From: André Batista
To: Brice Waegeneire
Subject: Re: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.
Date: Thu, 18 Jun 2020 11:06:11 -0300
Message-ID: <20200618140611.GA2613@andel>
References: <87blmmkx87.fsf@gnu.org> <20200603191249.29382-1-brice@waegenei.re> <87367baua7.fsf@gnu.org> <5b7e576318d73e89ba5a9cafb6861061@waegenei.re> <20200617021951.GA14644@andel>
Cc: guix-devel@gnu.org

Hello Brice,

On Wed, 17 Jun 2020 at 08:37:59 (1592393879), brice@waegenei.re wrote:
> Hello André,
>
> Thank you for the patch and your feedback!

It's me who should be thanking you!

> When writing this section of the cookbook I was worried that some
> readers would misunderstand it, so I added a big warning at the
> front, but it doesn't seem to be enough since you sent this mail.

Sorry to disturb you; your warning was clear enough. I only thought
that there was room for improvement whilst there remains the need for
a proper solution to the problem at hand.

> I would like to keep the warnings at the beginning of the section
> to be sure that readers don't miss them when skimming through it.
> Any rewording of that part to make the scope of the section or
> the warnings more clear is welcome.

Attached is a new version of the previous patch, which changes the
comment to the warning quote. I had previously thought that it would
be worse to inflate the warning with this comment even more, as the
section's title already mentions it's related to substitutes.
> Note that this section is only about getting *substitutes* through
> Tor and it should probably be kept that way to avoid confusing the
> user in regard to what (narrow) security benefit this configuration
> offers.

Note taken, but it seems to me that if someone is going through the
trouble of configuring guix to get substitutes through Tor, such a
person would most likely also wish to update guix through the same
network. It does nothing to fix the possible leaks when substitutes
aren't available, but it makes it clear that it's possible/advisable
in such a scenario to pull using torsocks. I don't think it misinforms
users.

> On a wider front I would prefer to have a foolproof configuration
> that routes *all* guix-related traffic through Tor, instead of that
> half-way setup. Providing a way to 'torify' any service with
> something like 'make-forkexec-constructor/torsocks', as
> 'make-forkexec-constructor/container' does for containerizing a
> service, would be great[0]. A less engaged option would be to
> make 'guix-daemon' compatible with 'torsocks', since doing so
> makes guix unusable[1].

I too would prefer it, but a half-way setup is what we have for now.
So a three-quarters-way setup would be an improvement, though not the
fix we're in need of. I'll dig deeper and will come back to you if I
make any progress.

Attached patch (0001-doc-cookbook-Update-entry-about-getting-substitutes-.patch):

From 1d6e29dcbc5b9a8659294af033863a31526eab76 Mon Sep 17 00:00:00 2001
From: André Batista
Date: Thu, 18 Jun 2020 10:23:23 -0300
Subject: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.
To: guix-devel@gnu.org

* doc/guix-cookbook.texi (Getting substitutes from Tor): Update section
warning to mention the use of torsocks when pulling.

--- doc/guix-cookbook.texi | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 1342826c97..d5a8459363 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -15,6 +15,7 @@ Copyright @copyright{} 2020 Oleg Pykhalov@* Copyright @copyright{} 2020 Matthew Brooks@* Copyright @copyright{} 2020 Marcin Karpezo@* Copyright @copyright{} 2020 Brice Waegeneire@* +Copyright @copyright{} 2020 Andr=E9 Batista@* =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or 
@@ -1799,10 +1800,16 @@ HTTP/HTTPS will get proxied; FTP, Git protocol, SSH= , etc connections will still go through the clearnet. Again, this configuration isn't foolproof some of your traffic won't get routed by Tor at all. Use it at your own risk. + +Also note that the procedure described here applies only to package +substitution. When you update your guix distribution with +@command{guix pull}, you still need to use @command{torsocks} if +you want to route the connection to guix's git repository servers +through Tor. @end quotation =20 Guix's substitute server is available as a Onion service, if you want -to use it to get your substitutes from Tor configure your system as +to use it to get your substitutes through Tor configure your system as follow: =20 @lisp --=20 2.26.2
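Review bot: the new paragraph inside the @quotation tells readers to use @command{torsocks} for @command{guix pull} but does not say that this only covers the pull client; the reply quoted earlier in this thread states that guix-daemon is not compatible with torsocks and that wrapping it makes guix unusable, so a reader who applies the same wrapper to the daemon will break their system. Consider adding one sentence to the new text, e.g. "+Wrapping @command{guix-daemon} itself in @command{torsocks} does not work." The hunk header's context sentence ("Git protocol, SSH, etc connections will still go through the clearnet") now reads as contradicting the added advice about the git connection made by @command{guix pull}; a short cross-reference such as "(see below for @command{guix pull})" would tie the two together. While the sentence "+to use it to get your substitutes through Tor configure your system as" is being touched, a comma after "Tor" and the neighbouring context "a Onion service" / "as follow:" ("an onion service" / "as follows:") could be fixed in the same patch.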
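The warning in the patch says some Guix traffic will still go through the clearnet. As an added example that is not part of this mail thread or of the Guix project, the script below shows one way a defender can check that on a running system: it reads socket lines in the shape printed by `ss -tnp` and reports connections held by the guix client or guix-daemon whose peer is not a local Tor endpoint. It assumes Tor's SOCKS port is 127.0.0.1:9050 (Tor's default SocksPort); any other local Tor endpoint your configuration uses (for example the proxy port the daemon is pointed at) must be added to `TOR_ENDPOINTS`. The `ss` sample embedded in the script is constructed so the check runs offline.

```shell
#!/bin/sh
# Added example, not code from the mail thread or from the Guix project.
# Audits `ss -tnp`-style socket lines and reports established connections
# held by guix or guix-daemon whose peer is not one of the local Tor
# endpoints. Assumption: Tor's SOCKS port is 127.0.0.1:9050 (Tor's default
# SocksPort); extend TOR_ENDPOINTS (space separated) with any other local
# Tor port your own configuration uses.
TOR_ENDPOINTS="${TOR_ENDPOINTS:-127.0.0.1:9050}"

# Read ss lines on stdin; print "<pid> <process> <peer>" for every
# established guix/guix-daemon connection that bypasses Tor.
find_clearnet_guix_connections() {
    awk -v allowed="$TOR_ENDPOINTS" '
        BEGIN {
            n = split(allowed, list, " ")
            for (i = 1; i <= n; i++) ok[list[i]] = 1
        }
        # ss -tnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        $1 == "ESTAB" && $6 ~ /"guix(-daemon)?"/ && !($5 in ok) {
            proc = $6; sub(/^users:\(\("/, "", proc); sub(/".*/, "", proc)
            pid  = $6; sub(/.*pid=/, "", pid);        sub(/,.*/, "", pid)
            print pid, proc, $5
        }'
}

# Constructed sample in the shape of `ss -tnp` output (addresses from the
# documentation ranges): one guix pull going through Tor, one daemon fetch
# going out directly, and two unrelated sockets that must be ignored.
SAMPLE_SS='ESTAB 0 0 127.0.0.1:51022 127.0.0.1:9050 users:(("guix",pid=4242,fd=9))
ESTAB 0 0 10.0.0.5:51023 203.0.113.7:443 users:(("guix-daemon",pid=1337,fd=12))
ESTAB 0 0 10.0.0.5:51024 198.51.100.20:443 users:(("firefox",pid=2020,fd=3))
LISTEN 0 128 127.0.0.1:9050 0.0.0.0:* users:(("tor",pid=777,fd=6))'

# Run the audit over the constructed sample (on a live system you would
# pipe `ss -tnp` into find_clearnet_guix_connections instead).
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | find_clearnet_guix_connections
}

audit_sample
```

A torsocks-wrapped process shows up with its peer on the SOCKS port, so the `guix` pull line passes, while the daemon's direct HTTPS fetch is reported; unrelated processes are filtered out by name. Run it repeatedly (or from a cron job) while `guix pull` and substitute downloads are in progress, since idle processes hold no sockets to inspect.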