) and it is always about the
right balance.  Do we have the right balance here?  The discussion
about concrete concerns for the addition of Git as dependency helps in
reinforcing the consensus that this change is worth despite the
downsides.

To make it explicit: is this series worth the Guile-GnuTLS/Git
circular dependency corner case?  Maybe it is already all clear for
you, and your answer is a big YES. :-)  And perhaps it is the only
answer. :-)  But it does not mean the answer is fully clear for
everybody, at least it is not necessary straightforward for me.
Somehow, do we have a consensus about the way that this series is
worth the Guile-GnuTLS/Git circular dependency corner case?  And a
consensus about the way that this series is The Right Thing for that
circular dependency?

Cheers,
simon
Ludovic Courtès Oct. 12, 2023, 10:54 a.m. UTC | #4 
Hi,

Simon Tournier <zimon.toutoune@gmail.com> skribis:

> To make it explicit: is this series worth the Guile-GnuTLS/Git
> circular dependency corner case?  Maybe it is already all clear for
> you, and your answer is a big YES. :-)  And perhaps it is the only
> answer. :-)  But it does not mean the answer is fully clear for
> everybody, at least it is not necessary straightforward for me.
> Somehow, do we have a consensus about the way that this series is
> worth the Guile-GnuTLS/Git circular dependency corner case?  And a
> consensus about the way that this series is The Right Thing for that
> circular dependency?

One thing I probably didn’t explain clearly is that yes, the circular
dependency issue is one we have to solve.  For years, I hope we could
avoid it but experience has shown that no, it’s a problem we did have to
address.

One example is Guile-GnuTLS being built from a Git checkout.  Another
one is Hurd packages in commencement.scm built from a Git checkout.  We
had to go to great lengths to avoid ‘git-fetch’:

  https://issues.guix.gnu.org/64708#6

More and more software is built from Git checkouts rather than tarballs.
In the long run, we won’t be able to guarantee that none of the
dependencies of ‘git-minimal’ takes its source via ‘git-fetch’.

This is especially true if we want to move away from Autotools-generated
tarballs and instead run ‘autoreconf’ ourselves on pristine source.

Ludo’.
Simon Tournier Oct. 16, 2023, 8:46 a.m. UTC | #5 
Hi Ludo,

On Thu, 12 Oct 2023 at 12:54, Ludovic Courtès <ludo@gnu.org> wrote:

>> To make it explicit: is this series worth the Guile-GnuTLS/Git
>> circular dependency corner case?  Maybe it is already all clear for
>> you, and your answer is a big YES. :-)  And perhaps it is the only
>> answer. :-)  But it does not mean the answer is fully clear for
>> everybody, at least it is not necessary straightforward for me.
>> Somehow, do we have a consensus about the way that this series is
>> worth the Guile-GnuTLS/Git circular dependency corner case?  And a
>> consensus about the way that this series is The Right Thing for that
>> circular dependency?
>
> One thing I probably didn’t explain clearly is that yes, the circular
> dependency issue is one we have to solve.  For years, I hope we could
> avoid it but experience has shown that no, it’s a problem we did have to
> address.

There is different ways to solve this circular dependency.


> One example is Guile-GnuTLS being built from a Git checkout.  Another
> one is Hurd packages in commencement.scm built from a Git checkout.  We
> had to go to great lengths to avoid ‘git-fetch’:
>
>   https://issues.guix.gnu.org/64708#6

Somehow, I think it is the direction to explore: have some
’git-fetch-bootstrap’ which relies on some ’builtin:git-download’ and
guix-daemon side code, and then that being used to have the packages
required by some ’git-fetch’ without guix-daemon side code.

Doing so, we would minimize the opaque – hard to audit – code, which
means less power to guix-daemon, we keep the control, etc.  It appears
to me more consistent with the general approach elsewhere.  Anyway.

Rehashing all, your opinion was already made when you sent this patch.
You wrote since the very beginning on 6 May 2023 for Guile-GnuTLS [1]:

        The longer-term solution is to add a “builtin:git-download”
        derivation builder, just like we have “builtin:download”.  The
        implementation should be relatively easy, but we’ll have to be
        able to deal with daemons that lack this builtin possibly for
        several years.

        https://issues.guix.gnu.org/63331#0

Therefore, this patch was not an open discussion for some design but the
review of some code for fixing concrete issues.  No hard feeling, we
need to make progress after all; the issue is pending since months.
However, when giving a look at this patch, it was not my expectations.

It is my own mistake to have not been enough active before with the
issue.  I had months to discuss some design for the circular
dependencies of the fetching methods.  Since I am spending some time
reading about what is going on with Guix, I think we have a failure in
some process.

