Hi all, I can find a few articles that give a good overview of Guix security with regard to ensuring that what is pulled onto my local server is always a true representation of the packages as intended by the package authors.
There's also a good process for alerting Guix of potential security issues. However, can anyone point me to, or explain - what is done to audit packages in the official Repo in the first place - i.e. how do I know that a piece of software supplied to me by Guix is not only delivered in a safe/reliable fashion, but is also free from malware potentially introduced by the authors/maintainers themselves? How are new packages or updates audited or reviewed before being accepted into Guix's official repo? It's a paranoid question I know - but it's a regular one on security audits to sign-off software use.... I know that nobody is going to audit every single line of code of every package, but knowing that some process exist is normally enough to satisfy the audit? A similar question and fairly reassuring answer from the Ubuntu Security Team is given here - I was hoping to find something similar for Guix: https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited Thanks, Phil