guix-devel

Re: security concerns of using guix packages


From: Pjotr Prins
Subject: Re: security concerns of using guix packages
Date: Sat, 4 Jul 2015 15:50:12 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote:
> The sys admin at my institute expresses concern that we would
> potentially expose ourselves to additional security risk by building
> scientific software stack in Guix where we might depend on alternate
> versions of, say, openssl.
> 
> Do you agree this is a reasonable concern, and, if so, is there a
> "position statement" on the matter?  
> 
> I'm guessing this is in part a matter of trust - i.e. do we trust
> GNU/guix gang as much as, say the Red Hat/CentOS gang.  Or am I
> perhaps misunderstanding the consideration?

If openssl security is a concern, that would mostly be relevant for
packages that may have root privileges and/or run as an internet
service. When it comes to such exploits Red Hat and others do fix and
distribute them - which comes as public information. It is not in
their interest to hide fixes (even if they could). It is not the
nature of FOSS. That means GNU Guix will be one of the first to pick
fixes up as there are ample people running GNU Guix that are concerned
about their servers and GNU Guix packages can be updated quickly and
incrementally (Guix does not need special security repositories).

Note that most real world exploits are based on systems running older
software.

GNU Guix packages tend to be very up-to-date, though it depends on the
admin to keep track of that for a running system. I would be very
happy to run GNU Guix for critical services (such as ssh-server).

I could write a much longer E-mail, but I think what you should do is
avoid discussing particular privileged services and convince the
system administrator that all privileged services can still be Red
Hat/CentOS packages (so 'safe' in his book). All you are installing is
user land software in a nice and controlled environment.

That is no different from compiling packages by hand and installing
them in $HOME. To run the installed software as privileged you still
need to start them as root. Therefore GNU Guix installed packages can
do no more harm than self-built software.

A good system administrator should be able to grasp that. Maybe you
can have your system administrator speak with Ricardo's system
administrators. They allowed the cluster-wide network mount in an
academic setting. In science we have to be able to install our own
software on compute clusters. The current (and common)
build-it-yourself in $HOME route is laborious and error prone. 

The reason I am investing in GNU Guix is that I now have a packaging
system that allows me to leverage and share package management with
other scientists and it goes some way towards reproducible science. It
is a great step forward. The environments that 'get' this quickest
will do better than others at supporting science.

It is just a matter of time before our way of deploying software
becomes the norm.

I hope that helps.

Pj.



