bug#22883: Trustable "guix pull"
From: Christopher Allan Webber
Subject: bug#22883: Trustable "guix pull"
Date: Wed, 02 Mar 2016 13:07:04 -0800
User-agent: mu4e 0.9.13; emacs 24.5.1

Leo Famulari writes:
> On Wed, Mar 02, 2016 at 10:03:59AM -0800, Christopher Allan Webber wrote:
>> Right now, when a user does a "guix pull", that pulls down the latest
>> repository of code from git, which is kept in a tarball. Once you
>> receive the latest code, this has some checks: what's the hash of each
>> package, etc.
>
> A discussion worth having. But, let's merge this bug into
> debbugs.gnu.org/22629.

I'm not sure they should be merged, though they're related. That thread
doesn't deal at all with security, though it provides some other good
ideas. It even says:

  PS: I do not mention the issue of authenticating code here, which is
  obviously very important and deserves to be treated separately.

However I have no objections to merging them if others think we should.

> Also, we should read "The Update Framework" as requested there.

This? https://theupdateframework.github.io/
There seem to be quite a few papers there!