[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security of packages in official repo
|
From: |
Ricardo Wurmus |
|
Subject: |
Re: Security of packages in official repo |
|
Date: |
Thu, 26 Nov 2020 22:10:21 +0100 |
|
User-agent: |
mu4e 1.4.13; emacs 27.1 |
zimoun <zimon.toutoune@gmail.com> writes:
> Hi Ricardo,
>
> On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
>> zimoun <zimon.toutoune@gmail.com> writes:
>>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>>
>>>> However, can anyone point me to, or explain - what is done to audit
>>>> packages in the official Repo in the first place - i.e. how do I know
>>>> that a piece of software supplied to me by Guix is not only
>>>> delivered in a safe/reliable fashion, but is also free from malware
>>>> potentially
>>>> introduced by the authors/maintainers themselves?
>>>
>>> Nothing.
>
> The correct quote is: «Nothing. It is about trust, as with any
> distribution.»
[…]
> Therefore, it is about trust.
Certainly, I do not disagree. When someone does extra work to audit the
code and nobody is there to witness it … “does it make a sound”? :)
All dilligence here is trust with extra steps, but it still is
trust-based.
--
Ricardo