This document describes GNU Guix version 0.7, a functional package management tool written for the GNU system.
|• Introduction:||What is Guix about?|
|• Installation:||Installing Guix.|
|• Package Management:||Package installation, upgrade, etc.|
|• Programming Interface:||Using Guix in Scheme.|
|• Utilities:||Package management commands.|
|• GNU Distribution:||Software for your friendly GNU system.|
|• Contributing:||Your help needed!|
|• GNU Free Documentation License:||The license of this manual.|
|• Concept Index:||Concepts.|
|• Programming Index:||Data types, functions, and variables.|
GNU Guix1 is a functional package management tool for the GNU system. Package management consists of all activities that relate to building packages from sources, honoring their build-time and run-time dependencies, installing packages in user environments, upgrading installed packages to new versions or rolling back to a previous set, removing unused software packages, etc.
The term functional refers to a specific package management discipline. In Guix, the package build and installation process is seen as a function, in the mathematical sense. That function takes inputs, such as build scripts, a compiler, and libraries, and returns an installed package. As a pure function, its result depends solely on its inputs—for instance, it cannot refer to software or scripts that were not explicitly passed as inputs. A build function always produces the same result when passed a given set of inputs. It cannot alter the system’s environment in any way; for instance, it cannot create, modify, or delete files outside of its build and installation directories. This is achieved by running build processes in isolated environments (or containers), where only their explicit inputs are visible.
The result of package build functions is cached in the file system, in a special directory called the store (see The Store). Each package is installed in a directory of its own, in the store—by default under /gnu/store. The directory name contains a hash of all the inputs used to build that package; thus, changing an input yields a different directory name.
This approach is the foundation of Guix’s salient features: support for transactional package upgrade and rollback, per-user installation, and garbage collection of packages (see Features).
Guix has a command-line interface, which allows users to build, install, upgrade, and remove packages, as well as a Scheme programming interface.
Last but not least, Guix is used to build a distribution of the GNU system, with many GNU and non-GNU free software packages. See GNU Distribution.
GNU Guix is available for download from its website at http://www.gnu.org/software/guix/. This section describes the software requirements of Guix, as well as how to install it and get ready to use it.
Note that this section is concerned with the installation of the package manager, which can be done on top of a running GNU/Linux system. If, instead, you want to install the complete GNU operating system, see System Installation.
The build procedure for Guix is the same as for other GNU software, and is not covered here. Please see the files README and INSTALL in the Guix source tree for additional details.
|• Requirements:||Software needed to build and run Guix.|
|• Setting Up the Daemon:||Preparing the build daemon’s environment.|
|• Invoking guix-daemon:||Running the build daemon.|
GNU Guix depends on the following packages:
--disable-daemon was passed to
following packages are also needed:
When a working installation of the Nix package
manager is available, you
can instead configure Guix with
--disable-daemon. In that case,
Nix replaces the three dependencies above.
Guix is compatible with Nix, so it is possible to share the same store
between both. To do so, you must pass
configure not only the
--with-store-dir value, but also the same
--localstatedir value. The latter is essential because it
specifies where the database that stores metadata about the store is
located, among other things. The default values for Nix are
--disable-daemon is not required if
your goal is to share the store with Nix.
Operations such as building a package or running the garbage collector
are all performed by a specialized process, the build daemon, on
behalf of clients. Only the daemon may access the store and its
associated database. Thus, any operation that manipulates the store
goes through the daemon. For instance, command-line tools such as
guix package and
guix build communicate with the
daemon (via remote procedure calls) to instruct it what to do.
The following sections explain how to prepare the build daemon’s environment.
|• Build Environment Setup:||Preparing the isolated build environment.|
|• Daemon Offload Setup:||Offloading builds to remote machines.|
In a standard multi-user setup, Guix and its daemon—the
guix-daemon program—are installed by the system
administrator; /gnu/store is owned by
guix-daemon runs as
root. Unprivileged users may use
Guix tools to build packages or otherwise access the store, and the
daemon will do it on their behalf, ensuring that the store is kept in a
consistent state, and allowing built packages to be shared among users.
guix-daemon runs as
root, you may not want package
build processes themselves to run as
root too, for obvious
security reasons. To avoid that, a special pool of build users
should be created for use by build processes started by the daemon.
These build users need not have a shell and a home directory: they will
just be used when the daemon drops
root privileges in build
processes. Having several such users allows the daemon to launch
distinct build processes under separate UIDs, which guarantees that they
do not interfere with each other—an essential feature since builds are
regarded as pure functions (see Introduction).
On a GNU/Linux system, a build user pool may be created like this (using
Bash syntax and the
# groupadd guix-builder # for i in `seq 1 10`; do useradd -g guix-builder -G guix-builder \ -d /var/empty -s `which nologin` \ -c "Guix build user $i" --system \ guix-builder$i; done
guix-daemon program may then be run as
# guix-daemon --build-users-group=guix-builder
This way, the daemon starts build processes in a chroot, under one of
guix-builder users. On GNU/Linux, by default, the chroot
environment contains nothing but:
/devdirectory, created mostly independently from the host
/procdirectory; it only shows the container’s processes since a separate PID name space is used;
If you are installing Guix as an unprivileged user, it is still
possible to run
guix-daemon. However, build processes will
not be isolated from one another, and not from the rest of the system.
Thus, build processes may interfere with each other, and may access
programs, libraries, and other files available on the system—making it
much harder to view them as pure functions.
When desired, the build daemon can offload
derivation builds to other machines
running Guix, using the
offload build hook. When that
feature is enabled, a list of user-specified build machines is read from
/etc/guix/machines.scm; anytime a build is requested, for
guix build, the daemon attempts to offload it to one
of the machines that satisfies the derivation’s constraints, in
particular its system type—e.g., x86_64-linux. Missing
prerequisites for the build are copied over SSH to the target machine,
which then proceeds with the build; upon success the output(s) of the
build are copied back to the initial machine.
The /etc/guix/machines.scm file typically looks like this:
(list (build-machine (name "eightysix.example.org") (system "x86_64-linux") (user "bob") (speed 2.)) ; incredibly fast! (build-machine (name "meeps.example.org") (system "mips64el-linux") (user "alice") (private-key (string-append (getenv "HOME") "/.ssh/id-rsa-for-guix"))))
In the example above we specify a list of two build machines, one for
x86_64 architecture and one for the
In fact, this file is—not surprisingly!—a Scheme file that is
evaluated when the
offload hook is started. Its return value
must be a list of
build-machine objects. While this example
shows a fixed list of build machines, one could imagine, say, using
DNS-SD to return a list of potential build machines discovered in the
local network (see Guile-Avahi in Using
Avahi in Guile Scheme Programs).
The compulsory fields for a
build-machine declaration are:
The remote machine’s host name.
The remote machine’s system type.
The user account to use when connecting to the remote machine over SSH. Note that the SSH key pair must not be passphrase-protected, to allow non-interactive logins.
A number of optional fields may be specified:
Port number of the machine’s SSH server (default: 22).
The SSH private key file to use when connecting to the machine.
The number of builds that may run in parallel on the machine (1 by default.)
A “relative speed factor”. The offload scheduler will tend to prefer machines with a higher speed factor.
A list of strings denoting specific features supported by the machine.
An example is
"kvm" for machines that have the KVM Linux modules
and corresponding hardware support. Derivations can request features by
name, and they will be scheduled on matching build machines.
guix command must be in the search path on the build
machines, since offloading works by invoking the
guix archive and
guix build commands.
There’s one last thing to do once machines.scm is in place. As explained above, when offloading, files are transferred back and forth between the machine stores. For this to work, you need to generate a key pair to allow the daemon to export signed archives of files from the store (see Invoking guix archive):
# guix archive --generate-key
Thus, when receiving files, a machine’s build daemon can make sure they are genuine, have not been tampered with, and that they are signed by an authorized key.
guix-daemon program implements all the functionality to
access the store. This includes launching build processes, running the
garbage collector, querying the availability of a build result, etc. It
is normally run as
root like this:
# guix-daemon --build-users-group=guix-builder
For details on how to set it up, Setting Up the Daemon.
guix-daemon launches build processes under
different UIDs, taken from the build group specified with
--build-users-group. In addition, each build process is run in a
chroot environment that only contains the subset of the store that the
build process depends on, as specified by its derivation
(see derivation), plus a set of specific
system directories. By default, the latter contains /dev and
/dev/pts. Furthermore, on GNU/Linux, the build environment is a
container: in addition to having its own file system tree, it has
a separate mount name space, its own PID name space, network name space,
etc. This helps achieve reproducible builds (see Features).
The following command-line options are supported:
Take users from group to run build processes (see build users).
Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).
By default substitutes are used, unless the client—such as the
guix package command—is explicitly invoked with
When the daemon runs with
--no-substitutes, clients can still
explicitly enable substitution via the
remote procedure call (see The Store).
Do not use the build hook.
The build hook is a helper program that the daemon can start and to which it submits build requests. This mechanism is used to offload builds to other machines (see Daemon Offload Setup).
Cache build failures. By default, only successful builds are cached.
Use n CPU cores to build each derivation;
0 means as many
The default value is
1, but it may be overridden by clients, such
--cores option of
guix build (see Invoking guix build).
The effect is to define the
NIX_BUILD_CORES environment variable
in the build process, which can then use it to exploit internal
parallelism—for instance, by running
Allow at most n build jobs in parallel. The default value is
Produce debugging output.
This is useful to debug daemon start-up issues, but then it may be
overridden by clients, for example the
--verbosity option of
guix build (see Invoking guix build).
Add dir to the build chroot.
Doing this may change the result of build processes—for instance if they use optional dependencies found in dir when it is available, and not otherwise. For that reason, it is not recommended to do so. Instead, make sure that each derivation declares all the inputs that it needs.
Disable chroot builds.
Using this option is not recommended since, again, it would allow build processes to gain access to undeclared dependencies.
Disable compression of the build logs.
--lose-logs is used, all the build logs are kept in the
localstatedir. To save space, the daemon automatically compresses
them with bzip2 by default. This option disables that.
Disable automatic file “deduplication” in the store.
By default, files added to the store are automatically “deduplicated”: if a newly added file is identical as another one found in the store, the daemon makes the new file a hard link to the other file. This slightly increases the input/output load at the end of a build process. This option disables this.
Tell whether the garbage collector (GC) must keep outputs of live derivations.
When set to “yes”, the GC will keep the outputs of any live derivation
available in the store—the
.drv files. The default is “no”,
meaning that derivation outputs are kept only if they are GC roots.
Tell whether the garbage collector (GC) must keep derivations corresponding to live outputs.
When set to “yes”, as is the case by default, the GC keeps
.drv files—as long as at least one of their
outputs is live. This allows users to keep track of the origins of
items in their store. Setting it to “no” saves a bit of disk space.
Note that when both
--gc-keep-outputs are used, the effect is to keep all the build
prerequisites (the sources, compiler, libraries, and other build-time
tools) of live objects in the store, regardless of whether these
prerequisites are live. This is convenient for developers since it
saves rebuilds or downloads.
On Linux-based systems, impersonate Linux 2.6. This means that the
uname system call will report 2.6 as the release number.
This might be helpful to build programs that (usually wrongfully) depend on the kernel version number.
Do not keep build logs. By default they are kept under
Assume system as the current system type. By default it is the
architecture/kernel pair found at configure time, such as
Listen for connections on socket, the file name of a Unix-domain socket. The default socket is localstatedir/daemon-socket/socket. This option is only useful in exceptional circumstances, such as if you need to run several daemons on the same machine.
The purpose of GNU Guix is to allow users to easily install, upgrade, and remove software packages, without having to know about their build procedure or dependencies. Guix also goes beyond this obvious set of features.
This chapter describes the main features of Guix, as well as the package management tools it provides.
|• Features:||How Guix will make your life brighter.|
|• Invoking guix package:||Package installation, removal, etc.|
|• Substitutes:||Downloading pre-built binaries.|
|• Packages with Multiple Outputs:||Single source package, multiple outputs.|
|• Invoking guix gc:||Running the garbage collector.|
|• Invoking guix pull:||Fetching the latest Guix and distribution.|
|• Invoking guix archive:||Exporting and importing store files.|
When using Guix, each package ends up in the package store, in its
own directory—something that resembles
xxx is a base32 string.
Instead of referring to these directories, users have their own
profile, which points to the packages that they actually want to
use. These profiles are stored within each user’s home directory, at
alice installs GCC 4.7.2. As a result,
/home/alice/.guix-profile/bin/gcc points to
/gnu/store/…-gcc-4.7.2/bin/gcc. Now, on the same machine,
bob had already installed GCC 4.8.0. The profile of
simply continues to point to
/gnu/store/…-gcc-4.8.0/bin/gcc—i.e., both versions of GCC
coexist on the same system without any interference.
guix package command is the central tool to manage
packages (see Invoking guix package). It operates on those per-user
profiles, and can be used with normal user privileges.
The command provides the obvious install, remove, and upgrade
operations. Each invocation is actually a transaction: either
the specified operation succeeds, or nothing happens. Thus, if the
guix package process is terminated during the transaction,
or if a power outage occurs during the transaction, then the user’s
profile remains in its previous state, and remains usable.
In addition, any package transaction may be rolled back. So, if, for example, an upgrade installs a new version of a package that turns out to have a serious bug, users may roll back to the previous instance of their profile, which was known to work well. Similarly, the global system configuration is subject to transactional upgrades and roll-back (see Using the Configuration System).
All those packages in the package store may be garbage-collected. Guix can determine which packages are still referenced by the user profiles, and remove those that are provably no longer referenced (see Invoking guix gc). Users may also explicitly remove old generations of their profile so that the packages they refer to can be collected.
