Hi,

Zhu Zihao <all_but_l...@163.com> skribis:

> https://www.bleepingcomputer.com/news/security/dev-corrupts-npm-libs-colors-and-faker-breaking-thousands-of-apps/
>
> Here's a detailed report about Marak and faker.js.

Interesting. But yeah, a Guix committer could change Guix anytime to
print “LIBERTY” (that’s very much the spirit of the project ;-)) or they
could, simply, unwillingly introduce bugs. No technical mechanism can
prevent that.

>>> In Nix flakes, there's pure evaluation to make sure no side-effectful
>>> code is allowed. But Guix channel is less restricted than a Nix flake.
>>> It's an important problem to make sure the evaluation is safe for the user.
>>
>> Yes, I understand. I don’t think that makes a practical difference
>> though: when you pull from a Guix channel or fetch a Nix flake, that’s
>> because you want to install software according to what that
>> channel/flake provides. So whether evil code is in the channel/flake
>> (as Scheme/Nix code) or in the package(s) themselves makes little
>> difference.
>>
>> Does that make sense?
>
> My two cents: When deploying a manifest, we use `guix package -p
> <path-to-profile> -m <path-to-manifest>`. This command consists of two
> parts. Guix will first evaluate the packages specified in the manifest,
> and build the profile. And then populate the profile to the given
> destination. The first part can be done in a sandboxed environment, or a
> non-privileged account like "nobody".

Sure, though at a technical level it is trickier than this, and again, it
doesn’t change the fact that you’ll end up running code provided by the
very same developers.

Thanks,
Ludo’.