Re: List of installed package, version pairs

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: List of installed package, version pairs

From:	Giovanni Biscuolo
Subject:	Re: List of installed package, version pairs
Date:	Fri, 18 Jan 2019 09:36:22 +0100

Hi Jack,

Jack Hill <address@hidden> writes:

> It seems that work has noticed the GuixSD host that I brought into the 
> office. The security office maintains a risk profile be collecting lists 
> of installed packages,

this may seem "tangent" but I think your is a *very* interesting use
case, others gave you some tips on how to get a list of "installed
packages" but I'm (others?) very interested in _how_ your security
office use this list to evaluate a "risk profile"

Jack: do you have any info you could share on this please? your use case
could be the use case (or "class" of use cases) of thousand of potential
Guix users

all of us here are *very* concerned about the security risk of our
installed binaries, this is the reason we are seeking a reproducible
*and* bootsrappable based "software environment" like Guix

...unless your security team is keeping an internal list of applications
and associated risk level, but _how_ to reliably assess that?
i.e. are they fine with "Oracle DBMS" installed via a Docker bundle?
would they be fine if you brought a Windows10 host into the office?

as a *sysadmin* and user (*not* as part of the developers community) I'd
like to _forget_ the "sysadmin/user accessed risk profile" (an
illusion?) of my binaries and choose them for their features alone

maybe your security team could share their views with the Guix community
so we can better understand their concerns

if I were a member of your security team I'd say: «uhm... Guix, Ok show
me your channels» ;-)

e.g. Ricardo Wurmus yesterday in this thread said:

> I’m curious to know if the security folks would also object to you
> building packages from source without Guix.  Do they ask everyone with a
> compiler to provide a list of dependencies?

this is an interesting point: AFAIK it's common practice by sysadmins in
"corporate" infrastructures to forbid users installing packages in /usr
and alike and sometimes /home is also mounted noexec :-O... so maybe
they manage to also systematically forbid users from executing
self-compiled binaries

...but is it an effective security policy?

Thanks
Giovanni

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

signature.asc
Description: PGP signature

[Prev in Thread]

Current Thread

[Next in Thread]

List of installed package, version pairs, Jack Hill, 2019/01/09
- Re: List of installed package, version pairs, Efraim Flashner, 2019/01/10
  - Re: List of installed package, version pairs, Jack Hill, 2019/01/15
    - Re: List of installed package, version pairs, Gábor Boskovits, 2019/01/16
    - Re: List of installed package, version pairs, Jack Hill, 2019/01/16
    - Re: List of installed package, version pairs, Ricardo Wurmus, 2019/01/17
- Re: List of installed package, version pairs, Giovanni Biscuolo <=

Prev by Date: Re: Scheme package installation script
Next by Date: Re: Geiser manual lookups broken with Guile
Previous by thread: Re: List of installed package, version pairs
Next by thread: Where is gtk-update-icon-cache ... ?
Index(es):
- Date
- Thread