
Re: “Building a Secure Software Supply Chain with GNU Guix”


From: zimoun
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 04 Jul 2022 10:21:13 +0200

Hi,

On Sun, 03 Jul 2022 at 12:38, Bengt Richter <bokr@bokr.com> wrote:
>> I do not think committers are pushing code about #1, #2 or #3 that they
>> know beforehand will cause a problem.
>
> Hm, -- unless <context-requirements-not-met> ... ? :)
>

I do not understand what you mean.

>> The GPG trust level works because it is based on the web of trust.
>> Here, there is no web, IMHO.
>
> Well, guix developers who know each other well "in real life" have a pretty
> good web, if not formal, no? :)

Maybe I am missing something.  IIUC, you are proposing to attach a level
of trust to each commit.

If this level for one commit is set by one committer, then the outcome
is poor because this level strongly depends on the committer.  Committer
A could say 0 and committer B could say 3 for the same commit; in other
words, the level depends on who does the job.  Therefore it is too
dependent on the committer's mood to be useful, security-wise.  In this
case, there is no web of trust.

If this level for one commit is set by more than one committer, then it
is not affordable, because it means we are doing double (or more) review
when the project is struggling just to merge all the submissions.  In
this case, there is a web of trust, but it is not doable considering the
rate of commits.


> I'm just looking for some greppable coded hint of the difference between
> a package that consists of e.g. a reverse polish calculator homework
> assignment that a nerdy friend showed how to submit as a package, vs.
> e.g. a package where the comments say over 10K subscribers have now been
> running this hundreds of times daily for 2 months of beta testing with
> no reported problems. Vs. this is alpha stuff, but seems harmless enough
> if you run it in a container.

Run OpenBSD. ;-)


> I'm not asking any guarantees, just a professional's quick judgement.
> Like a chef's quick opinion on the cantaloupes at the open market.

Why should this professional's quick judgment come from the package
manager (packager, reviewer, committer) and not from a community around
the specific software, however it is distributed?


Cheers,
simon
