Hi Ricardo,

On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <rek...@elephly.net> wrote:

> zimoun <zimon.touto...@gmail.com> writes:
>
>> On Thu, 26 Nov 2020 at 12:32, Phil <p...@beadling.co.uk> wrote:
>>
>>> However, can anyone point me to, or explain - what is done to audit
>>> packages in the official Repo in the first place - i.e. how do I know
>>> that a piece of software supplied to me by Guix is not only
>>> delivered in a safe/reliable fashion, but is also free from malware
>>> potentially introduced by the authors/maintainers themselves?
>>
>> Nothing.

The correct quote is: «Nothing. It is about trust, as with any distribution.»

> It’s a little more than nothing in some cases. For example, there was
> extensive work to gain confidence that Ungoogled Chromium does not phone
> home. Generally, anti-features such as update checkers that phone home
> are patched out.
>
> We generally take the code as is, however, and don’t assume that every
> bit of free software out there is malware in disguise until it is
> demonstrated beyond reasonable doubt that this is not the case. That
> would neither be feasible nor would it guarantee satisfactory results.

Even if I agree, and your complement makes total sense, and for sure I thank everyone a lot for all the tough collective work done, I still claim that "you do not know that a piece of software supplied to you by <name-it> is free from malware potentially introduced by <whatever>". The only way to know is to audit it yourself and compile it yourself, using a toolchain that you audited yourself.

Therefore, it is about trust. The question is: what does Guix do to be trust-able? I think all the code around speaks for itself. And personally I trust the people doing that job and then pushing to Guix.

Cheers,
simon