From: Claes Wallin (韋嘉誠)
To: Ludovic Courtès
Cc: guix-devel
Subject: Re: security concerns of using guix packages
Date: Sat, 4 Jul 2015 21:51:22 +0200
In-Reply-To: <87a8vcuhnn.fsf@gnu.org>

On 04-Jul-2015 4:22 pm, "Ludovic Courtès" wrote:

> A related concern is the time it takes to actually deploy the fixed
> binaries on your machine.  This is discussed at:
>
>   http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html

OK, this is great. It gives sysadmins a chance to affect packages users have installed rather than having to help or force them to upgrade.

Still, if an installed package does not depend on the latest version of the vulnerable package, the graft won't reach them. So there is still some education and continuous information necessary if you want to be on top of things.

Still, as was mentioned elsewhere in the conversation, if the alternative is home-rolled software in every home directory, which is probably the case, then Guix is superior in several ways.
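The situation the reply describes, a graft that reaches packages depending on the current library but not those pinned to an older one, can be made concrete with a package module. The following is an added example written for this page, not code from the thread or from the Guix tree: libfoo, libfoo/fixed, libfoo-1.0, bar, baz, the example.org URLs and the all-zero hashes are placeholders, and the inputs are written in the quasiquoted alist style of 2015-era Guix.

```scheme
;; Added example, not from the thread or the Guix repository.  Every
;; package name, URL and hash below is a placeholder.
(define-module (my packages libfoo)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

;; The libfoo that most of the tree depends on.  Its `replacement' field
;; names the fixed build: any package whose closure references this libfoo
;; is grafted to reference libfoo/fixed instead, without being rebuilt.
(define-public libfoo
  (package
    (name "libfoo")
    (version "1.2.0")
    (source (origin
              (method url-fetch)
              (uri "https://example.org/libfoo-1.2.0.tar.gz") ; placeholder
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (replacement libfoo/fixed)
    (synopsis "Hypothetical library used to illustrate grafts")
    (description "Placeholder package for the grafting example.")
    (home-page "https://example.org/libfoo")                   ; placeholder
    (license license:gpl3+)))

;; The fixed build.  It must stay ABI-compatible with libfoo, because a
;; graft only rewrites store references.  `inherit' copies every field,
;; including `replacement', so it is reset to #f here to keep the graft
;; from pointing at itself.
(define-public libfoo/fixed
  (package
    (inherit libfoo)
    (version "1.2.1")
    (replacement #f)
    (source (origin
              (method url-fetch)
              (uri "https://example.org/libfoo-1.2.1.tar.gz") ; placeholder
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))))

;; An older branch that some package still pins.  No fixed build exists
;; for it, so it carries no replacement (again overriding the inherited one).
(define-public libfoo-1.0
  (package
    (inherit libfoo)
    (version "1.0.0")
    (replacement #f)
    (source (origin
              (method url-fetch)
              (uri "https://example.org/libfoo-1.0.0.tar.gz") ; placeholder
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))))

;; bar depends on the current libfoo.  `guix build bar' (grafts are on by
;; default) produces a bar whose references point at libfoo/fixed.
(define-public bar
  (package
    (name "bar")
    (version "3.1")
    (source (origin
              (method url-fetch)
              (uri "https://example.org/bar-3.1.tar.gz")      ; placeholder
              (sha256
               (base32 "0000000000000000000000000000000000000000000000000000"))))
    (build-system gnu-build-system)
    (inputs `(("libfoo" ,libfoo)))
    (synopsis "Hypothetical dependent that the graft reaches")
    (description "Placeholder package for the grafting example.")
    (home-page "https://example.org/bar")                      ; placeholder
    (license license:gpl3+)))

;; baz pins libfoo-1.0.  Nothing in its closure references the libfoo that
;; carries a replacement, so the fix silently does not reach baz; someone
;; has to update baz (or backport a fix to the 1.0 branch) and rebuild.
(define-public baz
  (package
    (inherit bar)
    (name "baz")
    (inputs `(("libfoo" ,libfoo-1.0)))
    (synopsis "Hypothetical dependent that the graft does not reach")))
```

The check a sysadmin wants after pushing such a graft is whether the old library is still in anyone's profile closure. One way to see that is to list the closure of a profile with `guix gc --requisites $(readlink -f ~/.guix-profile)` and look for the libfoo-1.0 store item; if it is there, some installed package (baz in this example) never picked up the fix and needs a real update.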