From: zimoun
To: Ricardo Wurmus
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 20:30:11 +0100
Message-ID: <86blfjsypo.fsf@gmail.com>
In-Reply-To: <87blfk83j2.fsf@elephly.net>

Hi Ricardo,

On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus wrote:

> zimoun writes:
>
>> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>> introduced by the authors/maintainers themselves?
>>
>> Nothing.

The correct quote is: «Nothing. It is about trust, as with any distribution.»

> It's a little more than nothing in some cases. For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home. Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don't assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case. That
> would neither be feasible nor would it guarantee satisfactory results.

Even if I agree and your complement makes total sense, and for sure I
am thankful for all the tough collective work done, I still claim that
“you do not know that a piece of software supplied to you by is free
from malware potentially introduced by”. The only way to know is to
audit it yourself, compiling it yourself using a toolchain that you
audited yourself.

Therefore, it is about trust. The question is: what does Guix do to be
trust-able? I think all the code around speaks for itself. And
personally I trust the people doing that job and then pushing to Guix.

Cheers,
simon