From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Subject: Re: some questions about GUIX
Date: Fri, 01 Jan 2016 15:45:59 +0100
Message-ID: <8737uhmk7s.fsf@gnu.org>
References: <87d1ttmdbd.fsf@gmail.com> <87a8ot47wr.fsf@gnu.org> <87vb7h1cwh.fsf@gmail.com> <87a8otax38.fsf@elephly.net> <87lh8cvz1v.fsf@gmail.com> <20151231020253.GA23561@jasmine> <87mvsqlr9k.fsf@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Received: from eggs.gnu.org ([2001:4830:134:3::10]:56732) by lists.gnu.org with esmtp (Exim 4.71) id 1aF0y0-0002hL-4b for help-guix@gnu.org; Fri, 01 Jan 2016 09:46:09 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) id 1aF0xv-0000ee-5F for help-guix@gnu.org; Fri, 01 Jan 2016 09:46:08 -0500
In-Reply-To: <87mvsqlr9k.fsf@gmail.com> (Sam Halliday's message of "Thu, 31 Dec 2015 12:46:47 +0000")
Errors-To: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
Sender: help-guix-bounces+gcggh-help-guix=m.gmane.org@gnu.org
To: Sam Halliday
Cc: help-guix@gnu.org

Sam Halliday wrote:

> As a Java / Scala developer, I avoid all repackaged jars unless they
> contain a bug or security fix. I don't see why I should trust a package
> manager (and their machines), who are self-confessed non-experts, more
> than the original author of that library, who has GPG signed their
> artefacts and made their source code available.

Jars are binaries. What Guix seeks to offer is a way for users to make sure that the binaries they run correspond to the source code they think they correspond to. See:

https://savannah.gnu.org/forum/forum.php?forum_id=8407

The practice of installing binaries built by a third party without having any way to verify that those binaries are authentic is inherently unsafe. It’s also a serious attack on user freedom if users aren’t able to rebuild software by themselves. We set out to address that. The cost may be, indeed, that it’ll be some time before a large set of Java/Scala packages can be imported in Guix.

Thanks for your feedback,
Ludo’.