Guix started as a fork of Nix, but I believe all original Nix code has been replaced with Guix specific code at this point. Core functionality is pretty comparable between the two of them. Two differences I can tell you immediately is that GNU Guix has a built in user home configuration management system[0], and Nix depends on an external module to do the same[1]. NixOS, like most distros uses systemd for it's init system. GNU Guix uses Shepherd[2]. Honestly it hasn't really been much of a point of note in my experience, but it's probably worth mentioning as a difference.
Regarding Free vs non-Free packages: this can be a pain point if your system requires non-Free packages to function on GNU Guix. I (like most other Guix users I would guess) use the nonguix[3] channel for additional packages. One of my systems requires the baseline Linux kernel for propriety Ethernet drivers (included in Linux because of GPLv2 :P), so I had to create a custom installation ISO with the baseline kernel. This probably sounds horrifying, but creating a custom installation ISO is actually very easy in Guix (and probably Nix as well). It's the only distro I've ever done it for.
But between the main Guix channel, nonguix, and Flatpak, it's very uncommon that I cannot find what I want. According to repology[4], Guix is the #5 repo for most packages. And the few packages that I have wanted that were missing, I have actually been able to contribute package definitions for upstream to Guix, since the process is very easy and well documented (also the only distro I have ever done that for).
An interesting advantage of Guix over Nix is having better options for runtime isolation. Nix is not well developed in this area yet, although one can always use bwrap or AppArmor to implement something ad hoc.
Besides, Guix uses Scheme everywhere, whereas Nix is a mix of the Nix language and lots of shell code. The Nix language is a pretty elegant lazy functional language, and yields very compact and clean code. But if you want to do complex things, Scheme might be easier.
Although it doesn't seem have much in the way of runtime isolation of Guix source files themselves. From what I can tell it runs the Guile scripts that evaluate to manifests and such as your own user, with all of the authority associated with that.
So although Guix provides good mechanisms for isolating applications at runtime, you do have to put a lot of trust in the channels you're using.
(This is something I would like to see improved as a Guix user.)
Thanks. So there are two concepts where isolation is mentioned, the --pure and the --container options. But still the documentation is very light on details and doesn't really answer what kind of (if any) security boundary or sandbox is provided by the container feature.
How might it compare to eg using nsjail[1] or firecracker [2] or flatpak's sandbox[3]? These could be also good benchmarks for the documentation.
Good point. My main distro is NixOS, so I am not too familiar with Guix. After a quick glance at the code, Guix seems to be similar to bwrap et al. as it uses kernel namespaces for sandboxing [1].
I think the pure option is not really for (security) sandboxing, but rather for making sure your programs do not use any dependencies that are not explicitly declared, i.e. to ensure referential transparency.
This is not actually correct. Guix only ever used a copy of the nix-daemon, because there's no point in reinventing the derivation format or the low-level implementation of functional package management; no other part of nix/nixpkgs has been used to make Guix.
Regarding Free vs non-Free packages: this can be a pain point if your system requires non-Free packages to function on GNU Guix. I (like most other Guix users I would guess) use the nonguix[3] channel for additional packages. One of my systems requires the baseline Linux kernel for propriety Ethernet drivers (included in Linux because of GPLv2 :P), so I had to create a custom installation ISO with the baseline kernel. This probably sounds horrifying, but creating a custom installation ISO is actually very easy in Guix (and probably Nix as well). It's the only distro I've ever done it for.
But between the main Guix channel, nonguix, and Flatpak, it's very uncommon that I cannot find what I want. According to repology[4], Guix is the #5 repo for most packages. And the few packages that I have wanted that were missing, I have actually been able to contribute package definitions for upstream to Guix, since the process is very easy and well documented (also the only distro I have ever done that for).
[0] https://guix.gnu.org/manual/en/html_node/Home-Configuration....
[1] https://github.com/nix-community/home-manager
[2] https://www.gnu.org/software/shepherd
[3] https://gitlab.com/nonguix/nonguix
[4] https://repology.org/