Re: Getting started with GWL 0.3.0
From: zimoun
Subject: Re: Getting started with GWL 0.3.0
Date: Wed, 24 Mar 2021 11:44:19 +0100
Hi Konrad,
On Wed, 24 Mar 2021 at 11:08, Konrad Hinsen <konrad.hinsen@fastmail.net> wrote:
>>> As for trusting channels and packages, this is not much of an issue
>>> today, but if Guix ever becomes as popular as Debian is today, then we
>>> will have plenty of users with no clue about who or what they can trust.
>>
>> ...and you can do the same with any package manager. For instance,
>
> Yes, exactly. Trusting software sources is becoming an ever more
> important issue everywhere, as people rely on ever more complex software
> assemblies whose components they can no longer verify individually.
> Which is also why package managers now become targets of attacks.
I totally agree. And currently it is hard to introduce malware into the
official Guix channel, in the sense that the commits are pushed by a small
set of vouched people. Which is not the case for npm, PyPI and other
such repositories. In other words, “malware” could only be “mistake” and
not “malice”.
>> The issue at first is the channel. There is official channels that
>> you are trusting and other channels that you cannot trust. Well, your
>
> The channel is only the top level. Do I trust the "Guix" channel? More
> than other channels, but I don't really know how much the current
> maintainers check each individual package submission. They certainly
> look at the package definition itself, but do they also check that the
> packaged software itself is free from malware? If so, how thorough are
> those checks? There are so many possible levels of attack today.
I agree, again. :-) However, I don't see the security flaw you describe
with extensions, because these extensions should come from this “trusted”
channel, as any other package does.
I don't see why you trust the official channel enough to install the package
<foo> but not the extension <bar>. I do not see any difference. To me,
extensions are Guile programs which are allowed to run with the
command-line call “guix <bar>”, and I do not see why the call using
“guix” is more important than other calls, like “git annex”.
Anyway! We agree that we disagree. :-)
>> Well, checking at each command invocation could slow Guix, since it is
>> already not the fastest CLI in the West. :-)
>
> Such checks could happen at a higher level, e.g. shell or terminal, to
> cover not only Guix but also everything else. As Ricardo pointed out,
> such checks cannot be perfect, but that's true for spell checkers as
> well, which nevertheless turn out to be useful. The goal is not provably
> absolute security, but noticeably increased security.
I agree, again again. :-)
BTW, Guix now has a dumb recommender for subcommand and option-name
typos:
--8<---------------cut here---------------start------------->8---
$ guix environement --ad-foc hello
guix: environement: command not found
hint: Did you mean `environment'?
Try `guix --help' for more information.
$ guix environment --ad-foc hello
guix environment: error: ad-foc: unrecognized option
hint: Did you mean `ad-hoc'?
--8<---------------cut here---------------end--------------->8---
> BTW, I consider IT security and reproducibility in research as almost
> the same problem. The former's enemy is malice, the latter's enemy
> is mistakes, but the common aspect of both is users not fully knowing
> which exact software they are running. In reproducibility, typos are a
> well-known issue and one reason why we recommend scripting everything,
> to turn the random typo into a reproducible typo.
I agree, again again again.
Finally, I do not know on what exactly we agree to disagree. ;-)
Cheers,
simon