From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp11.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms5.migadu.com with LMTPS id cDTwLtxXSGOJ5QAAbAwnHQ (envelope-from ) for ; Thu, 13 Oct 2022 20:24:28 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp11.migadu.com with LMTPS id sGbYLtxXSGMKVwEA9RJhRA (envelope-from ) for ; Thu, 13 Oct 2022 20:24:28 +0200 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id 5271F1B36E for ; Thu, 13 Oct 2022 20:24:28 +0200 (CEST) Received: from localhost ([::1]:36946 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1oj2sc-0005QW-0g for larch@yhetil.org; Thu, 13 Oct 2022 14:24:26 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:57498) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1oj2sE-0005Px-Hs for bug-guix@gnu.org; Thu, 13 Oct 2022 14:24:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:35844) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1oj2sE-0007ML-1l for bug-guix@gnu.org; Thu, 13 Oct 2022 14:24:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1oj2sD-0001J2-NP for bug-guix@gnu.org; Thu, 13 Oct 2022 14:24:01 -0400 X-Loop: help-debbugs@gnu.org Subject: bug#57878: Minimal reproducible setup Resent-From: Liliana Marie Prikler Original-Sender: "Debbugs-submit" Resent-CC: bug-guix@gnu.org Resent-Date: Thu, 13 Oct 2022 18:24:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 57878 X-GNU-PR-Package: guix X-GNU-PR-Keywords: To: Max Brieiev Cc: Konrad Hinsen , "Thompson, David" , 57878@debbugs.gnu.org Received: via spool by 57878-submit@debbugs.gnu.org id=B57878.16656853954951 (code B ref 57878); Thu, 13 Oct 2022 18:24:01 +0000 Received: (at 57878) by debbugs.gnu.org; 13 Oct 2022 18:23:15 +0000 Received: from localhost ([127.0.0.1]:34922 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oj2rT-0001Hm-85 for submit@debbugs.gnu.org; Thu, 13 Oct 2022 14:23:15 -0400 Received: from mail-ej1-f65.google.com ([209.85.218.65]:38447) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1oj2rS-0001Ha-1g for 57878@debbugs.gnu.org; Thu, 13 Oct 2022 14:23:14 -0400 Received: by mail-ej1-f65.google.com with SMTP id fy4so5732275ejc.5 for <57878@debbugs.gnu.org>; Thu, 13 Oct 2022 11:23:14 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:from:to:cc:subject :date:message-id:reply-to; bh=GAvaw0J7x1dLdh6L3EuOahpw8j1Gu2nWcw4Uhu+J6jA=; b=Kn4wb4dSu891LpOOvzRNO1Et0Wl2CYHSc5TKT5abE6c/CsBhwpX7dWsafg+vQb1m6Z P+mJnpZoikRpYCSfdjPDoKBAvy8Fu20Hv/4a1YIcmdSJYDaXK9ABE5oT8+IDEgjN4PzF +zz2x5qyyMyLCKJIv25zDtMwyEDpKvA4NEhm9W0yARggJjgSIkOcRp1xmcv58MmErdKT bIidWvneTX1uPwprZvPbZc172A5Qlf3BLk5hg+xCrfLmLTI+A2pixIcMIJVXMmVPRRv1 +b5PBYmGmIKv9FMM4e8w6hUxFGivH7x957CdUuILvACCfHf0IHwVNEEtj5JAvWo808nA XeYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:user-agent:content-transfer-encoding:references :in-reply-to:date:cc:to:from:subject:message-id:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=GAvaw0J7x1dLdh6L3EuOahpw8j1Gu2nWcw4Uhu+J6jA=; b=5W9rMsD6ROtIGtFDe4IcUx0ZFxYgkg+Z2atr+v8uy+xRtzoyL4YsAt1LqZRcRhpmK5 ovvVNABmNVSrQognAcO4HFbk02aYZl11fT9oPW25quZmH+vYriAngzbsu7fG3h0kst3S 5q7Bl7bETdZFjyC8JixwX44bah8QIJZ0jqawlUDvlBBRVOCAarl3mPpzt/lzvd0+sDFc ZSRCkeYEMWmMZjqwpERQDai+sU5TANfyQROLBIaEMk3D6J3g9J3EFy8YNloYPz3cBfxN /4HyBM7qcvKxdrP43ZJN+u/hhUjt4fs+ozhBg1wxP/zqVB6Cl/Iud7wvdPOIT8xKSXBu UqxQ== X-Gm-Message-State: ACrzQf1mrmD3gVzs4Gv/SLVQMd7AZDaYLwJGlarpxd7iqvxhvxPncLg5 re7ujRITfAL4F/joDYmMuDU= X-Google-Smtp-Source: AMsMyM7QozILes7vnhwvVfAI/2G+7ruMF+45IBxnp4X2hnp20OJ+mrzdIHefLBotlivMjY4JG5EsNA== X-Received: by 2002:a17:906:9b86:b0:73d:72cf:72af with SMTP id dd6-20020a1709069b8600b0073d72cf72afmr767084ejc.440.1665685388212; Thu, 13 Oct 2022 11:23:08 -0700 (PDT) Received: from lumine.fritz.box (85-127-52-93.dsl.dynamic.surfer.at. [85.127.52.93]) by smtp.gmail.com with ESMTPSA id v3-20020a1709063bc300b0077a201f6d1esm223086ejf.87.2022.10.13.11.23.