
From: Konrad Hinsen
Subject: Re: A better XML, config is code (was Re: Profiles/manifests-related command line...)
Date: Wed, 13 Nov 2019 16:28:58 +0100

Hi Giovanni,

> The real question is: a configure file is code or data?  IMHO is code,

Code is data with execution semantics, so "code" is a subset of "data".

I'd reformulate the question as: should configuration data be
literal data, or the result of a computation? The second option
is more general, and therefore more powerful. Whether that is good or bad
depends on the application. If you are writing the configuration, you
appreciate more power. If you use someone else's, you might well prefer
it not being more powerful than what you can understand.

> Mumble... but every user *is* a power user when installing and
> configuring a system, no?

"Is", no. That would assume that everybody knows their limits. Not true
in my experience with human nature.

> ...so yes, if it's not a channel under your control - or of someone you
> decide to trust - you should better not use it (and do not copy/paste
> configuration files you do not understand)

Fine with me, but then we should (1) say so somewhere in the manual and
(2) not recommend using such configuration files for performing tasks
that ought to be accessible to ordinary users.

> I recently read this "Curl to shell isn't so bad" article (thanks ARota)
> https://arp242.net/curl-to-sh.html
>
> «In the end it’s still just running code you didn’t personally audit on
> your computer, and a matter of trust.»

Exactly. It's OK for us to ask users to trust the Guix team, which they
have to do anyway if they use Guix. So configuration files provided by
Guix itself are not a problem.

But if we tell people that Guix is great for reproducing someone else's
computation, and that the best way to share a computation is publishing
a manifest file, then we are encouraging people to run code from
untrusted sources. Which leaves three options:
 1. Provide a safe way to re-create environments from untrusted
    sources.
 2. Don't recommend reproducing someone else's computation using Guix.
 3. Explain why reproducing someone else's computation is
    a risky procedure that should be reserved to power users.

Cheers,
  Konrad.
