gwl-devel

Re: Getting started with GWL 0.3.0


From: Konrad Hinsen
Subject: Re: Getting started with GWL 0.3.0
Date: Tue, 23 Mar 2021 13:57:10 +0100

Hi Simon,

> Well, I understand your concerns but I am not convinced I share them.

We can certainly agree to disagree!

> IIUC, you are saying that "git annex" or "git lfs", which are
> extensions to Git, are a security issue because if any malware package
> provides a "git-pul" malware, then a user typing "git pul" with a

Yes, exactly. Like what happened to npm:

  https://threatpost.com/attackers-use-typo-squatting-to-steal-npm-credentials/127235/

Apparently this is now called typo-squatting.

> typo can have a bad surprise.  But at first, you need to trust a channel
> providing this malware package, then second you need to install this
> malware package and third make the typo.

The last part comes with zero effort :-)

As for trusting channels and packages, this is not much of an issue
today, but if Guix ever becomes as popular as Debian is today, then we
will have plenty of users with no clue about who or what they can trust.

In the long run, maybe a command spell-checker would be a nice way out.
Some piece of software that decides, based on my command history,
whether a command I type is more likely a typo or the intention to run
some exotic software.

Cheers,
  Konrad.
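The mechanism the two messages argue about, as an added example (this is not code from the thread, from GWL or from Guix): git dispatches `git foo` to the first executable named `git-foo` found on PATH whenever `foo` is not a built-in command, which is how `git annex` and `git lfs` plug in and is exactly what a malicious `git-pul` would ride on. The script below enumerates such `git-*` executables, flags those whose name is one edit away from a built-in (so `git-pul` shadows a typo of `pull`), and implements the kind of history-based typo-versus-intent decision the message proposes. Assumptions: the list of built-ins is a hand-picked subset for the demo, and the `git-pul` and `git-annex` executables in `demo()` are constructed in a temporary directory.

```python
"""Find typo-squatted git subcommands on PATH and score a typed command
against shell history (added example; assumptions are marked)."""
import os
import stat
import tempfile
from collections import Counter

# Assumption: a hand-picked subset of git built-ins is enough for the demo.
# A real tool would take the full list from `git help -a`.
BUILTIN_GIT_COMMANDS = {
    "add", "branch", "checkout", "clone", "commit", "diff", "fetch", "init",
    "log", "merge", "pull", "push", "rebase", "reset", "status", "stash", "tag",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_git_subcommands(path_dirs):
    """Return {name: path} for executables named git-<name> in path_dirs.

    Mirrors git's own dispatch: the first `git-foo` on PATH wins, so a
    directory early in PATH can shadow a later, legitimate one."""
    found = {}
    for d in path_dirs:
        try:
            entries = os.listdir(d)
        except OSError:
            continue  # missing or unreadable PATH entry, as git would skip it
        for entry in sorted(entries):
            if not entry.startswith("git-"):
                continue
            full = os.path.join(d, entry)
            if os.path.isfile(full) and os.access(full, os.X_OK):
                found.setdefault(entry[4:], full)
    return found


def suspicious_subcommands(subcommands, builtins=BUILTIN_GIT_COMMANDS, max_distance=1):
    """Return [(name, path, nearest_builtin)] for external subcommands that
    are not built-ins but sit within max_distance edits of one."""
    out = []
    for name, path in subcommands.items():
        if name in builtins:
            continue  # git runs the built-in, an external git-pull is never reached
        near = sorted(b for b in builtins if levenshtein(name, b) <= max_distance)
        if near:
            out.append((name, path, near[0]))
    return out


def typo_or_intent(command, history, threshold=1):
    """Decide from command history whether `command` is a typo.

    Returns ("intent", command) if the user has typed it before or nothing
    similar is in the history; otherwise ("typo", most_frequent_neighbour)."""
    counts = Counter(history)
    if counts[command] > 0:
        return ("intent", command)
    candidates = [(counts[h], h) for h in counts if levenshtein(command, h) <= threshold]
    if not candidates:
        return ("intent", command)
    _, best = max(candidates)
    return ("typo", best)


def demo():
    """Constructed scenario: one PATH directory holding a legitimate
    git-annex and a typo-squatting git-pul. Returns the flagged entries."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("git-annex", "git-pul"):  # constructed, not real packages
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho 'not the real pull'\n")
            os.chmod(p, os.stat(p).st_mode | stat.S_IXUSR)
        return suspicious_subcommands(find_git_subcommands([d]))


if __name__ == "__main__":
    real_path = os.environ.get("PATH", "").split(os.pathsep)
    for name, path, near in suspicious_subcommands(find_git_subcommands(real_path)):
        print(f"git-{name} at {path} is one typo away from built-in '{near}'")
    print(demo())
    print(typo_or_intent("pul", ["pull", "pull", "push", "status"]))
```

Note that git's own `help.autocorrect` setting only kicks in when no command of the typed name exists at all; once a `git-pul` is installed, `git pul` is an exact match and runs it without any "did you mean" prompt, so the check has to look at what is installed, not at what git suggests. The history-based heuristic is the simple form of the spell-checker the message sketches: a name the user has never typed that is one edit from something they type often is treated as a typo.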


