Hi Jack,

Jack Hill <jackh...@jackhill.us> writes:

> It seems that work has noticed the GuixSD host that I brought into the
> office. The security office maintains a risk profile by collecting lists
> of installed packages,

this may seem "tangent" but I think yours is a *very* interesting use case

others gave you some tips on how to get a list of "installed packages" but I'm (others?) very interested in _how_ your security office uses this list to evaluate a "risk profile"

Jack: do you have any info you could share on this please?

your use case could be the use case (or "class" of use cases) of thousands of potential Guix users

all of us here are *very* concerned about the security risk of our installed binaries, this is the reason we are seeking a reproducible *and* bootstrappable based "software environment" like Guix

...unless your security team is keeping an internal list of applications and associated risk level, but _how_ to reliably assess that?

i.e. are they fine with "Oracle DBMS" installed via a Docker bundle? would they be fine if you brought a Windows10 host into the office?

as a *sysadmin* and user (*not* as part of the developers community) I'd like to _forget_ the "sysadmin/user assessed risk profile" (an illusion?) of my binaries and choose them for their features alone

maybe your security team could share their views with the Guix community so we can better understand their concerns

if I were a member of your security team I'd say: «uhm... Guix, Ok show me your channels» ;-)

e.g. Ricardo Wurmus yesterday in this thread said:

> I’m curious to know if the security folks would also object to you
> building packages from source without Guix. Do they ask everyone with a
> compiler to provide a list of dependencies?

this is an interesting point: AFAIK it's common practice by sysadmins in "corporate" infrastructures to forbid users installing packages in /usr and alike and sometimes /home is also mounted noexec :-O...

so maybe they manage to also systematically forbid users from executing self-compiled binaries

...but is it an effective security policy?

Thanks
Giovanni

-- 
Giovanni Biscuolo
Xelera IT Infrastructures