
Re: Security of packages in official repo


From: zimoun
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 20:30:11 +0100

Hi Ricardo,

On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
> zimoun <zimon.toutoune@gmail.com> writes:
>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware
>>> potentially introduced by the authors/maintainers themselves?
>>
>> Nothing.

The correct quote is: «Nothing.  It is about trust, as with any
distribution.»

> It’s a little more than nothing in some cases.  For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home.  Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don’t assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case.  That
> would neither be feasible nor would it guarantee satisfactory results.

Even if I agree and your complement makes total sense, and for sure I
am very thankful for all the tough collective work done, I still claim
that “you do not know that a piece of software supplied to you by
<name-it> is free from malware potentially introduced by <whatever>”.
The only way to know is to audit it yourself and compile it yourself
using a toolchain that you audited yourself.

Therefore, it is about trust.

The question is: what does Guix do to be trust-able?  I think all the
code around speaks for itself.  And personally I trust the people doing
that job and then pushing to Guix.


Cheers,
simon
