Re: “Building a Secure Software Supply Chain with GNU Guix”

[Ludovic Courtès]

Hi,

Zhu Zihao <all_but_last@163.com> skribis:

> https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
>
> Here's a detailed report about Marak and faker.js.

Interesting.  But yeah, a Guix committer could change Guix anytime to
print “LIBERTY” (that’s very much the spirit of the project ;-)) or they
could, simply, unwillingly introduce bugs.  No technical mechanism can
prevent that.

>>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>>> code is allowed. But Guix channel is less restricted than a Nix flake.
>>> It's a important problem to make sure the evaluation is safe for the user.
>>
>> Yes, I understand.  I don’t think that makes a practical difference
>> though: when you pull from a Guix channel or fetch a Nix flake, that’s
>> because you want to install software according to what that
>> channel/flake provides.  So whether evil code is in the channel/flake
>> (as Scheme/Nix code) or in the package(s) themselves makes little
>> difference.
>>
>> Does that make sense?
>
> My two cents: When depolying a manifest, we use `guix package -p
> <path-to-profile> -m <path-to-manifest>`, This command consists two
> parts. Guix will first evaluate the packages specified in the manifest,
> and build the profile. And then populate the profile to given
> destination. The first part can be done in a sandboxed environment, or a
> non-privileged account like "nobody".

Sure, though at a technical level is trickier than this, and again, it
doesn’t change the fact that you’ll end up running code provided by the
very same developers.

Thanks,
Ludo’.