
3.3 Substitutes

Guix supports transparent source/binary deployment, which means that it can either build things locally, or download pre-built items from a server. We call these pre-built items substitutes—they are substitutes for local build results. In many cases, downloading a substitute is much faster than building things locally.

Substitutes can be anything resulting from a derivation build (see Derivations). Of course, in the common case, they are pre-built package binaries, but source tarballs, for instance, which also result from derivation builds, can be available as substitutes.

The server is a front-end to a build farm that builds packages from the GNU distribution continuously for some architectures, and makes them available as substitutes (see Emacs Hydra, for information on how to query the continuous integration server). This is the default source of substitutes; it can be overridden by passing the --substitute-urls option either to guix-daemon (see guix-daemon --substitute-urls) or to client tools such as guix package (see client --substitute-urls option).

Substitute URLs can be either HTTP or HTTPS (4). HTTPS is recommended because communications are encrypted; conversely, using HTTP makes all communications visible to an eavesdropper, who could use the information gathered to determine, for instance, whether your system has unpatched security vulnerabilities.

To allow Guix to download substitutes from or a mirror thereof, you must add its public key to the access control list (ACL) of archive imports, using the guix archive command (see Invoking guix archive). Doing so implies that you trust to not be compromised and to serve genuine substitutes.

This public key is installed along with Guix, in prefix/share/guix/, where prefix is the installation prefix of Guix. If you installed Guix from source, make sure you checked the GPG signature of guix-0.11.0.tar.gz, which contains this public key file. Then, you can run something like this:

# guix archive --authorize <

Once this is in place, the output of a command like guix build should change from something like:

$ guix build emacs --dry-run
The following derivations would be built:

to something like:

$ guix build emacs --dry-run
The following files would be downloaded:

This indicates that substitutes from are usable and will be downloaded, when possible, for future builds.
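Putting the two steps above together as a small POSIX shell script (an added example, not part of the Guix manual): it authorizes the server key only if the key file is present and non-empty, then classifies the output of guix build --dry-run. The installation prefix and the key file name are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Guix manual: wrap the two steps above
# (authorize the substitute server's key, then confirm via a dry run that
# substitutes are actually used).  PREFIX and the key file name are
# placeholders supplied by the caller; they are not taken from the manual.

# authorize_substitute_key PREFIX KEYFILE
# Adds PREFIX/share/guix/KEYFILE to the daemon's ACL.  Refuses a missing or
# empty file so a typo cannot silently authorize nothing (or the wrong file).
authorize_substitute_key() {
    key="$1/share/guix/$2"
    if [ ! -s "$key" ]; then
        echo "authorize: key file missing or empty: $key" >&2
        return 1
    fi
    guix archive --authorize < "$key"
}

# classify_dry_run
# Reads `guix build ... --dry-run` output (stdout+stderr) and prints one of:
#   substitutes  - everything would be downloaded from an authorized server
#   local-build  - nothing would be downloaded (ACL not set up, or none offered)
#   mixed        - some items downloaded, others built locally
#   nothing      - everything is already in the store
classify_dry_run() {
    built=0
    downloaded=0
    while IFS= read -r line; do
        case "$line" in
            "The following derivation"*" would be built:")  built=1 ;;
            "The following file"*" would be downloaded:")   downloaded=1 ;;
        esac
    done
    if [ "$built" -eq 1 ] && [ "$downloaded" -eq 1 ]; then
        echo mixed
    elif [ "$downloaded" -eq 1 ]; then
        echo substitutes
    elif [ "$built" -eq 1 ]; then
        echo local-build
    else
        echo nothing
    fi
}

# Usage on a machine with guix installed (SERVER.pub is a placeholder name):
# authorize_substitute_key /usr/local SERVER.pub
# guix build emacs --dry-run 2>&1 | classify_dry_run
```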

Guix ignores substitutes that are not signed, or that are not signed by one of the keys listed in the ACL. It also detects and raises an error when attempting to use a substitute that has been tampered with.

Substitutes are downloaded over HTTP or HTTPS. The http_proxy environment variable can be set in the environment of guix-daemon and is honored for downloads of substitutes. Note that the value of http_proxy in the environment where guix build, guix package, and other client commands are run has absolutely no effect.

When using HTTPS, the server’s X.509 certificate is not validated (in other words, the server is not authenticated), contrary to what HTTPS clients such as Web browsers usually do. This is because Guix authenticates substitute information itself, as explained above, which is what we care about (whereas X.509 certificates are about authenticating bindings between domain names and public keys).

The substitute mechanism can be disabled globally by running guix-daemon with --no-substitutes (see Invoking guix-daemon). It can also be disabled temporarily by passing the --no-substitutes option to guix package, guix build, and other command-line tools.

On Trusting Binaries

Today, each individual’s control over their own computing is at the mercy of institutions, corporations, and groups with enough power and determination to subvert the computing infrastructure and exploit its weaknesses. While using substitutes can be convenient, we encourage users to also build on their own, or even run their own build farm, such that is less of an interesting target. One way to help is by publishing the software you build using guix publish so that others have one more choice of server to download substitutes from (see Invoking guix publish).

Guix has the foundations to maximize build reproducibility (see Features). In most cases, independent builds of a given package or derivation should yield bit-identical results. Thus, through a diverse set of independent package builds, we can strengthen the integrity of our systems. The guix challenge command aims to help users assess substitute servers, and to assist developers in finding out about non-deterministic package builds (see Invoking guix challenge). Similarly, the --check option of guix build allows users to check whether previously-installed substitutes are genuine by rebuilding them locally (see guix build --check).

In the future, we want Guix to have support to publish and retrieve binaries to/from other users, in a peer-to-peer fashion. If you would like to discuss this project, join us on



(4) For HTTPS access, the Guile bindings of GnuTLS must be installed. See Requirements.