Finally, Guix takes a purely functional approach to package management, as described in the introduction (see Introduction). Each /gnu/store package directory name contains a hash of all the inputs that were used to build that package—compiler, libraries, build scripts, etc. This direct correspondence allows users to make sure a given package installation matches the current state of their distribution. It also helps maximize build reproducibility: thanks to the isolated build environments that are used, a given build is likely to yield bit-identical files when performed on different machines (see container).
This foundation allows Guix to support transparent binary/source deployment. When a pre-built binary for a /gnu/store item is available from an external source—a substitute, Guix just downloads it and unpacks it; otherwise, it builds the package from source, locally (see Substitutes).
guix package command is the tool that allows users to
install, upgrade, and remove packages, as well as rolling back to
previous configurations. It operates only on the user’s own profile,
and works with normal user privileges (see Features). Its syntax
guix package options
Primarily, options specifies the operations to be performed during the transaction. Upon completion, a new profile is created, but previous generations of the profile remain available, should the user want to roll back.
For example, to remove
lua and install
guile-cairo in a single transaction:
guix package -r lua -i guile guile-cairo
For each user, a symlink to the user’s default profile is automatically
created in $HOME/.guix-profile. This symlink always points to the
current generation of the user’s default profile. Thus, users can add
$HOME/.guix-profile/bin to their
variable, and so on.
In a multi-user setup, user profiles must be stored in a place
registered as a garbage-collector root, which
$HOME/.guix-profile points to (see Invoking guix gc). That
directory is normally
localstatedir is the value passed to
--localstatedir, and user is the user name. It must be
root, with user as the owner. When it does not
exist, or is not owned by user,
guix package emits an
error about it.
The options can be among the following:
-i package …
Install the specified packages.
Each package may specify either a simple package name, such as
guile, or a package name followed by a hyphen and version number,
guile-1.8.8. If no version number is specified, the
newest available version will be selected. In addition, package
may contain a colon, followed by the name of one of the outputs of the
package, as in
(see Packages with Multiple Outputs). Packages with a corresponding
name (and optionally version) are searched for among the GNU
distribution modules (see Package Modules).
Sometimes packages have propagated inputs: these are dependencies that automatically get installed along with the required package.
An example is the GNU MPC library: its C header files refer to those of the GNU MPFR library, which in turn refer to those of the GMP library. Thus, when installing MPC, the MPFR and GMP libraries also get installed in the profile; removing MPC also removes MPFR and GMP—unless they had also been explicitly installed independently.
Besides, packages sometimes rely on the definition of environment
variables for their search paths (see explanation of
--search-paths below). Any missing or possibly incorrect
environment variable definitions are reported here.
Finally, when installing a GNU package, the tool reports the availability of a newer upstream version. In the future, it may provide the option of installing directly from the upstream version, even if that version is not yet in the distribution.
Install the package exp evaluates to.
exp must be a Scheme expression that evaluates to a
<package> object. This option is notably useful to disambiguate
between same-named variants of a package, with expressions such as
(@ (gnu packages base) guile-final).
Note that this option installs the first output of the specified package, which may be insufficient when needing a specific output of a multiple-output package.
-r package …
Remove the specified packages.
--install, each package may specify a version number
and/or output name in addition to the package name. For instance,
-r glibc:debug would remove the
debug output of
-u [regexp …]
Upgrade all the installed packages. If one or more regexps are specified, upgrade only installed packages whose name matches a regexp.
Note that this upgrades package to the latest version of packages found
in the distribution currently installed. To update your distribution,
you should regularly run
guix pull (see Invoking guix pull).
Roll back to the previous generation of the profile—i.e., undo the last transaction.
When combined with options such as
--install, roll back occurs
before any other actions.
When rolling back from the first generation that actually contains installed packages, the profile is made to point to the zeroth generation, which contains no files apart from its own meta-data.
Installing, removing, or upgrading packages from a generation that has been rolled back to overwrites previous future generations. Thus, the history of a profile’s generations is always linear.
Report environment variable definitions, in Bash syntax, that may be needed in order to use the set of installed packages. These environment variables are used to specify search paths for files used by some of the installed packages.
For example, GCC needs the
environment variables to be defined so it can look for headers and
libraries in the user’s profile (see Environment Variables in Using the GNU Compiler Collection (GCC)). If GCC and, say, the C
library are installed in the profile, then
suggest setting these variables to
Use profile instead of the user’s default profile.
Produce verbose output. In particular, emit the environment’s build log on the standard error port.
Use the bootstrap Guile to build the profile. This option is only useful to distribution developers.
In addition to these actions
guix package supports the
following options to query the current state of a profile, or the
availability of packages:
List the available packages whose synopsis or description matches
regexp. Print all the meta-data of matching packages in
recutils format (see GNU recutils databases in GNU recutils manual).
This allows specific fields to be extracted using the
command, for instance:
$ guix package -s malloc | recsel -p name,version name: glibc version: 2.17 name: libgc version: 7.2alpha6
Similarly, to show the name of all the packages available under the terms of the GNU LGPL version 3:
$ guix package -s "" | recsel -p name -e 'license ~ "LGPL 3"' name: elfutils name: gmp …
Show details about package, taken from the list of available packages, in
recutils format (see GNU recutils databases in GNU
$ guix package --show=python | recsel -p name,version name: python version: 2.7.6 name: python version: 3.3.5
You may also specify the full name of a package to only get details about a specific version of it:
$ guix package --show=python-3.3.5 | recsel -p name,version name: python version: 3.3.5
List the currently installed packages in the specified profile, with the most recently installed packages shown last. When regexp is specified, list only installed packages whose name matches regexp.
For each installed package, print the following items, separated by
tabs: the package name, its version string, the part of the package that
is installed (for instance,
out for the default output,
include for its headers, etc.), and the path of this package in
List packages currently available in the software distribution (see GNU Distribution). When regexp is specified, list only installed packages whose name matches regexp.
For each package, print the following items separated by tabs: its name, its version string, the parts of the package (see Packages with Multiple Outputs), and the source location of its definition.
Return a list of generations along with their creation dates; for each generation, show the installed packages, with the most recently installed packages shown last. Note that the zeroth generation is never shown.
For each installed package, print the following items, separated by tabs: the name of a package, its version string, the part of the package that is installed (see Packages with Multiple Outputs), and the location of this package in the store.
When pattern is used, the command returns only matching generations. Valid patterns include:
--list-generations=1returns the first one.
--list-generations=1,8,2 outputs three generations in the
specified order. Neither spaces nor trailing commas are allowed.
--list-generations=2..9prints the specified generations and everything in between. Note that the start of a range must be lesser than its end.
It is also possible to omit the endpoint. For example,
--list-generations=2.., returns all generations starting from the
--list-generations=20dlists generations that are up to 20 days old.
When pattern is omitted, delete all generations except the current one.
This command accepts the same patterns as --list-generations.
When pattern is specified, delete the matching generations. When
pattern specifies a duration, generations older than the
specified duration match. For instance,
deletes generations that are more than one month old.
If the current generation matches, it is deleted atomically—i.e., by switching to the previous available generation. Note that the zeroth generation is never deleted.
Note that deleting generations prevents roll-back to them. Consequently, this command must be used with care.
guix package may actually start build
processes, it supports all the common build options that
build supports (see common build options).
Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server. We call these pre-built items substitutes—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally.
Substitutes can be anything resulting from a derivation build (see Derivations). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result from derivation builds, can be available as substitutes.
hydra.gnu.org server is a front-end to a build farm that
builds packages from the GNU distribution continuously for some
architectures, and makes them available as substitutes.
To allow Guix to download substitutes from
must add its public key to the access control list (ACL) of archive
imports, using the
guix archive command (see Invoking guix archive). Doing so implies that you trust
hydra.gnu.org to not
be compromised and to serve genuine substitutes.
This public key is installed along with Guix, in
prefix/share/guix/hydra.gnu.org.pub, where prefix is
the installation prefix of Guix. If you installed Guix from source,
make sure you checked the GPG signature of
guix-0.7.tar.gz, which contains this public key file.
Then, you can run something like this:
# guix archive --authorize < hydra.gnu.org.pub
Once this is in place, the output of a command like
should change from something like:
$ guix build emacs --dry-run The following derivations would be built: /gnu/store/yr7bnx8xwcayd6j95r2clmkdl1qh688w-emacs-24.3.drv /gnu/store/x8qsh1hlhgjx6cwsjyvybnfv2i37z23w-dbus-1.6.4.tar.gz.drv /gnu/store/1ixwp12fl950d15h2cj11c73733jay0z-alsa-lib-22.214.171.124.tar.bz2.drv /gnu/store/nlma1pw0p603fpfiqy7kn4zm105r5dmw-util-linux-2.21.drv …
to something like:
$ guix build emacs --dry-run The following files would be downloaded: /gnu/store/pk3n22lbq6ydamyymqkkz7i69wiwjiwi-emacs-24.3 /gnu/store/2ygn4ncnhrpr61rssa6z0d9x22si0va3-libjpeg-8d /gnu/store/71yz6lgx4dazma9dwn2mcjxaah9w77jq-cairo-1.12.16 /gnu/store/7zdhgp0n1518lvfn8mb96sxqfmvqrl7v-libxrender-0.9.7 …
This indicates that substitutes from
hydra.gnu.org are usable and
will be downloaded, when possible, for future builds.
Guix ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL. It also detects and raises an error when attempting to use a substitute that has been tampered with.
The substitute mechanism can be disabled globally by running
--no-substitutes (see Invoking guix-daemon). It can also be disabled temporarily by passing the
--no-substitutes option to
build, and other command-line tools.
Today, each individual’s control over their own computing is at the
mercy of institutions, corporations, and groups with enough power and
determination to subvert the computing infrastructure and exploit its
weaknesses. While using
hydra.gnu.org substitutes can be
convenient, we encourage users to also build on their own, or even run
their own build farm, such that
hydra.gnu.org is less of an
Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems.
In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on firstname.lastname@example.org.
Often, packages defined in Guix have a single output—i.e., the
source package leads exactly one directory in the store. When running
guix package -i glibc, one installs the default output of the
GNU libc package; the default output is called
out, but its name
can be omitted as shown in this command. In this particular case, the
default output of
glibc contains all the C header files, shared
libraries, static libraries, Info documentation, and other supporting
Sometimes it is more appropriate to separate the various types of files
produced from a single source package into separate outputs. For
instance, the GLib C library (used by GTK+ and related packages)
installs more than 20 MiB of reference documentation as HTML pages.
To save space for users who do not need it, the documentation goes to a
separate output, called
doc. To install the main GLib output,
which contains everything but the documentation, one would run:
guix package -i glib
The command to install its documentation is:
guix package -i glib:doc
Some packages install programs with different “dependency footprints”. For instance, the WordNet package install both command-line tools and graphical user interfaces (GUIs). The former depend solely on the C library, whereas the latter depend on Tcl/Tk and the underlying X libraries. In this case, we leave the command-line tools in the default output, whereas the GUIs are in a separate output. This allows users who do not need the GUIs to save space.
There are several such multiple-output packages in the GNU distribution.
Other conventional output names include
lib for libraries and
possibly header files,
bin for stand-alone programs, and
debug for debugging information (see Installing Debugging Files). The outputs of a packages are listed in the third column of
the output of
guix package --list-available (see Invoking guix package).
Packages that are installed but not used may be garbage-collected.
guix gc command allows users to explicitly run the garbage
collector to reclaim space from the /gnu/store directory.
The garbage collector has a set of known roots: any file under
/gnu/store reachable from a root is considered live and
cannot be deleted; any other file is considered dead and may be
deleted. The set of garbage collector roots includes default user
profiles, and may be augmented with
guix build --root, for
example (see Invoking guix build).
Prior to running
guix gc --collect-garbage to make space, it is
often useful to remove old generations from user profiles; that way, old
package builds referenced by those generations can be reclaimed. This
is achieved by running
guix package --delete-generations
(see Invoking guix package).
guix gc command has three modes of operation: it can be
used to garbage-collect any dead files (the default), to delete specific
--delete option), or to print garbage-collector
information. The available options are listed below:
Collect garbage—i.e., unreachable /gnu/store files and sub-directories. This is the default operation when no option is specified.
When min is given, stop once min bytes have been collected.
min may be a number of bytes, or it may include a unit as a
suffix, such as
MiB for mebibytes and
GB for gigabytes.
When min is omitted, collect all the garbage.
Attempt to delete all the store files and directories specified as arguments. This fails if some of the files are not in the store, or if they are still live.
Show the list of dead files and directories still present in the store—i.e., files and directories no longer reachable from any root.
Show the list of live store files and directories.
In addition, the references among existing store files can be queried:
List the references (respectively, the referrers) of store files given as arguments.
List the requisites of the store files passed as arguments. Requisites include the store files themselves, their references, and the references of these, recursively. In other words, the returned list is the transitive closure of the store files.
Packages are installed or upgraded to the latest version available in
the distribution currently available on your local machine. To update
that distribution, along with the Guix tools, you must run
pull: the command downloads the latest Guix source code and package
descriptions, and deploys it.
guix package will use packages and package
versions from this just-retrieved copy of Guix. Not only that, but all
the Guix commands and Scheme modules will also be taken from that latest
guix sub-commands added by the update also
guix pull command is usually invoked with no arguments,
but it supports the following options:
Produce verbose output, writing build logs to the standard error output.
Download the source tarball of Guix from url.
By default, the tarball is taken from its canonical address at
gnu.org, for the stable branch of Guix.
Use the bootstrap Guile to build the latest Guix. This option is only useful to Guix developers.
guix archive command allows users to export files
from the store into a single archive, and to later import them.
