From: bancfc@openmailbox.org
Subject: GNU Guix Questions
Date: Mon, 06 Mar 2017 16:14:08 +0100
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org
Cc: whonix-devel@whonix.org

Hi Guix devs,

I am a privacy distro dev and we are looking at using Guix in our OS. I have a few questions:

* Is the Guix package archive available from a Tor hidden service? There are many advantages of updating a system over Tor, such as preventing a target adversary from fingerprinting and targeting hosts that run vulnerable packages and protecting systems in case the package manager has a security bug. Debian and Tor now provide onion mirrors for their packages. Can you please consider doing the same?

* Does Guix defend against the variety of attacks described in the TUF threat model document? (described in link below) How resilient is it against key compromise?

(TUF was designed from the ground up to provide a highly resilient and secure update framework as a drop-in replacement for crappy standalone updaters - a problem that's become very serious for proprietary OSes. The security research and implementation behind it are an excellent rubric that one can apply to any updater/package manager.)

https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

* How does one set up a third-party package archive? After looking at the manual I believe it's as simple as fetching source from one's git repo?

Thanks