* GNU Guix Questions @ 2017-03-06 15:14 bancfc 2017-03-06 17:15 ` [Whonix-devel] " ng0 2017-03-07 13:57 ` Ludovic Courtès 0 siblings, 2 replies; 9+ messages in thread From: bancfc @ 2017-03-06 15:14 UTC (permalink / raw) To: guix-devel; +Cc: whonix-devel Hi Guix devs, I am a privacy distro dev and we are looking at using Guix in our OS. I have a few questions: * Is the Guix package archive available from a Tor hidden service? There are many advantages of updating a system over Tor such as preventing a target adversary from fingerprinting and targeting hosts that run vulnerable packages and protecting systems in case the package manager has a security bug. Debian and Tor now provide onion mirrors for their packages. Can you please consider doing the same? * Does Guix defend against the variety of attacks described in the TUF threat model document? (described in link below) How resilient is it against key compromise? (TUF was designed from the ground up to provide a highly resilient and secure update framework as a drop in replacement to crappy standalone updaters - a problem that's become very serious for proprietary OSes. The security research and implementation behind it are an excellent rubric that one can apply to any updater/package manager.) https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md * How does one setup a third part package archive? After looking at the manual I believe its as simple as fetching source from one's git repo? Thanks ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-06 15:14 GNU Guix Questions bancfc @ 2017-03-06 17:15 ` ng0 2017-03-07 0:59 ` bancfc 2017-03-07 13:57 ` Ludovic Courtès 1 sibling, 1 reply; 9+ messages in thread From: ng0 @ 2017-03-06 17:15 UTC (permalink / raw) To: whonix-devel; +Cc: guix-devel Hi bancfc, On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: > Hi Guix devs, I am a privacy distro dev and we are looking at using Guix in > our OS. I have a few questions: > > * Is the Guix package archive available from a Tor hidden service? There are > many advantages of updating a system over Tor such as preventing a target > adversary from fingerprinting and targeting hosts that run vulnerable > packages and protecting systems in case the package manager has a security > bug. Debian and Tor now provide onion mirrors for their packages. Can you > please consider doing the same? As far as I know this might be discussed currently at GNU sysadministration level, at least that's the last info I got when I suggested this last week to RMS. There is an onion mirror which is run by another community. It doesn't mirror alpha.gnu.org yet (where guix binaries are located), but it plans to do so. I need to get in touch with the community to ask wether they would be okay with more bandwidth. Do you have an estimation on how high your usage would be for the guix download from the onion mirror? > > * Does Guix defend against the variety of attacks described in the TUF > threat model document? (described in link below) How resilient is it against > key compromise? (TUF was designed from the ground up to provide a highly > resilient and secure update framework as a drop in replacement to crappy > standalone updaters - a problem that's become very serious for proprietary > OSes. The security research and implementation behind it are an excellent > rubric that one can apply to any updater/package manager.) > > https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md > > > * How does one setup a third part package archive? After looking at the > manual I believe its as simple as fetching source from one's git repo? > > Thanks > _______________________________________________ > You are receiving this e-mail because you subscribed Whonix-devel mailing list. To unsubscribe visit https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or mail "unsubscribe" to Whonix-devel-unsubscribe@whonix.org. > > Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste aboniert haben. Zum abbestellen besuchen Sie https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel oder mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-06 17:15 ` [Whonix-devel] " ng0 @ 2017-03-07 0:59 ` bancfc 2017-03-07 11:05 ` ng0 0 siblings, 1 reply; 9+ messages in thread From: bancfc @ 2017-03-07 0:59 UTC (permalink / raw) To: whonix-devel, guix-devel; +Cc: Guix-devel On 2017-03-06 17:15, ng0 wrote: > Hi bancfc, > Hi ng0, great to see you here :) > On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: >> Hi Guix devs, I am a privacy distro dev and we are looking at using >> Guix in >> our OS. I have a few questions: >> >> * Is the Guix package archive available from a Tor hidden service? >> There are >> many advantages of updating a system over Tor such as preventing a >> target >> adversary from fingerprinting