From: "Ludovic Courtès" <ludo@gnu.org>
To: Zhu Zihao <all_but_last@163.com>
Cc: guix-science@gnu.org, guix-devel@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 18 Jul 2022 14:30:43 +0200 [thread overview]
Message-ID: <87lesqzjpo.fsf@gnu.org> (raw)
In-Reply-To: <86v8rug31z.fsf@163.com> (Zhu Zihao's message of "Mon, 18 Jul 2022 17:40:53 +0800")
Hi,
Zhu Zihao <all_but_last@163.com> skribis:
> https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
>
> Here's a detailed report about Marak and faker.js.
Interesting. But yeah, a Guix committer could change Guix anytime to
print “LIBERTY” (that’s very much the spirit of the project ;-)) or they
could, simply, unwillingly introduce bugs. No technical mechanism can
prevent that.
>>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>>> code is allowed. But Guix channel is less restricted than a Nix flake.
>>> It's a important problem to make sure the evaluation is safe for the user.
>>
>> Yes, I understand. I don’t think that makes a practical difference
>> though: when you pull from a Guix channel or fetch a Nix flake, that’s
>> because you want to install software according to what that
>> channel/flake provides. So whether evil code is in the channel/flake
>> (as Scheme/Nix code) or in the package(s) themselves makes little
>> difference.
>>
>> Does that make sense?
>
> My two cents: When depolying a manifest, we use `guix package -p
> <path-to-profile> -m <path-to-manifest>`, This command consists two
> parts. Guix will first evaluate the packages specified in the manifest,
> and build the profile. And then populate the profile to given
> destination. The first part can be done in a sandboxed environment, or a
> non-privileged account like "nobody".
Sure, though at a technical level is trickier than this, and again, it
doesn’t change the fact that you’ll end up running code provided by the
very same developers.
Thanks,
Ludo’.
next prev parent reply other threads:[~2022-07-18 12:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-30 14:13 “Building a Secure Software Supply Chain with GNU Guix” Ludovic Courtès
2022-06-30 21:37 ` bokr
2022-07-01 9:21 ` zimoun
2022-07-03 10:38 ` Bengt Richter
2022-07-04 8:21 ` zimoun
2022-07-04 14:56 ` Bengt Richter
2022-07-04 7:44 ` Ludovic Courtès
2022-07-17 7:54 ` Zhu Zihao
2022-07-18 8:45 ` Ludovic Courtès
2022-07-18 9:40 ` Zhu Zihao
2022-07-18 12:30 ` Ludovic Courtès [this message]
2022-07-18 12:38 ` Ricardo Wurmus
2022-07-19 13:53 ` Maxime Devos
2022-07-19 7:21 ` Arun Isaac
2022-07-19 12:11 ` Ludovic Courtès
2022-07-20 6:17 ` Arun Isaac
2022-07-19 13:45 ` Maxime Devos
-- strict thread matches above, loose matches on Subject: below --
2022-07-19 0:35 Jeremiah
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87lesqzjpo.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=all_but_last@163.com \
--cc=guix-devel@gnu.org \
--cc=guix-science@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).