Thanks for the reply, Simon. zimoun writes:

> Nothing. It is about trust, as with any distribution. Now, you can
> audit by yourself the source code, compiled by yourself and check if it
> is the same that the substitutes serve you.

I understand that Guix makes the process of reproducibility and auditing much more rock-solid than most other distributions - and this more than satisfies any requirements I have for proving that software package X is a true representation of source code X, built with toolchain Y.

This is great - but my question is more mundane than that. The good news is I think it's answered here: https://guix.gnu.org/manual/en/guix.html#Submitting-Patches

Say I have a new piece of software I've developed and I want to make it available through Guix's official repo. I define a new Guix package for that app - and create a patch for it. The important point is that the patch is vetted by the members of the [email protected] mailing list. And I assume packages which appear inappropriate for whatever reason are not accepted by members of this list?

This is different to PyPI, for example, where (I believe) anyone can upload any content and have the public downloading it immediately without any approval or vetting - it's pretty Wild West. This makes some institutions unwilling to give students/employees/etc. access to systems like PyPI... but on other systems where there is a degree of scrutiny required (such as patch vetting on Guix) - this can make a world of difference in terms of getting a tick in the right box. Whether there is wisdom or any real protection is a separate question of course (nobody will guarantee every line of every source repo!), but nevertheless, from a practical point of view, it can prove useful in getting software like Guix adopted - which is what I'm keen to do.

As a workaround it would seem perfectly possible to host a private Guix channel with a subset of packages on it that have been internally vetted, but it would be more in the spirit of Guix to contribute and use the official package repo.

Thanks - hopefully I haven't overly laboured my point!

Phil
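The private-channel workaround mentioned above can be combined with Guix's channel authentication so that only commits signed by the organisation's own reviewers are ever pulled. The following `channels.scm` is an added example for illustration, not something from Phil's message or from the Guix project; the channel name, URL, commit hash and OpenPGP fingerprint are placeholders and must be replaced with the real values from the internal repository.

```scheme
;; ~/.config/guix/channels.scm -- constructed example, not from the message.
;; Adds an internal, vetted channel alongside the official default channels.
;; The channel introduction pins the first authorised commit and the key
;; that signed it, so `guix pull` rejects any history that is not signed
;; by a key listed in the channel's .guix-authorizations file.
(cons (channel
        (name 'internal-vetted)                 ; placeholder channel name
        ;; Placeholder URL for the organisation's private channel repository.
        (url "https://git.example.org/internal-vetted-channel.git")
        (branch "main")
        (introduction
         (make-channel-introduction
          ;; Placeholder: full hash of the first commit signed by a reviewer.
          "0000000000000000000000000000000000000000"
          ;; Placeholder: OpenPGP fingerprint of the key that signed it.
          (openpgp-fingerprint
           "0000 0000 0000 0000 0000  0000 0000 0000 0000 0000"))))
      %default-channels)
```

With this in place, `guix pull` authenticates the internal channel's commit history before using any of its package definitions, which gives an institution a verifiable gate matching the "vetted subset" idea. Independently of channels, `guix challenge` compares locally built outputs against the substitutes served by configured servers, which is the practical form of the "build it yourself and compare" check zimoun describes.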
