From mboxrd@z Thu Jan  1 00:00:00 1970
From: =?UTF-8?B?Q2xhZXMgV2FsbGluICjpn4vlmInoqqAp?=
	<gnu@clacke.user.lysator.liu.se>
Subject: Re: security concerns of using guix packages
Date: Sat, 4 Jul 2015 21:51:22 +0200
Message-ID: <CAGv_=BrtmBiGtWL5rMXVa6Zk=Ptrc7fTwyQeDxLuodVqCiumjA@mail.gmail.com>
References: <b8e4a6d5187546c4be988297bc1b7297@exchsrv2.sgc.loc>
	<87a8vcuhnn.fsf@gnu.org>
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary=001a11403cae419571051a11ff4a
Return-path: <guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org>
Received: from eggs.gnu.org ([2001:4830:134:3::10]:41820)
	by lists.gnu.org with esmtp (Exim 4.71) (envelope-from
	<SRS0+FIV/=HM=clacke.user.lysator.liu.se=gnu@lysator.liu.se>)
	id 1ZBTTH-0004Im-QM
	for guix-devel@gnu.org; Sat, 04 Jul 2015 15:51:32 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from
	<SRS0+FIV/=HM=clacke.user.lysator.liu.se=gnu@lysator.liu.se>)
	id 1ZBTTE-0002D7-Gh
	for guix-devel@gnu.org; Sat, 04 Jul 2015 15:51:31 -0400
In-Reply-To: <87a8vcuhnn.fsf@gnu.org>
List-Id: "Development of GNU Guix and the GNU System distribution."
	<guix-devel.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-devel>
List-Post: <mailto:guix-devel@gnu.org>
List-Help: <mailto:guix-devel-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-devel>,
	<mailto:guix-devel-request@gnu.org?subject=subscribe>
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
To: =?UTF-8?Q?Ludovic_Court=C3=A8s?= <ludo@gnu.org>
Cc: guix-devel <guix-devel@gnu.org>

--001a11403cae419571051a11ff4a
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 04-Jul-2015 4:22 pm, "Ludovic Court=C3=A8s" <ludo@gnu.org> wrote:

> A related concern is the time it takes to actually deploy the fixed
> binaries on your machine.  This is discussed at:
>
>   http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

Ok, this is great. Gives sysadmins a chance to affect packages users have
installed rather than having to help or force them to upgrade.

Still, if an installed package is not depending on the latest version of
the vulnerable package, the graft won't reach them. So there is still some
education and continuous information necessary if you want to be on top of
things.

Still, as was mentioned elsewhere in the conversation, if the alternative
is home-rolled software in every home directory, which is probably the
case, then guix is superior in several ways.

--001a11403cae419571051a11ff4a
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<p dir=3D"ltr"><br>
On 04-Jul-2015 4:22 pm, &quot;Ludovic Court=C3=A8s&quot; &lt;<a href=3D"mai=
lto:ludo@gnu.org">ludo@gnu.org</a>&gt; wrote:<br></p>
<p dir=3D"ltr">&gt; A related concern is the time it takes to actually depl=
oy the fixed<br>
&gt; binaries on your machine.=C2=A0 This is discussed at:<br>
&gt;<br>
&gt; =C2=A0 <a href=3D"http://www.gnu.org/software/guix/manual/html_node/Se=
curity-Updates.html">http://www.gnu.org/software/guix/manual/html_node/Secu=
rity-Updates.html</a></p>
<p dir=3D"ltr">Ok, this is great. Gives sysadmins a chance to affect packag=
es users have installed rather than having to help or force them to upgrade=
.</p>
<p dir=3D"ltr">Still, if an installed package is not depending on the lates=
t version of the vulnerable package, the graft won&#39;t reach them. So the=
re is still some education and continuous information necessary if you want=
 to be on top of things.</p>
<p dir=3D"ltr">Still, as was mentioned elsewhere in the conversation, if th=
e alternative is home-rolled software in every home directory, which is pro=
bably the case, then guix is superior in several ways.</p>

--001a11403cae419571051a11ff4a--