From: John Darrington
Subject: Re: security concerns of using guix packages
Date: Fri, 3 Jul 2015 06:44:21 +0200
Message-ID: <20150703044421.GA13727@jocasta.intra>
To: "Cook, Malcolm"
Cc: Guix-devel, "McGee, Jenny"

On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote:

> Hello Guixen (Guixers? Guix-noscenti?)
>
> The sys admin at my institute expresses concern that we would potentially
> expose ourselves to additional security risk by building scientific software
> stack in Guix where we might depend on alternate versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a "position
> statement" on the matter?
>
> I'm guessing this is in part a matter of trust - i.e. do we trust GNU/guix
> gang as much as, say the Red Hat/CentOS gang. Or am I perhaps
> misunderstanding the consideration?

When you install (say Redhat), like you say, you have to trust that Redhat
hasn't (deliberately or maliciously) put malware into any of the MANY THOUSAND
binaries that make up the OS.

When you install Guix, you have to trust that Guix hasn't put malware into any
of the FIVE bootstrap binaries. If you trust these five binaries, then you can
do one of two things:

1. Build everything else from source. That way you know they are kosher,
   because you built it. This can be done automatically, but takes rather
   a long time.

2. Choose to trust the server at hydra.gnu.org, and have Guix download
   "substitutes". This is a lot quicker, but you have to trust that the
   people who control that server haven't inserted malware.

J'

--
PGP Public key ID: 1024D/2DE827B3
fingerprint = 8797 A26D 0854 2EAB 0285 A290 8A67 719C 2DE8 27B3
See http://sks-keyservers.net or any PGP keyserver for public key.