On 2023-01-13 14:48, Ludovic Courtès wrote:
> [..]
> I think it would be best to error out if multiple channels provide
> same-named files.
> Thoughts?
An alternative to erroring out: how about making it a feature to be able to
specify a precedence order, say in the .guix-channel file. For example,
that

Hi,
On Mon., 16 Jan. 2023 at 10:00, Ludovic Courtès wrote:
>> Well, the assumption for a similar attack using Guix channels is that
>> the user first adds the channel to their channel list. Therefore, they
>> trust what they consider able to be trusted. ;-)
>
> Right, users would have to

Hello,
Simon Tournier writes:
> On Fri., 13 Jan. 2023 at 14:48, Ludovic Courtès wrote:
>
>> Nothing, because the ‘guix’ channel always comes first in the module
>> search path (see ‘%package-module-path’ in (gnu packages)). Good.
>>
>> Now same scenario, but with references to another

Hi,
On Fri., 13 Jan. 2023 at 14:48, Ludovic Courtès wrote:
> Nothing, because the ‘guix’ channel always comes first in the module
> search path (see ‘%package-module-path’ in (gnu packages)). Good.
>
> Now same scenario, but with references to another channel, for example
> (@ (past packages

In the light of the “dependency confusion” attack on PyTorch¹, one might
wonder how such a thing could affect Guix. The threat model is quite
different though because the ‘guix’ channel is peer-reviewed and curated
whereas PyPI isn’t.
Yet, one way to “translate” the attack to Guix is by looking
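As an added illustration (not code from this thread and not Guix's own implementation), the Python script below models the first-match module search path discussed above and reports same-named .scm files provided by more than one channel, which is the collision the thread proposes to error out on. The channel names ("guix", "past", "third") and file layout are constructed for the example; only the "guix comes first" rule is taken from the thread.

```python
# Added example: detect same-named module files across Guix-style channels
# and show which channel wins under first-match search-path precedence.
import tempfile
from pathlib import Path


def find_module_collisions(channel_dirs):
    """channel_dirs: list of (channel_name, root) in search-path order.
    Returns {relative_module_path: [channels providing it]} for every
    module file shipped by more than one channel."""
    seen = {}
    for name, root in channel_dirs:
        for scm in sorted(Path(root).rglob("*.scm")):
            rel = scm.relative_to(root).as_posix()
            seen.setdefault(rel, []).append(name)
    return {rel: names for rel, names in seen.items() if len(names) > 1}


def resolve(channel_dirs, module_rel):
    """Channel whose copy of module_rel is loaded: first match in path order."""
    for name, root in channel_dirs:
        if (Path(root) / module_rel).is_file():
            return name
    return None


def build_demo_channels(base):
    """Constructed sample checkouts (not real channels): 'third' ships a file
    named like a guix module and one named like a 'past' channel module."""
    layout = {
        "guix": ["gnu/packages/python-xyz.scm", "gnu/packages/base.scm"],
        "past": ["past/packages/python.scm"],
        "third": ["gnu/packages/python-xyz.scm", "past/packages/python.scm"],
    }
    dirs = []
    for channel, files in layout.items():
        root = Path(base) / channel
        for f in files:
            (root / f).parent.mkdir(parents=True, exist_ok=True)
            (root / f).write_text(f";; {channel}: {f}\n")
        dirs.append((channel, root))
    return dirs  # guix first, as in %package-module-path


def demo():
    with tempfile.TemporaryDirectory() as base:
        chans = build_demo_channels(base)
        collisions = find_module_collisions(chans)
        winners = {rel: resolve(chans, rel) for rel in collisions}
        # Keep guix first but swap the two third-party channels: the
        # later-added channel now shadows the 'past' module.
        reordered = [chans[0]] + chans[1:][::-1]
        shadowed_by = resolve(reordered, "past/packages/python.scm")
        return collisions, winners, shadowed_by
```

With guix first, the guix module is never shadowed; the ordering between third-party channels is what decides which copy of a colliding module is loaded, which is why an explicit precedence or a hard error is needed.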