unofficial mirror of help-guix@gnu.org 
From: Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
To: Gottfried <gottfried@posteo.de>
Cc: Csepp <raingloom@riseup.net>, help-guix@gnu.org
Subject: Re: tor
Date: Wed, 31 Aug 2022 18:23:54 +0200
Message-ID: <20220831182354.4a1db154@primary_laptop>
In-Reply-To: <92a94bf3-12a8-8743-e338-7906835c9697@posteo.de>


On Tue, 30 Aug 2022 18:32:26 +0000
Gottfried <gottfried@posteo.de> wrote:

> It is too difficult for me to use chroots in Guix System
> because I don't know how to set it up.
For chrooting I use the scripts I attached. 

So far both scripts work for graphical applications. I've no idea if
sound works or not though.

One limitation of the scripts is that I had to use the same username
and/or uid/gid inside and outside of the chroot. Otherwise the
graphical applications don't run.

As for creating the rootfs to chroot in, we need better support for it
in Guix, especially to add more FSDG compliant distributions.

So far PureOS "amber" is probably the only FSDG compliant option there
is.

After installing debootstrap, the following command should create an
extremely basic rootfs in the /path/to/rootfs/directory directory:
> sudo debootstrap amber /path/to/rootfs/directory \
> https://repo.puri.sm/pureos

You then need to do some low level configuration manually (like
explained in 'man debootstrap'). The Debian installation manual has
more information on that[1] and since PureOS is based on Debian, most of
the information can be reused. 

The security isn't ideal since we lack a pureos keyring but it uses
https so it should be good enough.

As for adding Trisquel and other PureOS versions to debootstrap, I've
sent a patch to debootstrap upstream[2] but nobody looked at it, so
I've no idea how to get that unblocked.

As for other distributions like Parabola, I managed to make a pacstrap
package for Guix[3], but it didn't work: it could install a rootfs but
running the post install scripts failed, probably due to it not having
the right PATH value. So far I didn't find enough time to fix that
issue though. So for now your only option within Guix is through
debootstrap.

Another option for creating a rootfs would be to boot a distribution
installer (like the Parabola command line USB installer) and actually
run pacstrap there, and then once back into Guix, chroot inside with (a
modified version of) the scripts I provided.

And as for running the tor-browser binaries directly on Guix, I've
tried that approach by installing the libraries required by the
tor-browser in Guix like libgcc and so on, and it found some of
these libraries, but not others despite having installed them, so that
didn't work.

As for the tor-browser, there is also an issue with it: in
about:addons, it points users to addons.mozilla.org which contains
nonfree addons. This is what prevents us from adding the
tor-browser-installer/launcher to (other than Guix) FSDG compliant
distributions. So once you have created the chroot you'll also need to
download, verify the download with gpg, and unpack it manually.

References:
-----------
[1]https://www.debian.org/releases/stable/amd64/apds03.en.html
[2]https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/60
[3]https://framagit.org/GNUtoo/guix/-/commits/archlinux/

Denis.

[-- Attachment #1.2: parabola32-chroot.sh --]
[-- Type: application/x-shellscript, Size: 1322 bytes --]

[-- Attachment #1.3: trisquel9-chroot.sh --]
[-- Type: application/x-shellscript, Size: 1335 bytes --]
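
The "download, verify the download with gpg, and unpack it manually" step from the message above, as an added example that is not part of the original message or of its attached scripts. It assumes the signing key has been saved to a file and that its primary-key fingerprint was obtained from a trusted source; the file names, the fingerprint argument and the sample status text are placeholders constructed for illustration.

```sh
#!/bin/sh
# Added example: check a detached OpenPGP signature against a pinned
# primary-key fingerprint before unpacking. File names are placeholders.

# Constructed sample of `gpg --status-fd` output (not from a real release):
# the signature was made by subkey BBBB... belonging to primary key AAAA...
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG BBBB1111BBBB1111 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111 2022-08-31 1661962980 0 4 0 1 10 00 AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000'

# True only if the status text in $1 has a VALIDSIG line whose last field
# (the primary-key fingerprint) equals $2. Release files are often signed
# with a subkey, so the first fingerprint on the line is not the one to pin.
status_has_validsig() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !ok }'
}

# verify_download KEYFILE TARBALL SIGFILE PINNED_FPR
# Uses a throwaway keyring holding only KEYFILE, so no unrelated key in the
# user's own keyring can satisfy the check.
verify_download() {
    status=
    tmp=$(mktemp -d) || return 1
    gpg --homedir "$tmp" --batch --quiet --import "$1" 2>/dev/null &&
        status=$(gpg --homedir "$tmp" --batch --status-fd 1 \
                     --verify "$3" "$2" 2>/dev/null)
    rc=$?
    rm -rf "$tmp"
    # Both conditions are required: gpg exited 0 and the pinned key signed.
    [ "$rc" -eq 0 ] && status_has_validsig "$status" "$4"
}

# Usage: sh verify.sh KEYFILE TARBALL SIGFILE PINNED_FPR
if [ "$#" -eq 4 ]; then
    if verify_download "$@"; then
        echo "signature OK, unpacking" && tar -xf "$2"
    else
        echo "signature check FAILED, not unpacking" >&2
        exit 1
    fi
fi
```
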
