Re: Security of packages in official repo
From: Phil
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 19:07:01 +0000
User-agent: mu4e 1.2.0; emacs 26.3
Thanks for the reply Simon.
zimoun writes:
> Nothing. It is about trust, as with any distribution. Now, you can
> audit the source code yourself, compile it yourself and check whether
> it is the same as what the substitutes serve you.
I understand that Guix makes the process of reproducibility and auditing
much more rock-solid than most other distributions - and this more than
satisfies any requirements I have for proving that software package X
is a true representation of source code X, built with toolchain Y.
This is great - but my question is more mundane than that.
The good news is I think it's answered here:
https://guix.gnu.org/manual/en/guix.html#Submitting-Patches
Say I have a new piece of software I've developed and I want to make it
available through Guix's official repo. I define a new Guix package for
that app - and create a patch for it.
The important point is that the patch is vetted by the members of
guix-patches@gnu.org mail list. And I assume packages which appear
inappropriate for whatever reason are not accepted by members of this
list?
This is different to PyPI for example where (I believe) anyone can upload
any content and have the public downloading it immediately without any
approval or vetting - it's pretty Wild West.
This makes some institutions unwilling to give students/employees/etc.
access to systems like PyPI... but on other systems where there is a
degree of scrutiny required (such as patch vetting on Guix) - this can
make a world of difference in terms of getting a tick in the right box.
Whether there is wisdom or any real protection is a separate question
of course (nobody will guarantee every line of every source repo!), but
nevertheless from a practical point of view, it can prove useful in
getting software like Guix adopted - which is what I'm keen to do.
As a workaround it would seem perfectly possible to host a private Guix
channel with a subset of packages that have been internally vetted,
but it would be more in the spirit of Guix to contribute and use the
official package repo.
Thanks - hopefully I haven't overly laboured my point!
Phil
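The private, internally vetted channel Phil mentions as a workaround is configured through a channels.scm file. The snippet below is an added illustration, not from the thread or the Guix project; the channel name, URL, branch, commit and OpenPGP fingerprint are placeholders that an organisation would replace with its own. The official channel is kept via `%default-channels` because `guix pull` fetches Guix itself from it.

```scheme
;; ~/.config/guix/channels.scm (added illustration, not from the thread).
;; Placeholders: channel name, URL, branch, commit hash and fingerprint
;; all stand in for an organisation's own values.
(cons (channel
        (name 'internal-vetted)
        (url "https://git.example.org/internal/guix-channel.git")
        (branch "main")
        ;; The channel introduction pins the first commit to trust and the
        ;; OpenPGP fingerprint of the key that signed it.  From then on
        ;; `guix pull` checks that each newer commit is signed by a key
        ;; listed in the channel's .guix-authorizations file and refuses
        ;; the update otherwise, so a compromised git server alone cannot
        ;; push an unvetted package to clients.
        (introduction
         (make-channel-introduction
          "0000000000000000000000000000000000000000"    ; placeholder commit
          (openpgp-fingerprint
           "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000")))) ; placeholder
      %default-channels)
```

After `guix pull`, `guix describe` lists both channels with the exact commits in use, which gives the auditable record of what was deployed.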