Re: Security questions around using Guix to package apps
From: Divan Santana
Subject: Re: Security questions around using Guix to package apps
Date: Fri, 30 Jun 2017 15:22:01 +0200
Ludovic Courtès <address@hidden> writes:
> Hello Divan,
>
> Divan Santana <address@hidden> writes:
>
>> If guix is installed on a system and configured to point to substitutes
>> that the same nonroot user has access to submit and approve packages in,
>> can that nonroot user on the system gain root? Therefore would one need
>> to review the submitted packages to avoid the user gaining root?
>>
>> (This is talking about guix package manager on a foreign distro like
>> RedHat)
>>
>> I'm guessing it's not possible. Though would be nice to have
>> feedback from those that are more familiar with it.
>
> We owe this design to Eelco Dolstra et al. of Nix. There’s a very good
> analysis in this paper:
>
> https://nixos.org/~eelco/pubs/secsharing-ase2005-final.pdf
>
> Hopefully it answers all your questions and more. If not, come back
> here. :-)
Thanks Ludo. :-)