Hi!

"Cook, Malcolm" skribis:

> Hello Guixen (Guixers? Guix-noscenti?)

Simply “Guix” (pronounced like “geeks”). :-)

> The sys admin at my institute expresses concern that we would potentially expose ourselves to additional security risk by building a scientific software stack in Guix where we might depend on alternate versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a "position statement" on the matter?

Guix provides guarantees that no traditional distro provides.

Guix users can choose to use substitutes (pre-built binaries). In that case, they have to trust the binary provider:

  http://www.gnu.org/software/guix/manual/html_node/Substitutes.html

But the first big difference compared to Debian, Fedora, etc. is that users can:

  1. Choose their binary provider; it doesn’t have to be hydra.gnu.org.

  2. Choose *not* to use binaries from a third party, and instead build packages locally.

(By contrast, see the description of Debian’s “dirtiest secret” by the former DPL in , at around 28 mn.)

In addition, the functional package management paradigm (see ) allows users to know exactly how a package is built. For instance, anyone can trivially audit the recipe at . By construction, the result of ‘guix build openssl’ corresponds precisely to the build process that this recipe and the ones it depends on describe.

A concern could be the time it takes for the project to deploy security fixes. Obviously there are far fewer Guix contributors than Debian contributors, but so far we do pretty well nevertheless (thanks to Mark H Weaver for the most part).

A related concern is the time it takes to actually deploy the fixed binaries on your machine. This is discussed at:

  http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

I hope this clarifies things!

Thanks,
Ludo’.
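The two choices listed above (pick your own binary provider, or build everything locally) can be pinned down in the daemon configuration rather than left to each user's command line. The fragment below is an added example of a Guix System config.scm, not code from the message or from the Guix project; the substitute server URL, its key file path and the %site-services name are assumptions.

```scheme
;; Added example: a fragment of config.scm on a Guix System machine.
;; It restricts guix-daemon to one substitute server that the site runs
;; itself and authorizes only that server's signing key, so binaries
;; signed by any other provider (hydra.gnu.org included) are rejected.
(use-modules (gnu)
             (gnu services base))   ; guix-service-type, guix-configuration

(define %site-substitute-url
  ;; Hypothetical in-house substitute server (assumption).
  "https://substitutes.example.org")

(define %site-services
  (modify-services %base-services
    (guix-service-type
     config =>
     (guix-configuration
      (inherit config)
      ;; Choice 1: our own binary provider, nothing else.
      (substitute-urls (list %site-substitute-url))
      ;; Only this key may sign substitutes we accept.  The file is the
      ;; server's /etc/guix/signing-key.pub, copied here (path assumed).
      (authorized-keys
       (list (local-file "/etc/guix/substitutes.example.org.pub")))
      ;; Choice 2, instead of the two fields above: never use substitutes
      ;; and build every package locally from its audited recipe.
      ;; (use-substitutes? #f)
      ))))

;; Use %site-services as the `services' field of the machine's
;; operating-system declaration (the rest of config.scm is unchanged).
```

On a foreign distro without Guix System, the same effect comes from `guix archive --authorize` for the key and `--substitute-urls` / `--no-substitutes` on the guix-daemon command line. To check that a locally built package really matches the recipe, `guix build --check openssl` rebuilds it and reports any difference from what is already in the store.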