On Monday, October 18th, 2021 at 7:40 AM, Ludovic Courtès <ludovic.cour...@inria.fr> wrote:
> Hi Ryan,
>
> How would we define “bad” though?

A definition isn't necessary, this can be an "I know it when I see it" thing. If we have an oops or discover an issue, and say oh darn that lives in the repo forever now, we'd be able to leave a note to all who try in the future to visit impacted commits that all was not well. Some of this is already captured by our CVE scanning feature, but other things (like your hypothetical "somebody snuck a bad `sed` in!") would benefit from yet more explanation. We don't need a perfect and complete definition of "bad" to agree that any commit where `sed` is actually `grep` (or malware) is a bad commit & merits a warning. This should not interfere with people who want to keep using their pinned version of Guix & aren't impacted by the bad package, which remains useful as you note.