and targeting hosts that run vulnerable >> packages and protecting systems in case the package manager has a >> security >> bug. Debian and Tor now provide onion mirrors for their packages. Can >> you >> please consider doing the same? > > As far as I know this might be discussed currently at GNU > sysadministration level, > at least that's the last info I got when I suggested this last week to > RMS. > There is an onion mirror which is run by another community. It doesn't > mirror alpha.gnu.org yet (where guix binaries are located), but it > plans > to do so. I need to get in touch with the community to ask wether they > would be okay with more bandwidth. > Do you have an estimation on how high your usage would be for the guix > download from the onion mirror? > The amount for bandwidth is approximately the size of GNUnet x 15K users. Later on we will expand the selection to include Tor Browser once you package it - if that pans out that would be a massive achievement. The Torproject have discussed packaging it for years but they couldn't work it out because of the breakneck speed of development and the cumbersome process of creating Debian packages. Meanwhile anonymity distros were forced to come up with a workaround safe downloader mechanism in absence of a package fecthable from a package manager. Its been a high maintenance effort over the years and a Guix package would finally solve this. Another "wishlist" package would be GNU-libre kernel that includes the Grsecurity patchset so we can include that out of the box instead of requiring users to manually patch and tweak settings with every (weekly) new upstream release. I realize I'm going offtopic but its really exciting to finally find a better way to package things. >> >> * Does Guix defend against the variety of attacks described in the TUF >> threat model document? (described in link below) How resilient is it >> against >> key compromise? (TUF was designed from the ground up to provide a >> highly >> resilient and secure update framework as a drop in replacement to >> crappy >> standalone updaters - a problem that's become very serious for >> proprietary >> OSes. The security research and implementation behind it are an >> excellent >> rubric that one can apply to any updater/package manager.) >> >> https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md >> >> >> * How does one setup a third part package archive? After looking at >> the >> manual I believe its as simple as fetching source from one's git repo? >> >> Thanks >> _______________________________________________ >> You are receiving this e-mail because you subscribed Whonix-devel >> mailing list. To unsubscribe visit >> https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or mail >> "unsubscribe" to Whonix-devel-unsubscribe@whonix.org. >> >> Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste >> aboniert haben. Zum abbestellen besuchen Sie >> https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel oder >> mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-07 0:59 ` bancfc @ 2017-03-07 11:05 ` ng0 2017-03-07 19:31 ` bancfc 0 siblings, 1 reply; 9+ messages in thread From: ng0 @ 2017-03-07 11:05 UTC (permalink / raw) To: whonix-devel; +Cc: guix-devel, Guix-devel On 17-03-07 00:59:08, bancfc@openmailbox.org wrote: > On 2017-03-06 17:15, ng0 wrote: > > Hi bancfc, > > > > Hi ng0, great to see you here :) > > > On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: > > > Hi Guix devs, I am a privacy distro dev and we are looking at using > > > Guix in > > > our OS. I have a few questions: > > > > > > * Is the Guix package archive available from a Tor hidden service? > > > There are > > > many advantages of updating a system over Tor such as preventing a > > > target > > > adversary from fingerprinting and targeting hosts that run vulnerable > > > packages and protecting systems in case the package manager has a > > > security > > > bug. Debian and Tor now provide onion mirrors for their packages. > > > Can you > > > please consider doing the same? > > > > As far as I know this might be discussed currently at GNU > > sysadministration level, > > at least that's the last info I got when I suggested this last week to > > RMS. > > There is an onion mirror which is run by another community. It doesn't > > mirror alpha.gnu.org yet (where guix binaries are located), but it plans > > to do so. I need to get in touch with the community to ask wether they > > would be okay with more bandwidth. > > Do you have an estimation on how high your usage would be for the guix > > download from the onion mirror? > > > > > The amount for bandwidth is approximately the size of GNUnet x 15K users. I think we have a misunderstanding here. Do you mean access to the releases of Guix as in what's on