From: zimoun <zimon.toutoune@gmail.com>
To: Ricardo Wurmus <rekado@elephly.net>
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 20:30:11 +0100 [thread overview]
Message-ID: <86blfjsypo.fsf@gmail.com> (raw)
In-Reply-To: <87blfk83j2.fsf@elephly.net>
Hi Ricardo,
On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rekado@elephly.net> wrote:
> zimoun <zimon.toutoune@gmail.com> writes:
>> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>> introduced by the authors/maintainers themselves?
>>
>> Nothing.
The correct quote is: «Nothing. It is about trust, as with any
distribution.»
> It’s a little more than nothing in some cases. For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home. Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don’t assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case. That
> would neither be feasible nor would it guarantee satisfactory results.
Even if I agree and your complement makes totally sense, and for sure I
thank a lot all the collectively tough work done, I still claim that
“you do not know that a piece of software supplied to you by <name-it>
is free from malware potentially introduced by <whatever>”. The only
way to know is to audit yourself, compiled yourself using a toolchain
that you audited yourself.
Therefore, it is about trust.
The question is: what does Guix do to be trust-able? I think all the
code around speaks by itself. And personally I trust people doing that
job and then pushing to Guix.
Cheers,
simon
next prev parent reply other threads:[~2020-11-26 19:36 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-26 12:32 Security of packages in official repo Phil
2020-11-26 16:01 ` zimoun
2020-11-26 16:51 ` Ricardo Wurmus
2020-11-26 19:30 ` zimoun [this message]
2020-11-26 21:10 ` Ricardo Wurmus
2020-11-26 21:35 ` zimoun
2020-11-26 19:07 ` Phil
2020-11-26 19:50 ` zimoun
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=86blfjsypo.fsf@gmail.com \
--to=zimon.toutoune@gmail.com \
--cc=help-guix@gnu.org \
--cc=rekado@elephly.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).