From: ludo@gnu.org (Ludovic Courtès)
To: "Cook, Malcolm" <MEC@stowers.org>
Cc: Guix-devel <guix-devel@gnu.org>, "McGee, Jenny" <jmc@stowers.org>
Subject: Re: security concerns of using guix packages
Date: Sat, 04 Jul 2015 16:22:20 +0200 [thread overview]
Message-ID: <87a8vcuhnn.fsf@gnu.org> (raw)
In-Reply-To: <b8e4a6d5187546c4be988297bc1b7297@exchsrv2.sgc.loc> (Malcolm Cook's message of "Fri, 3 Jul 2015 00:38:49 +0000")
[-- Attachment #1: Type: text/plain, Size: 2215 bytes --]
Hi!
"Cook, Malcolm" <MEC@stowers.org> skribis:
> Hello Guixen (Guixers? Guix-noscenti?)
Simply “Guix” (pronounced like “geeks”.) :-)
> The sys admin at my institute expresses concern that we would potentially expose ourselves to additional security risk by building scientific software stack in Guix where we might depend on alternate versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a "position statement" on the matter?
Guix provides guarantees that no traditional distro provides.
Guix users can choose to use substitutes (pre-built binaries.) In that
case, they have to trust the binary provider:
http://www.gnu.org/software/guix/manual/html_node/Substitutes.html
But the first big difference compared to Debian, Fedora, etc. is that
users can:
1. Choose their binary provider–it doesn’t have to be hydra.gnu.org.
2. Choose *not* to use binaries from a third-party, and instead build
packages locally.
(By contrast, see the description of Debian’s “dirtiest secret” by the
former DPL in
<http://video.fosdem.org/2015/devroom-distributions/distributions_boring_solved_problem.mp4>,
at around 28 mn.)
In addition, the functional package management paradigm (see
<http://www.gnu.org/software/guix/manual/html_node/Introduction.html>)
allows users to know exactly how a package is built. For instance,
anyone can trivially audit the recipe at
<http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/openssl.scm#n29>.
By construction, the result of ‘guix build openssl’ corresponds
precisely to the build process that this recipe and the ones it depends
on describe.
A concern could be the time it takes for the project to deploy security
fixes. Obviously there are much fewer Guix contributors than Debian
contributors, but so far we do pretty well nevertheless (thanks to
Mark H Weaver for the most part.)
A related concern is the time it takes to actually deploy the fixed
binaries on your machine. This is discussed at:
http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html
I hope this clarifies things!
Thanks,
Ludo’.
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 818 bytes --]
next prev parent reply other threads:[~2015-07-04 14:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-03 0:38 security concerns of using guix packages Cook, Malcolm
2015-07-03 4:44 ` John Darrington
2015-07-03 5:40 ` Claes Wallin (韋嘉誠)
2015-07-04 14:32 ` Ludovic Courtès
2015-07-04 13:50 ` Pjotr Prins
2015-07-04 14:22 ` Ludovic Courtès [this message]
2015-07-04 14:37 ` Pjotr Prins
2015-07-04 19:51 ` Claes Wallin (韋嘉誠)
2015-07-04 20:43 ` John Darrington
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a8vcuhnn.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=MEC@stowers.org \
--cc=guix-devel@gnu.org \
--cc=jmc@stowers.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.