In particular, it allows store files to be transferred from one machine
to another machine’s store. For example, to transfer the
package to a machine connected over SSH, one would run:
guix archive --export emacs | ssh the-machine guix archive --import
However, note that, in this example, all of
emacs and its
dependencies are transferred, regardless of what is already available in
the target machine’s store. The
--missing option can help figure
out which items are missing from the target’s store.
Archives are stored in the “Nix archive” or “Nar” format, which is comparable in spirit to ‘tar’, but with a few noteworthy differences that make it more appropriate for our purposes. First, rather than recording all Unix meta-data for each file, the Nar format only mentions the file type (regular, directory, or symbolic link); Unix permissions and owner/group are dismissed. Second, the order in which directory entries are stored always follows the order of file names according to the C locale collation order. This makes archive production fully deterministic.
When exporting, the daemon digitally signs the contents of the archive, and that digital signature is appended. When importing, the daemon verifies the signature and rejects the import in case of an invalid signature or if the signing key is not authorized.
The main options are:
Export the specified store files or packages (see below.) Write the resulting archive to the standard output.
Read an archive from the standard input, and import the files listed
therein into the store. Abort if the archive has an invalid digital
signature, or if it is signed by a public key not among the authorized
Read a list of store file names from the standard input, one per line, and write on the standard output the subset of these files missing from the store.
Generate a new key pair for the daemons. This is a prerequisite before
archives can be exported with
--export. Note that this operation
usually takes time, because it needs to gather enough entropy to
generate the key pair.
The generated key pair is typically stored under /etc/guix, in
signing-key.pub (public key) and signing-key.sec (private
key, which must be kept secret.) When parameters is omitted, it
is a 4096-bit RSA key. Alternately, parameters can specify
genkey parameters suitable for Libgcrypt (see
gcry_pk_genkey in The
Libgcrypt Reference Manual).
Authorize imports signed by the public key passed on standard input. The public key must be in “s-expression advanced format”—i.e., the same format as the signing-key.pub file.
The list of authorized keys is kept in the human-editable file /etc/guix/acl. The file contains “advanced-format s-expressions” and is structured as an access-control list in the Simple Public-Key Infrastructure (SPKI).
To export store files as an archive to the standard output, run:
guix archive --export options specifications...
specifications may be either store file names or package
specifications, as for
guix package (see Invoking guix package). For instance, the following command creates an archive
gui output of the
git package and the main
guix archive --export git:gui /gnu/store/...-emacs-24.3 > great.nar
If the specified packages are not built yet,
automatically builds them. The build process may be controlled with the
same options that can be passed to the
guix build command
(see common build options).
GNU Guix provides several Scheme programming interfaces (APIs) to define, build, and query packages. The first interface allows users to write high-level package definitions. These definitions refer to familiar packaging concepts, such as the name and version of a package, its build system, and its dependencies. These definitions can then be turned into concrete build actions.
Build actions are performed by the Guix daemon, on behalf of users. In a standard setup, the daemon has write access to the store—the /gnu/store directory—whereas users do not. The recommended setup also has the daemon perform builds in chroots, under a specific build users, to minimize interference with the rest of the system.
Lower-level APIs are available to interact with the daemon and the store. To instruct the daemon to perform a build action, users actually provide it with a derivation. A derivation is a low-level representation of the build actions to be taken, and the environment in which they should occur—derivations are to package definitions what assembly is to C programs. The term “derivation” comes from the fact that build results derive from them.
This chapter describes all these APIs in turn, starting from high-level package definitions.
|• Defining Packages:||Defining new packages.|
|• Build Systems:||Specifying how packages are built.|
|• The Store:||Manipulating the package store.|
|• Derivations:||Low-level interface to package derivations.|
|• The Store Monad:||Purely functional interface to the store.|
|• G-Expressions:||Manipulating build expressions.|
The high-level interface to package definitions is implemented in the
(guix packages) and
(guix build-system) modules. As an
example, the package definition, or recipe, for the GNU Hello
package looks like this:
(define-module (gnu packages hello) #:use-module (guix packages) #:use-module (guix download) #:use-module (guix build-system gnu) #:use-module (guix licenses)) (define hello (package (name "hello") (version "2.8") (source (origin (method url-fetch) (uri (string-append "mirror://gnu/hello/hello-" version ".tar.gz")) (sha256 (base32 "0wqd8sjmxfskrflaxywc7gqw7sfawrfvdxd9skxawzfgyy0pzdz6")))) (build-system gnu-build-system) (arguments `(#:configure-flags '("--enable-silent-rules"))) (inputs `(("gawk" ,gawk))) (synopsis "Hello, GNU world: An example GNU package") (description "Guess what GNU Hello prints!") (home-page "http://www.gnu.org/software/hello/") (license gpl3+)))
Without being a Scheme expert, the reader may have guessed the meaning
of the various fields here. This expression binds variable
<package> object, which is essentially a record
(see Scheme records in GNU Guile Reference Manual).
This package object can be inspected using procedures found in the
(guix packages) module; for instance,
In the example above, hello is defined into a module of its own,
(gnu packages hello). Technically, this is not strictly
necessary, but it is convenient to do so: all the packages defined in
(gnu packages …) are automatically known to
the command-line tools (see Package Modules).
There are a few points worth noting in the above package definition:
sourcefield of the package is an
<origin>object. Here, the
(guix download)is used, meaning that the source is a file to be downloaded over FTP or HTTP.
mirror://gnu prefix instructs
url-fetch to use one of
the GNU mirrors defined in
sha256 field specifies the expected SHA256 hash of the file
being downloaded. It is mandatory, and allows Guix to check the
integrity of the file. The
(base32 …) form introduces the
base32 representation of the hash. You can obtain this information with
guix download (see Invoking guix download) and
hash (see Invoking guix hash).
When needed, the
origin form can also have a
listing patches to be applied, and a
snippet field giving a
Scheme expression to modify the source code.
build-systemfield specifies the procedure to build the package (see Build Systems). Here, gnu-build-system represents the familiar GNU Build System, where packages may be configured, built, and installed with the usual
./configure && make && make check && make installcommand sequence.
argumentsfield specifies options for the build system (see Build Systems). Here it is interpreted by gnu-build-system as a request run configure with the
inputsfield specifies inputs to the build process—i.e., build-time or run-time dependencies of the package. Here, we define an input called
"gawk"whose value is that of the gawk variable; gawk is itself bound to a
Note that GCC, Coreutils, Bash, and other essential tools do not need to be specified as inputs here. Instead, gnu-build-system takes care of ensuring that they are present (see Build Systems).
However, any other dependencies need to be specified in the
inputs field. Any dependency not specified here will simply be
unavailable to the build process, possibly leading to a build failure.
Once a package definition is in place3, the
package may actually be built using the
guix build command-line
tool (see Invoking guix build). See Packaging Guidelines, for
more information on how to test package definitions.
Eventually, updating the package definition to a new upstream version
can be partly automated by the
guix refresh command
(see Invoking guix refresh).
Behind the scenes, a derivation corresponding to the
object is first computed by the
That derivation is stored in a
.drv file under /gnu/store.
The build actions it prescribes may then be realized by using the
build-derivations procedure (see The Store).
<derivation> object of package for system
package must be a valid
<package> object, and system
must be a string denoting the target system type—e.g.,
"x86_64-linux" for an x86_64 Linux-based GNU system. store
must be a connection to the daemon, which operates on the store
(see The Store).
Similarly, it is possible to compute a derivation that cross-builds a package for some other system:
<derivation> object of package cross-built from
system to target.
target must be a valid GNU triplet denoting the target hardware
and operating system, such as
(see GNU configuration triplets in GNU
Configure and Build System).
Each package definition specifies a build system and arguments for
that build system (see Defining Packages). This
field represents the build procedure of the package, as well implicit
dependencies of that build procedure.
Build systems are
<build-system> objects. The interface to
create and manipulate them is provided by the
module, and actual build systems are exported by specific modules.
Build systems accept an optional list of arguments. In package
definitions, these are passed via the
(see Defining Packages). They are typically keyword arguments
(see keyword arguments in Guile in GNU
Guile Reference Manual). The value of these arguments is usually
evaluated in the build stratum—i.e., by a Guile process launched
by the daemon (see Derivations).
The main build system is gnu-build-system, which implements the
standard build procedure for GNU packages and many other packages. It
is provided by the
(guix build-system gnu) module.
gnu-build-system represents the GNU Build System, and variants thereof (see configuration and makefile conventions in GNU Coding Standards).
In a nutshell, packages using it configured, built, and installed with
./configure && make && make check && make install
command sequence. In practice, a few additional steps are often needed.
All these steps are split up in separate phases,
Unpack the source tarball, and change the current directory to the extracted source tree. If the source is actually a directory, copy it to the build tree, and enter that directory.
Patch shebangs encountered in source files so they refer to the right
store file names. For instance, this changes
Run the configure script with a number of default options, such
--prefix=/gnu/store/…, as well as the options specified
make with the list of flags specified with
#:make-flags. If the
#:parallel-builds? argument is true
(the default), build with
make check, or some other target specified with
#:tests? #f is passed. If the
#:parallel-tests? argument is true (the default), run
make install with the flags listed in
Patch shebangs on the installed executable files.
Strip debugging symbols from ELF files (unless
is false), copying them to the
debug output when available
(see Installing Debugging Files).
The build-side module
(guix build gnu-build-system) defines
%standard-phases as the default list of build phases.
%standard-phases is a list of symbol/procedure pairs, where the
procedure implements the actual phase.
The list of phases used for a particular package can be changed with the
#:phases parameter. For instance, passing:
#:phases (alist-delete 'configure %standard-phases)
means that all the phases described above will be used, except the
In addition, this build system ensures that the “standard” environment
for GNU packages is available. This includes tools such as GCC, libc,
Coreutils, Bash, Make, Diffutils, grep, and sed (see the
build-system gnu) module for a complete list.) We call these the
implicit inputs of a package, because package definitions don’t
have to mention them.
<build-system> objects are defined to support other
conventions and tools used by free software packages. They inherit most
of gnu-build-system, and differ mainly in the set of inputs
implicitly added to the build process, and in the list of phases
executed. Some of these build systems are listed below.
This variable is exported by
(guix build-system cmake). It
implements the build procedure for packages using the
CMake build tool.
It automatically adds the
cmake package to the set of inputs.
Which package is used can be specified with the
This variable is exported by
(guix build-system python). It
implements the more or less standard build procedure used by Python
packages, which consists in running
python setup.py build and
python setup.py install --prefix=/gnu/store/….
For packages that install stand-alone Python programs under
it takes care of wrapping these programs so their
environment variable points to all the Python libraries they depend on.
Which Python package is used can be specified with the
This variable is exported by
(guix build-system perl). It
implements the standard build procedure for Perl packages, which
consists in running
perl Makefile.PL PREFIX=/gnu/store/…,
perl Makefile.PL invocation passes flags specified by
Which Perl package is used can be specified with
Lastly, for packages that do not need anything as sophisticated, a “trivial” build system is provided. It is trivial in the sense that it provides basically no support: it does not pull any implicit inputs, and does not have a notion of build phases.
This variable is exported by
(guix build-system trivial).
This build system requires a
#:builder argument. This argument
must be a Scheme expression that builds the package’s output(s)—as
Conceptually, the store is where derivations that have been successfully built are stored—by default, under /gnu/store. Sub-directories in the store are referred to as store paths. The store has an associated database that contains information such has the store paths referred to by each store path, and the list of valid store paths—paths that result from a successful build.
The store is always accessed by the daemon on behalf of its clients (see Invoking guix-daemon). To manipulate the store, clients connect to the daemon over a Unix-domain socket, send it requests, and read the result—these are remote procedure calls, or RPCs.
(guix store) module provides procedures to connect to the
daemon, and to perform RPCs. These are described below.
Connect to the daemon over the Unix-domain socket at file. When reserve-space? is true, instruct it to reserve a little bit of extra space on the file system so that the garbage collector can still operate, should the disk become full. Return a server object.
file defaults to %default-socket-path, which is the normal
location given the options that were passed to
Close the connection to server.
This variable is bound to a SRFI-39 parameter, which refers to the port where build and error logs sent by the daemon should be written.
Procedures that make RPCs all take a server object as their first argument.
#t when path is a valid store path.
Add text under file name in the store, and return its store path. references is the list of store paths referred to by the resulting store path.
Build derivations (a list of
<derivation> objects or
derivation paths), and return when the worker is done building them.
#t on success.
Note that the
(guix monads) module provides a monad as well as
monadic versions of the above procedures, with the goal of making it
more convenient to work with code that accesses the store (see The Store Monad).
This section is currently incomplete.
Low-level build actions and the environment in which they are performed are represented by derivations. A derivation contain the following pieces of information:
Derivations allow clients of the daemon to communicate build actions to
the store. They exist in two forms: as an in-memory representation,
both on the client- and daemon-side, and as files in the store whose
name end in
.drv—these files are referred to as derivation
paths. Derivations paths can be passed to the
procedure to perform the build actions they prescribe (see The Store).
(guix derivations) module provides a representation of
derivations as Scheme objects, along with procedures to create and
otherwise manipulate derivations. The lowest-level primitive to create
a derivation is the
Build a derivation with the given arguments, and return the resulting
When hash and hash-algo are given, a fixed-output derivation is created—i.e., one whose result is known in advance, such as a file download. If, in addition, recursive? is true, then that fixed output may be an executable file or a directory and hash must be the hash of an archive containing this output.
When references-graphs is true, it must be a list of file name/store path pairs. In that case, the reference graph of each store path is exported in the build environment in the corresponding file, in a simple text format.
When allowed-references is true, it must be a list of store items or outputs that the derivation’s output may refer to.
