From mboxrd@z Thu Jan 1 00:00:00 1970 From: =?UTF-8?B?Q2xhZXMgV2FsbGluICjpn4vlmInoqqAp?= Subject: Re: security concerns of using guix packages Date: Fri, 3 Jul 2015 07:40:59 +0200 Message-ID: References: <20150703044421.GA13727@jocasta.intra> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary=e89a8f83a8c53482c60519f200d5 Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:58276) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZAtih-0002rj-EH for guix-devel@gnu.org; Fri, 03 Jul 2015 01:41:04 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ZAtig-0006bw-01 for guix-devel@gnu.org; Fri, 03 Jul 2015 01:41:03 -0400 Received: from mail-ob0-x22c.google.com ([2607:f8b0:4003:c01::22c]:33507) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ZAtif-0006aQ-Pv for guix-devel@gnu.org; Fri, 03 Jul 2015 01:41:01 -0400 Received: by obpn3 with SMTP id n3so63209548obp.0 for ; Thu, 02 Jul 2015 22:40:59 -0700 (PDT) In-Reply-To: <20150703044421.GA13727@jocasta.intra> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: John Darrington Cc: guix-devel , "McGee, Jenny" --e89a8f83a8c53482c60519f200d5 Content-Type: text/plain; charset=UTF-8 On Jul 3, 2015 6:44 AM, "John Darrington" wrote: > On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote: >> The sys admin at my institute expresses concern that we would potentially expose ourselves to additional security risk by building scientific software stack in Guix where we might depend on alternate versions of, say, openssl. > When you install (say Redhat), like you say, you have to trust that Redhat > hasn't (deliberately or maliciously) put malware into any of the MANY THOUSAND > binaries that make up the OS. If I'm interpreting the OP's IT department correctly, this is not about trusting guix or Red Hat regarding malice, not about binaries and substitutions, but regarding competence and diligence, and the package tree. If there are important patches coming out, will they get into guix/Red Hat fast enough and will they get to users fast enough? The IT department does have a point. First, Red Hat has a billion dollar turnover and hundreds of developers and integrators and a full-time security team. Guix has a handful to a few dozen volunteers, depending on how you count. Second, users manage packages themselves, which could lead to a user running on a two-year-old OpenSSL because they didn't do guix package -u. On the other hand, vulnerabilities are the most serious when they are in network-accessible services, which are probably run by the IT department using commercial or commercial-derived packages. I would kindly ask the sysadmin to chill. Or contribute to guix when CentOS gets an OpenSSL security patch. ;-) --e89a8f83a8c53482c60519f200d5 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

On Jul 3, 2015 6:44 AM, "John Darrington" <john@darrington.wattle.id.au> wrote:
> On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote:

>> =C2=A0 =C2=A0 =C2=A0The sys admin at my institute e= xpresses concern that we would potentially expose ourselves to additional s= ecurity risk by building scientific software stack in Guix where we might d= epend on alternate versions of, say, openssl.

> When you install (say Redhat), like you say, you have t= o trust that Redhat
> hasn't (deliberately or maliciously) put malware into any of the M= ANY THOUSAND
> binaries that make up the OS.

If I'm interpreting the OP's IT department correctly= , this is not about trusting guix or Red Hat regarding malice, not about bi= naries and substitutions, but regarding competence and diligence, and the p= ackage tree. If there are important patches coming out, will they get into = guix/Red Hat fast enough and will they get to users fast enough?

The IT department does have a point. First, Red Hat has a bi= llion dollar turnover=C2=A0 and hundreds of developers and integrators and = a full-time security team. Guix has a handful to a few dozen volunteers, de= pending on how you count.

Second, users manage packages themselves, which could lead t= o a user running on a two-year-old OpenSSL because they didn't do guix = package -u.

On the other hand, vulnerabilities are the most serious when= they are in network-accessible services, which are probably run by the IT = department using commercial or commercial-derived packages.

I would kindly ask the sysadmin to chill. Or contribute to g= uix when CentOS gets an OpenSSL security patch. ;-)

--e89a8f83a8c53482c60519f200d5--