Re: Mitigating "dependency confusion" attacks on Guix users

2021-02-09 Thread Christopher Baines
Ryan Prior writes: > However, I'm still thinking about how to attack Guix users. Somebody who > adds an internal channel for their own packages could still be > vulnerable to a dependency confusion attack via a compromised or > manipulated Guix maintainer. The target of the attack could install

Re: Mitigating "dependency confusion" attacks on Guix users

2021-02-09 Thread Lars-Dominik Braun
Hi, very interesting read. > However, I'm still thinking about how to attack Guix users. Somebody who > adds an internal channel for their own packages could still be > vulnerable to a dependency confusion attack via a compromised or > manipulated Guix maintainer. The target of the attack could i

Re: ZFS on Guix

2021-02-09 Thread raid5atemyhomework
Hello Danny, > I just wanted to say that I'm not ignoring your patch, I'm just not qualified > to review it. I hope someone steps up to it--otherwise I can't really tell > whether (mbegin %state-monad...) inside a random service procedure is a good > idea. > > Then again, provenance-service-type d

Unexpected --export-manifest with simple transformations

2021-02-09 Thread zimoun
Hi, If the transformations are in the manifest.scm file, then they are lost. For example, consider: --8<---cut here---start->8--- $ guix package \ -p /tmp/profile-cli \ -i python python-numpy \ hello --with-c-toolchain=hello=gcc-toolchain@

Mitigating "dependency confusion" attacks on Guix users

2021-02-09 Thread Ryan Prior
Hi Guix! I've been digesting this piece, published hours ago, describing dependency confusion attacks that revealed severe vulnerabilities at many major organizations: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610 Guix users already have a few mitigations against this sort of

Re: Staging branch [substitute availability]

2021-02-09 Thread Ricardo Wurmus
Hi Mathieu, sorry for missing this message (and all the others). Leo pointed me to this message on IRC. (Thanks!) > The easier way to proceed could be to create a VPN for the remote build > machines that are not on berlin local network. Wireguard could be a good > candidate. That would mean th

Re: Guix Day: Notes from the CI session

2021-02-09 Thread Leo Famulari
On Mon, Feb 08, 2021 at 06:07:25PM +0100, Ludovic Courtès wrote: > ## Open issue: branching strategy > > - currently: building all of `master` + the "core" of `core-updates` > - schedule > - currently ad-hoc: volunteers get to choose when to freeze/merge > - actions > - pushes to `co

Re: Guix Day: Notes from the CI session

2021-02-09 Thread Leo Famulari
On Mon, Feb 08, 2021 at 06:07:25PM +0100, Ludovic Courtès wrote: > ## Open issue: new machines > > - fast ARM servers available > - criteria for hardware? > - must run free system (stock Guix System) > - hosting? > - the MDC (in Berlin) wouldn't host Guix-specific non-x86 servers >

The Guix Build Coordinator in 2021

2021-02-09 Thread Christopher Baines
Hey! Near the beginning of 2020, things changed such that I suddenly had some time, and some of that time I spent putting ideas I'd had for a while around building derivations, including across multiple machines, into practice [1]. 1: https://lists.gnu.org/archive/html/guix-devel/2020-04/msg003

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread zimoun
On Tue, 9 Feb 2021 at 19:11, Bonface Munyoki K. wrote: > Also to add to what Léo mentioned, "awesome" lists > are a quick way to get up to speed to some things; Yeah, I thought it was the idea behind the Cookbook. :-) Well, the bottleneck with this (whatever the name ;-)) is recruiting people w

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread Bonface Munyoki K .
zimoun writes: > Hi, > > On Tue, 9 Feb 2021 at 17:16, Léo Le Bouter wrote: > >> Commonly awesome lists are used to share links to all things related to >> some topic or some software. This list's purpose is for anyone to be >> able to easily get up to speed with what exists instead of having to

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread zimoun
Hi, On Tue, 9 Feb 2021 at 17:16, Léo Le Bouter wrote: > Commonly awesome lists are used to share links to all things related to > some topic or some software. This list's purpose is for anyone to be > able to easily get up to speed with what exists instead of having to > know each and every one

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread Léo Le Bouter
On Tue, 2021-02-09 at 12:56 +0100, zimoun wrote: > Hi Léo, > Hello! > On Tue, 9 Feb 2021 at 12:19, Léo Le Bouter > wrote: > > > I created an awesome-guix list at > > https://git.sr.ht/~lle-bout/awesome-guix#awesome-guix > > Sorry, I have probably missed the info: what is the aim of awesome- > g

