From: zimoun
Date: Tue, 23 Mar 2021 21:16:43 +0100
Subject: Re: Getting started with GWL 0.3.0
To: Konrad Hinsen
Cc: gwl-devel@gnu.org

Hi Konrad,

On Tue, 23 Mar 2021 at 13:57, Konrad Hinsen wrote:

> Yes, exactly. Like what happened to npm:
>
> https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/
>
> Apparently this is now called typo-squatting.

And PyPI and.. whatever "store" with no clear policy...

> > typo can have bad surprise. But at first, you need to trust a channel
> > providing this malware-package, then second you need to install this
> > malware-package and third make the typo.
>
> The last part comes with zero effort :-)
>
> As for trusting channels and packages, this is not much of an issue
> today, but if Guix ever becomes as popular as Debian is today, then we
> will have plenty of users with no clue about who or what they can trust.

...and you can do the same with any package manager. For instance, add an
evil channel to your /etc/apt/sources.list, then "apt-get update", and then
you have no guarantee on what you are installing; for example, "apt-get
install git" will install regular Git with a git-pul typo malware, or even
the Git version you get is malware.

The issue at first is the channel. There are official channels that you
are trusting and other channels that you cannot trust.

Well, your concern is about any suspicious channel; for instance, if I
blindly install the python-paper-foo package then I have no guarantee that
this package does not also install the malicious 'emasc' binary, which is a
typo I often make.

> In the long run, maybe a command spell-checker would be a nice way out.
> Some piece of software that decides, based on my command history,
> whether a command I type is more likely a typo or the intention to run
> some exotic software.

Well, checking at each command invocation could slow Guix, since it is
already not the fastest CLI of the West. :-)

Cheers,
simon
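As an added illustration (not code from the thread, GWL or Guix), the sketch below implements the "command spell-checker" idea from the message above: a typed name that is neither a trusted command nor already present in the shell history, but is within one edit of a trusted command, is reported as a probable typo. The trusted set and history lines are constructed sample data, and the edit distance counts adjacent swaps so that 'emasc' is one edit from 'emacs' and 'git-pul' one edit from 'git-pull'.

```python
"""Flag likely typos of trusted command names (constructed example)."""

# Constructed sample data: commands the user trusts (e.g. installed from
# an official channel) and a few lines of shell history.
TRUSTED = {"emacs", "git-pull", "guix", "python3", "ls"}
HISTORY = ["emacs", "guix pull", "git-pull", "ls", "emacs", "guix package -i git"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition (e.g. "emacs" -> "emasc") costs one edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def near_misses(name: str, trusted, max_distance: int = 1):
    """Trusted names that `name` could be a typo of (exact match excluded)."""
    return sorted(t for t in trusted
                  if t != name and damerau_levenshtein(name, t) <= max_distance)


def likely_typo(command: str, trusted, history):
    """Return the trusted name `command` is probably a typo of, or None.

    A command counts as intentional if it is trusted or already appears as
    the first word of a history entry; otherwise a name within one edit of a
    trusted command is reported as a probable typo.
    """
    if command in trusted:
        return None
    seen = {line.split()[0] for line in history if line.strip()}
    if command in seen:
        return None
    hits = near_misses(command, trusted)
    return hits[0] if hits else None
```

The check is O(len(trusted)) string comparisons per invocation, so to avoid the per-command slowdown raised above it would be run once when a channel is added or the trusted set changes, rather than on every command.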