On Fri, 21 Jun 2024 09:41:10 +0100 Dale Mellor <guix-devel-0br...@rdmp.org> wrote:
> On Thu, 2024-06-20 at 22:59 +0200, Ekaitz Zarraga wrote:
> > Hi,
> >
> > On 2024-06-20 22:54, Andreas Enge wrote:
> > > On Thu, Jun 20, 2024 at 07:42:44PM +0100 Dale Mellor wrote:
> > > > I'm sure guix lint tried to push my code out to them the last time I
> > > > tried.
> > >
> > > Ah indeed, there is this in guix/lint.scm:
> > >
> > > So it does not push code, but a URL from which the code can be downloaded.
> > > Thus it requires the code to be available from the Internet; local code
> > > is "safe" from SWH.
>
> But this is still leaking information.
>
> > > Now I do not know what will happen if you save your code as a git
> > > repository at a hidden URL. For instance, does SWH check the license?
> > > I would hope so.
>
> Hope is not really good enough, there needs to be certainty in this.
>
> > For this specific case we could add some flag to the command line like
> > `--do-not-archive` or something like that.
>
> `-x archival` does it, but it is too easy to forget and once the cat is out
> of the bag privacy is lost. I really think this should be default behaviour,
> or at least there should be a flag in the package definition. I would still be
> uncomfortable with the last option, as everyone would be relying on the
> collective of Guix maintainers to not screw up and accidentally leak private
> data.
>
> Dale

Yeah, very much agree this should be the default behavior. Archiving should be opt-in to avoid any surprises for the person running it. I am surprised it became default actually.

MSavoritias