GNU bug report logs - #50960
[PATCH 00/10] Add 'guix shell' to subsume 'guix environment'
Reported by: Ludovic Courtès <ludo <at> gnu.org>
Date: Sat, 2 Oct 2021 10:22:02 UTC
Severity: normal
Tags: patch
Done: Ludovic Courtès <ludo <at> gnu.org>
Bug is archived. No further changes may be made.
Message #128 received at 50960 <at> debbugs.gnu.org (full text, mbox):
On Mon, Oct 04, 2021 at 10:22:54AM +0200, Ludovic Courtès wrote:
> "pelzflorian (Florian Pelz)" <pelzflorian <at> pelzflorian.de> wrote:
> > Let’s say I have downloaded undesirable code to a file
> > /home/florian/Downloads/guix.scm and am hacking on source code in
> > /home/florian/Downloads/something/ where I run `guix shell`, but
> > /home/florian/Downloads/something/ does not in fact contain a
> > guix.scm file. Now I’d have accidentally run the other guix.scm.
>
> Sure, but it’s all under your control; it’s not very different from
> someone knowingly running “guix build -f guix.scm” on an untrusted file,
> is it?

What I meant is that I may wrongly expect a guix.scm file in
/home/florian/Downloads/something/, but it is not there, so things go
awry.

`guix shell` loading files by default would mean one would have to pay
attention to what one is doing, unlike `guix environment`. For
example, not save unrelated (not even malicious) code by the name
guix.scm, and not run guix commands without inspecting what they’d do.
This I don’t like.

> We have the advantage that ‘guix shell’ is a new command, so we can
> document it from the start as behaving this way without arguments.

Many people don’t read manuals.

The probability of an accident is low, but it feels not robust.

I can live with either (and am very happy you and others keep
improving Guix), I just don’t think loading by default is a good idea.

Regards,
Florian
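
The scenario in the message above can be checked before running a bare `guix shell`. This is an added example, not part of the message or of Guix; it assumes the command looks for guix.scm in the current directory and then in each parent directory, and the function names `find_inherited_file` and `guarded_check` are hypothetical.

```shell
#!/bin/sh
# Added example: report which guix.scm a bare `guix shell` would pick up,
# ASSUMING it searches the current directory and then each parent directory
# (the behaviour implied by the scenario in the message above).

# find_inherited_file START_DIR [NAME]
# Prints the path of the first NAME found walking up from START_DIR.
# Exit status: 0 = found in START_DIR itself,
#              2 = found only in an ancestor (the surprising case),
#              1 = not found anywhere, or START_DIR is not a directory.
find_inherited_file() {
    start=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    name=${2:-guix.scm}
    dir=$start
    while :; do
        if [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            [ "$dir" = "$start" ] && return 0
            return 2
        fi
        [ "$dir" = "/" ] && return 1
        dir=$(dirname "$dir")
    done
}

# guarded_check DIR
# Prints a one-line verdict that a wrapper or shell prompt hook can show
# before any file is loaded.
guarded_check() {
    found=$(find_inherited_file "$1") && rc=0 || rc=$?
    case $rc in
        0) echo "local: $found" ;;
        2) echo "INHERITED from ancestor: $found" ;;
        *) echo "none" ;;
    esac
}

# Usage: guarded_check "$PWD"
```

Status 2 is the case described in the message: the working directory has no guix.scm of its own, so a file from a parent directory would be used instead.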
This bug report was last modified 3 years and 210 days ago.