From: Ricardo Wurmus
To: zimoun
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 22:10:21 +0100
Message-ID: <875z5r964i.fsf@elephly.net>
In-reply-to: <86blfjsypo.fsf@gmail.com>
References: <855z5sqoxm.fsf@beadling.co.uk> <86eekgrtsl.fsf@gmail.com> <87blfk83j2.fsf@elephly.net> <86blfjsypo.fsf@gmail.com>
X-PGP-Key: https://elephly.net/rekado.pubkey
X-PGP-Fingerprint: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC

zimoun writes:

> Hi Ricardo,
>
> On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus wrote:
>> zimoun writes:
>>> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>>>
>>>> However, can anyone point me to, or explain - what is done to audit
>>>> packages in the official Repo in the first place - i.e. how do I know
>>>> that a piece of software supplied to me by Guix is not only
>>>> delivered in a safe/reliable fashion, but is also free from malware potentially
>>>> introduced by the authors/maintainers themselves?
>>>
>>> Nothing.
>
> The correct quote is: «Nothing. It is about trust, as with any
> distribution.» […]
> Therefore, it is about trust.

Certainly, I do not disagree.

When someone does extra work to audit the code and nobody is there to
witness it … “does it make a sound”? :)

All diligence here is trust with extra steps, but it still is
trust-based.

-- 
Ricardo