On 17-02-12 13:23:09, Hartmut Goebel wrote:
> On 09.02.2017 at 23:50, Ludovic Courtès wrote:
> > I think the only reason to separate things usually is size, not
> > “aesthetics.” So I’d be in favor of keeping both in the same output if
> > there’s no size problem.
>
> Separating clients and servers is not an "aesthetic" thing. It's a
> matter of security.
>
> One basic rule for hardening systems is: "only install the required
> software". If we munge server and clients packages, this obeys this rule.
>
> In my day-business I'm a security consultant (CISSP, CSSLP and ISO
> 27001 Lead Implementer). And from my point of view Guix already has a
> medium problem of acceptance since it munges development-files and
> run-time files into one package - as we do for all libraries. This
> already contradicts the above mentioned basic rule.
>
> Now if Guix starts munging server and client components into one
> package, this plain disqualifies GuixSD from any security sensitive
> system. [*]
>
> [*] OTOH it opens up chances for big business: selling "Secure GuixSD"
> to customers.
>
> --
> Regards
> Hartmut Goebel
>
> | Hartmut Goebel | [email protected] |
> | www.crazy-compilers.com | compilers which you thought are impossible |

Exactly why I think we should do this, with a more detailed reasoning.
Thanks!
--
ng0 -- https://www.inventati.org/patternsinthechaos/
