Hi Andy, > I wrote this for that purpose: > > > https://www.gnu.org/software/guile/manual/html_node/Sandboxed-Evaluation.html
Right, I had found this when searching for something. It seems to solve a couple of problems that I don't quite understand, but not so much those I do (file/network access). Would be nice to see this extended. > In practice Guix's "containerized" build jobs are much more effective > than in-language barriers. Indeed, but if Guix is compromised by malware, the build jobs may build code that has already been tampered with. Maybe one could have config and manifest files interpreted by the build daemon for safety. Except that some manifest files (read: mine) need read access to the file system. Cheers, Konrad.