https://alpha.gnu.org/whatever/the/path/to/guix/was, where the software itself is released, or did you mean what we call 'binary substitutes' in Guix, the packages which are build from the guix.git master which feature the software (here software as in tor, perl, epiphany, gnupg, etc)? Now that I'm reading your initial email again it reads as if could be either or both. It would be good if you try to clarify this. > Later on we will expand the selection to include Tor Browser once you > package it - if that pans out that would be a massive achievement. The FYI: The torbrowser I am packaging initially is a 1:1 copy of what torbrowser team is keeping in the git repository. Nix for example decided to just patchelf the binary releases of torbrowser (the tar files found on dist.torproject.org), this is not acceptable for the work for Guix. So I'm trying my way with building from git tags. If there are other people interested and willing to help (once I have something to debug), I will share recipes / git repositories to work on it. Furthermore the final package version for Guix will include fixes which might be needed, similar to what icecat does to firefox esr, to include it in Guix. This is of course no 1:1 torbrowser then anymore and must not be described as such. It'll be interesting to see if at all it differs in fingerprinting from torbrowser. If for any reason you need the full 1:1 copy we can talk about this once I/we are getting there, offlist or at least not on guix-devel@gnu.org. > Torproject have discussed packaging it for years but they couldn't work it > out because of the breakneck speed of development and the cumbersome process > of creating Debian packages. Meanwhile anonymity distros were forced to come > up with a workaround safe downloader mechanism in absence of a package > fecthable from a package manager. Its been a high maintenance effort over > the years and a Guix package would finally solve this. > > Another "wishlist" package would be GNU-libre kernel that includes the > Grsecurity patchset so we can include that out of the box instead of > requiring users to manually patch and tweak settings with every (weekly) new > upstream release. I think HEADS (the linux-libre grsec devuan based blend) did this, or they are working on it. I know for Guix, someone is working on SELinux. I think if you are looking into getting a GRSec enabled kernel with according policies, this must be answered by someone who knows more about the core of Guix. It might also be the case that I don't fully understand your plan. What I read sounds like you are either mixing up Guix and GuixSD or as if the differences between both need to be explained. It would be easier to know the current state of the system, and where you want to go with this. > I realize I'm going offtopic but its really exciting to finally find a > better way to package things. > > > > > > > * Does Guix defend against the variety of attacks described in the TUF > > > threat model document? (described in link below) How resilient is it > > > against > > > key compromise? (TUF was designed from the ground up to provide a > > > highly > > > resilient and secure update framework as a drop in replacement to > > > crappy > > > standalone updaters - a problem that's become very serious for > > > proprietary > > > OSes. The security research and implementation behind it are an > > > excellent > > > rubric that one can apply to any updater/package manager.) > > > > > > https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md > > > > > > > > > * How does one setup a third part package archive? After looking at > > > the > > > manual I believe its as simple as fetching source from one's git repo? > > > > > > Thanks > > > _______________________________________________ > > > You are receiving this e-mail because you subscribed Whonix-devel > > > mailing list. To unsubscribe visit > > > https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or mail > > > "unsubscribe" to Whonix-devel-unsubscribe@whonix.org. > > > > > > Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste > > > aboniert haben. Zum abbestellen besuchen Sie > > > https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel oder > > > mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org. > > _______________________________________________ > You are receiving this e-mail because you subscribed Whonix-devel mailing list. To unsubscribe visit https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel or mail "unsubscribe" to Whonix-devel-unsubscribe@whonix.org. > > Sie erhalten diese E-Mail, weil Sie die Whonix-devel Mailingliste aboniert haben. Zum abbestellen besuchen Sie https://www.whonix.org/cgi-bin/mailman/listinfo/whonix-devel oder mailen Sie "unsubscribe" an Whonix-devel-unsubscribe@whonix.org. