On Mon, Dec 01, 2025 at 12:54:26PM +0100, Rostislav Svoboda wrote:
> The "genuine Guix development team" currently includes almost 1 500
> people across the world. A sample from git log:

No, it contains only the committers, which are the people signing the commits. And indeed this signing process does not guarantee the security of all the commits (in the sense that no malware is introduced), but it guarantees authenticity as in "these are the official commits of the Guix project". For instance, it helps against rogue clones on a different platform claiming to be the real Guix. And it helps against downgrade attacks, since the signatures authenticate the order of commits. If in addition you build all your packages from source, I think you get more security than with most other distributions (which may not be enough for your situation, in which case you should also do a security audit of all the source code you build).

Andreas
