On Sat, Feb 29, 2020 at 09:41:17PM +0100, Bengt Richter wrote:
> IMO auto-update is like buying an appliance and giving
> the install crew a permanent key to the kitchen door.
I don't think this metaphor is wrong, but it's not very exact. Short of auditing every single line of code in a package, and skillfully detecting obfuscated malware, all of our packages may try to download and execute software at run-time. It's just the nature of computers with network access.

In any case, it's extremely unlikely that a package auto-updater will work in Guix because they usually target the executable's directory and that is read-only in /gnu/store. But we should still try to disable them as a matter of Guix policy.
