[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Getting started with GWL 0.3.0
|
From: |
Konrad Hinsen |
|
Subject: |
Re: Getting started with GWL 0.3.0 |
|
Date: |
Wed, 24 Mar 2021 11:08:00 +0100 |
Hi Simon,
>> As for trusting channels and packages, this is not much of an issue
>> today, but if Guix ever becomes as popular as Debian is today, then we
>> will have plenty of users with no clue about who or what they can trust.
>
> ...and you can do the same with any package manager. For instance,
Yes, exactly. Trusting software sources is becoming an ever more
important issue everywhere, as people rely on ever more complex software
assemblies whose components they can no longer verify individually.
Which is also why package managers now become targets of attacks.
> The issue at first is the channel. There is official channels that
> you are trusting and other channels that you cannot trust. Well, your
The channel is only the top level. Do I trust the "Guix" channel? More
than other channels, but I don't really know how much the current
maintainers check each individual package submission. They certainly
look at the package definition itself, but do they also check that the
packaged software itself is free from malware? If so, how thorough are
those checks? There are so many possible levels of attack today.
> Well, checking at each command invocation could slow Guix, since it is
> already not the fastest CLI of West. :-)
Such checks could happen at a higher level, e.g. shell or terminal, to
cover not only Guix but also everything else. As Ricardo pointed out,
such checks cannot be perfect, but that's true for spell checkers as
well, which nevertheless turn out to be useful. The goal is not provably
absolute security, but noticeably increased security.
BTW, I consider IT security and reproducibility in research as almost
the same problem. The former's enemy is malice, the latter's enemy
is mistakes, but the common aspect of both is users not fully knowing
which exact software they are running. In reproducibility, typos are a
well-known issue and one reason why we recommend scripting everything,
to turn the random typo into a reproducible typo.
Cheers,
Konrad.
- Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/22
- Re: Getting started with GWL 0.3.0, zimoun, 2021/03/22
- Re: Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/22
- Re: Getting started with GWL 0.3.0, zimoun, 2021/03/22
- Re: Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/22
- Re: Getting started with GWL 0.3.0, zimoun, 2021/03/22
- Re: Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/23
- Re: Getting started with GWL 0.3.0, Ricardo Wurmus, 2021/03/23
- Re: Getting started with GWL 0.3.0, Roel Janssen, 2021/03/23
- Re: Getting started with GWL 0.3.0, zimoun, 2021/03/23
- Re: Getting started with GWL 0.3.0,
Konrad Hinsen <=
- Re: Getting started with GWL 0.3.0, zimoun, 2021/03/24
Re: Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/23
Re: Getting started with GWL 0.3.0, Konrad Hinsen, 2021/03/24