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-07 11:05 ` ng0 @ 2017-03-07 19:31 ` bancfc 2017-03-10 10:44 ` ng0 0 siblings, 1 reply; 9+ messages in thread From: bancfc @ 2017-03-07 19:31 UTC (permalink / raw) To: whonix-devel, guix-devel, Guix-devel On 2017-03-07 12:05, ng0 wrote: > On 17-03-07 00:59:08, bancfc@openmailbox.org wrote: >> On 2017-03-06 17:15, ng0 wrote: >> > Hi bancfc, >> > >> >> Hi ng0, great to see you here :) >> >> > On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: >> > > Hi Guix devs, I am a privacy distro dev and we are looking at using >> > > Guix in >> > > our OS. I have a few questions: >> > > >> > > * Is the Guix package archive available from a Tor hidden service? >> > > There are >> > > many advantages of updating a system over Tor such as preventing a >> > > target >> > > adversary from fingerprinting and targeting hosts that run vulnerable >> > > packages and protecting systems in case the package manager has a >> > > security >> > > bug. Debian and Tor now provide onion mirrors for their packages. >> > > Can you >> > > please consider doing the same? >> > >> > As far as I know this might be discussed currently at GNU >> > sysadministration level, >> > at least that's the last info I got when I suggested this last week to >> > RMS. >> > There is an onion mirror which is run by another community. It doesn't >> > mirror alpha.gnu.org yet (where guix binaries are located), but it plans >> > to do so. I need to get in touch with the community to ask wether they >> > would be okay with more bandwidth. >> > Do you have an estimation on how high your usage would be for the guix >> > download from the onion mirror? >> > >> >> >> The amount for bandwidth is approximately the size of GNUnet x 15K >> users. > > I think we have a misunderstanding here. Do you mean access to the > releases of Guix as in what's on > https://alpha.gnu.org/whatever/the/path/to/guix/was, where the software > itself is released, or did you mean what we call 'binary substitutes' > in > Guix, the packages which are build from the guix.git master which > feature the software (here software as in tor, perl, epiphany, gnupg, > etc)? > Now that I'm reading your initial email again it reads as if could be > either or both. It would be good if you try to clarify this. > Yes I meant binary substitutes not Guix itself. > >> Later on we will expand the selection to include Tor Browser once you >> package it - if that pans out that would be a massive achievement. The > > FYI: > The torbrowser I am packaging initially is a 1:1 copy of what > torbrowser > team is keeping in the git repository. Nix for example decided to > just patchelf the binary releases of torbrowser (the tar files found on > dist.torproject.org), this is not acceptable for the work for Guix. > So I'm trying my way with building from git tags. If there are other > people interested and willing to help (once I have something to debug), > I will share recipes / git repositories to work on it. I think this work is so important that it deserves bringing it to the notice of the Tor devs on their mailing list. They will probably help out because it is something they have been wanting to do and are interested in: https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/ > Furthermore the final package version for Guix will include fixes which > might be needed, similar to what icecat does to firefox esr, to include > it in Guix. This is of course no 1:1 torbrowser then anymore and must > not be described as such. It'll be interesting to see if at all it > differs in fingerprinting from torbrowser. To check the fingerprint of your versions you can use this site: https://fpcentral.irisa.fr/ It was a product of a GSoC project to exclusively measure Tor Borwser fingerprints between versions to help TBB devs and users make sure they are safe. > If for any reason you need the full 1:1 copy we can talk about this > once I/we > are getting there, offlist or at least not on guix-devel@gnu.org. > No particular reason for 1:1 as long as the Guix package is fully reproducible and closely tracks upstream security updates its ok with us. >> Torproject have discussed packaging it for years but they couldn't >> work it >> out because of the breakneck speed of development and the cumbersome >> process >> of creating Debian packages. Meanwhile anonymity distros were forced >> to come >> up with a workaround safe downloader mechanism in absence of a package >> fecthable from a package manager. Its been a high maintenance effort >> over >> the years and a Guix package would finally solve this. >> >> Another "wishlist" package would be GNU-libre kernel that includes the >> Grsecurity patchset so we can include that out of the box instead of >> requiring users to manually patch and tweak