From mboxrd@z Thu Jan 1 00:00:00 1970 From: Konrad Hinsen Subject: Re: Profiles/manifests-related command line interface enhancements Date: Tue, 12 Nov 2019 21:07:07 +0100 Message-ID: References: <87mudrxvs8.fsf@ambrevar.xyz> <87mudd59ho.fsf@gnu.org> <877e4glyc3.fsf@ambrevar.xyz> <87v9rxx8ri.fsf@gnu.org> <87d0e4oy51.fsf@ambrevar.xyz> <878sop6icq.fsf@gnu.org> <87ftit324g.fsf@igalia.com> Mime-Version: 1.0 Content-Type: text/plain Return-path: Received: from eggs.gnu.org ([2001:470:142:3::10]:52396) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1iUcRX-0005MR-8K for guix-devel@gnu.org; Tue, 12 Nov 2019 15:07:19 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1iUcRW-0007IF-3Y for guix-devel@gnu.org; Tue, 12 Nov 2019 15:07:15 -0500 In-Reply-To: <87ftit324g.fsf@igalia.com> List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: Andy Wingo Cc: guix-devel@gnu.org Hi Andy, > I wrote this for that purpose: > > https://www.gnu.org/software/guile/manual/html_node/Sandboxed-Evaluation.html Right, I had found this when searching for something. It seems to solve a couple of problems that I don't quite understand, but not so much those I do (file/network access). Would be nice to see this extended. > In practice Guix's "containerized" build jobs are much more effective > than in-language barriers. Indeed, but if Guix is compromised by malware, the build jobs may build code that has already been tampered with. Maybe one could have config and manifest files interpreted by the build daemon for safety. Except that some manifest files (read: mine) need read access to the file system. Cheers, Konrad.