From: Ricardo Wurmus
To: zimoun
Cc: help-guix@gnu.org
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 17:51:45 +0100
Message-ID: <87blfk83j2.fsf@elephly.net>
In-reply-to: <86eekgrtsl.fsf@gmail.com>
References: <855z5sqoxm.fsf@beadling.co.uk> <86eekgrtsl.fsf@gmail.com>

zimoun writes:

> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware
>> potentially introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases. For example, there was
extensive work to gain confidence that Ungoogled Chromium does not phone
home. Generally, anti-features such as update checkers that phone home
are patched out.

We generally take the code as is, however, and don’t assume that every
bit of free software out there is malware in disguise until it is
demonstrated beyond reasonable doubt that this is not the case. That
would neither be feasible nor would it guarantee satisfactory results.

-- 
Ricardo