Re: Getting started with GWL 0.3.0

[zimoun <zimon.toutoune@gmail.com>]

Hi Konrad,

On Wed, 24 Mar 2021 at 11:08, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:
>>> As for trusting channels and packages, this is not much of an issue
>>> today, but if Guix ever becomes as popular as Debian is today, then we
>>> will have plenty of users with no clue about who or what they can trust.
>>
>> ...and you can do the same with any package manager.  For instance,
>
> Yes, exactly. Trusting software sources is becoming an ever more
> important issue everywhere, as people rely on ever more complex software
> assemblies whose components they can no longer verify individually.
> Which is also why package managers now become targets of attacks.

I totally agree.  And currently it is hard to introduce a malware to the
official Guix channel, in the meaning the commits are pushed by a small
set of vouched people.  Which is not the case for these npm and other
PyPI repositories.  Other said, “malware” could only be “mistake” and
not “malice”.

>> The issue at first is the channel.  There is official channels that
>> you are trusting and other channels that you cannot trust.  Well, your
>
> The channel is only the top level. Do I trust the "Guix" channel? More
> than other channels, but I don't really know how much the current
> maintainers check each individual package submission. They certainly
> look at the package definition itself, but do they also check that the
> packaged software itself is free from malware? If so, how thorough are
> those checks? There are so many possible levels of attack today.

I agree, again. :-) However, I miss your security flaw about extensions
because these extensions should come from this “trusted” channel, as any
other packages.

I miss why you trust enough the official channel to install the package
<foo> but not the extension <bar>.  I do not see any difference.  To me,
extensions are Guile programs which are allowed to run with the
command-line call “guix <bar>” and I do not see why the call using
“guix” is more important than other calls; as “git annex”.

Anyway!  We agree that we disagree. :-)

>> Well, checking at each command invocation could slow Guix, since it is
>> already not the fastest CLI of West. :-)
>
> Such checks could happen at a higher level, e.g. shell or terminal, to
> cover not only Guix but also everything else. As Ricardo pointed out,
> such checks cannot be perfect, but that's true for spell checkers as
> well, which nevertheless turn out to be useful. The goal is not provably
> absolute security, but noticeably increased security.

I agree, again again. :-)

BTW, Guix has now a subcommand and option-name dumb recommender for
typo:

--8<---------------cut here---------------start------------->8---
$ guix environement --ad-foc hello
guix: environement: command not found
hint: Did you mean `environment'?

Try `guix --help' for more information.

$ guix environment --ad-foc hello
guix environment: error: ad-foc: unrecognized option
hint: Did you mean `ad-hoc'?
--8<---------------cut here---------------end--------------->8---


> BTW, I consider IT security and reproducibility in research as almost
> the same problem. The former's enemy is malice, the latter's enemy
> is mistakes, but the common aspect of both is users not fully knowing
> which exact software they are running. In reproducibility, typos are a
> well-known issue and one reason why we recommend scripting everything,
> to turn the random typo into a reproducible typo.

I agree, again again again.

Finally, I do not know on what exactly we agree to disagree. ;-)


Cheers,
simon