From: Phil
To: help-guix@gnu.org
Subject: Security of packages in official repo
Date: Thu, 26 Nov 2020 12:32:05 +0000
Message-ID: <855z5sqoxm.fsf@beadling.co.uk>

Hi all,

I can find a few articles that give a good overview of Guix security with regard to ensuring that what is pulled onto my local server is always a true representation of the packages as intended by the package authors. There's also a good process for alerting Guix of potential security issues.

However, can anyone point me to, or explain, what is done to audit packages in the official repo in the first place, i.e. how do I know that a piece of software supplied to me by Guix is not only delivered in a safe/reliable fashion, but is also free from malware potentially introduced by the authors/maintainers themselves? How are new packages or updates audited or reviewed before being accepted into Guix's official repo?

It's a paranoid question, I know, but it's a regular one on security audits to sign off software use. I know that nobody is going to audit every single line of code of every package, but knowing that some process exists is normally enough to satisfy the audit.

A similar question and a fairly reassuring answer from the Ubuntu Security Team are given here; I was hoping to find something similar for Guix: https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited

Thanks,
Phil