guix-devel

Re: Next Steps For the Software Heritage Problem


From: Dale Mellor
Subject: Re: Next Steps For the Software Heritage Problem
Date: Fri, 21 Jun 2024 09:41:10 +0100
User-agent: Evolution 3.48.4

On Thu, 2024-06-20 at 22:59 +0200, Ekaitz Zarraga wrote:
> Hi,
> 
> On 2024-06-20 22:54, Andreas Enge wrote:
> > Am Thu, Jun 20, 2024 at 07:42:44PM +0100 schrieb Dale Mellor:
> > > I'm sure guix lint tried to push my code out to them the last time I
> > > tried.
> > 
> > Ah indeed, there is this in guix/lint.scm:
> > 
> > So it does not push code, but a URL from which the code can be downloaded.
> > Thus it requires the code to be available from the Internet; local code
> > is "safe" from SWH.

   But this is still leaking information.

> > Now I do not know what will happen if you save your code as a git
> > repository at a hidden URL. For instance, does SWH check the license?
> > I would hope so.

   Hope is not really good enough; there needs to be certainty in this.

> 
> For this specific case we could add some flag to the command line like 
> `--do-not-archive` or something like that.

   `-x archival` does it, but it is too easy to forget and once the cat is out
of the bag privacy is lost.  I really think this should be default behaviour, or
at least there should be a flag in the package definition.  I would still be
uncomfortable with the last option, as everyone would be relying on the
collective of Guix maintainers to not screw up and accidentally leak private
data.

Dale



