From: zimoun <zimon.toutoune@gmail.com>
To: Bengt Richter <bokr@bokr.com>
Cc: "Ludovic Courtès" <ludovic.courtes@inria.fr>,
	guix-devel <guix-devel@gnu.org>,
	guix-science@gnu.org
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 04 Jul 2022 10:21:13 +0200
Message-ID: <86ilod1e6e.fsf@gmail.com>
In-Reply-To: <20220703103839.GA41557@LionPure>

Hi,

On Sun, 03 Jul 2022 at 12:38, Bengt Richter <bokr@bokr.com> wrote:
>> I do not think committers are pushing code about #1, #2 or #3 that they
>> know beforehand it will cause a problem.
>
> Hm, -- unless <context-requirements-not-met> ... ? :)
>

I do not understand what you mean?

>> The GPG trust level works because it is based on the web of trust.
>> Here, there is no web, IMHO.
>
> Well, guix developers who know each other well "in real life" have a pretty
> good web, if not formal, no? :)

Maybe I miss something.  IIUC, you are proposing to attach a level of
trust to each commit.

If this level for one commit is set by one committer, then the outcome
is poor because this level strongly depends on the committer.  Committer
A could say 0 and committer B could say 3 for the same commit; in other
words, the level depends on who does the job.  Therefore it is too
dependent on the committer's mood to be useful, security-wise.  In this
case, there is no web of trust.

If this level for one commit is set by more than one committer, then it
is not affordable because it means we are doing double (or more) review
when the project is trying to just deal with merging all the
submissions.  In this case, there is a web of trust.  But it is not
doable considering the rate of commits.


> I'm just looking for some greppable coded hint of the difference between
> a package that consists of e.g. a reverse polish calculator homework
> assignment that a nerdy friend showed how to submit as a package, vs.
> e.g. a package where the comments say over 10K subscribers have now been
> running this hundreds of times daily for 2 months of beta testing with
> no reported problems. Vs. This is alpha stuff, but seems harmless enough
> if you run it in a container.

Run OpenBSD. ;-)


> I'm not asking any guarantees, just a professional's quick judgement.
> Like a chef's quick opinion on the cantaloupes at the open market. 

Why should this professional's quick judgment come from the package
manager (packager, reviewer, committer) and not from a community around
the specific software, however it is distributed?


Cheers,
simon