settings with every >> (weekly) new >> upstream release. > > I think HEADS (the linux-libre grsec devuan based blend) did this, or > they > are working on it. I know for Guix, someone is working on SELinux. I > think if you are looking into getting a GRSec enabled kernel with > according policies, this must be answered by someone who knows more > about the core of Guix. > It might also be the case that I don't fully understand your plan. What > I read sounds like you are either mixing up Guix and GuixSD or as if > the differences between both need to be explained. It would be easier > to > know the current state of the system, and where you want to go with > this. > I understand the difference between Guix and GuixSD - the latter is a full distribution based around the former. Since we are Debian based I was looking into cherry-picking packages from Guix binary repos because the way it works is ideal instead of the bureaucracy of Debian packaging policies which makes packaging impossible in some cases. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-07 19:31 ` bancfc @ 2017-03-10 10:44 ` ng0 2017-03-13 22:42 ` bancfc 0 siblings, 1 reply; 9+ messages in thread From: ng0 @ 2017-03-10 10:44 UTC (permalink / raw) To: bancfc; +Cc: guix-devel, Guix-devel, whonix-devel bancfc@openmailbox.org transcribed 5.5K bytes: > On 2017-03-07 12:05, ng0 wrote: > > On 17-03-07 00:59:08, bancfc@openmailbox.org wrote: > > > On 2017-03-06 17:15, ng0 wrote: > > > > Hi bancfc, > > > > > > > > > > Hi ng0, great to see you here :) > > > > > > > On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: > > > > > Hi Guix devs, I am a privacy distro dev and we are looking at using > > > > > Guix in > > > > > our OS. I have a few questions: > > > > > > > > > > * Is the Guix package archive available from a Tor hidden service? > > > > > There are > > > > > many advantages of updating a system over Tor such as preventing a > > > > > target > > > > > adversary from fingerprinting and targeting hosts that run vulnerable > > > > > packages and protecting systems in case the package manager has a > > > > > security > > > > > bug. Debian and Tor now provide onion mirrors for their packages. > > > > > Can you > > > > > please consider doing the same? Ludovic: can we get an .onion for hydra.gnu.org? I know that I asked for unspecific download mirrors (alpha,ftp,etc) at gnu.org (different list), but asking specifically about hydra.gnu.org would be different. What's left to be documented then is how to provide access for clients. The explanations I've got so far weren't helping. I could ask for the GNUnet eV machine which runs mirror.hydra.gnu.org. bancfc: Depending on the resources Whonix has, you could consider running your own substitutes servers (if that's an option)? > > > > As far as I know this might be discussed currently at GNU > > > > sysadministration level, > > > > at least that's the last info I got when I suggested this last week to > > > > RMS. > > > > There is an onion mirror which is run by another community. It doesn't > > > > mirror alpha.gnu.org yet (where guix binaries are located), but it plans > > > > to do so. I need to get in touch with the community to ask wether they > > > > would be okay with more bandwidth. > > > > Do you have an estimation on how high your usage would be for the guix > > > > download from the onion mirror? > > > > > > > > > > > > > The amount for bandwidth is approximately the size of GNUnet x 15K > > > users. > > > > I think we have a misunderstanding here. Do you mean access to the > > releases of Guix as in what's on > > https://alpha.gnu.org/whatever/the/path/to/guix/was, where the software > > itself is released, or did you mean what we call 'binary substitutes' in > > Guix, the packages which are build from the guix.git master which > > feature the software (here software as in tor, perl, epiphany, gnupg, > > etc)? > > Now that I'm reading your initial email again it reads as if could be > > either or both. It would be good if you try to clarify this. > > > > Yes I meant binary substitutes not Guix itself. > > > > > > Later on we will expand the selection to include Tor Browser once you > > > package it - if that pans out that would be a massive achievement. The > > > > FYI: > > The torbrowser I am packaging initially is a 1:1 copy of what torbrowser > > team is keeping in the git repository. Nix for example decided to > > just patchelf the binary releases of torbrowser (the tar files found on > > dist.torproject.org), this is not acceptable for the work for Guix. > > So I'm trying my way with building from git tags. If there are other > > people interested and willing to help (once I have something to debug), > > I will share recipes / git repositories to work on it. > > I think this work is so important that