guix-devel

Re: should auto updaters be disabled?


From: Leo Famulari
Subject: Re: should auto updaters be disabled?
Date: Sat, 29 Feb 2020 17:00:48 -0500

On Sat, Feb 29, 2020 at 09:41:17PM +0100, Bengt Richter wrote:
> IMO auto-update is like buying an appliance and giving
> the install crew a permanent key to the kitchen door.

I don't think this metaphor is wrong, but it's not very exact. Short of
auditing every single line of code in a package, and skillfully
detecting obfuscated malware, all of our packages may try to download
and execute software at run-time. It's just the nature of computers with
network access.

In any case, it's extremely unlikely that a package autoupdater will
work in Guix because they usually target the executable's directory and
that is read-only in /gnu/store. But we should still try to disable them
as a matter of Guix policy.


