Re: Security of packages in official repo


From: Ricardo Wurmus
Subject: Re: Security of packages in official repo
Date: Thu, 26 Nov 2020 17:51:45 +0100
User-agent: mu4e 1.4.13; emacs 27.1

zimoun <zimon.toutoune@gmail.com> writes:

> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <phil@beadling.co.uk> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware
>> potentially introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases.  For example, there was
extensive work to gain confidence that Ungoogled Chromium does not phone
home.  Generally, anti-features such as update checkers that phone home
are patched out.

We generally take the code as is, however, and don’t assume that every
bit of free software out there is malware in disguise until it is
demonstrated beyond reasonable doubt that this is not the case.  That
would neither be feasible nor would it guarantee satisfactory results.

-- 
Ricardo
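As an added illustration, not part of this thread and not one of Guix's own package definitions, the following constructed Guix package shows the mechanism Ricardo refers to: an origin `snippet` that rewrites the unpacked source before the build so that an update-check call (the "phone home" anti-feature) is removed. The package name, URL, source file path, function name and hash are all placeholders; only the Guix record fields and the `substitute*` helper from `(guix build utils)` are real.

```scheme
;; Constructed example package: a hypothetical "example-tool" whose
;; upstream startup code calls an update checker that contacts a server.
(define-module (gnu packages example-tool)
  #:use-module (guix packages)
  #:use-module (guix download)
  #:use-module (guix gexp)
  #:use-module (guix build-system gnu)
  #:use-module ((guix licenses) #:prefix license:))

(define-public example-tool
  (package
    (name "example-tool")                      ; placeholder name
    (version "1.0")
    (source
     (origin
       (method url-fetch)
       (uri (string-append "https://example.org/example-tool-"
                           version ".tar.gz")) ; placeholder URL
       ;; Placeholder hash: Guix refuses to build if the fetched tarball
       ;; does not match, which is the "delivered reliably" half of the
       ;; question above.
       (sha256
        (base32 "0000000000000000000000000000000000000000000000000000"))
       ;; The snippet runs on the unpacked source before the build.
       ;; substitute* is a sed-like helper from (guix build utils).
       (modules '((guix build utils)))
       (snippet
        #~(begin
            ;; Replace the call to the update checker with a comment so the
            ;; built binary never contacts the update server.  The file and
            ;; function names are placeholders for this example.
            (substitute* "src/main.c"
              (("check_for_updates\\(\\);")
               "/* update check removed by Guix snippet */"))))))
    (build-system gnu-build-system)
    (home-page "https://example.org/")
    (synopsis "Constructed example tool")
    (description "Constructed example package with its update checker
patched out in the source snippet.")
    (license license:gpl3+)))
```

Because the snippet is part of the package's `origin`, the patched source is what `guix build --source` produces and what every user's build starts from, so the removal is reproducible and visible in the package recipe rather than applied ad hoc after the fact.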