On Fri, Jul 03, 2015 at 12:38:49AM +0000, Cook, Malcolm wrote:
> The sys admin at my institute expresses concern that we would
> potentially expose ourselves to additional security risk by building
> scientific software stack in Guix where we might depend on alternate
> versions of, say, openssl.
>
> Do you agree this is a reasonable concern, and, if so, is there a
> "position statement" on the matter?
>
> I'm guessing this is in part a matter of trust - i.e. do we trust
> GNU/guix gang as much as, say the Red Hat/CentOS gang. Or am I
> perhaps misunderstanding the consideration?
If openssl security is a concern, that would mostly be relevant for packages that may have root privileges and/or run as an internet service. When it comes to such exploits Red Hat and others do fix and distribute them - which comes as public information. It is not in their interest to hide fixes (even if they could). It is not the nature of FOSS. That means GNU Guix will be one of the first to pick fixes up, as there are ample people running GNU Guix that are concerned about their servers, and GNU Guix packages can be updated quickly and incrementally (Guix does not need special security repositories).

Note that most real-world exploits are based on systems running older software. GNU Guix packages tend to be very up-to-date, though it depends on the admin to keep track of that for a running system. I would be very happy to run GNU Guix for critical services (such as ssh-server).

I could write a much longer E-mail, but I think what you should do is avoid discussing particular privileged services and convince the system administrator that all privileged services can still be Red Hat/CentOS packages (so 'safe' in his book). All you are installing is user-land software in a nice and controlled environment. That is no different from compiling packages by hand and installing them in $HOME. To run the installed software as privileged you still need to start it as root. Therefore GNU Guix-installed packages can do no more harm than self-built software. A good system administrator should be able to grasp that.

Maybe you can have your system administrator speak with Ricardo's system administrators. They allowed the cluster-wide network mount in an academic setting. In science we have to be able to install our own software on compute clusters. The current (and common) build-it-yourself-in-$HOME route is laborious and error-prone.
The reason I am investing in GNU Guix is that I now have a packaging system that allows me to leverage and share package management with other scientists, and it goes some way towards reproducible science. It is a great step forward. The environments that 'get' this quickest will do better than others at supporting science. It is just a matter of time before our way of deploying software becomes the norm.

I hope that helps.

Pj.
