From: zimoun
To: Konrad Hinsen
Cc: gwl-devel@gnu.org
Subject: Re: Getting started with GWL 0.3.0
References: <86y2efzc08.fsf@gmail.com>
Date: Wed, 24 Mar 2021 11:44:19 +0100
Message-ID: <86a6qshlvg.fsf@gmail.com>
Hi Konrad,

On Wed, 24 Mar 2021 at 11:08, Konrad Hinsen wrote:

>>> As for trusting channels and packages, this is not much of an issue
>>> today, but if Guix ever becomes as popular as Debian is today, then we
>>> will have plenty of users with no clue about who or what they can trust.
>>
>> ...and you can do the same with any package manager. For instance,
>
> Yes, exactly. Trusting software sources is becoming an ever more
> important issue everywhere, as people rely on ever more complex software
> assemblies whose components they can no longer verify individually.
> Which is also why package managers now become targets of attacks.

I totally agree. And currently it is hard to introduce malware into the official Guix channel, in the sense that the commits are pushed by a small set of vouched people. Which is not the case for npm, PyPI and other such repositories. In other words, “malware” could only be a “mistake” and not “malice”.

>> The issue at first is the channel. There are official channels that
>> you are trusting and other channels that you cannot trust. Well, your
>
> The channel is only the top level. Do I trust the "Guix" channel? More
> than other channels, but I don't really know how much the current
> maintainers check each individual package submission. They certainly
> look at the package definition itself, but do they also check that the
> packaged software itself is free from malware? If so, how thorough are
> those checks? There are so many possible levels of attack today.

I agree, again. :-)

However, I miss the security flaw you see with extensions, because these extensions should come from this “trusted” channel, like any other package. I miss why you trust the official channel enough to install the package but not the extension. I do not see any difference. To me, extensions are Guile programs which are allowed to run with the command-line call “guix ” and I do not see why the call using “guix” is more important than other calls, such as “git annex”.

Anyway! We agree that we disagree. :-)

>> Well, checking at each command invocation could slow Guix, since it is
>> already not the fastest CLI of the West. :-)
>
> Such checks could happen at a higher level, e.g. shell or terminal, to
> cover not only Guix but also everything else. As Ricardo pointed out,
> such checks cannot be perfect, but that's true for spell checkers as
> well, which nevertheless turn out to be useful. The goal is not provably
> absolute security, but noticeably increased security.

I agree, again again. :-)

BTW, Guix now has a dumb recommender for typos in subcommand and option names:

--8<---------------cut here---------------start------------->8---
$ guix environement --ad-foc hello
guix: environement: command not found
hint: Did you mean `environment'?

Try `guix --help' for more information.
$ guix environment --ad-foc hello
guix environment: error: ad-foc: unrecognized option
hint: Did you mean `ad-hoc'?
--8<---------------cut here---------------end--------------->8---

> BTW, I consider IT security and reproducibility in research as almost
> the same problem. The former's enemy is malice, the latter's enemy
> is mistakes, but the common aspect of both is users not fully knowing
> which exact software they are running. In reproducibility, typos are a
> well-known issue and one reason why we recommend scripting everything,
> to turn the random typo into a reproducible typo.

I agree, again again again.

Finally, I do not know on what exactly we agree to disagree. ;-)

Cheers,
simon
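The "Did you mean" hint shown in the guix session above, as an added example that is not part of this message or of Guix's own code: a Levenshtein nearest-name suggester over constructed subsets of real guix subcommand and option names, with a distance cutoff so that an unrelated typo gets no suggestion instead of a misleading one. The names GUIX_COMMANDS, ENVIRONMENT_OPTIONS, suggest and hint are mine; how Guix actually computes its hint is not shown on the page.

```python
# Added example: a minimal "did you mean" suggester of the kind the guix
# session above shows. Assumes a plain Levenshtein nearest-name lookup with a
# small cutoff; Guix's real implementation is not shown on the page.
from typing import Iterable, Optional

# Constructed subsets of real guix names, enough to reproduce the session above.
GUIX_COMMANDS = ("environment", "package", "install", "shell", "build", "pull", "search")
ENVIRONMENT_OPTIONS = ("ad-hoc", "pure", "container", "load", "manifest", "search-paths")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between a and b, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def suggest(name: str, candidates: Iterable[str], max_distance: int = 2) -> Optional[str]:
    """Closest candidate within max_distance edits, or None when nothing is near.

    Ties go to the earlier candidate, so the caller controls preference order.
    """
    best, best_d = None, max_distance + 1
    for cand in candidates:
        d = levenshtein(name, cand)
        if d < best_d:
            best, best_d = cand, d
    return best


def hint(command: str, option: Optional[str] = None) -> str:
    """Reproduce the two hints from the session: unknown subcommand, then unknown option.

    The guess is only printed, never executed on the user's behalf.
    """
    if command not in GUIX_COMMANDS:
        guess = suggest(command, GUIX_COMMANDS)
        msg = f"guix: {command}: command not found"
        return msg + (f"\nhint: Did you mean `{guess}'?" if guess else "")
    if option is not None and option not in ENVIRONMENT_OPTIONS:
        guess = suggest(option, ENVIRONMENT_OPTIONS)
        msg = f"guix {command}: error: {option}: unrecognized option"
        return msg + (f"\nhint: Did you mean `{guess}'?" if guess else "")
    return "ok"
```

The cutoff matters: without it, a wholly unrelated name would still be "corrected" to whichever known name happens to be least far away.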