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread Léo Le Bouter
On Tue, 2021-02-09 at 15:19 +0100, Tobias Geerinckx-Rice wrote: > On 2021-02-09 12:56, zimoun wrote: > > Sorry, I have probably missed the info: what is the aim of > > awesome-guix? > > Same here! This looks like an awesome list but the name doesn't do > it > justice. > > Another possible prob

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread Tobias Geerinckx-Rice
On 2021-02-09 12:56, zimoun wrote: Sorry, I have probably missed the info: what is the aim of awesome-guix? Same here! This looks like an awesome list but the name doesn't do it justice. Another possible problematic word *if* you intend this as a Guix community resource:

Re: [DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Leo Prikler
Am Dienstag, den 09.02.2021, 11:22 +0100 schrieb Hartmut Goebel: > Am 09.02.21 um 11:06 schrieb Leo Prikler: > > Depends on the package. If it gets propagated into the build > > environment, the variable is set as well. At other times, it might > > be > > set through the wrap phase for runtime pu

Re: Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread zimoun
Hi Léo, On Tue, 9 Feb 2021 at 12:19, Léo Le Bouter wrote: > I created an awesome-guix list at > https://git.sr.ht/~lle-bout/awesome-guix#awesome-guix Sorry, I have probably missed the info: what is the aim of awesome-guix? Cheers, simon

Discover GNU Guix eco-system with awesome-guix!

2021-02-09 Thread Léo Le Bouter
Hello! I created an awesome-guix list at https://git.sr.ht/~lle-bout/awesome-guix#awesome-guix Please contribute new items by email with patches to ~lle-bout/awesome-guix-de...@lists.sr.ht! No promotion of proprietary software please :-) Léo

Re: [DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Hartmut Goebel
Am 09.02.21 um 11:06 schrieb Leo Prikler: Depends on the package. If it gets propagated into the build environment, the variable is set as well. At other times, it might be set through the wrap phase for runtime purposes. This makes me think whether the wrap-phase of the qt-build-system does

Re: [DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Raghav Gururajan
Hi Leo! Both search-paths and native-search-paths are expanded in a build environment to form an environment variable. search-paths works on inputs whereas native-search-paths works on native-inputs. In addition, native-search-paths also end up in your $GUIX_PROFILE/etc/profile. So it is lik

Re: [DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Leo Prikler
Am Dienstag, den 09.02.2021, 04:56 -0500 schrieb Raghav Gururajan: > Hi Leo! > > > Both search-paths and native-search-paths are expanded in a build > > environment to form an environment variable. search-paths works on > > inputs whereas native-search-paths works on native-inputs. In > > additi

Re: [DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Raghav Gururajan
Hi Leo! Both search-paths and native-search-paths are expanded in a build environment to form an environment variable. search-paths works on inputs whereas native-search-paths works on native-inputs. In addition, native-search-paths also end up in your $GUIX_PROFILE/etc/profile. So it is lik

[DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Leo Prikler
Hello, Both search-paths and native-search-paths are expanded in a build environment to form an environment variable. search-paths works on inputs whereas native-search-paths works on native-inputs. In addition, native-search-paths also end up in your $GUIX_PROFILE/etc/profile. Regards, Leo

[DOUBT]: native-search-paths VS search-paths

2021-02-09 Thread Raghav Gururajan
Hello Guix! In the package-reference, there are fields called native-search-paths and search-paths. Unfortunately, the corresponding page (https://guix.gnu.org/manual/en/html_node/package-Reference.html) in the manual doesn't explain much. In my experience of packaging I could understand vagu

Re: Unreproducible “guix pack -f docker” because config.scm-builder

2021-02-09 Thread Ludovic Courtès
Hi, zimoun skribis: > On Sat, 06 Feb 2021 at 22:46, Ludovic Courtès wrote: > >> See? One has just 1 link (did you disable deduplication on that one?), >> the other has 5 links. > > Yes, I see but I do not understand why. I have not changed, well, only > the number of cores and jobs: > > Exe

Guix Day: Notes from the Bootstrap session

2021-02-09 Thread Jan Nieuwenhuizen
Hello Guix! Attached the notes from the "Bootstrap what's next" session yesterday. Greetings, Janneke - Branch wip-arm-bootstrap is getting ready but stuck at glibc-mesboot0, when finished: release mes-0.23. - Branch wip-full-source-bootstrap is ready for review; wait with merge until wip-a

Re: Unreproducible “guix pack -f docker” because config.scm-builder

2021-02-09 Thread zimoun
Hi, On Tue, 9 Feb 2021 at 09:35, Ludovic Courtès wrote: > Pushed as 18a4882e3029a084d2f0c63d9d0148682a854546, thank you! Thanks! Your comment is better than the none of mine. ;-) I have not tried yours but I confirm with mine which is the same, the issue is fixed. :-) Cheers, simon