unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* GNU Guix Questions
@ 2017-03-06 15:14 bancfc
  2017-03-06 17:15 ` [Whonix-devel] " ng0
  2017-03-07 13:57 ` Ludovic Courtès
  0 siblings, 2 replies; 9+ messages in thread
From: bancfc @ 2017-03-06 15:14 UTC (permalink / raw)
  To: guix-devel; +Cc: whonix-devel

Hi Guix devs, I am a privacy distro dev and we are looking at using Guix 
in our OS. I have a few questions:

* Is the Guix package archive available from a Tor hidden service? There 
are many advantages of updating a system over Tor such as preventing a 
target adversary from fingerprinting and targeting hosts that run 
vulnerable packages and protecting systems in case the package manager 
has a security bug. Debian and Tor now provide onion mirrors for their 
packages. Can you please consider doing the same?


* Does Guix defend against the variety of attacks described in the TUF 
threat model document? (described in link below) How resilient is it 
against key compromise? (TUF was designed from the ground up to provide 
a highly resilient and secure update framework as a drop in replacement 
to crappy standalone updaters - a problem that's become very serious for 
proprietary OSes. The security research and implementation behind it are 
an excellent rubric that one can apply to any updater/package manager.)

https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md


* How does one setup a third part package archive? After looking at the 
manual I believe its as simple as fetching source from one's git repo?

Thanks

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2017-03-14 13:45 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-03-06 15:14 GNU Guix Questions bancfc
2017-03-06 17:15 ` [Whonix-devel] " ng0
2017-03-07  0:59   ` bancfc
2017-03-07 11:05     ` ng0
2017-03-07 19:31       ` bancfc
2017-03-10 10:44         ` ng0
2017-03-13 22:42           ` bancfc
2017-03-14 13:45             ` Ludovic Courtès
2017-03-07 13:57 ` Ludovic Courtès

Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).