From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: security concerns of using guix packages
Date: Sat, 04 Jul 2015 16:22:20 +0200
Message-ID: <87a8vcuhnn.fsf@gnu.org>
In-Reply-To: (Malcolm Cook's message of "Fri, 3 Jul 2015 00:38:49 +0000")
To: "Cook, Malcolm"
Cc: Guix-devel, "McGee, Jenny"

Hi!

"Cook, Malcolm" skribis:

> Hello Guixen (Guixers? Guix-noscenti?)

Simply “Guix” (pronounced like “geeks”.) :-)

> The sys admin at my institute expresses concern that we would potentially expose ourselves to additional security risk by building a scientific software stack in Guix where we might depend on alternate versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a "position statement" on the matter?

Guix provides guarantees that no traditional distro provides.

Guix users can choose to use substitutes (pre-built binaries.)
In that case, they have to trust the binary provider:

  http://www.gnu.org/software/guix/manual/html_node/Substitutes.html

But the first big difference compared to Debian, Fedora, etc. is that users can:

  1. Choose their binary provider–it doesn’t have to be hydra.gnu.org.
  2. Choose *not* to use binaries from a third party, and instead build packages locally.

(By contrast, see the description of Debian’s “dirtiest secret” by the former DPL in , at around 28 mn.)

In addition, the functional package management paradigm (see ) allows users to know exactly how a package is built. For instance, anyone can trivially audit the recipe at . By construction, the result of ‘guix build openssl’ corresponds precisely to the build process that this recipe and the ones it depends on describe.

A concern could be the time it takes for the project to deploy security fixes. Obviously there are much fewer Guix contributors than Debian contributors, but so far we do pretty well nevertheless (thanks to Mark H Weaver for the most part.)

A related concern is the time it takes to actually deploy the fixed binaries on your machine. This is discussed at:

  http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

I hope this clarifies things!

Thanks,
Ludo’.