When local-build? is true, declare that the derivation is not a good candidate for offloading and should rather be built locally (see Daemon Offload Setup). This is the case for small derivations where the costs of data transfers would outweigh the benefits.
Here’s an example with a shell script as its builder, assuming store is an open connection to the daemon, and bash points to a Bash executable in the store:
(use-modules (guix utils) (guix store) (guix derivations)) (let ((builder ; add the Bash script to the store (add-text-to-store store "my-builder.sh" "echo hello world > $out\n" '()))) (derivation store "foo" bash `("-e" ,builder) #:inputs `((,bash) (,builder)) #:env-vars '(("HOME" . "/homeless")))) ⇒ #<derivation /gnu/store/…-foo.drv => /gnu/store/…-foo>
As can be guessed, this primitive is cumbersome to use directly. A
better approach is to write build scripts in Scheme, of course! The
best course of action for that is to write the build code as a
“G-expression”, and to pass it to
gexp->derivation. For more
information, see G-Expressions.
Once upon a time,
gexp->derivation did not exist and constructing
derivations with build code written in Scheme was achieved with
build-expression->derivation, documented below. This procedure
is now deprecated in favor of the much nicer
Return a derivation that executes Scheme expression exp as a
builder for derivation name. inputs must be a list of
(name drv-path sub-drv) tuples; when sub-drv is omitted,
"out" is assumed. modules is a list of names of Guile
modules from the current search path to be copied in the store,
compiled, and made available in the load path during the execution of
((guix build utils) (guix build
exp is evaluated in an environment where
%outputs is bound
to a list of output/path pairs, and where
%build-inputs is bound
to a list of string/output-path pairs made from inputs.
Optionally, env-vars is a list of string pairs specifying the name
and value of environment variables visible to the builder. The builder
terminates by passing the result of exp to
exit; thus, when
#f, the build is considered to have failed.
exp is built using guile-for-build (a derivation). When
guile-for-build is omitted or is
#f, the value of the
%guile-for-build fluid is used instead.
derivation procedure for the meaning of
references-graphs, allowed-references, and local-build?.
Here’s an example of a single-output derivation that creates a directory containing one file:
(let ((builder '(let ((out (assoc-ref %outputs "out"))) (mkdir out) ; create /gnu/store/…-goo (call-with-output-file (string-append out "/test") (lambda (p) (display '(hello guix) p)))))) (build-expression->derivation store "goo" builder)) ⇒ #<derivation /gnu/store/…-goo.drv => …>
The procedures that operate on the store described in the previous sections all take an open connection to the build daemon as their first argument. Although the underlying model is functional, they either have side effects or depend on the current state of the store.
The former is inconvenient: the connection to the build daemon has to be carried around in all those functions, making it impossible to compose functions that do not take that parameter with functions that do. The latter can be problematic: since store operations have side effects and/or depend on external state, they have to be properly sequenced.
This is where the
(guix monads) module comes in. This module
provides a framework for working with monads, and a particularly
useful monad for our uses, the store monad. Monads are a
construct that allows two things: associating “context” with values
(in our case, the context is the store), and building sequences of
computations (here computations includes accesses to the store.) Values
in a monad—values that carry this additional context—are called
monadic values; procedures that return such values are called
Consider this “normal” procedure:
(define (sh-symlink store) ;; Return a derivation that symlinks the 'bash' executable. (let* ((drv (package-derivation store bash)) (out (derivation->output-path drv)) (sh (string-append out "/bin/bash"))) (build-expression->derivation store "sh" `(symlink ,sh %output))))
(guix monads), it may be rewritten as a monadic function:
(define (sh-symlink) ;; Same, but return a monadic value. (gexp->derivation "sh" #~(symlink (string-append #$bash "/bin/bash") #$output)))
There are two things to note in the second version: the
parameter is now implicit, and the monadic value returned by
package-file—a wrapper around
derivation->output-path—is bound using
instead of plain
Calling the monadic
profile.sh has no effect. To get the desired
effect, one must use
(run-with-store (open-connection) (profile.sh)) ⇒ /gnu/store/...-profile.sh
The main syntactic forms to deal with monads in general are described below.
return forms in body as being
Return a monadic value that encapsulates val.
Bind monadic value mval, passing its “contents” to monadic procedure mproc5.
Bind the variables var to the monadic values mval in
body. The form (var -> val) binds var to the
“normal” value val, as per
mlet* is to
let* is to
(see Local Bindings in GNU Guile Reference Manual).
The interface to the store monad provided by
(guix monads) is as
The store monad. Values in the store monad encapsulate accesses to the
store. When its effect is needed, a value of the store monad must be
“evaluated” by passing it to the
run-with-store procedure (see
Run mval, a monadic value in the store monad, in store, an open store connection.
Return as a monadic value the absolute file name in the store of the file containing text, a string.
Return as a monadic value a derivation that builds a text file containing all of text. text may list, in addition to strings, packages, derivations, and store file names; the resulting store file holds references to all these.
This variant should be preferred over
text-file anytime the file
to create will reference items from the store. This is typically the
case when building a configuration file that embeds store file names,
(define (profile.sh) ;; Return the name of a shell script in the store that ;; initializes the 'PATH' environment variable. (text-file* "profile.sh" "export PATH=" coreutils "/bin:" grep "/bin:" sed "/bin\n"))
In this example, the resulting /gnu/store/…-profile.sh file will references coreutils, grep, and sed, thereby preventing them from being garbage-collected during its lifetime.
Return the name of file once interned in the store. Use name as its store name, or the basename of file if name is omitted.
When recursive? is true, the contents of file are added recursively; if file designates a flat file and recursive? is true, its contents are added, and its permission bits are kept.
The example below adds a file to the store, under two different names:
(run-with-store (open-connection) (mlet %store-monad ((a (interned-file "README")) (b (interned-file "README" "LEGU-MIN"))) (return (list a b)))) ⇒ ("/gnu/store/rwm…-README" "/gnu/store/44i…-LEGU-MIN")
value in the absolute file name of file within the output directory of package. When file is omitted, return the name of the output directory of package.
Monadic version of
package-derivation (see Defining Packages).
So we have “derivations”, which represent a sequence of build actions to be performed to produce an item in the store (see Derivations). Those build actions are performed when asking the daemon to actually build the derivations; they are run by the daemon in a container (see Invoking guix-daemon).
It should come as no surprise that we like to write those build actions
in Scheme. When we do that, we end up with two strata of Scheme
code6: the “host code”—code that defines packages, talks
to the daemon, etc.—and the “build code”—code that actually
performs build actions, such as making directories, invoking
To describe a derivation and its build actions, one typically needs to
embed build code inside host code. It boils down to manipulating build
code as data, and Scheme’s homoiconicity—code has a direct
representation as data—comes in handy for that. But we need more than
quasiquote mechanism to construct build
(guix gexp) module implements G-expressions, a form of
S-expressions adapted to build expressions. G-expressions, or
gexps, consist essentially in three syntactic forms:
ungexp-splicing (or simply:
#$@), which are comparable respectively to
quasiquote in GNU Guile
Reference Manual). However, there are major differences:
To illustrate the idea, here is an example of a gexp:
(define build-exp #~(begin (mkdir #$output) (chdir #$output) (symlink (string-append #$coreutils "/bin/ls") "list-files")))
This gexp can be passed to
gexp->derivation; we obtain a
derivation that builds a directory containing exactly one symlink to
(gexp->derivation "the-thing" build-exp)
As one would expect, the
"/gnu/store/…-coreutils-8.22" string is
substituted to the reference to the coreutils package in the
actual build code, and coreutils is automatically made an input to
the derivation. Likewise,
#$output (equivalent to
output)) is replaced by a string containing the derivation’s output
directory name. The syntactic form to construct gexps is summarized
Return a G-expression containing exp. exp may contain one or more of the following forms:
Introduce a reference to obj. obj may be a package or a
derivation, in which case the
ungexp form is replaced by its
output file name—e.g.,
If obj is a list, it is traversed and any package or derivation references are substituted similarly.
If obj is another gexp, its contents are inserted and its dependencies are added to those of the containing gexp.
If obj is another kind of object, it is inserted as is.
(ungexp package-or-derivation output)
This is like the form above, but referring explicitly to the output of package-or-derivation—this is useful when package-or-derivation produces multiple outputs (see Packages with Multiple Outputs).
(ungexp output [output])
Insert a reference to derivation output output, or to the main output when output is omitted.
This only makes sense for gexps passed to
Like the above, but splices the contents of lst inside the containing list.
G-expressions created by
#~ are run-time objects
gexp? type (see below.)
#t if obj is a G-expression.
G-expressions are meant to be written to disk, either as code building some derivation, or as plain files in the store. The monadic procedures below allow you to do that (see The Store Monad, for more information about monads.)
Return a derivation name that runs exp (a gexp) with guile-for-build (a derivation) on system.
Make modules available in the evaluation context of EXP;
MODULES is a list of names of Guile modules from the current
search path to be copied in the store, compiled, and made available in
the load path during the execution of exp—e.g.,
build utils) (guix build gnu-build-system)).
The other arguments are as for
derivation (see Derivations).
Return an executable script name that runs exp using guile with modules in its search path.
The example below builds a script that simply invokes the
(use-modules (guix gexp) (gnu packages base)) (gexp->script "list-files" #~(execl (string-append #$coreutils "/bin/ls") "ls"))
When “running” it through the store (see
run-with-store), we obtain a derivation that produces an
executable file /gnu/store/…-list-files along these lines:
#!/gnu/store/…-guile-2.0.11/bin/guile -ds !# (execl (string-append "/gnu/store/…-coreutils-8.22"/bin/ls") "ls")
Return a derivation that builds a file name containing exp.
The resulting file holds references to all the dependencies of exp or a subset thereof.
Of course, in addition to gexps embedded in “host” code, there are
also modules containing build tools. To make it clear that they are
meant to be used in the build stratum, these modules are kept in the
(guix build …) name space.
This section describes tools primarily targeted at developers and users who write new package definitions. They complement the Scheme programming interface of Guix in a convenient way.
|• Invoking guix build:||Building packages from the command line.|
|• Invoking guix download:||Downloading a file and printing its hash.|
|• Invoking guix hash:||Computing the cryptographic hash of a file.|
|• Invoking guix refresh:||Updating package definitions.|
guix build command builds packages or derivations and
their dependencies, and prints the resulting store paths. Note that it
does not modify the user’s profile—this is the job of the
guix package command (see Invoking guix package). Thus,
it is mainly useful for distribution developers.
The general syntax is:
guix build options package-or-derivation…
package-or-derivation may be either the name of a package found in
the software distribution such as
coreutils-8.20, or a derivation such as
/gnu/store/…-coreutils-8.19.drv. In the former case, a
package with the corresponding name (and optionally version) is searched
for among the GNU distribution modules (see Package Modules).
--expression option may be used to specify a
Scheme expression that evaluates to a package; this is useful when
disambiguation among several same-named packages or package variants is
The options may be zero or more of the following:
Build the package or derivation expr evaluates to.
For example, expr may be
(@ (gnu packages guile)
guile-1.8), which unambiguously designates this specific variant of
version 1.8 of Guile.
Alternately, expr may be a G-expression, in which case it is used
as a build program passed to
Lastly, expr may refer to a zero-argument monadic procedure
(see The Store Monad). The procedure must return a derivation as a
monadic value, which is then passed through
Build the packages’ source derivations, rather than the packages themselves.
guix build -S gcc returns something like
/gnu/store/…-gcc-4.7.2.tar.bz2, which is GCC’s source tarball.
The returned source tarball is the result of applying any patches and
code snippets specified in the package’s
origin (see Defining Packages).
Attempt to build for system—e.g.,
the host’s system type.
An example use of this is on Linux-based systems, which can emulate
different personalities. For instance, passing
--system=i686-linux on an
x86_64-linux system allows users
to build packages in a complete 32-bit environment.
Cross-build for triplet, which must be a valid GNU triplet, such
"mips64el-linux-gnu" (see GNU
configuration triplets in GNU Configure and Build System).
Use source as the source of the corresponding package.
source must be a file name or a URL, as for
download (see Invoking guix download).
The “corresponding package” is taken to be one specified on the
command line whose name matches the base of source—e.g., if
/src/guile-2.0.10.tar.gz, the corresponding
guile. Likewise, the version string is inferred from
source; in the previous example, it’s
This option allows users to try out versions of packages other than the
one provided by the distribution. The example below downloads
ed-1.7.tar.gz from a GNU mirror and uses that as the source for
guix build ed --with-source=mirror://gnu/ed/ed-1.7.tar.gz
As a developer,
--with-source makes it easy to test release
guix build guile --with-source=../guile-126.96.36.199-e1bb7.tar.xz
Return the derivation paths, not the output paths, of the given packages.
Make file a symlink to the result, and register it as a garbage collector root.
Return the build log file names for the given package-or-derivations, or raise an error if build logs are missing.
This works regardless of how packages or derivations are specified. For instance, the following invocations are equivalent:
guix build --log-file `guix build -d guile` guix build --log-file `guix build guile` guix build --log-file guile guix build --log-file -e '(@ (gnu packages guile) guile-2.0)'
In addition, a number of options that control the build process are
guix build and other commands that can spawn builds,
guix package or
guix archive. These are the
Keep the build tree of failed builds. Thus, if a build fail, its build tree is kept under /tmp, in a directory whose name is shown at the end of the build log. This is useful when debugging build issues.
Do not build the derivations.
When substituting a pre-built binary fails, fall back to building packages locally.
Do not use substitutes for build products. That is, always build things locally instead of allowing downloads of pre-built binaries (see Substitutes).
Do not attempt to offload builds via the daemon’s “build hook” (see Daemon Offload Setup). That is, always build things locally instead of offloading builds to remote machines.
