On Thu, 2024-06-20 at 22:59 +0200, Ekaitz Zarraga wrote:
> Hi,
> 
> On 2024-06-20 22:54, Andreas Enge wrote:
> > On Thu, Jun 20, 2024 at 07:42:44PM +0100, Dale Mellor wrote:
> > > I'm sure guix lint tried to push my code out to them the last time I
> > > tried.
> > 
> > Ah indeed, there is this in guix/lint.scm:
> > 
> > So it does not push code, but a URL from which the code can be downloaded.
> > Thus it requires the code to be available from the Internet; local code
> > is "safe" from SWH.

   But this is still leaking information.

> > Now I do not know what will happen if you save your code as a git
> > repository at a hidden URL. For instance, does SWH check the license?
> > I would hope so.

   Hope is not really good enough; there needs to be certainty in this.

> 
> For this specific case we could add some flag to the command line like 
> `--do-not-archive` or something like that.

   `-x archival` does it, but it is too easy to forget and once the cat is out
of the bag privacy is lost.  I really think this should be default behaviour, or
at least there should be a flag in the package definition.  I would still be
uncomfortable with the last option, as everyone would be relying on the
collective of Guix maintainers to not screw up and accidentally leak private
data.

Dale