it deserves bringing it to the notice > of the Tor devs on their mailing list. They will probably help out because > it is something they have been wanting to do and are interested in: > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/ I will get in touch later, I had some first introduction to the trademarks team of torbrowser, now I need help in trying to figure out what needs to be modified. After this is done I can get in touch with tor-dev to talk about the trademark specifics. It can take a while, so I'd appreciate any kind of help in judging current torbrowser and what needs to be modified. I'm busy with documenting for 'pragmatique' to find more people to help on pragmaOS (working title of the GuixSD blend). > > Furthermore the final package version for Guix will include fixes which > > might be needed, similar to what icecat does to firefox esr, to include > > it in Guix. This is of course no 1:1 torbrowser then anymore and must > > not be described as such. It'll be interesting to see if at all it > > differs in fingerprinting from torbrowser. > > To check the fingerprint of your versions you can use this site: > https://fpcentral.irisa.fr/ > > It was a product of a GSoC project to exclusively measure Tor Borwser > fingerprints between versions to help TBB devs and users make sure they are > safe. Thanks! > > If for any reason you need the full 1:1 copy we can talk about this once > > I/we > > are getting there, offlist or at least not on guix-devel@gnu.org. > > > > No particular reason for 1:1 as long as the Guix package is fully > reproducible and closely tracks upstream security updates its ok with us. > > > > Torproject have discussed packaging it for years but they couldn't > > > work it > > > out because of the breakneck speed of development and the cumbersome > > > process > > > of creating Debian packages. Meanwhile anonymity distros were forced > > > to come > > > up with a workaround safe downloader mechanism in absence of a package > > > fecthable from a package manager. Its been a high maintenance effort > > > over > > > the years and a Guix package would finally solve this. > > > > > > Another "wishlist" package would be GNU-libre kernel that includes the > > > Grsecurity patchset so we can include that out of the box instead of > > > requiring users to manually patch and tweak settings with every > > > (weekly) new > > > upstream release. > > > > I think HEADS (the linux-libre grsec devuan based blend) did this, or > > they > > are working on it. I know for Guix, someone is working on SELinux. I > > think if you are looking into getting a GRSec enabled kernel with > > according policies, this must be answered by someone who knows more > > about the core of Guix. > > It might also be the case that I don't fully understand your plan. What > > I read sounds like you are either mixing up Guix and GuixSD or as if > > the differences between both need to be explained. It would be easier to > > know the current state of the system, and where you want to go with > > this. > > > > I understand the difference between Guix and GuixSD - the latter is a full > distribution based around the former. Since we are Debian based I was > looking into cherry-picking packages from Guix binary repos because the way > it works is ideal instead of the bureaucracy of Debian packaging policies > which makes packaging impossible in some cases. > > Okay, I guess it needs to be more clear what can be used then. As I understand it, you will not be able to use the kernel when you use Guix on another distro. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-10 10:44 ` ng0 @ 2017-03-13 22:42 ` bancfc 2017-03-14 13:45 ` Ludovic Courtès 0 siblings, 1 reply; 9+ messages in thread From: bancfc @ 2017-03-13 22:42 UTC (permalink / raw) To: bancfc, ludo, whonix-devel, guix-devel, Guix-devel On 2017-03-10 11:44, ng0 wrote: > bancfc@openmailbox.org transcribed 5.5K bytes: >> On 2017-03-07 12:05, ng0 wrote: >> > On 17-03-07 00:59:08, bancfc@openmailbox.org wrote: >> > > On 2017-03-06 17:15, ng0 wrote: >> > > > Hi bancfc, >> > > > >> > > >> > > Hi ng0, great to see you here :) >> > > >> > > > On 17-03-06 16:14:08, bancfc@openmailbox.org wrote: >> > > > > Hi Guix devs, I am a privacy distro dev and we are looking at using >> > > > > Guix in >> > > > > our OS. I have a few questions: >> > > > > >> > > > > * Is the Guix package archive available from a Tor hidden service? >> > > > > There are >> > > > > many advantages of updating a system over Tor such as preventing a >> > > > > target >> > > > > adversary from fingerprinting and targeting hosts that run vulnerable >> > > > > packages and protecting systems in case the package manager has a >> > > > > security >> > > > > bug. Debian and Tor now provide onion mirrors for their