From: Ricardo Wurmus <rekado@elephly.net>
To: zimoun <zimon.toutoune@gmail.com>
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 17:51:45 +0100
Message-ID: <87blfk83j2.fsf@elephly.net>
In-Reply-To: <86eekgrtsl.fsf@gmail.com>


zimoun <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware potentially
>> introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases.  For example, there was
extensive work to gain confidence that Ungoogled Chromium does not phone
home.  Generally, anti-features such as update checkers that phone home
are patched out.

We generally take the code as is, however, and don’t assume that every
bit of free software out there is malware in disguise until it is
demonstrated beyond reasonable doubt that this is not the case.  That
would neither be feasible nor would it guarantee satisfactory results.

-- 
Ricardo

