What’s in a package

  • This is a great article, that touches on issues like reproducible builds and software supply chain security. It also highlights the problem that some software can lack what we might call "reproducible source":

    > In their ESEC/FSE 2021 paper on LastPyMile, Duc-Ly Vu et al. empirically show that “the last mile from source to package” on PyPI is indeed the weakest link in the software supply chain, and that actual differences between packaged source code and upstream source code are observed in the wild.

    There was a clever attempt to solve this problem in the JavaScript/npm ecosystem a few years ago, but sadly it never became officially supported:

    https://hackernoon.com/what-if-we-could-verify-npm-packages-...
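The "last mile" problem the comment quotes is checkable in practice: unpack the published sdist, check out the tagged upstream source, hash every file on both sides and diff the two maps. The following is an added example (not code from the article, the LastPyMile paper, or the linked npm proposal). The two directory trees, the injected `demo/_postinstall.py` module and the extra `setup.py` line are constructed inside a temp dir so it runs offline; the allowlist of sdist-only metadata (`PKG-INFO`, `*.egg-info`, `.git`) is an assumption you would tune per project.

```python
"""Last-mile check: does a packaged source tree match its upstream tree?

Added example, not from the article or the LastPyMile paper. It hashes
every file under two directory trees (think: a `git checkout` of the
release tag vs. an unpacked sdist) and reports what the package adds,
drops, or changes. The sample trees below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Files a PyPI sdist legitimately contains that are absent upstream
# (written by setuptools at packaging time). Assumption: this allowlist
# is project-specific; keep it small rather than ignoring everything.
DEFAULT_IGNORE = {"PKG-INFO"}


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digest(root: Path, ignore=DEFAULT_IGNORE) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune VCS metadata and generated *.egg-info directories in place.
        dirnames[:] = [d for d in dirnames
                       if d != ".git" and not d.endswith(".egg-info")]
        for name in filenames:
            if name in ignore:
                continue
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.is_symlink():
                # Record the link target itself, not whatever it points at.
                out[rel] = "symlink:" + os.readlink(p)
            else:
                out[rel] = _sha256(p)
    return out


def compare_trees(upstream: Path, packaged: Path) -> dict:
    """Return files only in the package, only upstream, and changed in between."""
    up, pk = tree_digest(upstream), tree_digest(packaged)
    return {
        "added": sorted(set(pk) - set(up)),
        "removed": sorted(set(up) - set(pk)),
        "modified": sorted(p for p in set(up) & set(pk) if up[p] != pk[p]),
    }


def _write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo() -> dict:
    """Constructed scenario: the sdist ships an extra module and a modified setup.py."""
    with tempfile.TemporaryDirectory() as tmp:
        up = Path(tmp) / "upstream"
        pk = Path(tmp) / "sdist"
        common = {
            "setup.py": "from setuptools import setup\nsetup(name='demo')\n",
            "demo/__init__.py": "VERSION = '1.0'\n",
            "README.md": "# demo\n",
        }
        for rel, text in common.items():
            _write(up, rel, text)
            _write(pk, rel, text)
        _write(up, ".git/HEAD", "ref: refs/heads/main\n")        # pruned VCS dir
        _write(pk, "PKG-INFO", "Name: demo\n")                   # expected sdist metadata
        _write(pk, "demo.egg-info/SOURCES.txt", "setup.py\n")    # pruned generated dir
        # The "last mile" tampering: package content diverges from the tagged source.
        _write(pk, "setup.py", common["setup.py"] + "import demo._postinstall\n")
        _write(pk, "demo/_postinstall.py", "print('only in the sdist')\n")
        return compare_trees(up, pk)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Anything in `added` or `modified` that is not covered by the allowlist is exactly the kind of divergence the paper reports in the wild; treat it as a finding to explain, not noise to suppress, and keep the allowlist explicit so a new sdist-only file cannot slip in unnoticed.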

  • Fascinating write-up!

    Reproducible builds are highly important indeed, though from a security perspective we shouldn't assume we're secure because we can reproduce the build.

    As Ken Thompson shows us in Reflections on Trusting Trust: backdoors can live in binary form only and the source code may not be telling the full story.

    What we need to trust are the entities writing and distributing the packages, of everything. Sadly, today there is no way to answer: what is the set of entities I'm trusting by using this package?

  • Another huge plus for source-based package managers not elaborated in this article is how easy transformations are [1], so you can rebuild your software with different compilers, dependency versions, source branches, etc., often from a single command.

    [1] https://guix.gnu.org/manual/en/html_node/Package-Transformat...

  • I didn't know what Guix was, so I clicked on the "About" page (https://hpc.guix.info/about/).

    > Guix-HPC is an effort to optimize [GNU Guix] for reproducible scientific workflows in high-performance computing (HPC).

    OK, this is like GNU Guix, but for HPC systems (which are helpfully defined). But what is "GNU Guix", though? OK, I will click the link (https://guix.gnu.org/):

    > *Liberating*. Guix is an advanced distribution of the [GNU operating system] developed by the GNU Project—which respects the freedom of computer users.

    I happen to know what GNUOS is, otherwise I would have to click on yet another link to find out what it is (the name at least suggests it's an operating system).

    Guix needs extra help on the initial copy page, though. It is "more advanced" than GNUOS... does that mean that GNUOS isn't "advanced" (how so)? It also says that Guix "respects the freedom of computer users". That seems to imply that GNUOS does not. Is that the case?

    TL;DR: The "about" page in guix-hpc and guix should start with "Guix/Guix-hpc is an operating system." Then they can talk about how they're based on this and that. And Guix's front-page copy text needs to be completely rewritten.