packages. >> > > > > Can you >> > > > > please consider doing the same? > > Ludovic: can we get an .onion for hydra.gnu.org? I know that I asked > for > unspecific download mirrors (alpha,ftp,etc) at gnu.org (different > list), but asking > specifically about hydra.gnu.org would be different. What's left to be > documented then is how to provide access for clients. The explanations > I've got so far weren't helping. I could ask for > the GNUnet eV machine which runs mirror.hydra.gnu.org. > > bancfc: Depending on the resources Whonix has, you could consider > running your own substitutes servers (if that's an option)? > Yes we are interested in running our own substitute servers. We currently host our project specific .deb repo. Or do you mean a full mirror of hydra? > > >> > > > As far as I know this might be discussed currently at GNU >> > > > sysadministration level, >> > > > at least that's the last info I got when I suggested this last week to >> > > > RMS. >> > > > There is an onion mirror which is run by another community. It doesn't >> > > > mirror alpha.gnu.org yet (where guix binaries are located), but it plans >> > > > to do so. I need to get in touch with the community to ask wether they >> > > > would be okay with more bandwidth. >> > > > Do you have an estimation on how high your usage would be for the guix >> > > > download from the onion mirror? >> > > > >> > > >> > > >> > > The amount for bandwidth is approximately the size of GNUnet x 15K >> > > users. >> > >> > I think we have a misunderstanding here. Do you mean access to the >> > releases of Guix as in what's on >> > https://alpha.gnu.org/whatever/the/path/to/guix/was, where the software >> > itself is released, or did you mean what we call 'binary substitutes' in >> > Guix, the packages which are build from the guix.git master which >> > feature the software (here software as in tor, perl, epiphany, gnupg, >> > etc)? >> > Now that I'm reading your initial email again it reads as if could be >> > either or both. It would be good if you try to clarify this. >> > >> >> Yes I meant binary substitutes not Guix itself. >> >> > >> > > Later on we will expand the selection to include Tor Browser once you >> > > package it - if that pans out that would be a massive achievement. The >> > >> > FYI: >> > The torbrowser I am packaging initially is a 1:1 copy of what torbrowser >> > team is keeping in the git repository. Nix for example decided to >> > just patchelf the binary releases of torbrowser (the tar files found on >> > dist.torproject.org), this is not acceptable for the work for Guix. >> > So I'm trying my way with building from git tags. If there are other >> > people interested and willing to help (once I have something to debug), >> > I will share recipes / git repositories to work on it. >> >> I think this work is so important that it deserves bringing it to the >> notice >> of the Tor devs on their mailing list. They will probably help out >> because >> it is something they have been wanting to do and are interested in: >> >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev/ > > I will get in touch later, I had some first introduction to the > trademarks team of torbrowser, now I need help in trying to figure out > what needs to be modified. After this is done I can get in touch with > tor-dev to talk about the trademark specifics. > > It can take a while, so I'd appreciate any kind of help in judging > current torbrowser and what needs to be modified. I'm busy with > documenting for 'pragmatique' to find more people to help on pragmaOS > (working title of the GuixSD blend). > Sorry I posted there before seeing your reply :/ I mentioned your packaging work on Tor-Dev: https://lists.torproject.org/pipermail/tor-dev/2017-March/011993.html > >> > Furthermore the final package version for Guix will include fixes which >> > might be needed, similar to what icecat does to firefox esr, to include >> > it in Guix. This is of course no 1:1 torbrowser then anymore and must >> > not be described as such. It'll be interesting to see if at all it >> > differs in fingerprinting from torbrowser. >> >> To check the fingerprint of your versions you can use this site: >> https://fpcentral.irisa.fr/ >> >> It was a product of a GSoC project to exclusively measure Tor Borwser >> fingerprints between versions to help TBB devs and users make sure >> they are >> safe. > > Thanks! > >> > If for any reason you need the full 1:1 copy we can talk about this once >> > I/we >> > are getting there, offlist or at least not on guix-devel@gnu.org. >> > >> >> No particular reason for 1:1 as long as the Guix package is fully >> reproducible and closely tracks upstream security updates its ok with >> us. >> >> > > Torproject have discussed packaging it for years but they couldn't >> > > work