Re: “Building a Secure Software Supply Chain with GNU Guix”

[Ricardo Wurmus]

Ludovic Courtès <ludo@gnu.org> writes:

>> My two cents: When depolying a manifest, we use `guix package -p
>> <path-to-profile> -m <path-to-manifest>`, This command consists two
>> parts. Guix will first evaluate the packages specified in the manifest,
>> and build the profile. And then populate the profile to given
>> destination. The first part can be done in a sandboxed environment, or a
>> non-privileged account like "nobody".
>
> Sure, though at a technical level is trickier than this, and again, it
> doesn’t change the fact that you’ll end up running code provided by the
> very same developers.

It may still be worthwhile adding a few restrictions.  One scenario that
caught me by suprise: deleting files in a snippet.  I forgot quoting the
snippet and ended up running the deletion code on the host side – in my
working directory.  Nothing bad happened and we’ve never committed any
mistake like that to the repository, but it is conceivable that
something like this gets past the review and ends up deleting files.

A safety net would prevent a small mistake like a missing quote from
having potentially large side effects.

Of course, all this is orthogonal to securing the supply chain, which is
what the paper is about.

-- 
Ricardo