Re: Security of packages in official repo

From: Ricardo Wurmus
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 17:51:45 +0100
User-agent: mu4e 1.4.13; emacs 27.1

zimoun <zimon.toutoune@gmail.com> writes:
> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware
>> potentially introduced by the authors/maintainers themselves?
>
> Nothing.
It’s a little more than nothing in some cases. For example, there was
extensive work to gain confidence that Ungoogled Chromium does not phone
home. Generally, anti-features such as update checkers that phone home
are patched out.
We generally take the code as is, however, and don’t assume that every
bit of free software out there is malware in disguise until it is
demonstrated beyond reasonable doubt that this is not the case. That
would neither be feasible nor would it guarantee satisfactory results.
--
Ricardo