From: John Darrington
Subject: Re: security concerns of using guix packages
Date: Sat, 4 Jul 2015 22:43:04 +0200
Message-ID: <20150704204304.GA15555@jocasta.intra>
References: <87a8vcuhnn.fsf@gnu.org>
To: "Claes Wallin (?????????)"
Cc: guix-devel

On Sat, Jul 04, 2015 at 09:51:22PM +0200, Claes Wallin (?????????) wrote:
> On 04-Jul-2015 4:22 pm, "Ludovic Courtès" wrote:
>
> Still, if an installed package is not depending on the latest version of
> the vulnerable package, the graft won't reach them. So there is still some
> education and continuous information necessary if you want to be on top of
> things.

This is true.
However, one advantage of Guix is that, because of the rollback mechanism,
if you suddenly hear that there was a gaping great security hole introduced
into package foo in version 1.2.3 and no fix is yet available, it is very
easy to roll back to version 1.2.2.

J'

-- 
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.