"Claes Wallin (韋嘉誠)" <[email protected]> writes:

> If I'm interpreting the OP's IT department correctly, this is not about
> trusting guix or Red Hat regarding malice, not about binaries and
> substitutions, but regarding competence and diligence, and the package
> tree. If there are important patches coming out, will they get into
> guix/Red Hat fast enough and will they get to users fast enough?

That’s a valid concern, and there’s not much we can say other than we’ve been doing our best and will continue to do so.

That said, sysadmins don’t have to wait for upstream Guix to provide the patch; in case of urgency, they could easily add the necessary patches to, say, <http://git.savannah.gnu.org/cgit/guix.git/tree/gnu/packages/openssl.scm#n29>, upgrade their software, and share the patch with upstream Guix.

Of course that would be a last resort, and I hope users don’t run into it. But what it means is that users are more independent than with a traditional distro.

Ludo’.