When the build or substitution process remains silent for more than seconds, terminate it and report a build failure.
Likewise, when the build or substitution process lasts for more than seconds, terminate it and report a build failure.
By default there is no timeout. This behavior can be restored with
Use the given verbosity level. level must be an integer between 0 and 5; higher means more verbose output. Setting a level of 4 or more may be helpful when debugging setup issues with the build daemon.
Allow the use of up to n CPU cores for the build. The special
0 means to use as many CPU cores as available.
Behind the scenes,
guix build is essentially an interface to
package-derivation procedure of the
module, and to the
build-derivations procedure of the
When writing a package definition, developers typically need to download
the package’s source tarball, compute its SHA256 hash, and write that
hash in the package definition (see Defining Packages). The
guix download tool helps with this task: it downloads a file
from the given URI, adds it to the store, and prints both its file name
in the store and its SHA256 hash.
The fact that the downloaded file is added to the store saves bandwidth:
when the developer eventually tries to build the newly defined package
guix build, the source tarball will not have to be
downloaded again because it is already in the store. It is also a
convenient way to temporarily stash files, which may be deleted
eventually (see Invoking guix gc).
guix download command supports the same URIs as used in
package definitions. In particular, it supports
https URIs (HTTP over TLS) are supported provided the
Guile bindings for GnuTLS are available in the user’s environment; when
they are not available, an error is raised.
The following option is available:
Write the hash in the format specified by fmt. For more information on the valid values for fmt, Invoking guix hash.
guix hash command computes the SHA256 hash of a file.
It is primarily a convenience tool for anyone contributing to the
distribution: it computes the cryptographic hash of a file, which can be
used in the definition of a package (see Defining Packages).
The general syntax is:
guix hash option file
guix hash has the following option:
Write the hash in the format specified by fmt.
hexadecimal can be used as well).
If the --format option is not specified,
will output the hash in
nix-base32. This representation is used
in the definitions of packages.
Compute the hash on file recursively.
In this case, the hash is computed on an archive containing file, including its children if it is a directory. Some of file’s meta-data is part of the archive; for instance, when file is a regular file, the hash is different depending on whether file is executable or not. Meta-data such as time stamps has no impact on the hash (see Invoking guix archive).
The primary audience of the
guix refresh command is developers
of the GNU software distribution. By default, it reports any packages
provided by the distribution that are outdated compared to the latest
upstream version, like this:
$ guix refresh gnu/packages/gettext.scm:29:13: gettext would be upgraded from 0.18.1.1 to 0.18.2.1 gnu/packages/glib.scm:77:12: glib would be upgraded from 2.34.3 to 2.37.0
It does so by browsing each package’s FTP directory and determining the highest version number of the source tarballs therein7.
--update, it modifies distribution source files to
update the version numbers and source tarball hashes of those packages’
recipes (see Defining Packages). This is achieved by downloading
each package’s latest source tarball and its associated OpenPGP
signature, authenticating the downloaded tarball against its signature
gpg, and finally computing its hash. When the public
key used to sign the tarball is missing from the user’s keyring, an
attempt is made to automatically retrieve it from a public key server;
when it’s successful, the key is added to the user’s keyring; otherwise,
guix refresh reports an error.
The following options are supported:
Update distribution source files (package recipes) in place. Defining Packages, for more information on package definitions.
Select all the packages in subset, one of
core subset refers to all the packages at the core of the
distribution—i.e., packages that are used to build “everything
else”. This includes GCC, libc, Binutils, Bash, etc. Usually,
changing one of these packages in the distribution entails a rebuild of
all the others. Thus, such updates are an inconvenience to users in
terms of build time or bandwidth used to achieve the upgrade.
non-core subset refers to the remaining packages. It is
typically useful in cases where an update of the core packages would be
guix refresh can be passed one or more package
names, as in this example:
guix refresh -u emacs idutils
The command above specifically updates the
idutils packages. The
--select option would have no
effect in this case.
When considering whether to upgrade a package, it is sometimes
convenient to know which packages would be affected by the upgrade and
should be checked for compatibility. For this the following option may
be used when passing
guix refresh one or more package names:
List top-level dependent packages that would need to be rebuilt as a result of upgrading one or more packages.
Be aware that the
--list-dependent option only
approximates the rebuilds that would be required as a result of
an upgrade. More rebuilds might be required under some circumstances.
$ guix refresh --list-dependent flex Building the following 120 packages would ensure 213 dependent packages are rebuilt: hop-2.4.0 geiser-0.4 notmuch-0.18 mu-0.9.9.5 cflow-1.4 idutils-4.6 …
The command above lists a set of packages that could be built to check
for compatibility with an upgraded
The following options can be used to customize GnuPG operation:
Use host as the OpenPGP key server when importing a public key.
Use command as the GnuPG 2.x command. command is searched
Guix comes with a distribution of free software8 that forms the basis of the GNU system. This
includes core GNU packages such as GNU libc, GCC, and Binutils, as well
as many GNU and non-GNU applications. The complete list of available
packages can be browsed
on-line or by
guix package (see Invoking guix package):
guix package --list-available
Our goal is to build a practical 100% free software distribution of Linux-based and other variants of GNU, with a focus on the promotion and tight integration of GNU components, and an emphasis on programs and tools that help users exert that freedom.
The GNU distribution is currently available on the following platforms:
x86_64 architecture, Linux-Libre kernel;
Intel 32-bit architecture (IA32), Linux-Libre kernel;
little-endian 64-bit MIPS processors, specifically the Loongson series, n32 application binary interface (ABI), and Linux-Libre kernel.
For information on porting to other architectures or kernels, See Porting.
|• System Installation:||Installing the whole operating system.|
|• System Configuration:||Configuring a GNU system.|
|• Installing Debugging Files:||Feeding the debugger.|
|• Package Modules:||Packages from the programmer’s viewpoint.|
|• Packaging Guidelines:||Growing the distribution.|
|• Bootstrapping:||GNU/Linux built from scratch.|
|• Porting:||Targeting another platform or kernel.|
Building this distribution is a cooperative effort, and you are invited to join! Contributing, for information about how you can help.
This section explains how to install the complete GNU operating system on a machine. The Guix package manager can also be installed on top of a running GNU/Linux system, see Installation.
As of version 0.7, GNU Guix and the GNU system distribution are alpha software. It may contain bugs and lack important features. Thus, if you are looking for a stable production system that respects your freedom as a computer user, a good solution at this point is to consider one of more established GNU/Linux distributions. We hope you can soon switch to the GNU system without fear, of course. In the meantime, you can also keep using your distribution and try out the package manager on top of it (see Installation).
Before you proceed with the installation, be aware of the following noteworthy limitations applicable to version 0.7:
You’ve been warned. But more than a disclaimer, this is an invitation to report issues (and success stories!), and join us in improving it. See Contributing, for more info.
An installation image for USB sticks can be downloaded from ftp://alpha.gnu.org/gnu/guix/gnu-usb-install-0.7.system.xz, where system is one of:
for a GNU/Linux system on Intel/AMD-compatible 64-bit CPUs;
for a 32-bit GNU/Linux system on Intel-compatible CPUs.
This image contains a single partition with the tools necessary for an installation. It is meant to be copied as is to a large-enough USB stick.
To copy the image to a USB stick, follow these steps:
xz -d gnu-usb-install-0.7.system.xz
dd if=gnu-usb-install-0.7.x86_64 of=/dev/sdX
Access to /dev/sdX usually requires root privileges.
Once this is done, you should be able to reboot the system and boot from the USB stick. The latter usually requires you to get in the BIOS’ boot menu, where you can choose to boot from the USB stick.
Once you have successfully booted the image on the USB stick, you should end up with a root prompt. Several console TTYs are configured and can be used to run commands as root. TTY2 shows this documentation, browsable using the Info reader commands (see Help in Info: An Introduction).
To install the system, you would:
dhclient eth0(to get an automatically assigned IP address from the wired network interface controller), or using the
The system automatically loads drivers for your network interface controllers.
Setting up network access is almost always a requirement because the image does not contain all the software and tools that may be needed.
Preferably, assign partitions a label so that you can easily and
reliably refer to them in
file-system declarations (see File Systems). This is typically done using the
-L option of
mkfs.ext4 and related commands.
The installation image includes Parted (see Overview in GNU
Parted User Manual),
fdisk, and e2fsprogs, the suite of tools
to manipulate ext2/ext3/ext4 file systems.
deco start cow-store /mnt.
This will make /gnu/store copy-on-write, such that packages added to it during the installation phase will be written to the target disk rather than kept in memory.
With the target partitions ready, you now have to edit a file and provide the declaration of the operating system to be installed. To that end, the installation system comes with two text editors: GNU nano (see GNU nano Manual), and GNU Zile, an Emacs clone. It is better to store that file on the target root file system, say, as /mnt/etc/config.scm.
A minimal operating system configuration, with just the bare minimum and only a root account would look like this (on the installation system, this example is available as /etc/configuration-template.scm):
;; This is an operating system configuration template. (use-modules (gnu)) (operating-system (host-name "antelope") (timezone "Europe/Paris") (locale "en_US.UTF-8") ;; Assuming /dev/sdX is the target hard disk, and "root" is ;; the label of the target root file system. (bootloader (grub-configuration (device "/dev/sdX"))) (file-systems (cons (file-system (device "root") (title 'label) (mount-point "/") (type "ext4")) %base-file-systems)) ;; This is where user accounts are specified. The "root" ;; account is implicit, and is initially created with the ;; empty password. (users (list (user-account (name "alice") (comment "Bob's sister") (group "users") ;; Adding the account to the "wheel" group ;; makes it a sudoer. (supplementary-groups '("wheel")) (home-directory "/home/alice")))))
For more information on
see Using the Configuration System.
Once that is done, the new system must be initialized (remember that the target root file system is mounted under /mnt):
guix system init /mnt/etc/config.scm /mnt
This will copy all the necessary files, and install GRUB on /dev/sdX, unless you pass the --no-grub option. For more information, see Invoking guix system. This command may trigger downloads or builds of missing packages, which can take some time.
Once that command has completed—and hopefully succeeded!—you can
unmount /mnt and boot into the new system. Cross fingers, and
join us on
#guix on the Freenode IRC network or on
email@example.com to share your experience—good or not so
The installation image described above was built using the
system command, specifically:
guix system disk-image --image-size=800MiB gnu/system/install.scm
See Invoking guix system, for more information. See gnu/system/install.scm in the source tree for more information about the installation image.
The GNU system supports a consistent whole-system configuration mechanism. By that we mean that all aspects of the global system configuration—such as the available system services, timezone and locale settings, user accounts—are declared in a single place. Such a system configuration can be instantiated—i.e., effected.
One of the advantages of putting all the system configuration under the control of Guix is that it supports transactional system upgrades, and makes it possible to roll-back to a previous system instantiation, should something go wrong with the new one (see Features). Another one is that it makes it easy to replicate the exact same configuration across different machines, or at different points in time, without having to resort to additional administration tools layered on top of the system’s own tools.
This section describes this mechanism. First we focus on the system administrator’s viewpoint—explaining how the system is configured and instantiated. Then we show how this mechanism can be extended, for instance to support new system services.
|• Using the Configuration System:||Customizing your GNU system.|
|• File Systems:||Configuring file system mounts.|
|• User Accounts:||Specifying user accounts.|
|• Services:||Specifying system services.|
|• Setuid Programs:||Programs running with root privileges.|
|• Initial RAM Disk:||Linux-Libre bootstrapping.|
|• Invoking guix system:||Instantiating a system configuration.|
|• Defining Services:||Adding new service definitions.|
The operating system is configured by providing an
operating-system declaration in a file that can then be passed to
guix system command (see Invoking guix system). A
simple setup, with the default system services, the default Linux-Libre
kernel, initial RAM disk, and boot loader looks like this:
(use-modules (gnu) ; for 'user-account', '%base-services', etc. (gnu packages emacs) ; for 'emacs' (gnu services ssh)) ; for 'lsh-service' (operating-system (host-name "komputilo") (timezone "Europe/Paris") (locale "fr_FR.UTF-8") (bootloader (grub-configuration (device "/dev/sda"))) (file-systems (cons (file-system (device "/dev/sda1") ; or partition label (mount-point "/") (type "ext3")) %base-file-systems)) (users (list (user-account (name "alice") (password "") (uid 1000) (group 100) (comment "Bob's sister") (home-directory "/home/alice")))) (packages (cons emacs %base-packages)) (services (cons (lsh-service #:port 2222 #:allow-root-login? #t) %base-services)))
This example should be self-describing. Some of the fields defined
above, such as
bootloader, are mandatory.
Others, such as
services, can be omitted, in
which case they get a default value.
packages field lists
packages that will be globally visible on the system, for all user
accounts—i.e., in every user’s
PATH environment variable—in
addition to the per-user profiles (see Invoking guix package). The
%base-packages variable provides all the tools one would expect
for basic user and administrator tasks—including the GNU Core
Utilities, the GNU Networking Utilities, the GNU Zile lightweight text
grep, etc. The example above adds
Emacs to those, taken from the
(gnu packages emacs) module
(see Package Modules).
services field lists system services to be made
available when the system starts (see Services).
operating-system declaration above specifies that, in
addition to the basic services, we want the
lshd secure shell
daemon listening on port 2222, and allowing remote
(see Invoking lshd in GNU lsh Manual). Under the hood,
lsh-service arranges so that
lshd is started with the
right command-line options, possibly with supporting configuration files
generated as needed (see Defining Services).
Assuming the above snippet is stored in the my-system-config.scm
guix system reconfigure my-system-config.scm command
instantiates that configuration, and makes it the default GRUB boot
entry (see Invoking guix system). The normal way to change the
system’s configuration is by updating this file and re-running the
guix system command.