it >> > > out because of the breakneck speed of development and the cumbersome >> > > process >> > > of creating Debian packages. Meanwhile anonymity distros were forced >> > > to come >> > > up with a workaround safe downloader mechanism in absence of a package >> > > fecthable from a package manager. Its been a high maintenance effort >> > > over >> > > the years and a Guix package would finally solve this. >> > > >> > > Another "wishlist" package would be GNU-libre kernel that includes the >> > > Grsecurity patchset so we can include that out of the box instead of >> > > requiring users to manually patch and tweak settings with every >> > > (weekly) new >> > > upstream release. >> > >> > I think HEADS (the linux-libre grsec devuan based blend) did this, or >> > they >> > are working on it. I know for Guix, someone is working on SELinux. I >> > think if you are looking into getting a GRSec enabled kernel with >> > according policies, this must be answered by someone who knows more >> > about the core of Guix. >> > It might also be the case that I don't fully understand your plan. What >> > I read sounds like you are either mixing up Guix and GuixSD or as if >> > the differences between both need to be explained. It would be easier to >> > know the current state of the system, and where you want to go with >> > this. >> > >> >> I understand the difference between Guix and GuixSD - the latter is a >> full >> distribution based around the former. Since we are Debian based I was >> looking into cherry-picking packages from Guix binary repos because >> the way >> it works is ideal instead of the bureaucracy of Debian packaging >> policies >> which makes packaging impossible in some cases. >> >> > > Okay, I guess it needs to be more clear what can be used then. > As I understand it, you will not be able to use the kernel when you use > Guix on another distro. Understood ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [Whonix-devel] GNU Guix Questions 2017-03-13 22:42 ` bancfc @ 2017-03-14 13:45 ` Ludovic Courtès 0 siblings, 0 replies; 9+ messages in thread From: Ludovic Courtès @ 2017-03-14 13:45 UTC (permalink / raw) To: bancfc; +Cc: guix-devel, Guix-devel, whonix-devel Hello! bancfc@openmailbox.org skribis: > Yes we are interested in running our own substitute servers. We > currently host our project specific .deb repo. Or do you mean a full > mirror of hydra? From a security viewpoint, the more independent builders there are, the better. So if Whonix and other organizations would run their own build farm and publish their own substitutes (presumably with Cuirass and ‘guix publish’), that would be great. With more and more of our packages being bit-reproducible, users could easily use ‘guix challenge’ to compare what each server is providing and detect anything suspicious. Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: GNU Guix Questions 2017-03-06 15:14 GNU Guix Questions bancfc 2017-03-06 17:15 ` [Whonix-devel] " ng0 @ 2017-03-07 13:57 ` Ludovic Courtès 1 sibling, 0 replies; 9+ messages in thread From: Ludovic Courtès @ 2017-03-07 13:57 UTC (permalink / raw) To: bancfc; +Cc: guix-devel, whonix-devel Hi! bancfc@openmailbox.org skribis: > * Does Guix defend against the variety of attacks described in the TUF > threat model document? (described in link below) How resilient is it > against key compromise? (TUF was designed from the ground up to > provide a highly resilient and secure update framework as a drop in > replacement to crappy standalone updaters - a problem that's become > very serious for proprietary OSes. The security research and > implementation behind it are an excellent rubric that one can apply to > any updater/package manager.) > > https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md The short answer is: not yet. The longer answer is that TUF is biased towards “traditional” package managers where the main asset is a binary package archive. Guix is conceptually a source-based package manager, so what we want to authenticate is Git checkouts of Guix itself. TUF needs to be “ported” to this model. We’ll address this hopefully within a few months, and definitely by 1.0: https://bugs.gnu.org/22883 Ludo’. ^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2017-03-14 13:45 UTC | newest] Thread overview: 9+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-03-06 15:14 GNU Guix Questions bancfc 2017-03-06 17:15 ` [Whonix-devel] " ng0 2017-03-07 0:59 ` bancfc 2017-03-07 11:05 ` ng0 2017-03-07 19:31 ` bancfc 2017-03-10 10:44 ` ng0 2017-03-13 22:42 ` bancfc 2017-03-14 13:45 ` Ludovic Courtès 2017-03-07 13:57 ` Ludovic Courtès
Code repositories for project(s) associated with this public inbox https://git.savannah.gnu.org/cgit/guix.git This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).