unofficial mirror of guix-devel@gnu.org 
From: Brice Waegeneire <brice@waegenei.re>
To: "André Batista" <nandre@riseup.net>
Cc: guix-devel@gnu.org,
	Guix-devel <guix-devel-bounces+brice+lists=waegenei.re@gnu.org>
Subject: Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.
Date: Wed, 17 Jun 2020 08:37:59 +0000
Message-ID: <caffc11179e2be10d1606d23436db2e4@waegenei.re>
In-Reply-To: <20200617021951.GA14644@andel>

Hello André,

Thank you for the patch and your feedback!

On 2020-06-17 02:19, André Batista wrote:
> Hello Brice,
> 
> I think it would be useful to warn users that when pulling there is
> a direct connection to guix git repos, so to route it through Tor,
> one needs to use torsocks. It won't make the configuration foolproof,
> but it will reduce the leaks to clearnet.

When writing this section of the cookbook I was worried that some
readers would misunderstand it, so I added a big warning at the
front, but it doesn't seem to be enough since you sent this mail.

--8<---------------cut here---------------start------------->8---
@section Getting substitutes from Tor

Guix daemon can use an HTTP proxy to get substitutes; here we are
configuring it to get them via Tor.

@quotation Warning
@emph{Not all} Guix daemon's traffic will go through Tor!  Only
HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc. connections
will still go through the clearnet.  Again, this configuration isn't
foolproof: some of your traffic won't get routed by Tor at all.  Use it
at your own risk.
@end quotation
--8<---------------cut here---------------end--------------->8---

> +Note that the procedure described above applies only to package 
> substitution.
> +When you update your guix distribution with @command{guix pull}, you 
> should
> +use @command{torsocks} if you want to route the connection to guix git
> +repository servers through Tor.
> +
>  @c 
> *********************************************************************
>  @node Advanced package management
>  @chapter Advanced package management
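Review bot: the added lines in this hunk have been re-wrapped by a mail client (the continuation lines `substitution.` and `should` carry no leading `+`, and the `@c ****` separator line is split in two), so the patch as quoted will not apply cleanly; please resend it with `git send-email` or as an attachment so each added line keeps its `+` and the context lines stay intact. On placement: the new paragraph lands at the very end of the section, after the configuration, while the section's existing `@quotation Warning` block sits at the top; folding the `@command{guix pull}`/`@command{torsocks}` sentence into that warning, for instance by listing `guix pull` next to the FTP, Git and SSH connections that are not proxied, would keep all the scope caveats in one place where a skimming reader sees them.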

I would like to keep the warnings at the beginning of the section
to be sure that readers don't miss it when skimming through it.
Any rewording of that part to make the scope of the section or
the warnings more clear is welcome.

Note that this section is only about getting *substitutes* through
Tor and it should probably be kept that way to avoid confusing the
user in regard to what (narrow) security benefit this configuration
offers.

On a wider front I would prefer to have a foolproof configuration
that routes *all* guix related traffic through Tor, instead of that
half-way setup.  Providing a way to 'torify' any service with
something like 'make-forkexec-constructor/torsocks', as
'make-forkexec-constructor/container' does for containerizing a
service, would be great[0].  A less engaged option would be to
make 'guix-daemon' compatible with 'torsocks' since doing so
makes guix unusable[1].

[0]: http://logs.guix.gnu.org/guix/2020-06-03.log#142909
[1]: https://lists.gnu.org/archive/html/guix-devel/2020-05/msg00214.html

- Brice

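Added example, not part of this thread or of the cookbook patch under discussion: a Guix System services definition that implements what the quoted cookbook excerpt describes. Tor exposes a local HTTP CONNECT tunnel and guix-daemon is pointed at it through the `http-proxy` field of `guix-configuration`, so only the daemon's HTTP/HTTPS fetches (substitutes and fixed-output downloads) are proxied, exactly the narrow scope the warning spells out. The port number 9250 and the file name "tor-config" are assumptions chosen for illustration; the surrounding `operating-system` declaration (bootloader, file systems, users) is site-specific and not shown.

```scheme
;; Added example, not from the thread or the cookbook patch under
;; discussion.  Port 9250 and the "tor-config" file name are assumptions.
(use-modules (gnu)
             (guix gexp)                 ; plain-file
             (gnu services base)         ; guix-service-type, guix-configuration
             (gnu services networking))  ; tor-service-type, tor-configuration

;; Tor opens a plain HTTP CONNECT tunnel on localhost.  guix-daemon's
;; http-proxy field expects an HTTP proxy, not Tor's default SOCKS port,
;; which is why HTTPTunnelPort is used rather than SocksPort.
(define tor-with-http-tunnel
  (service tor-service-type
           (tor-configuration
            (config-file (plain-file "tor-config"
                                     "HTTPTunnelPort 127.0.0.1:9250")))))

;; Point guix-daemon at that tunnel.  Only the daemon's own HTTP/HTTPS
;; traffic goes through it: substitute downloads and fixed-output
;; derivation fetches.  git://, ssh://, FTP and a user's `guix pull'
;; are not covered, as the cookbook warning says; `torsocks guix pull'
;; is the separate, per-command workaround raised in the thread.
(define %services-with-tor-substitutes
  (cons tor-with-http-tunnel
        (modify-services %base-services
          (guix-service-type config =>
                             (guix-configuration
                              (inherit config)
                              (http-proxy "http://127.0.0.1:9250"))))))

;; Use it as the `services' field of the operating-system declaration:
;;   (operating-system
;;     ;; ... bootloader, file-systems, users ...
;;     (services %services-with-tor-substitutes))
```

After reconfiguring, the daemon's substitute traffic leaves the machine only via the local tunnel on 127.0.0.1:9250; anything the daemon fetches over a non-HTTP scheme, and any `guix pull` run without `torsocks`, still reaches the clearnet directly, which is the leak the thread is discussing.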


Thread overview: 12+ messages
2020-05-12 17:22 Routing Guix services traffic trough Tor Brice Waegeneire
2020-05-17 22:33 ` Ludovic Courtès
2020-05-18 20:32   ` Brice Waegeneire
2020-05-24 21:04     ` Ludovic Courtès
2020-06-03 19:12   ` [PATCH] doc: cookbook: Add entry about getting substitutes through Tor Brice Waegeneire
2020-06-04 12:29     ` [bug#41694] " Ludovic Courtès
2020-06-04 12:54       ` Brice Waegeneire
2020-06-17  2:19         ` André Batista
2020-06-17  8:37           ` Brice Waegeneire [this message]
2020-06-18 14:06             ` [PATCH] doc: cookbook: Update " André Batista
2020-06-28 11:37               ` Brice Waegeneire
2020-07-03 20:30                 ` André Batista
