
RFC: In guix compile the GUI sequentially from everything else? #29914

Open
maflcko opened this issue Apr 19, 2024 · 4 comments
Comments

maflcko (Member) commented Apr 19, 2024

Compiling the GUI pulls in quite a few dependencies, which could theoretically include backdoors that are leaked into bitcoind (or other non-GUI utils) as well.

A possible mitigation would be to compile the GUI in a separate guix container from the rest of the binaries. The downside would be that the node library, and the depends dependencies of the node library would have to be compiled twice, but the overhead may be worth it?

(I won't be working on this, but I wanted to keep track of this in a brainstorming issue, as the topic has repeatedly come up)

laanwj (Member) commented Apr 22, 2024

FWIW in #29923 I've removed all the GUI-specific build-time dependencies except for Qt itself.

maflcko (Member, Author) commented Apr 23, 2024

> FWIW in #29923 I've removed all the GUI-specific build-time dependencies except for Qt itself.

Nice!

Qt is still a massive blob (and possibly a large attack surface for backdoors), so I guess sequential builds could still be considered, but the priority would be less urgent after #29923.

laanwj (Member) commented Apr 23, 2024

Sure, and there may still be other reasons to have a separate build step; the idea of fully static binaries for the non-GUI utilities was raised again at CoreDev. This is not possible with the GUI as it necessarily needs access to the dynamic linker. And as this might require different compile and linker flags, this would also effectively need two separate builds.
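As an added illustration (not code from Bitcoin Core, guix, or any participant in this thread) of the distinction drawn in the comment above: a fully static binary carries no program interpreter, whereas the GUI must request one. The ELF64 reader below reports whether a binary names a dynamic linker (a PT_INTERP segment) or carries a dynamic segment (PT_DYNAMIC), which is the property a release pipeline could assert on its non-GUI outputs. The sample ELF images are constructed inline for the demonstration, and the interpreter path in them is an assumed sample value.

```python
"""Report whether an ELF64 binary is fully static (no program interpreter,
no dynamic segment). Added example, not Bitcoin Core or guix code."""
import struct
import sys

PT_LOAD = 1
PT_DYNAMIC = 2
PT_INTERP = 3

ELF64_EHDR_SIZE = 64
ELF64_PHDR_SIZE = 56


def program_headers(data: bytes):
    """Yield (p_type, p_offset, p_filesz) for each ELF64 program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:  # EI_CLASS: 2 == ELFCLASS64
        raise ValueError("only ELF64 is handled here")
    endian = "<" if data[5] == 1 else ">"  # EI_DATA: 1 == little-endian
    e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            endian + "IIQQQQ", data, off)
        yield p_type, p_offset, p_filesz


def linkage_report(data: bytes) -> dict:
    """What the kernel/loader would need to run this file: the interpreter
    path from PT_INTERP (None if absent) and whether PT_DYNAMIC is present."""
    interp = None
    has_dynamic = False
    for p_type, p_offset, p_filesz in program_headers(data):
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            interp = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        elif p_type == PT_DYNAMIC:
            has_dynamic = True
    return {"interp": interp, "has_dynamic": has_dynamic}


def is_fully_static(data: bytes) -> bool:
    """Fully static here means no interpreter and no dynamic segment.
    A static-PIE has PT_DYNAMIC but no PT_INTERP, so it is reported as not
    fully static by this strict rule; relax it if static-PIE is acceptable."""
    report = linkage_report(data)
    return report["interp"] is None and not report["has_dynamic"]


def build_minimal_elf(segments) -> bytes:
    """Constructed test input: a minimal little-endian x86-64 ELF64 whose
    program headers describe the given (p_type, payload) segments. It is not
    loadable; only the headers matter to the checker above."""
    phoff = ELF64_EHDR_SIZE
    data_off = phoff + ELF64_PHDR_SIZE * len(segments)
    phdrs = b""
    body = b""
    for p_type, payload in segments:
        off = data_off + len(body)
        phdrs += struct.pack("<IIQQQQQQ", p_type, 4, off, 0, 0,
                             len(payload), len(payload), 1)
        body += payload
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, phoff, 0, 0,
                                 ELF64_EHDR_SIZE, ELF64_PHDR_SIZE,
                                 len(segments), 0, 0, 0)
    assert len(ehdr) == ELF64_EHDR_SIZE
    return ehdr + phdrs + body


def check_file(path: str) -> bool:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as f:
        return is_fully_static(f.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, "fully static" if check_file(path) else "needs loader")
    else:
        # Assumed sample interpreter path; the image itself is constructed.
        gui_like = build_minimal_elf([
            (PT_INTERP, b"/lib64/ld-linux-x86-64.so.2\0"),
            (PT_DYNAMIC, b"\0" * 16), (PT_LOAD, b"\x90")])
        static_like = build_minimal_elf([(PT_LOAD, b"\x90")])
        print("gui-like:", linkage_report(gui_like))
        print("static-like fully static:", is_fully_static(static_like))
```

Run it with one or more paths (for example the non-GUI release binaries) to get a per-file verdict, or with no arguments to see the constructed samples. The strict rule deliberately rejects static-PIE so that a build intended to carry no dynamic segment at all fails loudly if the linker flags drift.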

fanquake (Member) commented

> fully static binaries

Yea. I think I'm just going to start PR'ing related changes, so we can move forward with static builds separately from the GUI, and keep all its deps / build tools out of the env.

3 participants