guix-devel

Re: security concerns of using guix packages


From: Ludovic Courtès
Subject: Re: security concerns of using guix packages
Date: Sat, 04 Jul 2015 16:32:01 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

"Claes Wallin (韋嘉誠)" <address@hidden> wrote:

> If I'm interpreting the OP's IT department correctly, this is not about
> trusting guix or Red Hat regarding malice, not about binaries and
> substitutions, but regarding competence and diligence, and the package
> tree. If there are important patches coming out, will they get into
> guix/Red Hat fast enough and will they get to users fast enough?

That’s a valid concern, and there’s not much we can say other than we’ve
been doing our best and will continue to do so.

That said, sysadmins don’t have to wait for upstream Guix to provide the
patch; in case of urgency, they could easily add the necessary patches
to, say,
<http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/openssl.scm#n29>,
upgrade their software, and share the patch with upstream Guix.

Of course that would be a last resort, and I hope users don’t run into
it.  But what it means is that users are more independent than with a
traditional distro.

Ludo’.


