Re: List of installed package, version pairs

From: Giovanni Biscuolo
Subject: Re: List of installed package, version pairs
Date: Fri, 18 Jan 2019 09:36:22 +0100

Hi Jack,

Jack Hill <address@hidden> writes:

> It seems that work has noticed the GuixSD host that I brought into the
> office. The security office maintains a risk profile by collecting lists
> of installed packages,

this may seem "tangent" but I think yours is a *very* interesting use
case, others gave you some tips on how to get a list of "installed
packages" but I'm (others?) very interested in _how_ your security
office uses this list to evaluate a "risk profile"

Jack: do you have any info you could share on this please? your use case
could be the use case (or "class" of use cases) of thousands of potential
Guix users

all of us here are *very* concerned about the security risk of our
installed binaries, this is the reason we are seeking a reproducible
*and* bootstrappable based "software environment" like Guix

...unless your security team is keeping an internal list of applications
and associated risk level, but _how_ to reliably assess that?
i.e. are they fine with "Oracle DBMS" installed via a Docker bundle?
would they be fine if you brought a Windows10 host into the office?

as a *sysadmin* and user (*not* as part of the developers community) I'd
like to _forget_ the "sysadmin/user assessed risk profile" (an
illusion?) of my binaries and choose them for their features alone

maybe your security team could share their views with the Guix community
so we can better understand their concerns

if I were a member of your security team I'd say: «uhm... Guix, Ok show
me your channels» ;-)

e.g. Ricardo Wurmus yesterday in this thread said:

> I’m curious to know if the security folks would also object to you
> building packages from source without Guix.  Do they ask everyone with a
> compiler to provide a list of dependencies?

this is an interesting point: AFAIK it's common practice for sysadmins in
"corporate" infrastructures to forbid users from installing packages in /usr
and alike and sometimes /home is also mounted noexec :-O... so maybe
they manage to also systematically forbid users from executing
self-compiled binaries

...but is it an effective security policy?


Giovanni Biscuolo

Xelera IT Infrastructures
