This patch series allows ‘guix system’ to record provenance info
about a system in its output: the system itself (e.g.,
/run/current-system) now contains three more files: “channels.scm”,
“configuration.scm”, and “provenance” (a summary of the first two
That means you can always inspect a deployed system to find its own
“source”. In some cases, you can even run something like:
guix time-machine \
-C /var/guix/profiles/system-N-link/channels.scm -- \
system reconfigure \
to rebuild generation N of your system. Pretty cool, no? :-)
Otherwise you can simply run:
guix system describe
to see where your OS comes from.
Provenance tracking is implemented as a service. The service is
automatically added by ‘guix system init’, ‘reconfigure’, and by
‘guix deploy’. For other commands, one can pass ‘--save-provenance’
to turn it on.
This was long overdue!
This has interesting implications on trustworthiness: you can
distribute a VM/Docker image with provenance info, and anyone
can reproduce it and ensure they obtain the same bits (well, ideally,
because I guess a few steps may still not be bit-reproducible).
Ludovic Courtès (5):
services: Add 'provenance-service-type'.
guix system: Use 'provenance-service-type', add "--save-provenance".
machine: Add provenance tracking to each machine operating system.
guix system: "list-generations" displays provenance info.
guix system: Add "describe" action.
doc/guix.texi | 109 +++++++++++++++++++++++++++++++++++++---
gnu/machine.scm | 7 ++-
gnu/services.scm | 87 ++++++++++++++++++++++++++++++++
gnu/system.scm | 10 ++++
guix/scripts/pull.scm | 1 +
guix/scripts/system.scm | 107 ++++++++++++++++++++++++++++++++-------
6 files changed, 293 insertions(+), 28 deletions(-)