IMHO, we are missing a Request For Comments and I will send a proposal
for some implementation details this week.

Cheers,
simon
diff mbox series

Patch

diff --git a/configure.ac b/configure.ac
index 92dede8014..d817f620cf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -201,6 +201,13 @@  AC_SUBST([GZIP])
 AC_SUBST([BZIP2])
 AC_SUBST([XZ])
 
+dnl Git is now required for the "builtin:git-download" derivation builder.
+AC_PATH_PROG([GIT], [git])
+if test "x$GIT" = "x"; then
+  AC_MSG_ERROR([Git is missing; please install it.])
+fi
+AC_SUBST([GIT])
+
 LIBGCRYPT_LIBDIR="no"
 LIBGCRYPT_PREFIX="no"
 
diff --git a/doc/guix.texi b/doc/guix.texi
index 50c4984d71..8812e42e99 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -1011,6 +1011,7 @@  Requirements
 @item
 @uref{https://gitlab.com/guile-git/guile-git, Guile-Git}, version 0.5.0
 or later;
+@item @uref{https://git-scm.com, Git} (yes, both!);
 @item @uref{https://savannah.nongnu.org/projects/guile-json/, Guile-JSON}
 4.3.0 or later;
 @item @url{https://www.gnu.org/software/make/, GNU Make}.
diff --git a/guix/config.scm.in b/guix/config.scm.in
index d582d91d74..62e15dd713 100644
--- a/guix/config.scm.in
+++ b/guix/config.scm.in
@@ -1,5 +1,5 @@ 
 ;;; GNU Guix --- Functional package management for GNU
-;;; Copyright © 2012, 2013, 2014, 2015, 2016, 2018, 2019, 2021 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2012-2016, 2018-2019, 2021, 2023 Ludovic Courtès <ludo@gnu.org>
 ;;; Copyright © 2017 Caleb Ristvedt <caleb.ristvedt@cune.org>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -35,6 +35,7 @@  (define-module (guix config)
             %config-directory
 
             %system
+            %git
             %gzip
             %bzip2
             %xz))
@@ -109,6 +110,9 @@  (define %config-directory
 (define %system
   "@guix_system@")
 
+(define %git
+  "@GIT@")
+
 (define %gzip
   "@GZIP@")
 
diff --git a/guix/self.scm b/guix/self.scm
index d2300052d8..9eaddc7a29 100644
--- a/guix/self.scm
+++ b/guix/self.scm
@@ -69,6 +69,7 @@  (define %packages
       ("gzip"               . ,(ref 'compression 'gzip))
       ("bzip2"              . ,(ref 'compression 'bzip2))
       ("xz"                 . ,(ref 'compression 'xz))
+      ("git-minimal"        . ,(ref 'version-control 'git-minimal))
       ("po4a"               . ,(ref 'gettext 'po4a))
       ("gettext-minimal"    . ,(ref 'gettext 'gettext-minimal))
       ("gcc-toolchain"      . ,(ref 'commencement 'gcc-toolchain))
@@ -826,6 +827,9 @@  (define* (compiled-guix source #:key
   (define guile-lzma
     (specification->package "guile-lzma"))
 
+  (define git
+    (specification->package "git-minimal"))
+
   (define dependencies
     (append-map transitive-package-dependencies
                 (list guile-gcrypt guile-gnutls guile-git guile-avahi
@@ -999,6 +1003,7 @@  (define* (compiled-guix source #:key
                     => ,(make-config.scm #:gzip gzip
                                          #:bzip2 bzip2
                                          #:xz xz
+                                         #:git git
                                          #:package-name
                                          %guix-package-name
                                          #:package-version
@@ -1104,7 +1109,7 @@  (define %default-config-variables
     (%storedir . "/gnu/store")
     (%sysconfdir . "/etc")))
 
-(define* (make-config.scm #:key gzip xz bzip2
+(define* (make-config.scm #:key gzip xz bzip2 git
                           (package-name "GNU Guix")
                           (package-version "0")
                           (channel-metadata #f)
@@ -1134,6 +1139,7 @@  (define* (make-config.scm #:key gzip xz bzip2
                                %state-directory
                                %store-database-directory
                                %config-directory
+                               %git
                                %gzip
                                %bzip2
                                %xz))
@@ -1176,6 +1182,8 @@  (define* (make-config.scm #:key gzip xz bzip2
                      ;; information is used by (guix describe).
                      '#$channel-metadata)
 
+                   (define %git
+                     #+(and git (file-append git "/bin/git")))
                    (define %gzip
                      #+(and gzip (file-append gzip "/bin/gzip")))
                    (define %bzip2