Re: server and client in one package -> security issue
From: Andy Wingo
Subject: Re: server and client in one package -> security issue
Date: Tue, 14 Feb 2017 12:19:09 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

On Tue 14 Feb 2017 11:28, Hartmut Goebel <address@hidden> writes:
> On 13.02.2017 at 15:13, Ludovic Courtès wrote:
>> Now, back to the “only install the required software”, I wouldn’t go as
>> far as you do. I generally agree with the rule, but I’m skeptical as to
>> what this buys you from a security perspective: users can always install
>> whatever they want by hand anyway, and do you have an idea as to how
>> much code they install via their browser?
>
> Looks like we are talking about different systems. I'm talking about
> hardened systems, esp. servers, where users are not allowed to install
> additional software – not even browser add-ons.

If the user has no access to the Guix store and daemon, so they can't
even "guix package --install foo", then you're operating on effectively
a snapshot of the store, right? So perhaps you want a facility that
when exporting this store snapshot can remove some subset of files, like
for example the include/ tree on all store directories. But because
this is just a snapshot/export of the store, it doesn't seem necessary
to actually change any particular Guix package to reach your goal, as
far as I understand things anyway.
Andy
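
An export step of the kind described in the message above, as an added example that is not part of the original message and is not an existing Guix facility: it copies a directory laid out like a store and leaves out one top-level subdirectory, `include/` by default, from every item. The function names and the plain directory copy are assumptions; the store database and item hashes are not handled.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Guix commands).
# Assumption: SRC is laid out like a store, one entry per item (SRC/<hash>-<name>).

# pruned_items SRC [SUBDIR]
# Print the items that carry the subdirectory, so the effect of an
# export can be reviewed before it is run.
pruned_items() {
    for item in "$1"/*; do
        if [ -d "$item/${2:-include}" ] && [ ! -L "$item" ]; then
            printf '%s\n' "${item##*/}"
        fi
    done
}

# export_pruned_store SRC DST [SUBDIR]
# Copy every item from SRC to DST, skipping SUBDIR at the top level of
# each item. Deeper directories with the same name (share/include, ...)
# are kept. Top-level dot entries of SRC are not copied.
export_pruned_store() {
    src=$1 dst=$2 drop=${3:-include}
    mkdir -p "$dst" || return 1
    for item in "$src"/*; do
        [ -e "$item" ] || [ -L "$item" ] || continue   # unmatched glob
        name=${item##*/}
        if [ -d "$item" ] && [ ! -L "$item" ]; then
            mkdir -p "$dst/$name" || return 1
            # Walk visible and hidden children of the item.
            for child in "$item"/* "$item"/.[!.]* "$item"/..?*; do
                [ -e "$child" ] || [ -L "$child" ] || continue
                [ "${child##*/}" = "$drop" ] && continue
                cp -a "$child" "$dst/$name/" || return 1
            done
        else
            # Items that are plain files or symlinks are copied as they are.
            cp -a "$item" "$dst/" || return 1
        fi
    done
}
```

Symlinks inside the copy that pointed into a dropped tree are left dangling, so anything that resolves them needs checking on the target system.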