[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Security of packages in official repo
|
From: |
Phil |
|
Subject: |
Security of packages in official repo |
|
Date: |
Thu, 26 Nov 2020 12:32:05 +0000 |
|
User-agent: |
mu4e 1.2.0; emacs 26.3 |
Hi all,
I can find a few articles that give a good overview of Guix security
with regard to ensuring that what is pulled onto my local server is always a
true
representation of the packages as intended by the package authors.
There's also a good process for alerting Guix of potential security issues.
However, can anyone point me to, or explain - what is done to audit
packages in the official Repo in the first place - i.e. how do I know
that a piece of software supplied to me by Guix is not only
delivered in a safe/reliable fashion, but is also free from malware potentially
introduced by the authors/maintainers themselves?
How are new packages or updates audited or reviewed before being accepted
into Guix's official repo?
It's a paranoid question I know - but it's a regular one on security
audits to sign-off software use.... I know that nobody is going to audit
every single line of code of every package, but knowing that some
process exist is normally enough to satisfy the audit?
A similar question and fairly reassuring answer from the Ubuntu Security
Team is given here - I was hoping to find something similar for Guix:
https://askubuntu.com/questions/1186039/are-ubuntu-packages-security-audited
Thanks,
Phil