On Tue, Nov 12, 2024 at 05:49:13PM +0100, Nicolas Graves wrote:
> On 2024-11-12 09:50, Suhail Singh wrote:
>
> > I was under the impression that the build phase in guix is always
> > containerized and without network access. Could you please elaborate on
> > this?
>
> Building a package yes, but
Nicolas Graves writes:
> Building a package yes, but you can have external commands in a
> manifest.scm or guix.scm.
>
> ...
>
> What I was saying is that we could restrain recording `guix shell --allow`
> only if the manifest builds properly containerized and without network
> access (outside pa
On 2024-11-12 09:50, Suhail Singh wrote:
> I was under the impression that the build phase in guix is always
> containerized and without network access. Could you please elaborate on
> this?
Building a package yes, but you can have external commands in a
manifest.scm or guix.scm. Saku provided
Nicolas Graves writes:
> My last message to Saku basically agreed to this ;)
Yes, my bad for only noticing that message after having sent mine.
Whoops.
> I'm actually willing to improve that patch series if you have better
> ideas/implementations, I was just building on what I know
> (direnv/.d
On 2024-11-11 20:46, Suhail Singh wrote:
> Saku Laesvuori via Bug reports for GNU Guix writes:
>
>> Anyway, I am not opposed to this change. The only effects for my use
>> cases are positive (nicer UI with the --allow flag). I just want to
>> point out that I don't think this makes any attacks si
Saku Laesvuori via Bug reports for GNU Guix writes:
> Anyway, I am not opposed to this change. The only effects for my use
> cases are positive (nicer UI with the --allow flag). I just want to
> point out that I don't think this makes any attacks significantly
> harder.
FWIW, this summarizes my
On 2024-11-11 09:54, Saku Laesvuori wrote:
> Is it common to source other files from direnv or do people normally
> just set environment variables and run programs from system PATH? If
> sourcing other files is very rare with direnv and very common with guix
> shell, comparing the security models
> > I do agree that it seems more convenient to run `guix shell --allow`
> > than copy a rather long line from the hint and run it to append a line
> > to shell-authorized-directories.
> >
> > Authorizing files instead of directories does not seem that great of an
> > idea to me. I doubt it really
On 2024-11-10 11:58, Saku Laesvuori wrote:
>
> I do agree that it seems more convenient to run `guix shell --allow`
> than copy a rather long line from the hint and run it to append a line
> to shell-authorized-directories.
>
> Authorizing files instead of directories does not seem that great of a
On Sat, Nov 09, 2024 at 03:12:44PM +0100, Nicolas Graves wrote:
> On 2024-09-11 16:11, Nicolas Graves wrote:
>
> >> That option would add a line to ‘shell-authorized-directories’?
> >
> > Yes. Actually I would like to develop a little more after thinking about
> > that.
> >
> > Let's say you git pu
On 2024-09-11 16:11, Nicolas Graves wrote:
>> That option would add a line to ‘shell-authorized-directories’?
>
> Yes. Actually I would like to develop a little more after thinking about
> that.
>
> Let's say you git pull code from a guix-shell-authorized repo and the
> pull includes some potentia
On 2024-09-11 11:52, Ludovic Courtès wrote:
> Hi,
>
> Nicolas Graves skribis:
>
> Is it that clear-cut? It can be viewed as config rather than state too,
> no?
Possibly, though I'm not sure which use-case will make more sense using
this file as config rather than state.
In my use-case I tried
Hi,
Nicolas Graves skribis:
> According to current uses of the XDG base dirs specification, I think
> guix shell-authorized-directories is in the wrong place, and should
> instead be in $XDG_STATE_HOME/guix/
>
> direnv uses $XDG_STATE_HOME too to store authorized directories, and it
> also makes
According to current uses of the XDG base dirs specification, I think
guix shell-authorized-directories is in the wrong place, and should
instead be in $XDG_STATE_HOME/guix/
direnv uses $XDG_STATE_HOME too to store authorized directories, and it
also makes more sense in the context of immutable c