From: Konrad Hinsen
To: zimoun
Cc: gwl-devel@gnu.org
Subject: Re: Getting started with GWL 0.3.0
Date: Tue, 23 Mar 2021 13:57:10 +0100

Hi Simon,

> Well, I understand your concerns but I am not convinced to share them.

We can certainly agree to disagree!

> IIUC, you are saying that "git annex" or "git lfs" which are
> extensions to Git are a security issue because if any malware-package
> providing a "git-pul" malware, then a user typing "git pul" with a

Yes, exactly. Like what happened to npm:

  https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/

Apparently this is now called typo-squatting.

> typo can have bad surprise. But at first, you need to trust a channel
> providing this malware-package, then second you need to install this
> malware-package and third make the typo.

The last part comes with zero effort :-)

As for trusting channels and packages, this is not much of an issue
today, but if Guix ever becomes as popular as Debian is today, then we
will have plenty of users with no clue about who or what they can trust.

In the long run, maybe a command spell-checker would be a nice way out.
Some piece of software that decides, based on my command history,
whether a command I type is more likely a typo or the intention to run
some exotic software.

Cheers,
  Konrad.
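
The command spell-checker idea from the message above, sketched as an added example (not part of the original e-mail and not code from Guix or GWL). The function names, the thresholds and the sample history are assumptions made for illustration: a command never seen in the history but within one edit of a frequently used one is flagged for confirmation instead of being run.

```python
from collections import Counter

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "psuh" typed for "push".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def check_command(typed, history, min_uses=3, max_distance=1):
    """Classify a typed command against the user's own history.

    Returns ("known", None) if the command was used before,
    ("likely-typo", intended) if it was never used but is within
    max_distance edits of a command used at least min_uses times,
    and ("new", None) otherwise (plausibly an intentional new command).
    """
    counts = Counter(history)
    if counts[typed] > 0:
        return ("known", None)
    near = [(n, cmd) for cmd, n in counts.items()
            if n >= min_uses and osa_distance(typed, cmd) <= max_distance]
    if not near:
        return ("new", None)
    # Prefer the most frequently used neighbour as the likely intent.
    return ("likely-typo", max(near)[1])

# Constructed sample history (hypothetical, for illustration only).
SAMPLE_HISTORY = (["git pull"] * 5 + ["git push"] * 4
                  + ["git annex sync"] * 2 + ["git status"] * 6)

if __name__ == "__main__":
    for cmd in ("git pul", "git psuh", "git annex sync", "git lfs"):
        print(cmd, "->", check_command(cmd, SAMPLE_HISTORY))
```

A shell wrapper would ask for confirmation on "likely-typo" before dispatching to an extension such as a hypothetical "git-pul", and run the other two classes unchanged.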