From: Giovanni Biscuolo <g@xelera.eu>
Subject: Re: List of installed package, version pairs
Date: Fri, 18 Jan 2019 09:36:22 +0100
Message-ID: <87va2muzuh.fsf@roquette.mug.biscuolo.net>
References: <alpine.DEB.2.20.1901091703170.7735@marsh.hcoop.net>
In-Reply-To: <alpine.DEB.2.20.1901091703170.7735@marsh.hcoop.net>
To: Jack Hill <jackhill@jackhill.us>, help-guix@gnu.org

Hi Jack,

Jack Hill <jackhill@jackhill.us> writes:

> It seems that work has noticed the GuixSD host that I brought into the
> office. The security office maintains a risk profile by collecting lists
> of installed packages,

this may seem "tangent", but I think yours is a *very* interesting use
case: others gave you some tips on how to get a list of "installed
packages", but I'm (and others?) very interested in _how_ your security
office uses this list to evaluate a "risk profile"

Jack: do you have any info you could share on this, please? Your use case
could be the use case (or "class" of use cases) of thousands of potential
Guix users

all of us here are *very* concerned about the security risk of our
installed binaries; this is the reason we are seeking a reproducible
*and* bootstrappable "software environment" like Guix

...unless your security team is keeping an internal list of applications
and associated risk level, but _how_ to reliably assess that?
i.e. are they fine with "Oracle DBMS" installed via a Docker bundle?
would they be fine if you brought a Windows10 host into the office?

as a *sysadmin* and user (*not* as part of the developers community) I'd
like to _forget_ the "sysadmin/user assessed risk profile" (an
illusion?) of my binaries and choose them for their features alone

maybe your security team could share their views with the Guix community
so we can better understand their concerns

if I were a member of your security team I'd say: «uhm... Guix, OK, show
me your channels» ;-)

e.g. Ricardo Wurmus yesterday in this thread said:

> I’m curious to know if the security folks would also object to you
> building packages from source without Guix.  Do they ask everyone with a
> compiler to provide a list of dependencies?

this is an interesting point: AFAIK it's common practice for sysadmins in
"corporate" infrastructures to forbid users from installing packages in
/usr and the like, and sometimes /home is also mounted noexec :-O... so
maybe they manage to also systematically forbid users from executing
self-compiled binaries

...but is it an effective security policy?

Thanks
Giovanni

-- 
Giovanni Biscuolo

Xelera IT Infrastructures
