On Jul 3, 2015 6:44 AM, "John Darrington" <[email protected]> wrote: > On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote:
>> The sys admin at my institute expresses concern that we would potentially expose ourselves to additional security risk by building scientific software stack in Guix where we might depend on alternate versions of, say, openssl. > When you install (say Redhat), like you say, you have to trust that Redhat > hasn't (deliberately or maliciously) put malware into any of the MANY THOUSAND > binaries that make up the OS. If I'm interpreting the OP's IT department correctly, this is not about trusting guix or Red Hat regarding malice, not about binaries and substitutions, but regarding competence and diligence, and the package tree. If there are important patches coming out, will they get into guix/Red Hat fast enough and will they get to users fast enough? The IT department does have a point. First, Red Hat has a billion dollar turnover and hundreds of developers and integrators and a full-time security team. Guix has a handful to a few dozen volunteers, depending on how you count. Second, users manage packages themselves, which could lead to a user running on a two-year-old OpenSSL because they didn't do guix package -u. On the other hand, vulnerabilities are the most serious when they are in network-accessible services, which are probably run by the IT department using commercial or commercial-derived packages. I would kindly ask the sysadmin to chill. Or contribute to guix when CentOS gets an OpenSSL security patch. ;-)
