From: Phil
To: zimoun
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 19:07:01 +0000
Message-ID: <854klcq6ne.fsf@beadling.co.uk>
In-reply-to: <86eekgrtsl.fsf@gmail.com>
References: <855z5sqoxm.fsf@beadling.co.uk> <86eekgrtsl.fsf@gmail.com>

Thanks for the reply Simon.

zimoun writes:

> Nothing. It is about trust, as with any distribution. Now, you can
> audit by yourself the source code, compiled by yourself and check if it
> is the same that the substitutes serve you.
I understand that Guix makes the process of reproducibility and auditing much more rock-solid than most other distributions - and this more than satisfies any requirements I have for proving that software package X is a true representation of source code X, built with toolchain Y.

This is great - but my question is more mundane than that. The good news is I think it's answered here:

https://guix.gnu.org/manual/en/guix.html#Submitting-Patches

Say I have a new piece of software I've developed and I want to make it available through Guix's official repo. I define a new Guix package for that app - and create a patch for it. The important point is that the patch is vetted by the members of the guix-patches@gnu.org mailing list. And I assume packages which appear inappropriate for whatever reason are not accepted by members of this list?

This is different to PyPI for example where (I believe) anyone can upload any content and have the public downloading it immediately without any approval or vetting - it's pretty Wild West. This makes some institutions unwilling to give students/employees/etc. access to systems like PyPI... but on other systems where there is a degree of scrutiny required (such as patch vetting on Guix) - this can make a world of difference in terms of getting a tick in the right box.

Whether there is wisdom or any real protection is a separate question of course (nobody will guarantee every line of every source repo!), but nevertheless from a practical point of view, it can prove useful in getting software like Guix adopted - which is what I'm keen to do.

As a workaround it would seem perfectly possible to host a private Guix channel with a subset of packages on it that have been internally vetted, but it would be more in the spirit of Guix to contribute and use the official package repo.

Thanks - hopefully I haven't overly laboured my point!

Phil
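One concrete form of the private-channel workaround mentioned in the message above, as an added example that is not part of this thread: a `~/.config/guix/channels.scm` that adds an internally vetted channel on top of the default ones and pins it to a channel introduction, so that `guix pull` authenticates the channel's commits against a known signing key rather than trusting whatever the hosting server serves. The channel URL, the introduction commit and the OpenPGP fingerprint are placeholders.

```scheme
;; ~/.config/guix/channels.scm (added example; the channel URL, the
;; introduction commit and the OpenPGP fingerprint below are placeholders)
(cons (channel
        (name 'internal-vetted)
        ;; Git repository holding only the package definitions that have
        ;; passed internal review; hypothetical URL.
        (url "https://git.example.internal/guix/vetted-packages.git")
        (branch "main")
        ;; Channel introduction: the first commit that must be signed, and
        ;; the fingerprint of the key that signed it.  From that commit on,
        ;; 'guix pull' checks that every commit is signed by a key listed in
        ;; the channel's .guix-authorizations file, so a compromised or
        ;; mirrored server cannot slip in unreviewed package definitions.
        (introduction
         (make-channel-introduction
          "0000000000000000000000000000000000000000"          ; PLACEHOLDER commit
          (openpgp-fingerprint
           "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"))))  ; PLACEHOLDER key
      ;; Keep the default (official) channel alongside the vetted one.
      %default-channels)
```

After `guix pull`, `guix describe` lists each channel together with the exact commit it was pulled from, which is the value to record when documenting what was vetted.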