Hi Ricardo,
On Thu, 26 Nov 2020 at 22:10, Ricardo Wurmus wrote:
> Certainly, I do not disagree. When someone does extra work to audit the
> code and nobody is there to witness it … “does it make a sound”? :)
Thoughtful as a Chinese koan. :-) I am so grateful for all this extra work.
Cheers,
zimoun writes:
> Hi Ricardo,
>
> On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus wrote:
>> zimoun writes:
>>> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>>>
>>>> However, can anyone point me to, or explain - what is done to audit
>>>> packages in the official Repo in the first place - i.e. how d
Hi,
On Thu, 26 Nov 2020 at 19:07, Phil wrote:
> The important point is that the patch is vetted by the members of
> guix-patc...@gnu.org mail list. And I assume packages which appear
> inappropriate for whatever reason are not accepted by members of this
> list?
Anyone can subscribe to guix-pa
Hi Ricardo,
On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus wrote:
> zimoun writes:
>> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of
Thanks for the reply Simon.
zimoun writes:
> Nothing. It is about trust, as with any distribution. Now, you can
> audit by yourself the source code, compiled by yourself and check if it
> is the same that the substitutes serve you.
I understand that Guix makes the process of reproducibility an
zimoun writes:
> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a
Hi,
On Thu, 26 Nov 2020 at 12:32, Phil wrote:
> However, can anyone point me to, or explain - what is done to audit
> packages in the official Repo in the first place - i.e. how do I know
> that a piece of software supplied to me by Guix is not only
> delivered in a safe/reliable fashion, but is
Hi all,
I can find a few articles that give a good overview of Guix security
with regard to ensuring that what is pulled onto my local server is always a
true representation of the packages as intended by the package authors.
There's also a good process for alerting Guix of potential security is