zimoun <[email protected]> writes:
> Hi Ricardo, > > On Thu, 26 Nov 2020 at 17:51, Ricardo Wurmus <[email protected]> wrote: >> zimoun <[email protected]> writes: >>> On Thu, 26 Nov 2020 at 12:32, Phil <[email protected]> wrote: >>> >>>> However, can anyone point me to, or explain - what is done to audit >>>> packages in the official Repo in the first place - i.e. how do I know >>>> that a piece of software supplied to me by Guix is not only >>>> delivered in a safe/reliable fashion, but is also free from malware >>>> potentially >>>> introduced by the authors/maintainers themselves? >>> >>> Nothing. > > The correct quote is: «Nothing. It is about trust, as with any > distribution.» […] > Therefore, it is about trust. Certainly, I do not disagree. When someone does extra work to audit the code and nobody is there to witness it … “does it make a sound”? :) All dilligence here is trust with extra steps, but it still is trust-based. -- Ricardo
