guix-devel

Re: security concerns of using guix packages


From: Ludovic Courtès
Subject: Re: security concerns of using guix packages
Date: Sat, 04 Jul 2015 16:22:20 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Hi!

"Cook, Malcolm" <address@hidden> wrote:

> Hello Guixen (Guixers?  Guix-noscenti?)

Simply “Guix” (pronounced like “geeks”.)   :-)

> The sys admin at my institute expresses concern that we would potentially 
> expose ourselves to additional security risk by building scientific software 
> stack in Guix where we might depend on alternate versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a "position 
> statement" on the matter?  

Guix provides guarantees that no traditional distro provides.

Guix users can choose to use substitutes (pre-built binaries.)  In that
case, they have to trust the binary provider:

  http://www.gnu.org/software/guix/manual/html_node/Substitutes.html

But the first big difference compared to Debian, Fedora, etc. is that
users can:

  1. Choose their binary provider–it doesn’t have to be hydra.gnu.org.

  2. Choose *not* to use binaries from a third-party, and instead build
     packages locally.

(By contrast, see the description of Debian’s “dirtiest secret” by the
former DPL in
<http://video.fosdem.org/2015/devroom-distributions/distributions_boring_solved_problem.mp4>,
at around 28 mn.)

In addition, the functional package management paradigm (see
<http://www.gnu.org/software/guix/manual/html_node/Introduction.html>)
allows users to know exactly how a package is built.  For instance,
anyone can trivially audit the recipe at
<http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/openssl.scm#n29>.
By construction, the result of ‘guix build openssl’ corresponds
precisely to the build process that this recipe and the ones it depends
on describe.


A concern could be the time it takes for the project to deploy security
fixes.  Obviously there are many fewer Guix contributors than Debian
contributors, but so far we do pretty well nevertheless (thanks to
Mark H Weaver for the most part.)

A related concern is the time it takes to actually deploy the fixed
binaries on your machine.  This is discussed at:

  http://www.gnu.org/software/guix/manual/html_node/Security-Updates.html


I hope this clarifies things!

Thanks,
Ludo’.
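The message's two practical points (build locally instead of trusting a binary provider, and the result of ‘guix build’ is determined by the recipe) can be turned into a check: build without substitutes, then compare the local build with the NarHash the substitute server advertises for the same store item. The script below is an added example, not code from the message or from the Guix project; it assumes guix, curl and sed are on PATH, that narinfo files are served at <server>/<store-hash>.narinfo as hydra.gnu.org does, and it only looks at the first output of a multi-output package.

```shell
#!/bin/sh
# Added example (not from the original message): check that a package built
# locally, without substitutes, matches the NarHash the substitute server
# advertises for the same store item. Assumes `guix`, `curl` and `sed` are on
# PATH; the server defaults to hydra.gnu.org, the provider named in the thread.

# Pull the nix-base32 NarHash value out of narinfo text read from stdin.
narinfo_nar_hash() {
  sed -n 's/^NarHash: sha256:\([0-9a-z]*\)$/\1/p'
}

# Compare a local hash with the server's.  Exit status is the verdict
# (0 match, 1 mismatch, 2 server had no narinfo) and one line is printed.
compare_hashes() {
  local_hash=$1
  remote_hash=$2
  if [ -z "$remote_hash" ]; then
    echo "no narinfo on server: cannot compare"
    return 2
  elif [ "$local_hash" = "$remote_hash" ]; then
    echo "match: local build reproduces the server's binary"
    return 0
  else
    echo "MISMATCH: local=$local_hash server=$remote_hash"
    return 1
  fi
}

# Build PACKAGE locally (no substitutes), hash the result the same way a
# narinfo does (`guix hash -r` = nar serialisation, nix-base32), and compare
# with what SERVER says about the same /gnu/store path.
verify_local_build() {
  package=$1
  server=${2:-http://hydra.gnu.org}   # assumed default; pass your own provider
  paths=$(guix build --no-substitutes "$package") || return 3
  store_path=$(printf '%s\n' "$paths" | head -n 1)   # first output only
  local_hash=$(guix hash -r "$store_path")
  # narinfo URL is <server>/<first 32 chars of the store basename>.narinfo
  hash_part=$(basename "$store_path" | cut -c1-32)
  remote_hash=$(curl -fsS "$server/$hash_part.narinfo" | narinfo_nar_hash)
  compare_hashes "$local_hash" "$remote_hash"
}

# Usage: ./verify.sh openssl [http://substitute-server]
if [ $# -gt 0 ]; then
  verify_local_build "$@"
fi
```

A mismatch does not by itself prove the server is malicious (non-reproducible builds exist), but it is exactly the case where trusting the pre-built binary rests on the provider alone.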
