author: rekado <rekado@elephly.net> 2016-02-24 07:39:50 +0100
committer: rekado <rekado@elephly.net> 2016-02-24 07:39:50 +0100
commit: 1e3806a6921341de1d530af4ac9234c69e5aa21a
tree: 1bc5fbebf7d6a316e4e96fb11d722f6999e13a8b
parent: 9baf329f3e8e7edd2f75ce6ba44801601bb38936

posts: Update "Getting started with Guix" for 0.9.0 release.

* add discussion on signature checking
* update URLs
* add headings

-rw-r--r-- posts/2015-06-21-getting-started-with-guix.skr 95
1 files changed, 75 insertions, 20 deletions
diff --git a/posts/2015-06-21-getting-started-with-guix.skr b/posts/2015-06-21-getting-started-with-guix.skr
index ddf3b94..1548772 100644
--- a/posts/2015-06-21-getting-started-with-guix.skr
+++ b/posts/2015-06-21-getting-started-with-guix.skr
@@ -8,6 +8,9 @@
"packaging"
"guix")
+ (list 'warning [,(strong [Feb 24, 2016:])
+ This post has been updated for the 0.9.0 release of GNU Guix.])
+
(p [,(ref "/posts/2015-04-17-gnu-guix.html" "Previously I wrote")
about how using GNU Guix in an HPC environment enables easy
software deployment for multiple users with different needs when
@@ -23,29 +26,60 @@
for Guix and all its dependencies. You need to have GNU tar and
xz installed to unpack the tarball. Note that the tarball will
only work on GNU/Linux systems; it will not work on MacOS.])
+
+ (p [Guix needs a little bit of setting up, which can be done in just
+ a couple of steps.])
+
-
- (h2 [Six simple steps])
+ (h2 [Download and check])
(p [,(em [First]), if you are using a 64 bit machine, download the
compressed ,(ref
- "ftp://alpha.gnu.org/gnu/guix/guix-binary-0.8.2.x86_64-linux.tar.xz"
+ "ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.x86_64-linux.tar.xz"
"x86_64 archive from the FTP server"). There also is a ,(ref
- "ftp://alpha.gnu.org/gnu/guix/guix-binary-0.8.2.i686-linux.tar.xz"
+ "ftp://alpha.gnu.org/gnu/guix/guix-binary-0.9.0.i686-linux.tar.xz"
"tarball for 32 bit machines") and ,(ref
- "ftp://alpha.gnu.org/gnu/guix/guix-binary-0.8.2.mips64el-linux.tar.xz"
- "one for the less common MIPS").])
+ "ftp://alpha.gnu.org/gnu/guix/" "for other architectures").])
+
+ (p [For your own sake you really should also download the matching
+ cryptographic signature file (they all have the same name as the
+ archive you downloaded, but end on ,(code [.sig])) to ensure that
+ the tarballs are signed by release managers. Releases up to now
+ were signed by ,(ref
+ "https://pgp.mit.edu/pks/lookup?op=vindex&search=0x090B11993D9AEBB5"
+ "Ludovic Courtès"). I suggest you fetch both Ludo's and my own
+ PGP key from PGP key servers, for example by doing this:])
+
+ (pre (code [# gpg2 --recv-keys 090b11993d9aebb5 197a5888235facac]))
+ (p [You only need to do this once. With these keys you can now check
+ that the file you downloaded is in fact legit. To verify that
+ the file is indeed signed by the release manager and the
+ signature is valid following command in the same directory that
+ holds the tarball and the signature file:])
+
+ (pre (code [# gpg2 --verify guix-binary-0.9.0.x86_64-linux.tar.xz.sig]))
+
+ (p [If you see something like “Good signature from "Ludovic Courtès
+ <ludo@gnu.org>” you’re safe (according to your trust in the keys you
+ downloaded).])
+
+
+ (h2 [Unpacking the archive])
+
(p [,(em [Second]), unpack the archive as root in the root directory:])
(pre (code [# cd /
-# tar xf guix-binary-0.8.2.SYSTEM.tar.xz]))
+# tar xf guix-binary-0.9.0.SYSTEM.tar.xz]))
(p [This creates a pre-populated store at ,(code [/gnu/store])
(containing the “guix” package and the complete dependency graph),
the ,(em [local state directory]) ,(code [/var/guix]), and a Guix
profile for the root user at ,(code [/root/.guix-profile]), which
contains the guix command line tools and the daemon.])
+
+
+ (h2 [Create dedicated build users])
(p [,(em [Third]), create a build user pool, as root:])
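Review bot: The added `gpg2 --recv-keys 090b11993d9aebb5 197a5888235facac` line identifies both keys only by 64-bit key IDs fetched from a key server, so the later "Good signature" result proves no more than that the tarball matches whatever key the server returned for that ID. Please print the full fingerprints of both keys in the post and tell the reader to compare them (for example with `gpg2 --fingerprint`) before relying on the verification. The download links in this hunk are still plain ftp://, which makes the signature check the only integrity protection the reader has, so it is worth getting right. Two wording nits: the sentence ending "the signature is valid following command in the same directory" is missing "run the", and the string in "Good signature from "Ludovic Courtès <ludo@gnu.org>” has an unbalanced quote.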
@@ -61,12 +95,43 @@
(p [These are the restricted user accounts which are used by the
daemon to build software in a controlled environment. You may not
need ten, but it’s a good default.])
+
+
+ (h2 [Run the build daemon])
(p [,(em [Fourth]), run the daemon and tell it about the ,(code
[guix-builder]) group:])
(pre (code [# /root/.guix-profile/bin/guix-daemon --build-users-group=guix-builder]))
+ (p [Note that this is a server process, so it will never return. I
+ suggest turning this into a system service and keep it running in
+ the background at all times. The archive unpacks a Systemd
+ service file to ,(code
+ [/gnu/store/632msbms2yald...-guix-0.9.0/lib/systemd/system/guix-daemon.service]),
+ which you can just copy to ,(code [/etc/systemd/system/]); run
+ the following commands to start and enable the service:])
+
+ (pre (code [# systemctl daemon-reload
+# systemctl enable guix-daemon
+# systemctl start guix-daemon]))
+
+ (p [The daemon is responsible to handle build requests from users, so
+ it is essential that it keeps running.])
+
+ (p [Since building all software locally can take a very long time,
+ the GNU Guix build farm hydra.gnu.org is by default authorised as
+ a source for so-called binary substitutes.])
+
+ (p [Note that hydra.gnu.org isn’t at all special. Packages are built
+ there continuously from source. Guix is flexible and can pull
+ binary substitutes from other locations as long as you authorise
+ them. Check the Guix Info manual for more information about
+ substitutes.])
+
+
+ (h2 [Guix for everyone])
+
(p [,(em [Fifth]), make the ,(code [guix]) command available to other users
on the machine by linking it to a location everyone can access,
such as ,(code [/usr/local/bin]).])
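Review bot: The service file path in the added systemd paragraph, `/gnu/store/632msbms2yald...-guix-0.9.0/lib/systemd/system/guix-daemon.service`, contains an elided store hash, so a reader cannot copy it as written. Consider giving a path that can be used verbatim or saying how to locate the file, and show the copy step as a command next to the `systemctl` lines, since `systemctl enable guix-daemon` fails until the unit file is in place. Wording: "turning this into a system service and keep it running" should use "keeping", and "responsible to handle" reads better as "responsible for handling".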
@@ -77,18 +142,7 @@
(p [Now any user—not just the almighty root—can install software by
invoking ,(code [guix package -i whatever]). Yay!])
-
- (p [,(em [Finally]), if you do not want to build all software locally
- (which can take a very long time) and you think you can trust the
- GNU Guix build farm hydra.gnu.org, authorise it as a source for
- so-called binary substitutes using the included public key:])
-
- (pre (code [# guix archive --authorize < /root/.guix-profile/share/guix/hydra.gnu.org.pub]))
-
- (p [Note that hydra.gnu.org isn’t at all special. Packages are built
- there continuously from source. Guix is flexible and can pull
- binary substitutes from other locations as long as you authorise
- them.])
+
(h2 [Where to go from here])
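Review bot: The removed `guix archive --authorize < /root/.guix-profile/share/guix/hydra.gnu.org.pub` step was the only place where the reader made an explicit decision to trust the build farm ("and you think you can trust the GNU Guix build farm"), while the replacement text earlier in the patch only states that hydra.gnu.org "is by default authorised". Please confirm that a fresh 0.9.0 binary install really accepts substitutes without this command, and keep a sentence saying that accepting substitutes means trusting that key, with a pointer to how the authorisation can be withdrawn.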
@@ -97,7 +151,8 @@
(p [To get the latest package recipes for Guix just run ,(code [guix
pull]), which will download and compile the most recent
- development version.])
+ development version for the current user. This allows users
+ (including root) to all have a different version of Guix.])
(p [I recommend reading the excellent Guix reference manual, which is
,(ref "https://www.gnu.org/software/guix/manual/guix.html"
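Review bot: The added sentence "This allows users (including root) to all have a different version of Guix" leaves out a consequence for the setup described earlier in the post: the daemon is started from `/root/.guix-profile/bin/guix-daemon`, so a user running `guix pull` does not update it. Suggest adding that the daemon has to be updated separately by root, which matters when a release carries fixes to the daemon itself.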