From: Giovanni Biscuolo
Subject: Re: List of installed package, version pairs
Date: Fri, 18 Jan 2019 09:36:22 +0100
Message-ID: <87va2muzuh.fsf@roquette.mug.biscuolo.net>
To: Jack Hill, help-guix@gnu.org

Hi Jack,

Jack Hill writes:

> It seems that work has noticed the GuixSD host that I brought into the
> office. The security office maintains a risk profile by collecting lists
> of installed packages,

this may seem "tangent" but I think yours is a *very* interesting use
case, others gave you some tips on how to get a list of "installed
packages" but I'm (others?) very interested in _how_ your security
office uses this list to evaluate a "risk profile"

Jack: do you have any info you could share on this please?
your use case could be the use case (or "class" of use cases) of
thousands of potential Guix users

all of us here are *very* concerned about the security risk of our
installed binaries, this is the reason we are seeking a reproducible
*and* bootstrappable based "software environment" like Guix

...unless your security team is keeping an internal list of applications
and associated risk level, but _how_ to reliably assess that? i.e. are
they fine with "Oracle DBMS" installed via a Docker bundle? would they
be fine if you brought a Windows10 host into the office?

as a *sysadmin* and user (*not* as part of the developers community) I'd
like to _forget_ the "sysadmin/user assessed risk profile" (an illusion?)
of my binaries and choose them for their features alone

maybe your security team could share their views with the Guix
community so we can better understand their concerns

if I were a member of your security team I'd say: «uhm... Guix, Ok show
me your channels» ;-)

e.g. Ricardo Wurmus yesterday in this thread said:

> I’m curious to know if the security folks would also object to you
> building packages from source without Guix. Do they ask everyone with a
> compiler to provide a list of dependencies?

this is an interesting point: AFAIK it's common practice by sysadmins in
"corporate" infrastructures to forbid users installing packages in /usr
and alike and sometimes /home is also mounted noexec :-O... so maybe
they manage to also systematically forbid users from executing
self-compiled binaries

...but is it an effective security policy?
Thanks
Giovanni

-- 
Giovanni Biscuolo
Xelera IT Infrastructures