On 2024-11-12 09:50, Suhail Singh wrote: > I was under the impression that the build phase in guix is always > containerized and without network access. Could you please elaborate on > this?
Building a package yes, but you can have external commands in a manifest.scm or guix.scm. Saku provided an example in an earlier email of a valid but dangerous manifest: ```scheme (system* "rm -rf $HOME") (specifications->manifest (list "hello")) ``` We could also have one that downloads malicious code, or uploads private info, the POC is left as an an exercice for the reader ;) What I was saying is that we could restrain recording `guix shell --allow` only if the manifest builds properly containerized and without network access (outside package building I mean), and otherwise refuse to allow (failing manifest, possibly because it tries to access the network or files outside the repo) with a warning message, providing the ability to restrain "automatic loading" to certain "safer" conditions only. This would in turn mean that (given the same guix revision) we can always run a `guix shell --allow`-ed using `guix shell --container` which actually makes a lot of sense in my use-case. I don't really know about other use-cases, but I guess it's the same, even a scheme developper would probably want a manifest that doesn't depend on files outside of his repo or the network. Saku, do you have an opinion on this? The downside is that we would have to basically run `guix shell --container` (and build all there is to build) before being able to run `guix shell --allow`. WDYT? -- Best regards, Nicolas Graves