At the Scheme level, the bulk of an
is instantiated with the following monadic procedure (see The Store Monad):
Return a derivation that builds os, an
object (see Derivations).
The output of the derivation is a single directory that refers to all the packages, configuration files, and other supporting files needed to instantiate os.
The list of file systems to be mounted is specified in the
file-systems field of the operating system’s declaration
(see Using the Configuration System). Each file system is declared
file-system form, like this:
(file-system (mount-point "/home") (device "/dev/sda3") (type "ext4"))
As usual, some of the fields are mandatory—those shown in the example above—while others can be omitted. These are described below.
Objects of this type represent file systems to be mounted. They contain the following members:
This is a string specifying the type of the file system—e.g.,
This designates the place where the file system is to be mounted.
This names the “source” of the file system. By default it is the name
of a node under /dev, but its meaning depends on the
field described below.
This is a symbol that specifies how the
device field is to be
When it is the symbol
device, then the
device field is
interpreted as a file name; when it is
is interpreted as a partition label name; when it is
device is interpreted as a partition unique identifier (UUID).
uuid options offer a way to refer to disk
partitions without having to hard-code their actual device name.
This is a list of symbols denoting mount flags. Recognized flags
access to special files),
no-suid (ignore setuid and setgid
no-exec (disallow program execution.)
This is either
#f, or a string denoting mount options.
This Boolean value indicates whether the file system is needed when booting. If that is true, then the file system is mounted when the initial RAM disk (initrd) is loaded. This is always the case, for instance, for the root file system.
This Boolean indicates whether the file system needs to be checked for errors before being mounted.
When true, the mount point is created if it does not exist yet.
(gnu system file-systems) exports the following useful
These are essential file systems that are required on normal systems, such as %devtmpfs-file-system (see below.) Operating system declarations should always contain at least these.
devtmpfs file system to be mounted on /dev. This is a
requirement for udev (see
This is the file system to be mounted as /dev/pts. It supports
pseudo-terminals created via
openpty and similar
functions (see Pseudo-Terminals in The GNU C Library Reference
Manual). Pseudo-terminals are used by terminal emulators such as
This file system is mounted as /dev/shm and is used to support
memory sharing across processes (see
shm_open in The GNU C Library Reference Manual).
binfmt_misc file system, which allows handling of arbitrary
executable file types to be delegated to user space. This requires the
binfmt.ko kernel module to be loaded.
fusectl file system, which allows unprivileged users to mount
and unmount user-space FUSE file systems. This requires the
fuse.ko kernel module to be loaded.
User accounts are specified with the
(user-account (name "alice") (group "users") (supplementary-groups '("wheel")) ; allow use of sudo, etc. (comment "Bob's sister") (home-directory "/home/alice"))
Objects of this type represent user accounts. The following members may be specified:
The name of the user account.
This is the name (a string) or identifier (a number) of the user group this account belongs to.
Optionally, this can be defined as a list of group names that this account belongs to.
This is the user ID for this account (a number), or
#f. In the
latter case, a number is automatically chosen by the system when the
account is created.
A comment about the account, such as the account’s owner full name.
This is the name of the home directory for the account.
This is a G-expression denoting the file name of a program to be used as the shell (see G-Expressions).
This Boolean value indicates whether the account is a “system” account. System accounts are sometimes treated specially; for instance, graphical login managers do not list them.
#f, this is the password to be used for the account.
User group declarations are even simpler:
(user-group (name "students"))
This type is for, well, user groups. There are just a few fields:
The group’s name.
The group identifier (a number). If
#f, a new number is
automatically allocated when the group is created.
This Boolean value indicates whether the group is a “system” group. System groups have low numerical IDs.
What, user groups can have a password? Well, apparently yes. Unless
#f, this field specifies the group’s password.
For convenience, a variable lists all the basic user groups one may expect:
This is the list of basic user groups that users and/or packages expect to be present on the system. This includes groups such as “root”, “wheel”, and “users”, as well as groups used to control access to specific devices such as “audio”, “disk”, and “cdrom”.
An important part of preparing an
operating-system declaration is
listing system services and their configuration (see Using the Configuration System). System services are typically daemons launched
when the system boots, or other actions needed at that time—e.g.,
configuring network access. They are managed by GNU dmd
(see Introduction in GNU dmd Manual).
The following sections document the available services, starting with the core services.
|• Base Services:||Essential system services.|
|• Networking Services:||Network setup, SSH daemon, etc.|
|• X Window:||Graphical display.|
(gnu services base) module provides definitions for the basic
services that one expects from the system. The services exported by
this module are listed below.
This variable contains a list of basic services9 one would expect from the system: a login service (mingetty) on each tty, syslogd, libc’s name service cache daemon (nscd), the udev device manager, and more.
This is the default value of the
services field of
operating-system declarations. Usually, when customizing a
system, you will want to append services to %base-services, like
(cons* (avahi-service) (lshd-service) %base-services)
Return a service that sets the host name to name.
Return a service to run mingetty on tty.
When allow-empty-passwords? is true, allow empty log-in password. When
auto-login is true, it must be a user name under which to log-in
automatically. login-pause? can be set to
#t in conjunction with
auto-login, in which case the user will have to press a key before the
login shell is launched.
When true, login-program is a gexp or a monadic gexp denoting the name
of the log-in program (the default is the
login program from the Shadow
motd is a monadic value containing a text file to use as the “message of the day”.
Return a service that runs libc’s name service cache daemon (nscd).
Return a service that runs
syslogd with reasonable default
Return a service that runs the build daemon from guix, and has build-accounts user accounts available under builder-group.
When authorize-hydra-key? is true, the
hydra.gnu.org public key
provided by guix is authorized upon activation, meaning that substitutes
hydra.gnu.org are used by default.
If use-substitutes? is false, the daemon is run with --no-substitutes (see --no-substitutes).
Finally, extra-options is a list of additional command-line options
Run udev, which populates the /dev directory dynamically.
(gnu system networking) module provides services to configure
the network interface.
Return a service that starts interface with address ip. If gateway is true, it must be a string specifying the default network gateway.
Return a service to run the Tor daemon.
The daemon runs with the default settings (in particular the default exit
policy) as the
tor unprivileged user.
(gnu system ssh) provides the following service.
lshd program from lsh to listen on port port-number.
host-key must designate a file containing the host key, and readable
only by root.
When initialize? is true, automatically create the seed and host key upon service activation if they do not exist yet. This may take long and require interaction.
When interfaces is empty, lshd listens for connections on all the network interfaces; otherwise, interfaces must be a list of host names or addresses.
allow-empty-passwords? specifies whether to accepts log-ins with empty passwords, and root-login? specifies whether to accepts log-ins as root.
The other options should be self-descriptive.
Support for the X Window graphical display system—specifically
Xorg—is provided by the
(gnu services xorg) module. Note that
there is no
xorg-service procedure. Instead, the X server is
started by the login manager, currently SLiM.
Return a service that spawns the SLiM graphical login manager, which in
turn starts the X display server with startx, a command as returned by
When allow-empty-passwords? is true, allow logins with an empty password. When auto-login? is true, log in automatically as default-user.
Some programs need to run with “root” privileges, even when they are
launched by unprivileged users. A notorious example is the
passwd programs, which can users can run to change their
password, and which requires write access to the /etc/passwd and
/etc/shadow files—something normally restricted to root, for
obvious security reasons. To address that, these executables are
setuid-root, meaning that they always run with root privileges
(see How Change Persona in The GNU C Library Reference Manual,
for more info about the setuid mechanisms.)
The store itself cannot contain setuid programs: that would be a security issue since any user on the system can write derivations that populate the store (see The Store). Thus, a different mechanism is used: instead of changing the setuid bit directly on files that are in the store, we let the system administrator declare which programs should be setuid root.
setuid-programs field of an
declaration contains a list of G-expressions denoting the names of
programs to be setuid-root (see Using the Configuration System).
For instance, the
passwd program, which is part of the Shadow
package, can be designated by this G-expression (see G-Expressions):
#~(string-append #$shadow "/bin/passwd")
A default set of setuid programs is defined by the
%setuid-programs variable of the
(gnu system) module.
A list of G-expressions denoting common programs that are setuid-root.
The list includes commands such as
Under the hood, the actual setuid programs are created in the /run/setuid-programs directory at system activation time. The files in this directory refer to the “real” binaries, which are in the store.
For bootstrapping purposes, the Linux-Libre kernel is passed an initial RAM disk, or initrd. An initrd contains a temporary root file system, as well as an initialization script. The latter is responsible for mounting the real root file system, and for loading any kernel modules that may be needed to achieve that.
initrd field of an
operating-system declaration allows
you to specify which initrd you would like to use. The
system linux-initrd) module provides two ways to build an initrd: the
base-initrd procedure, and the low-level
base-initrd procedure is intended to cover most common uses.
For example, if you want to add a bunch of kernel modules to be loaded
at boot time, you can define the
initrd field of the operating
system declaration like this:
(initrd (cut base-initrd <> #:extra-modules '("my.ko" "modules.ko")))
It also handles common use cases that involves using the system as a QEMU guest, or as a “live” system whose root file system is volatile.
Return a monadic derivation that builds a generic initrd. file-systems is
a list of file-systems to be mounted by the initrd, possibly in addition to
the root file system specified on the kernel command line via
When qemu-networking? is true, set up networking with the standard QEMU parameters. When virtio? is true, load additional modules so the initrd can be used as a QEMU guest with para-virtualized I/O drivers.
When volatile-root? is true, the root file system is writable but any changes to it are lost.
The initrd is automatically populated with all the kernel modules necessary for file-systems and for the given options. However, additional kernel modules can be listed in extra-modules. They will be added to the initrd, and loaded at boot time in the order in which they appear.
Needless to say, the initrds we produce and use embed a
statically-linked Guile, and the initialization program is a Guile
program. That gives a lot of flexibility. The
expression->initrd procedure builds such an initrd, given the
program to run in that initrd.
Return a derivation that builds a Linux initrd (a gzipped cpio archive) containing guile and that evaluates exp, a G-expression, upon booting.
linux-modules is a list of .ko file names to be copied from linux into the initrd. to-copy is a list of additional derivations or packages to copy to the initrd. modules is a list of Guile module names to be embedded in the initrd.
Once you have written an operating system declaration, as seen in the
previous section, it can be instantiated using the
system command. The synopsis is:
guix system options… action file
file must be the name of a file containing an
operating-system declaration. action specifies how the
operating system is instantiate. Currently the following values are
Build the operating system described in file, activate it, and switch to it10.
This effects all the configuration specified in file: user accounts, system services, global package list, setuid programs, etc.
It also adds a GRUB menu entry for the new OS configuration, and moves entries for older configurations to a submenu—unless --no-grub is passed.
Build the operating system’s derivation, which includes all the configuration files and programs needed to boot and run the system. This action does not actually install anything.
Populate the given directory with all the files necessary to run the operating system specified in file. This is useful for first-time installations of the GNU system. For instance:
guix system init my-os-config.scm /mnt
copies to /mnt all the store items required by the configuration specified in my-os-config.scm. This includes configuration files, packages, and so on. It also creates other essential files needed for the system to operate correctly—e.g., the /etc, /var, and /run directories, and the /bin/sh file.
This command also installs GRUB on the device specified in my-os-config, unless the --no-grub option was passed.
Build a virtual machine that contain the operating system declared in file, and return a script to run that virtual machine (VM).
The VM shares its store with the host system.
Return a virtual machine or disk image of the operating system declared in file that stands alone. Use the --image-size option to specify the size of the image.
vm-image, the returned image is in qcow2 format, which
the QEMU emulator can efficiently use.
disk-image, a raw disk image is produced; it can be
copied as is to a USB stick, for instance. Assuming
the device corresponding to a USB stick, one can copy the image on it
using the following command:
# dd if=$(guix system disk-image my-os.scm) of=/dev/sdc
options can contain any of the common build options provided by
guix build (see Invoking guix build). In addition,
options can contain one of the following:
Attempt to build for system instead of the host’s system type.
This works as per
guix build (see Invoking guix build).
disk-image actions, create an image
of the given size. size may be a number of bytes, or it may
include a unit as a suffix, such as
MiB for mebibytes and
GB for gigabytes.
Note that all the actions above, except
rely on KVM support in the Linux-Libre kernel. Specifically, the
machine should have hardware virtualization support, the corresponding
KVM kernel module should be loaded, and the /dev/kvm device node
must exist and be readable and writable by the user and by the daemon’s
(gnu services …) modules define several procedures that allow
users to declare the operating system’s services (see Using the Configuration System). These procedures are monadic
procedures—i.e., procedures that return a monadic value in the store
monad (see The Store Monad). For examples of such procedures,
The monadic value returned by those procedures is a service
definition—a structure as returned by the
Service definitions specifies the inputs the service depends on, and an
expression to start and stop the service. Behind the scenes, service
definitions are “translated” into the form suitable for the
configuration file of dmd, the init system (see Services in GNU
As an example, here is what the
nscd-service procedure looks
(define (nscd-service) (with-monad %store-monad (return (service (documentation "Run libc's name service cache daemon.") (provision '(nscd)) (activate #~(begin (use-modules (guix build utils)) (mkdir-p "/var/run/nscd"))) (start #~(make-forkexec-constructor (string-append #$glibc "/sbin/nscd") "-f" "/dev/null" "--foreground")) (stop #~(make-kill-destructor)) (respawn? #f)))))
stop fields are G-expressions
(see G-Expressions). The
activate field contains a script to
run at “activation” time; it makes sure that the /var/run/nscd
directory exists before
nscd is started.
stop fields refer to dmd’s facilities to
start and stop processes (see Service De- and Constructors in GNU dmd Manual). The
provision field specifies the name under
which this service is known to dmd, and
on-line documentation. Thus, the commands
deco start ncsd,
deco stop nscd, and
deco doc nscd will do what you
would expect (see Invoking deco in GNU dmd Manual).
