From: Phil <phil@beadling.co.uk>
To: help-guix@gnu.org
Subject: Security of packages in official repo
Date: Thu, 26 Nov 2020 12:32:05 +0000
Message-ID: <855z5sqoxm.fsf@beadling.co.uk>
Hi all,
I can find a few articles that give a good overview of Guix security
with regard to ensuring that what is pulled onto my local server is always a true
representation of the packages as intended by the package authors.
There's also a good process for alerting Guix of potential security issues.
However, can anyone point me to, or explain - what is done to audit
packages in the official repo in the first place - i.e. how do I know
that a piece of software supplied to me by Guix is not only
delivered in a safe/reliable fashion, but is also free from malware potentially
introduced by the authors/maintainers themselves?
How are new packages or updates audited or reviewed before being accepted
into Guix's official repo?
It's a paranoid question I know - but it's a regular one on security
audits to sign off software use... I know that nobody is going to audit
every single line of code of every package, but knowing that some
process exists is normally enough to satisfy the audit?
A similar question and fairly reassuring answer from the Ubuntu Security
Team is given here - I was hoping to find something similar for Guix:
https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited
Thanks,
Phil
Thread overview: 8+ messages
2020-11-26 12:32 Phil [this message]
2020-11-26 16:01 ` Security of packages in official repo zimoun
2020-11-26 16:51   ` Ricardo Wurmus
2020-11-26 19:30     ` zimoun
2020-11-26 21:10       ` Ricardo Wurmus
2020-11-26 21:35         ` zimoun
2020-11-26 19:07   ` Phil
2020-11-26 19:50     ` zimoun