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 13 Oct 2022 11:23:07 -0700 (PDT) Message-ID: <603e94929389d6d4c61939fb3a7251ea74d632ae.camel@gmail.com> From: Liliana Marie Prikler Date: Thu, 13 Oct 2022 20:23:06 +0200 In-Reply-To: <87wn943w9p.fsf@gmail.com> References: <12eb8b51fe6c9508517e19bdeed923c389cafe1f.camel@gmail.com> <6873fe86a05a548e7427d2de7df04a27a967713a.camel@gmail.com> <87wn943w9p.fsf@gmail.com> Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.46.0 MIME-Version: 1.0 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: bug-guix@gnu.org List-Id: Bug reports for GNU Guix List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-guix-bounces+larch=yhetil.org@gnu.org Sender: "bug-Guix" X-Migadu-Flow: FLOW_IN X-Migadu-Country: US ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1665685468; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=GAvaw0J7x1dLdh6L3EuOahpw8j1Gu2nWcw4Uhu+J6jA=; b=mSE2seTOYAunYjWI8t5PATkyfZuC8X0uXqxqw/5KV7SHAg1QRVCs1LA49uOHpGuyYanc3T eXfoSvkN2DxtYs7CeRYk8YyJnPkw6exHb8fzy0v4pqkTfvf3JTy+I0CSX6/mLCxo9qZC7X 1L+xNGef79Tgq+DUFoY4CVW1qZcQsJOWU3wiM72jxBLwlvPE5uf0/MHxwK5pmaBrY6+cOo GaqrJhvkwyC7rtkQxWIsVqAvDnVvHwzMh+9DFBW3V9XB5QZJpR4199cNNp8jzw38zcMPFk mvzNDX0h6jr17BzgQU0n39bMXQVqvIAccRB+WW7gbNJ9XWuBqeglMJrLqFFLMQ== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1665685468; a=rsa-sha256; cv=none; b=sHCHXSc5wwhS1HAca+WhZIOxHP4hZPPTfqUhMzAWEVt3voDc3PE3poupNE4MWgYfVjDOPh TB5OUsCtS/OH1yWXg9gfLUH26uHKiR4MKt/dh9+jsMzDhnyTuUsrIlv4gOy/uIh4TeswVS Jjy/uQyD1t37Tku6g2kZJe3C4FUzdrJVgEqEgAMLDGOhkPdvNBv4hM5tVPbz+wZxCm3N3I /rhocZJxqHj8/aVEKfwS2zBHOxkjsG6E8qi1OTUv2JeljKUvag0/W9I4QAsa9qFcn00QXo 7PSIwH/Bn+pgMMoLCuM1Psq4qBcil/AbxZ3eWCdN+NryFJWoXPSLG2JjVO+Ltg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=Kn4wb4dS; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Spam-Score: 9.10 X-Spam: Yes Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=gmail.com header.s=20210112 header.b=Kn4wb4dS; dmarc=fail reason="SPF not aligned (relaxed)" header.from=gmail.com (policy=none); spf=pass (aspmx1.migadu.com: domain of "bug-guix-bounces+larch=yhetil.org@gnu.org" designates 209.51.188.17 as permitted sender) smtp.mailfrom="bug-guix-bounces+larch=yhetil.org@gnu.org" X-Migadu-Queue-Id: 5271F1B36E X-Spam-Score: 9.10 X-Migadu-Spam: Yes X-Migadu-Scanner: scn1.migadu.com X-TUID: KvTloXHzFByX Am Donnerstag, dem 13.10.2022 um 12:31 +0300 schrieb Max Brieiev: > > I think this reasoning really falls flat in presence of any non- > > Emacs package manager.=C2=A0 Like, obviously wanting to natively compil= e > > packages managed by (dpkg, rpm, pacman, emerge, guix), but not > > natively compiling a random elisp script you just downloaded from > > the web is a legitimate use case. >=20 > If security is a concern, you should not load random Elisp in the > first place. It is much easier to just directly run harmful elisp, > then to exploit native compiler, which stays silent until after you > evaluate some (possibly harmful) elisp. The nature of compiled code being compiled makes it much easier to exploit, however. Assume you have a genuine dash.el, but a malicious person delivers you a dash.eln with some backdoor. Unless you know how to read x86 assembly, you won't debug the latter, whereas you could reasonably find the former if you're an Elisp hacker. This is typically not a concern for Guix, where the challenge mechanism provides tools to highlight that something is going wrong, but it might be a concern for traditional distros. Then again, the same applies to bytecode too, and here as well the solution is to typically use a trusted package manager. Cheers