Group: Guix/Mirrors

1. Substitutes (guix install, etc.)

The Guix project runs two official build farms that continuously build binary substitutes, so users don't have to build everything at home. When installing Guix or Guix System for the first time, you'll be asked whether to trust their signatures and download their substitutes by default:

• https://ci.guix.gnu.org (Germany)
• https://bordeaux.guix.gnu.org (France)

It's possible that both of these servers are unavailable or intolerably slow in your country. Don't fret just yet: volunteers maintain unofficial mirrors of the official servers:

• Germany
  • https://hydra-guix-129.guix.gnu.org (official mirror of bordeaux.guix.gnu.org in Berlin)
• People's Republic of China
  • https://mirrors.sjtug.sjtu.edu.cn/guix (mirrors ci.guix.gnu.org)
• Singapore
  • https://bordeaux-singapore-mirror.cbaines.net
• United States of America
  • https://bordeaux-us-east-mirror.cbaines.net (mirrors bordeaux.guix.gnu.org)

To use one or more of these mirrors, simply add the URL(s) to the front of your substitute-urls list.

Mirrored substitutes are signed by the original builder, not the mirror. This means that mirror operators cannot add or modify binaries, as long as you trust only the signing keys published by the Guix project.

2. Git (guix pull)

• The official Git repository lives at GNU Savannah. This is what guix pull will use by default.
• There is also one official mirror at Codeberg. We are discussing a gradual migration from Savannah to Codeberg.

It is safe to momentarily guix pull from other copies of the Guix Git repository, for example during upstream outages. Guix will reject commits that haven't been signed by trusted upstream committers. It will also warn loudly about (un)intentional downgrades.

However, Guix will not detect when a mirror is out of date and may lack important (security) updates! You are responsible for checking whether your chosen unofficial Git mirror is still, well, mirroring.