Program binaries, as produced by the GCC compilers for instance, are typically written in the ELF format, with a section containing debugging information. Debugging information is what allows the debugger, GDB, to map binary code to source code; it is required to debug a compiled program in good conditions.
The problem with debugging information is that is takes up a fair amount of disk space. For example, debugging information for the GNU C Library weighs in at more than 60 MiB. Thus, as a user, keeping all the debugging info of all the installed programs is usually not an option. Yet, space savings should not come at the cost of an impediment to debugging—especially in the GNU system, which should make it easier for users to exert their computing freedom (see GNU Distribution).
Thankfully, the GNU Binary Utilities (Binutils) and GDB provide a mechanism that allows users to get the best of both worlds: debugging information can be stripped from the binaries and stored in separate files. GDB is then able to load debugging information from those files, when they are available (see Separate Debug Files in Debugging with GDB).
The GNU distribution takes advantage of this by storing debugging
information in the
lib/debug sub-directory of a separate package
output unimaginatively called
debug (see Packages with Multiple Outputs). Users can choose to install the
of a package when they need it. For instance, the following command
installs the debugging information for the GNU C Library and for GNU
guix package -i glibc:debug guile:debug
GDB must then be told to look for debug files in the user’s profile, by
debug-file-directory variable (consider setting it
from the ~/.gdbinit file, see Startup in Debugging with
(gdb) set debug-file-directory ~/.guix-profile/lib/debug
From there on, GDB will pick up debugging information from the
.debug files under ~/.guix-profile/lib/debug.
In addition, you will most likely want GDB to be able to show the source
code being debugged. To do that, you will have to unpack the source
code of the package of interest (obtained with
--source, see Invoking guix build), and to point GDB to that source
directory using the
directory command (see
directory in Debugging with GDB).
debug output mechanism in Guix is implemented by the
gnu-build-system (see Build Systems). Currently, it is
opt-in—debugging information is available only for those packages
whose definition explicitly declares a
debug output. This may be
changed to opt-out in the future, if our build farm servers can handle
the load. To check whether a package has a
debug output, use
guix package --list-available (see Invoking guix package).
From a programming viewpoint, the package definitions of the
GNU distribution are provided by Guile modules in the
…) name space11 (see Guile modules in GNU Guile
Reference Manual). For instance, the
(gnu packages emacs)
module exports a variable named
emacs, which is bound to a
<package> object (see Defining Packages).
(gnu packages …) module name space is special: it is
automatically scanned for packages by the command-line tools. For
instance, when running
guix package -i emacs, all the
packages …) modules are scanned until one that exports a package
object whose name is
emacs is found. This package search
facility is implemented in the
(gnu packages) module.
Users can store package definitions in modules with different
(my-packages emacs). In that case, commands such
guix package and
guix build have to be used with
-e option so that they know where to find the package.
The distribution is fully bootstrapped and self-contained:
each package is built based solely on other packages in the
distribution. The root of this dependency graph is a small set of
bootstrap binaries, provided by the
bootstrap) module. For more information on bootstrapping,
The GNU distribution is nascent and may well lack some of your favorite packages. This section describes how you can help make the distribution grow. See Contributing, for additional information on how you can help.
Free software packages are usually distributed in the form of source code tarballs—typically tar.gz files that contain all the source files. Adding a package to the distribution means essentially two things: adding a recipe that describes how to build the package, including a list of other packages required to build it, and adding package meta-data along with that recipe, such as a description and licensing information.
In Guix all this information is embodied in package definitions. Package definitions provide a high-level view of the package. They are written using the syntax of the Scheme programming language; in fact, for each package we define a variable bound to the package definition, and export that variable from a module (see Package Modules). However, in-depth Scheme knowledge is not a prerequisite for creating packages. For more information on package definitions, Defining Packages.
Once a package definition is in place, stored in a file in the Guix
source tree, it can be tested using the
guix build command
(see Invoking guix build). For example, assuming the new package is
gnew, you may run this command from the Guix build tree:
./pre-inst-env guix build gnew --keep-failed
--keep-failed makes it easier to debug build failures since
it provides access to the failed build tree. Another useful
command-line option when debugging is
--log-file, to access the
If the package is unknown to the
guix command, it may be that
the source file contains a syntax error, or lacks a
clause to export the package variable. To figure it out, you may load
the module from Guile to get more information about the actual error:
./pre-inst-env guile -c '(use-modules (gnu packages gnew))'
Once your package builds correctly, please send us a patch (see Contributing). Well, if you need help, we will be happy to help you too. Once the patch is committed in the Guix repository, the new package automatically gets built on the supported platforms by our continuous integration system.
Users can obtain the new package definition simply by running
guix pull (see Invoking guix pull). When
hydra.gnu.org is done building the package, installing the
package automatically downloads binaries from there
(see Substitutes). The only place where human intervention is
needed is to review and apply the patch.
|• Software Freedom:||What may go into the distribution.|
|• Package Naming:||What’s in a name?|
|• Version Numbers:||When the name is not enough.|
|• Python Modules:||Taming the snake.|
|• Perl Modules:||Little pearls.|
The GNU operating system has been developed so that users can have freedom in their computing. GNU is free software, meaning that users have the four essential freedoms: to run the program, to study and change the program in source code form, to redistribute exact copies, and to distribute modified versions. Packages found in the GNU distribution provide only software that conveys these four freedoms.
In addition, the GNU distribution follow the free software distribution guidelines. Among other things, these guidelines reject non-free firmware, recommendations of non-free software, and discuss ways to deal with trademarks and patents.
Some packages contain a small and optional subset that violates the
above guidelines, for instance because this subset is itself non-free
code. When that happens, the offending items are removed with
appropriate patches or code snippets in the package definition’s
origin form (see Defining Packages). That way,
build --source returns the “freed” source rather than the unmodified
A package has actually two names associated with it:
First, there is the name of the Scheme variable, the one following
define-public. By this name, the package can be made known in the
Scheme code, for instance as input to another package. Second, there is
the string in the
name field of a package definition. This name
is used by package management commands such as
guix package and
Both are usually the same and correspond to the lowercase conversion of
the project name chosen upstream, with underscores replaced with
hyphens. For instance, GNUnet is available as
We do not add
lib prefixes for library packages, unless these are
already part of the official project name. But see see Python Modules and Perl Modules for special rules concerning modules for
the Python and Perl languages.
We usually package only the latest version of a given free software
project. But sometimes, for instance for incompatible library versions,
two (or more) versions of the same package are needed. These require
different Scheme variable names. We use the name as defined
in Package Naming
for the most recent version; previous versions use the same name, suffixed
- and the smallest prefix of the version number that may
distinguish the two versions.
The name inside the package definition is the same for all versions of a package and does not contain any version number.
For instance, the versions 2.24.20 and 3.9.12 of GTK+ may be packaged as follows:
(define-public gtk+ (package (name "gtk+") (version "3.9.12") ...)) (define-public gtk+-2 (package (name "gtk+") (version "2.24.20") ...))
If we also wanted GTK+ 3.8.2, this would be packaged as
(define-public gtk+-3.8 (package (name "gtk+") (version "3.8.2") ...))
We currently package Python 2 and Python 3, under the Scheme variable names
python as explained in Version Numbers.
To avoid confusion and naming clashes with other programming languages, it
seems desirable that the name of a package for a Python module contains
Some modules are compatible with only one version of Python, others with both.
If the package Foo compiles only with Python 3, we name it
python-foo; if it compiles only with Python 2, we name it
python2-foo. If it is compatible with both versions, we create two
packages with the corresponding names.
If a project already contains the word
python, we drop this;
for instance, the module python-dateutil is packaged under the names
Perl programs standing for themselves are named as any other package,
using the lowercase upstream name.
For Perl packages containing a single class, we use the lowercase class name,
replace all occurrences of
:: by dashes and prepend the prefix
So the class
Modules containing several classes keep their lowercase upstream name and
are also prepended by
perl-. Such modules tend to have the word
perl somewhere in their name, which gets dropped in favor of the
prefix. For instance,
Bootstrapping in our context refers to how the distribution gets built “from nothing”. Remember that the build environment of a derivation contains nothing but its declared inputs (see Introduction). So there’s an obvious chicken-and-egg problem: how does the first package get built? How does the first compiler get compiled? Note that this is a question of interest only to the curious hacker, not to the regular user, so you can shamelessly skip this section if you consider yourself a “regular user”.
The GNU system is primarily made of C code, with libc at its core. The
GNU build system itself assumes the availability of a Bourne shell and
command-line tools provided by GNU Coreutils, Awk, Findutils, ‘sed’, and
‘grep’. Furthermore, build programs—programs that run
make, etc.—are written in Guile Scheme
(see Derivations). Consequently, to be able to build anything at
all, from scratch, Guix relies on pre-built binaries of Guile, GCC,
Binutils, libc, and the other packages mentioned above—the
These bootstrap binaries are “taken for granted”, though we can also re-create them if needed (more on that later).
The figure above shows the very beginning of the dependency graph of the
distribution, corresponding to the package definitions of the
packages bootstrap) module. At this level of detail, things are
slightly complex. First, Guile itself consists of an ELF executable,
along with many source and compiled Scheme files that are dynamically
loaded when it runs. This gets stored in the guile-2.0.7.tar.xz
tarball shown in this graph. This tarball is part of Guix’s “source”
distribution, and gets inserted into the store with
(see The Store).
But how do we write a derivation that unpacks this tarball and adds it
to the store? To solve this problem, the
derivation—the first one that gets built—uses
bash as its
builder, which runs
build-bootstrap-guile.sh, which in turn calls
tar to unpack the tarball. Thus, bash, tar,
xz, and mkdir are statically-linked binaries, also part of
the Guix source distribution, whose sole purpose is to allow the Guile
tarball to be unpacked.
guile-bootstrap-2.0.drv is built, we have a functioning
Guile that can be used to run subsequent build programs. Its first task
is to download tarballs containing the other pre-built binaries—this
is what the
.tar.xz.drv derivations do. Guix modules such as
ftp-client.scm are used for this purpose. The
module-import.drv derivations import those modules in a directory
in the store, using the original layout. The
module-import-compiled.drv derivations compile those modules, and
write them in an output directory with the right layout. This
corresponds to the
#:modules argument of
build-expression->derivation (see Derivations).
Finally, the various tarballs are unpacked by the
etc., at which point we have a working C tool chain.
Bootstrapping is complete when we have a full tool chain that does not
depend on the pre-built bootstrap tools discussed above. This
no-dependency requirement is verified by checking whether the files of
the final tool chain contain references to the /gnu/store
directories of the bootstrap inputs. The process that leads to this
“final” tool chain is described by the package definitions found in
(gnu packages base) module.
The first tool that gets built with the bootstrap binaries is GNU Make, which is a prerequisite for all the following packages. From there Findutils and Diffutils get built.
Then come the first-stage Binutils and GCC, built as pseudo cross
--target equal to
--host. They are
used to build libc. Thanks to this cross-build trick, this libc is
guaranteed not to hold any reference to the initial tool chain.
From there the final Binutils and GCC are built. GCC uses
from the final Binutils, and links programs against the just-built libc.
This tool chain is used to build the other packages used by Guix and by
the GNU Build System: Guile, Bash, Coreutils, etc.
And voilà! At this point we have the complete set of build tools that
the GNU Build System expects. These are in the
variables of the
(gnu packages base) module, and are implicitly
used by any package that uses
gnu-build-system (see Defining Packages).
Because the final tool chain does not depend on the bootstrap binaries,
those rarely need to be updated. Nevertheless, it is useful to have an
automated way to produce them, should an update occur, and this is what
(gnu packages make-bootstrap) module provides.
The following command builds the tarballs containing the bootstrap binaries (Guile, Binutils, GCC, libc, and a tarball containing a mixture of Coreutils and other basic command-line tools):
guix build bootstrap-tarballs
The generated tarballs are those that should be referred to in the
(gnu packages bootstrap) module mentioned at the beginning of
Still here? Then perhaps by now you’ve started to wonder: when do we reach a fixed point? That is an interesting question! The answer is unknown, but if you would like to investigate further (and have significant computational and storage resources to do so), then let us know.
As discussed above, the GNU distribution is self-contained, and
self-containment is achieved by relying on pre-built “bootstrap
binaries” (see Bootstrapping). These binaries are specific to an
operating system kernel, CPU architecture, and application binary
interface (ABI). Thus, to port the distribution to a platform that is
not yet supported, one must build those bootstrap binaries, and update
(gnu packages bootstrap) module to use them on that platform.
Fortunately, Guix can cross compile those bootstrap binaries. When everything goes well, and assuming the GNU tool chain supports the target platform, this can be as simple as running a command like this one:
guix build --target=armv5tel-linux-gnueabi bootstrap-tarballs
Once these are built, the
(gnu packages bootstrap) module needs
to be updated to refer to these binaries on the target platform. In
glibc-dynamic-linker procedure in that module must
be augmented to return the right file name for libc’s dynamic linker on
that platform; likewise,
packages linux) must be taught about the new platform.
In practice, there may be some complications. First, it may be that the
extended GNU triplet that specifies an ABI (like the
above) is not recognized by all the GNU tools. Typically, glibc
recognizes some of these, whereas GCC uses an extra
configure flag (see
gcc.scm for examples of how to handle this).
