From mboxrd@z Thu Jan 1 00:00:00 1970 From: ng0 Subject: Re: [Whonix-devel] GNU Guix Questions Date: Mon, 6 Mar 2017 17:15:04 +0000 Message-ID: <20170306171504.q3upjno6bzbqeeqc@abyayala> References: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:48123) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ckv9W-0003XU-LU for guix-devel@gnu.org; Mon, 06 Mar 2017 11:06:27 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ckv9S-0004S7-US for guix-devel@gnu.org; Mon, 06 Mar 2017 11:06:26 -0500 Received: from latitanza.investici.org ([82.94.249.234]:34870) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1ckv9S-0004Rp-Kj for guix-devel@gnu.org; Mon, 06 Mar 2017 11:06:22 -0500 Content-Disposition: inline In-Reply-To: List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: "Guix-devel" To: whonix-devel@whonix.org Cc: guix-devel@gnu.org Hi bancfc, On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: > Hi Guix devs, I am a privacy distro dev and we are looking at using Guix in > our OS. I have a few questions: > > * Is the Guix package archive available from a Tor hidden service? There are > many advantages of updating a system over Tor such as preventing a target > adversary from fingerprinting and targeting hosts that run vulnerable > packages and protecting systems in case the package manager has a security > bug. Debian and Tor now provide onion mirrors for their packages. Can you > please consider doing the same? As far as I know this might be discussed currently at GNU sysadministration level, at least that's the last info I got when I suggested this last week to RMS. There is an onion mirror which is run by another community. It doesn't mirror alpha.gnu.org yet (where guix binaries are located), but it plans to do so. I need to get in touch with the community to ask wether they would be okay with more bandwidth. Do you have an estimation on how high your usage would be for the guix download from the onion mirror? > > * Does Guix defend against the variety of attacks described in the TUF > threat model document? (described in link below) How resilient is it against > key compromise? (TUF was designed from the ground up to provide a highly > resilient and secure update framework as a drop in replacement to crappy > standalone updaters - a problem that's become very serious for proprietary > OSes. The security research and implementation behind it are an excellent > rubric that one can apply to any updater/package manager.) > > https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md > > > * How does one setup a third part package archive? After looking at the > manual I believe its as simple as fetching source from one's git repo? > > Thanks > _______________________________________________ > You are receiving this e-mail because you subscribed Whonix-devel mailing list. To unsubscribe visit https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or mail "unsubscribe" to Whonix-devel-unsubscribe@whonix.org. > > Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste aboniert haben. Zum abbestellen besuchen Sie https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel oder mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org.