zimoun <[email protected]> writes:
> Hi,
>
> On Thu, 26 Nov 2020 at 12:32, Phil <[email protected]> wrote:
>
>> However, can anyone point me to, or explain - what is done to audit
>> packages in the official Repo in the first place - i.e. how do I know
>> that a piece of software supplied to me by Guix is not only
>> delivered in a safe/reliable fashion, but is also free from malware
>> potentially introduced by the authors/maintainers themselves?
>
> Nothing.

It’s a little more than nothing in some cases. For example, there was extensive work to gain confidence that Ungoogled Chromium does not phone home. Generally, anti-features such as update checkers that phone home are patched out.

We generally take the code as is, however, and don’t assume that every bit of free software out there is malware in disguise until it is demonstrated beyond reasonable doubt that this is not the case. That would neither be feasible nor would it guarantee satisfactory results.

--
Ricardo
