Andreas Enge <andr...@enge.fr> writes:

> On Sat, Feb 08, 2025 at 05:43:20PM +0100, Ludovic Courtès wrote:
>> I gave the example of Nixpkgs, where package maintainers, who are not
>> necessarily committers, can trigger merges for some changes that touch
>> their packages and that pass a number of tests.
>
> Maybe this is semantic nitpicking, but people who are able to merge are
> effectively committers, if only potentially limited to some parts of
> the code.

Given that Guix is (effectively) just a large Scheme program, does the
"limited to some parts of the code" bring any security compared to full
access?

If I specify the `version' field of a package to be

--8<---------------cut here---------------start------------->8---
(begin (system "rm -rf /") "1")
--8<---------------cut here---------------end--------------->8---

I am changing just "my" package, but I am unsure when that code would
execute.  Does it get executed on, for example, `guix search'?  Or only
when installing?

Tomas

-- 
There are only two hard things in Computer Science: cache invalidation,
naming things and off-by-one errors.
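The question above is about a package field holding an arbitrary expression instead of a string. Whatever the evaluation timing turns out to be, a reviewer can catch such fields before the module is ever loaded by reading the source as data rather than evaluating it. The following Guile script is an added example written for this thread; it is not Guix code and not something Tomas, Andreas or Ludovic posted. It assumes nothing about Guix beyond the `(package (name ...) (version ...) ...)` shape of a package form, and the module text it scans is a constructed sample embedded inline.

```scheme
;; Added example (not from the thread): statically scan a package module
;; for `package' forms whose `name' or `version' field is not a plain
;; string literal.  The file is read with `read', never evaluated, so any
;; side effect hidden in a field expression does not run during the scan.
(use-modules (srfi srfi-1))   ; append-map, filter-map

;; Constructed sample input standing in for a package module under review.
;; The second package uses an expression instead of a literal for `version'.
(define sample-module
  "(define-public hello-ok
     (package
       (name \"hello\")
       (version \"2.12\")))
   (define-public hello-suspicious
     (package
       (name \"hello\")
       (version (begin (display \"side effect\") \"1\"))))")

;; Fields that should only ever hold string literals.
(define literal-fields '(name version))

;; Read every top-level form from PORT into a list, in order.
(define (read-all port)
  (let loop ((forms '()))
    (let ((form (read port)))
      (if (eof-object? form)
          (reverse forms)
          (loop (cons form forms))))))

;; Walk an s-expression tree and collect every `(package ...)' form in it.
;; Handles dotted pairs as well as proper lists.
(define (collect-packages expr)
  (cond ((not (pair? expr)) '())
        ((eq? (car expr) 'package) (list expr))
        (else (append (collect-packages (car expr))
                      (collect-packages (cdr expr))))))

;; Best-effort display name for a package form: its `name' field if that
;; is a string literal, otherwise a marker.
(define (package-name pkg)
  (let ((field (assq 'name (filter pair? (cdr pkg)))))
    (if (and field (pair? (cdr field)) (string? (cadr field)))
        (cadr field)
        "<non-literal name>")))

;; Return (field-name . value) for every literal-only field of PKG whose
;; value is not a string.
(define (non-literal-fields pkg)
  (filter-map
   (lambda (field)
     (and (pair? field)
          (memq (car field) literal-fields)
          (pair? (cdr field))
          (not (string? (cadr field)))
          (cons (car field) (cadr field))))
   (cdr pkg)))

;; Scan all forms on PORT, report each finding, and return the count.
(define (scan port)
  (let ((findings
         (append-map (lambda (pkg)
                       (map (lambda (f) (cons pkg f)) (non-literal-fields pkg)))
                     (append-map collect-packages (read-all port)))))
    (for-each (lambda (finding)
                (format #t "package ~a: field `~a' is not a string literal: ~s~%"
                        (package-name (car finding))
                        (cadr finding)
                        (cddr finding)))
              findings)
    (length findings)))

;; Run on the constructed sample; a real module would be scanned with
;; (call-with-input-file "gnu/packages/foo.scm" scan).
(scan (open-input-string sample-module))
```

On the sample this reports one finding, for `hello-suspicious`, naming the `version` field and echoing the offending `(begin ...)` expression. The important design point is that the check works on the reader's output, so it never has to load the module to find out what a field contains; extending `literal-fields` (for example to `home-page` or `synopsis`) is a one-line change.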