help-guix
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: some questions about GUIX


From: Ludovic Courtès
Subject: Re: some questions about GUIX
Date: Fri, 01 Jan 2016 15:45:59 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Sam Halliday <address@hidden> skribis:

> As a Java / Scala developer, I avoid all repackaged jars unless they
> contain a bug or security fix. I don't see why I should trust a package
> manager (and their machines), who are self-confessed non-experts, more
> than the original author of that library, who has GPG signed their
> artefacts and made their source code available.

Jars are binaries.  What Guix seeks to offer is a way for users to make
sure that the binaries they run correspond to the source code they think
it corresponds to.  See:

  https://savannah.gnu.org/forum/forum.php?forum_id=8407

The practice of installing binaries built by a third-party without
having any way to verify that those binaries are authentic is inherently
unsafe.  It’s also a serious attack on user freedom if users aren’t able
to rebuild software by themselves.

We set out to address that.  The cost may be, indeed, that it’ll be some
time before a large set of Java/Scala packages can be imported in Guix.

Thanks for your feedback,
Ludo’.



reply via email to

[Prev in Thread] Current Thread [Next in Thread]