Re: “Building a Secure Software Supply Chain with GNU Guix”
From: Ludovic Courtès
Subject: Re: “Building a Secure Software Supply Chain with GNU Guix”
Date: Mon, 18 Jul 2022 14:30:43 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.1 (gnu/linux)
Hi,
Zhu Zihao <all_but_last@163.com> wrote:
> https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
>
> Here's a detailed report about Marak and faker.js.
Interesting. But yeah, a Guix committer could change Guix anytime to
print “LIBERTY” (that’s very much the spirit of the project ;-)) or they
could, simply, unwillingly introduce bugs. No technical mechanism can
prevent that.
>>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>>> code is allowed. But Guix channel is less restricted than a Nix flake.
>>> It's an important problem to make sure the evaluation is safe for the user.
>>
>> Yes, I understand. I don’t think that makes a practical difference
>> though: when you pull from a Guix channel or fetch a Nix flake, that’s
>> because you want to install software according to what that
>> channel/flake provides. So whether evil code is in the channel/flake
>> (as Scheme/Nix code) or in the package(s) themselves makes little
>> difference.
>>
>> Does that make sense?
>
> My two cents: When deploying a manifest, we use `guix package -p
> <path-to-profile> -m <path-to-manifest>`. This command consists of two
> parts. Guix will first evaluate the packages specified in the manifest
> and build the profile, and then populate the profile to the given
> destination. The first part can be done in a sandboxed environment, or a
> non-privileged account like "nobody".
Sure, though at a technical level it is trickier than this, and again, it
doesn’t change the fact that you’ll end up running code provided by the
very same developers.
Thanks,
Ludo’.