Second, some of the required packages could fail to build for that
platform. Lastly, the generated binaries could be broken for some
This project is a cooperative effort, and we need your help to make it
grow! Please get in touch with us on firstname.lastname@example.org and
#guix on the Freenode IRC network. We welcome ideas, bug
reports, patches, and anything that may be helpful to the project. We
particularly welcome help on packaging (see Packaging Guidelines).
Please see the HACKING file that comes with the Guix source code for practical details about contributions.
Guix is based on the Nix package manager, which was designed and implemented by Eelco Dolstra. Nix pioneered functional package management, and promoted unprecedented features, such as transactional package upgrades and rollbacks, per-user profiles, and referentially transparent build processes. Without this work, Guix would not exist.
The Nix-based software distributions, Nixpkgs and NixOS, have also been an inspiration for Guix.
Copyright © 2000, 2001, 2002, 2007, 2008 Free Software Foundation, Inc. http://fsf.org/ Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
The purpose of this License is to make a manual, textbook, or other functional and useful document free in the sense of freedom: to assure everyone the effective freedom to copy and redistribute it, with or without modifying it, either commercially or noncommercially. Secondarily, this License preserves for the author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.
This License is a kind of “copyleft”, which means that derivative works of the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.
We have designed this License in order to use it for manuals for free software, because free software needs free documentation: a free program should come with manuals providing the same freedoms that the software does. But this License is not limited to software manuals; it can be used for any textual work, regardless of subject matter or whether it is published as a printed book. We recommend this License principally for works whose purpose is instruction or reference.
This License applies to any manual or other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under the conditions stated herein. The “Document”, below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as “you”. You accept the license if you copy, modify or distribute the work in a way requiring permission under copyright law.
A “Modified Version” of the Document means any work containing the Document or a portion of it, either copied verbatim, or with modifications and/or translated into another language.
A “Secondary Section” is a named appendix or a front-matter section of the Document that deals exclusively with the relationship of the publishers or authors of the Document to the Document’s overall subject (or to related matters) and contains nothing that could fall directly within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a Secondary Section may not explain any mathematics.) The relationship could be a matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.
The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License. If a section does not fit the above definition of Secondary then it is not allowed to be designated as Invariant. The Document may contain zero Invariant Sections. If the Document does not identify any Invariant Sections then there are none.
The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License. A Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
A “Transparent” copy of the Document means a machine-readable copy, represented in a format whose specification is available to the general public, that is suitable for revising the document straightforwardly with generic text editors or (for images composed of pixels) generic paint programs or (for drawings) some widely available drawing editor, and that is suitable for input to text formatters or for automatic translation to a variety of formats suitable for input to text formatters. A copy made in an otherwise Transparent file format whose markup, or absence of markup, has been arranged to thwart or discourage subsequent modification by readers is not Transparent. An image format is not Transparent if used for any substantial amount of text. A copy that is not “Transparent” is called “Opaque”.
Examples of suitable formats for Transparent copies include plain ASCII without markup, Texinfo input format, LaTeX input format, SGML or XML using a publicly available DTD, and standard-conforming simple HTML, PostScript or PDF designed for human modification. Examples of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary formats that can be read and edited only by proprietary word processors, SGML or XML for which the DTD and/or processing tools are not generally available, and the machine-generated HTML, PostScript or PDF produced by some word processors for output purposes only.
The “Title Page” means, for a printed book, the title page itself, plus such following pages as are needed to hold, legibly, the material this License requires to appear in the title page. For works in formats which do not have any title page as such, “Title Page” means the text near the most prominent appearance of the work’s title, preceding the beginning of the body of the text.
The “publisher” means any person or entity that distributes copies of the Document to the public.
A section “Entitled XYZ” means a named subunit of the Document whose title either is precisely XYZ or contains XYZ in parentheses following text that translates XYZ in another language. (Here XYZ stands for a specific section name mentioned below, such as “Acknowledgements”, “Dedications”, “Endorsements”, or “History”.) To “Preserve the Title” of such a section when you modify the Document means that it remains a section “Entitled XYZ” according to this definition.
The Document may include Warranty Disclaimers next to the notice which states that this License applies to the Document. These Warranty Disclaimers are considered to be included by reference in this License, but only as regards disclaiming warranties: any other implication that these Warranty Disclaimers may have is void and has no effect on the meaning of this License.
You may copy and distribute the Document in any medium, either commercially or noncommercially, provided that this License, the copyright notices, and the license notice saying this License applies to the Document are reproduced in all copies, and that you add no other conditions whatsoever to those of this License. You may not use technical measures to obstruct or control the reading or further copying of the copies you make or distribute. However, you may accept compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly display copies.
If you publish printed copies (or copies in media that commonly have printed covers) of the Document, numbering more than 100, and the Document’s license notice requires Cover Texts, you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers must also clearly and legibly identify you as the publisher of these copies. The front cover must present the full title with all words of the title equally prominent and visible. You may add other material on the covers in addition. Copying with changes limited to the covers, as long as they preserve the title of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.
If the required texts for either cover are too voluminous to fit legibly, you should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.
If you publish or distribute Opaque copies of the Document numbering more than 100, you must either include a machine-readable Transparent copy along with each Opaque copy, or state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the Document, free of added material. If you use the latter option, you must take reasonably prudent steps, when you begin distribution of Opaque copies in quantity, to ensure that this Transparent copy will remain thus accessible at the stated location until at least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.
You may copy and distribute a Modified Version of the Document under the conditions of sections 2 and 3 above, provided that you release the Modified Version under precisely this License, with the Modified Version filling the role of the Document, thus licensing distribution and modification of the Modified Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:
If the Modified Version includes new front-matter sections or appendices that qualify as Secondary Sections and contain no material copied from the Document, you may at your option designate some or all of these sections as invariant. To do this, add their titles to the list of Invariant Sections in the Modified Version’s license notice. These titles must be distinct from any other section titles.
You may add a section Entitled “Endorsements”, provided it contains nothing but endorsements of your Modified Version by various parties—for example, statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.
You may add a passage of up to five words as a Front-Cover Text, and a passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through arrangements made by) any one entity. If the Document already includes a cover text for the same cover, previously added by you or by arrangement made by the same entity you are acting on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.
The author(s) and publisher(s) of the Document do not by this License give permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.
You may combine the Document with other documents released under this License, under the terms defined in section 4 above for modified versions, provided that you include in the combination all of the Invariant Sections of all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice, and that you preserve all their Warranty Disclaimers.
The combined work need only contain one copy of this License, and multiple identical Invariant Sections may be replaced with a single copy. If there are multiple Invariant Sections with the same name but different contents, make the title of each such section unique by adding at the end of it, in parentheses, the name of the original author or publisher of that section if known, or else a unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.
In the combination, you must combine any sections Entitled “History” in the various original documents, forming one section Entitled “History”; likewise combine any sections Entitled “Acknowledgements”, and any sections Entitled “Dedications”. You must delete all sections Entitled “Endorsements.”
You may make a collection consisting of the Document and other documents released under this License, and replace the individual copies of this License in the various documents with a single copy that is included in the collection, provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.
You may extract a single document from such a collection, and distribute it individually under this License, provided you insert a copy of this License into the extracted document, and follow this License in all other respects regarding verbatim copying of that document.
A compilation of the Document or its derivatives with other separate and independent documents or works, in or on a volume of a storage or distribution medium, is called an “aggregate” if the copyright resulting from the compilation is not used to limit the legal rights of the compilation’s users beyond what the individual works permit. When the Document is included in an aggregate, this License does not apply to the other works in the aggregate which are not themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then if the Document is less than one half of the entire aggregate, the Document’s Cover Texts may be placed on covers that bracket the Document within the aggregate, or the electronic equivalent of covers if the Document is in electronic form. Otherwise they must appear on printed covers that bracket the whole aggregate.
Translation is considered a kind of modification, so you may distribute translations of the Document under the terms of section 4. Replacing Invariant Sections with translations requires special permission from their copyright holders, but you may include translations of some or all Invariant Sections in addition to the original versions of these Invariant Sections. You may include a translation of this License, and all the license notices in the Document, and any Warranty Disclaimers, provided that you also include the original English version of this License and the original versions of those notices and disclaimers. In case of a disagreement between the translation and the original version of this License or a notice or disclaimer, the original version will prevail.
If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”, the requirement (section 4) to Preserve its Title (section 1) will typically require changing the actual title.
You may not copy, modify, sublicense, or distribute the Document except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, or distribute it is void, and will automatically terminate your rights under this License.
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, receipt of a copy of some or all of the same material does not give you any rights to use it.
The Free Software Foundation may publish new, revised versions of the GNU Free Documentation License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.
Each version of the License is given a distinguishing version number. If the Document specifies that a particular numbered version of this License “or any later version” applies to it, you have the option of following the terms and conditions either of that specified version or of any later version that has been published (not as a draft) by the Free Software Foundation. If the Document does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation. If the Document specifies that a proxy can decide which future versions of this License can be used, that proxy’s public statement of acceptance of a version permanently authorizes you to choose that version for the Document.
“Massive Multiauthor Collaboration Site” (or “MMC Site”) means any World Wide Web server that publishes copyrightable works and also provides prominent facilities for anybody to edit those works. A public wiki that anybody can edit is an example of such a server. A “Massive Multiauthor Collaboration” (or “MMC”) contained in the site means any set of copyrightable works thus published on the MMC site.
“CC-BY-SA” means the Creative Commons Attribution-Share Alike 3.0 license published by Creative Commons Corporation, a not-for-profit corporation with a principal place of business in San Francisco, California, as well as future copyleft versions of that license published by that same organization.
“Incorporate” means to publish or republish a Document, in whole or in part, as part of another Document.
An MMC is “eligible for relicensing” if it is licensed under this License, and if all works that were first published under this License somewhere other than this MMC, and subsequently incorporated in whole or in part into the MMC, (1) had no cover texts or invariant sections, and (2) were thus incorporated prior to November 1, 2008.
The operator of an MMC Site may republish an MMC contained in the site under CC-BY-SA on the same site at any time before August 1, 2009, provided the MMC is eligible for relicensing.
To use this License in a document you have written, include a copy of the License in the document and put the following copyright and license notices just after the title page:
Copyright (C) year your name. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled ``GNU Free Documentation License''.
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the “with…Texts.” line with this:
with the Invariant Sections being list their titles, with the Front-Cover Texts being list, and with the Back-Cover Texts being list.
If you have Invariant Sections without Cover Texts, or some other combination of the three, merge those two alternatives to suit the situation.
If your document contains nontrivial examples of program code, we recommend releasing these examples in parallel under your choice of free software license, such as the GNU General Public License, to permit their use in free software.
|Jump to:||A B C D F G I M O P R S V|
|authorizing, archives:||Invoking guix archive|
|build code quoting:||G-Expressions|
|build environment:||Invoking guix-daemon|
|build hook:||Daemon Offload Setup|
|build hook:||Invoking guix-daemon|
|build phases:||Build Systems|
|build system:||Build Systems|
|build users:||Build Environment Setup|
|chroot:||Build Environment Setup|
|common build options:||Invoking guix build|
|container, build environment:||Invoking guix-daemon|
|cross-compilation:||Invoking guix build|
|daemon:||Setting Up the Daemon|
|debugging files:||Installing Debugging Files|
|functional package management:||Introduction|
|garbage collector:||Invoking guix gc|
|GNU Build System:||Defining Packages|
|initial RAM disk (initrd):||Initial RAM Disk|
|initrd (initial RAM disk):||Initial RAM Disk|
|monad:||The Store Monad|
|monadic functions:||The Store Monad|
|monadic values:||The Store Monad|
|multiple-output packages:||Packages with Multiple Outputs|
|offloading:||Daemon Offload Setup|
|package outputs:||Packages with Multiple Outputs|
|propagated inputs:||Invoking guix package|
|reproducible builds:||Invoking guix-daemon|
|search paths:||Invoking guix package|
|service definition:||Defining Services|
|setuid programs:||Setuid Programs|
|signing, archives:||Invoking guix archive|
|store paths:||The Store|
|strata of code:||G-Expressions|
|system configuration:||System Configuration|
|virtual machine:||Invoking guix system|
|Jump to:||A B C D F G I M O P R S V|
A B C D E F G H I L M N O P R S T U V W
|Using the Configuration System|
|Using the Configuration System|
|The Store Monad|
|The Store Monad|
|Initial RAM Disk|
|Initial RAM Disk|
|The Store Monad|
|The Store Monad|
|The Store Monad|
|Using the Configuration System|
|Using the Configuration System|
|The Store Monad|
|The Store Monad|
|The Store Monad|
|The Store Monad|
|The Store Monad|
|The Store Monad|
|The Store Monad|
A B C D E F G H I L M N O P R S T U V W
“Guix” is pronounced like “geeks”, or “ɡiːks” using the international phonetic alphabet (IPA).
“Mostly”, because while the set of files
that appear in the chroot’s
/dev is fixed, most of these files
can only be created if the host has them.
definitions like the one above may be automatically converted from the
Nixpkgs distribution using the
guix import command.
Please see the
(guix build gnu-build-system)
modules for more details about the build phases.
This operation is commonly referred to as “bind”, but that name denotes an unrelated procedure in Guile. Thus we use this somewhat cryptic symbol inherited from the Haskell language.
The term stratum in this context was coined by Manuel Serrano et al. in the context of their work on Hop. Oleg Kiselyov, who has written insightful essays and code on this topic, refers to this kind of code generation as staging.
Currently, this only works for GNU packages.
The term “free” here refers to the freedom provided to users of that software.
Technically, this is a list of monadic services. See The Store Monad.
This action is usable only on systems already running GNU.
Note that packages under the
packages …) module name space are not necessarily “GNU
packages”. This module naming scheme follows the usual Guile module
gnu means that these modules are distributed
as part of the GNU system, and
packages identifies modules that