From: Tomáš Čech
Subject: Re: A registry for distributed sources and binaries
Date: Mon, 25 Jul 2016 09:18:49 +0200
Message-ID: <20160725071849.kx355nuzhdddvzlr@venom>
In-Reply-To: <87wpka7p0g.fsf@elephly.net>
References: <579027b7.VHXjhpPxQC3AAmeY%pjotr.public12@email> <8760rznoh1.fsf@gnu.org> <20160722004130.GA10340@thebird.nl> <874m7hk6dz.fsf_-_@gnu.org> <20160724033027.GA20236@thebird.nl> <87wpka7p0g.fsf@elephly.net>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

On Sun, Jul 24, 2016 at 10:35:43PM +0200, Ricardo Wurmus wrote:
> What do you think about that? Does this align with your vision?
>
> What do others think? Is this something that would benefit the Guix
> project and its audience?

I like the idea a lot.
I'm only concerned with the security of such a thing. When the number of other package sources grows, it should be ensured that some package definition will not touch core/library without user consent. If they take packages from random sources (as careful as they are when downloading applications for Windows from various sources or reading licenses), it may easily become a security threat to the whole system.

I'd be glad if we could stop using the GUIX_PACKAGE_PATH environment variable (which is a bit clumsy) and have support for multiple sources, with priorities (for cases of collisions) and maybe, in the future, support for some digital signatures.

\o/

S_W
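The three properties asked for in the message above (priorities to settle name collisions, a signature on each source, and no redefinition of core/library packages without user consent) as an added example in Go. This is illustration code, not Guix's channel implementation and not code from the poster. Assumptions: lower priority number wins; Ed25519 over a JSON manifest stands in for "some digital signatures"; the source names, package names, the core-package list and the keys are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"sort"
)

// Source is one registered package source. Lower Priority wins on collisions; Core marks
// the distribution's own source; MayOverride is explicit user consent to define core packages.
type Source struct {
	Name        string
	Priority    int
	PubKey      ed25519.PublicKey
	Core        bool
	MayOverride bool
}
// Manifest lists the packages a source defines; Source is under the signature so a
// manifest signed for one source cannot be replayed as another's.
type Manifest struct {
	Source   string   `json:"source"`
	Packages []string `json:"packages"`
}
// SignedManifest is the serialised manifest plus the source's Ed25519 signature over it.
type SignedManifest struct {
	Body, Sig []byte
}
// CorePackages is a constructed stand-in for the "core/library" set.
var CorePackages = map[string]bool{"glibc": true, "gcc": true, "coreutils": true}
// Resolution records package ownership, refusals with their reason, and settled collisions.
type Resolution struct {
	Owner               map[string]string
	Refused, Collisions []string
}

func Sign(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m) // a struct of strings cannot fail to marshal
	return SignedManifest{Body: body, Sig: ed25519.Sign(priv, body)}
}

// Resolve verifies each manifest against its source's registered key, refuses core
// packages from sources without consent, and settles name collisions by priority.
func Resolve(sources []Source, manifests map[string]SignedManifest) Resolution {
	res := Resolution{Owner: map[string]string{}}
	ordered := append([]Source(nil), sources...) // sort a copy, not the caller's slice
	sort.SliceStable(ordered, func(i, j int) bool { return ordered[i].Priority < ordered[j].Priority })
	for _, src := range ordered {
		sm, ok := manifests[src.Name]
		if !ok || !ed25519.Verify(src.PubKey, sm.Body, sm.Sig) {
			res.Refused = append(res.Refused, src.Name+": missing or invalid signature")
			continue
		}
		var m Manifest
		if err := json.Unmarshal(sm.Body, &m); err != nil || m.Source != src.Name {
			res.Refused = append(res.Refused, src.Name+": manifest does not name this source")
			continue
		}
		for _, pkg := range m.Packages {
			if CorePackages[pkg] && !src.Core && !src.MayOverride {
				res.Refused = append(res.Refused, src.Name+": not allowed to define core package "+pkg)
				continue
			}
			if owner, taken := res.Owner[pkg]; taken {
				res.Collisions = append(res.Collisions, pkg+": "+owner+" shadows "+src.Name)
				continue
			}
			res.Owner[pkg] = src.Name
		}
	}
	return res
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error only if the CSPRNG fails
	return pub, priv
}

// Demo registers three constructed sources with fresh keys: the core source, a "science"
// source that also tries to redefine glibc, and a "random-blog" source whose manifest is
// signed with a key other than the one registered for it.
func Demo() Resolution {
	corePub, corePriv := mustKey()
	sciPub, sciPriv := mustKey()
	blogPub, _ := mustKey()
	_, wrongPriv := mustKey()
	sources := []Source{
		{Name: "core", Priority: 0, PubKey: corePub, Core: true},
		{Name: "science", Priority: 10, PubKey: sciPub},
		{Name: "random-blog", Priority: 20, PubKey: blogPub},
	}
	manifests := map[string]SignedManifest{
		"core":        Sign(corePriv, Manifest{Source: "core", Packages: []string{"glibc", "gcc", "python"}}),
		"science":     Sign(sciPriv, Manifest{Source: "science", Packages: []string{"python", "numpy", "glibc"}}),
		"random-blog": Sign(wrongPriv, Manifest{Source: "random-blog", Packages: []string{"coreutils"}}),
	}
	return Resolve(sources, manifests)
}
```

Running Demo() yields core owning glibc, gcc and python, science owning numpy, one collision (core shadows science on python), and two refusals: science may not define glibc without consent, and random-blog is dropped entirely because its manifest does not verify under the registered key. The signature is checked before anything in the manifest is trusted, and the source name is inside the signed body, so a manifest from one source cannot be replayed under another source's registration.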