From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: security concerns of using guix packages
Date: Sat, 04 Jul 2015 16:32:01 +0200
To: Claes Wallin (韋嘉誠)
Cc: guix-devel, "McGee, Jenny"

Claes Wallin (韋嘉誠) wrote:

> If I'm interpreting the OP's IT department correctly, this is not about
> trusting guix or Red Hat regarding malice, not about binaries and
> substitutions, but regarding competence and diligence, and the package
> tree. If there are important patches coming out, will they get into
> guix/Red Hat fast enough and will they get to users fast enough?

That's a valid concern, and there's not much we can say other than
we've been doing our best and will continue to do so.

That said, sysadmins don't have to wait for upstream Guix to provide
the patch; in case of urgency, they could easily add the necessary
patches to, say, , upgrade their software, and share the patch with
upstream Guix.

Of course that would be a last resort, and I hope users don't run into
it. But what it means is that users are more independent than with a
traditional distro.

Ludo'.
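As an added illustration (not from Ludovic's message or from the Guix project), one way a sysadmin can carry such a patch locally until upstream ships it: a Guix package variant that inherits the original definition and appends a local patch file to the source's patch list. The package variable `foo`, its module `(gnu packages foo)` and the file `foo-security-fix.patch` are hypothetical placeholders.

```scheme
;; Added example, not from the message: a local package variant that carries
;; an extra patch until upstream Guix ships the fix. Assumes a hypothetical
;; package variable `foo` exported by (gnu packages foo) and a patch file
;; `foo-security-fix.patch` next to this file; both names are placeholders.
(use-modules (guix packages)
             (guix gexp)
             (gnu packages foo))

(define-public foo/patched
  (package
    (inherit foo)
    (name "foo-patched")
    (source
     (origin
       (inherit (package-source foo))
       ;; Keep whatever patches upstream Guix already applies and append
       ;; the local one, so the variant differs from upstream by one file.
       (patches (append (origin-patches (package-source foo))
                        (list (local-file "foo-security-fix.patch"))))))))

;; Evaluate to the variant so `guix build -f this-file.scm` builds it and
;; `guix package -f this-file.scm` installs it into the user's profile.
foo/patched
```

Once upstream Guix ships the same fix, dropping this file and running the normal upgrade returns the machine to the shared package definition, so the local deviation is easy to audit and to retire.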