From: Konrad Hinsen
To: zimoun
Cc: gwl-devel@gnu.org
Subject: Re: Getting started with GWL 0.3.0
Date: Wed, 24 Mar 2021 11:08:00 +0100
References: <86y2efzc08.fsf@gmail.com>
Hi Simon,

>> As for trusting channels and packages, this is not much of an issue
>> today, but if Guix ever becomes as popular as Debian is today, then we
>> will have plenty of users with no clue about who or what they can trust.
>
> ...and you can do the same with any package manager. For instance,

Yes, exactly. Trusting software sources is becoming an ever more
important issue everywhere, as people rely on ever more complex software
assemblies whose components they can no longer verify individually.
Which is also why package managers are now becoming targets of attacks.

> The issue at first is the channel. There are official channels that
> you are trusting and other channels that you cannot trust. Well, your

The channel is only the top level. Do I trust the "Guix" channel? More
than other channels, but I don't really know how much the current
maintainers check each individual package submission. They certainly
look at the package definition itself, but do they also check that the
packaged software itself is free from malware? If so, how thorough are
those checks? There are so many possible levels of attack today.
> Well, checking at each command invocation could slow Guix, since it is
> already not the fastest CLI of the West. :-)

Such checks could happen at a higher level, e.g. shell or terminal, to
cover not only Guix but also everything else. As Ricardo pointed out,
such checks cannot be perfect, but that's true for spell checkers as
well, which nevertheless turn out to be useful. The goal is not provably
absolute security, but noticeably increased security.

BTW, I consider IT security and reproducibility in research as almost
the same problem. The former's enemy is malice, the latter's enemy is
mistakes, but the common aspect of both is users not fully knowing which
exact software they are running. In reproducibility, typos are a
well-known issue and one reason why we recommend scripting everything,
to turn the random typo into a reproducible typo.

Cheers,
  Konrad.