Hacker News new | past | comments | ask | show | jobs | submit login
Arch Linux minimal container userland 100% reproducible – now what? (reproducible-builds.org)
103 points by kpcyrd on March 20, 2024 | hide | past | favorite | 17 comments



Oh, might be the chance to chuck my Alpine, Debian and Ubuntu containers into the flaming sun and just use an Arch Linux base image.

No more dealing with apt nonsense; no more dealing with Debian packaging philosophy which is antithetical to containers; and no more musl, which has been working fine, but I keep wondering whether any DNS issue is because of it.


> I keep wondering whether any DNS issue is because of it

If you're referring to the lack of TCP for DNS, that was fixed almost a year ago in 1.2.4.

https://musl.libc.org/releases.html

https://news.ycombinator.com/item?id=36933028


So apart from unknown bugs, musl should now be as good as glibc for networked services?


I suspect so. I'm not really qualified to answer that definitively, though.


IMO musl is the right way forward if you want to optimize for minimalism, security, and making it easy to build static binaries in most languages.


Not just static builds. An alpine chroot with bubblewrap and mosh for non-supported distros weights less than 60MB.


I wonder how much larger that is than, say, classic Unix distributions like 4.3BSD.


And glibc is bad until it can be used reliably for static builds.


Since OCI determinism was mentioned, I feel it may be of interest that some friends and I bootstrapped a linux distro from 0 to solve exactly this problem.

[Stageˣ]: The container native, full source bootstrapped, musl based, and reproducible toolchain to build all of the things.

https://codeberg.org/stagex/stagex

A lot more to come on this soon.

This was only possible by carefully incorporating and cribbing a huge amount of bootstrapping and reproducibility work from the Stage0, live-bootstrap, Docker, Guix, Nix, mrustc, Debian, Alpine, and Arch teams, many of whose members have generously helped unblock us several times.


flake.nix and Brazil exist. So does Guix. This news is great for the Arch Linux project. But for the reproducible world this is meh.


Nix is mostly reproducible but does not require maintainers to sign their packages or commits, and most do not, which is a bare minimum for any security sensitive environment.

In Guix signing is mandated and it is mostly reproducible, but the choice of scheme and lack of base container images make it unapproachable for many.

Debian lead the way on signing and reproducibility, but package versions of things like rust are too far behind to be useful to most orgs.

Arch in contrast to these is IMO easy to package for, has recent well maintained signed packages, has well maintained OCI images published, and is rapidly improving on reproducibility.

Having at least one glibc distro that can meet this criteria is a big win for many use cases.

Different tools for different projects and threat models.


>> base container images

This is very easy to solve for.

>> choice of scheme

There was more wisdom when everyone at least tacitly acknowledge that maybe not everyone should be touching servers.


With all due respect to Nix/Guix, to me they swim uphill against the current of "worse is better" than UNIX is built upon. They are trying to tame the complexity of the world by making it declarative. A lofty, and a little too idealistic goal.

I much prefer the immutable approach (rpm-ostree) or even an unsophisticated approach like a Dockerfile, which is worse but much closer to the status quo, than to create a perfect world from scratch and hope that everybody follows the Light. Software is too large, complex, hacky, buggy and nuanced to expect it to fit into neat preordained categories. Because unless you do very simple things, you'll soon find yourself out of the happy path and have to resort to doing the hacky way anyway.

This is what some believe killed Lisp machines vs UNIX. I guess, like Lisp, in decades there will a vocal contingent of people lamenting the fact that we all run immutable Microsoft Kubernetes Ubuntu (MSKU) instead of using the more refined NixOS approach.

https://www.dreamsongs.com/WorseIsBetter.html


>> in decades there will a vocal contingent of people lamenting the fact that we all run immutable Microsoft Kubernetes Ubuntu (MSKU) instead of using the more refined NixOS approach.

You are, unfortunately, correct. Some of us still run illumos Unix (SmartOS), but we are a tiny minority. I hope that things can work out so that something other than the lowest common denominator is accessible enough to also have a pervasive footprint.

A lot of very crummy ideas are popular in ways that would not have been imaginable 15 years ago.

>> or even an unsophisticated approach like a Dockerfile

In a handful of "higher end" on the salary side of DevOps/SRE roles I have done, I managed to quietly do things with flake.nix -- next time around I'll do them with Guix. I can get Guix container images going, that's not hard for me.

But yeah, doing things non-Docker isn't too hard for us DevOps ninjas (what DevOps was in 2012, not the watered down thing today).

After doing flake.nix, I managed to get written company policy ratified by our legal team that all container images must be binary reproducible. That probably fell apart since I left, unless the high quality CTO I was serving is still there.


I am not sure if this is a tongue-in-cheek comment that's above my comedic pay grade, but if it is not:

This sounds like a lot of words that would otherwise mean nothing to any Nix/Guix user. It works. It is not "too idealistic goal", Nix repositories already contain more packages than any distribution around.

It is too late to throw the occasional uninspiring "you are too ambitious." Because they have been doing this for years now successfully.


>> A lofty, and a little too idealistic goal.

Guix has accomplished, as in put into real world practice, their ideas.


I think the question is about what kind of commitment the functional package management paradigm, especially as implemented by Nix and Guix, requires too much commitment or skill to really 'eat the world'.

That whole operating systems based on this model are workable by enthusiasts, experts, and adventurous hackers is, as you point out, well-proven by NixOS and (perhaps especially, by your reckoning) GuixSD.

Personally, while I think later, 'more pragmatic' takes on functional package management (e.g., Spack) get some things right for the first time in the space, I'm optimistic about how far projects like NixOS and Guix can go even without relaxing any 'purity' constraints. NixOS is blowing up with Linux hobbyists right now because there's already so much it can do without experienced administrator. The Guix package collection is growing incredibly quickly given its relative youth and smaller contributor base— I'd be shocked if it didn't outgrow some of the most popular Linux distros in the next few years.

Like you say, these projects aren't just proofs of concept in a lab or paper somewhere. They have users and contributors right here in the real world, already, and they're growing and improving all the time.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: