unofficial mirror of help-guix@gnu.org 
* Tor
@ 2020-09-17 12:32 Rasa Gulla via
  2020-09-17 13:15 ` Tor Julien Lepiller
  0 siblings, 1 reply; 21+ messages in thread
From: Rasa Gulla via @ 2020-09-17 12:32 UTC (permalink / raw)
  To: help-guix@gnu.org

How can I use tor in guixsd?

Sent with [ProtonMail](https://protonmail.com) Secure Email.


* Re: Tor
  2020-09-17 12:32 Tor Rasa Gulla via
@ 2020-09-17 13:15 ` Julien Lepiller
  2020-09-17 13:18   ` Tor Rasa Gulla
  0 siblings, 1 reply; 21+ messages in thread
From: Julien Lepiller @ 2020-09-17 13:15 UTC (permalink / raw)
  To: Rasa Gulla, Rasa Gulla via, help-guix@gnu.org

Hi Rasa,

To enable tor in the Guix System, you must first modify your configuration to add a tor-service-type, see the manual for more explanations: https://guix.gnu.org/manual/devel/en/html_node/Networking-Services.html#Networking-Service

The service is already enabled and running if you selected it during installation. Otherwise, edit your /etc/config.scm to add it, and run "guix system reconfigure /etc/config.scm" to enable the new service.

Once the tor service is running, point your applications to it by configuring them to use the socksv5 proxy on localhost, port 9050. For icecat that's in the network settings, proxy settings. You should also check "proxy DNS queries through socksv5" (or similar) to prevent leaks. You can also use torsocks for applications that don't support socksv5 directly.

HTH!

On 17 September 2020 08:32:59 GMT-04:00, Rasa Gulla via <help-guix@gnu.org> wrote:
>How can I use tor in guixsd?
>
>Sent with [ProtonMail](https://protonmail.com) Secure Email.



* Re: Tor
  2020-09-17 13:15 ` Tor Julien Lepiller
@ 2020-09-17 13:18   ` Rasa Gulla
  0 siblings, 0 replies; 21+ messages in thread
From: Rasa Gulla @ 2020-09-17 13:18 UTC (permalink / raw)
  To: Julien Lepiller; +Cc: Rasa Gulla via

Hi

> To enable tor in the Guix System, you must first modify your configuration to add a tor-service-type, see the manual for more explanations: https://guix.gnu.org/manual/devel/en/html_node/Networking-Services.html#Networking-Service
>
> The service is already enabled and running if you selected it during installation. Otherwise, edit your /etc/config.scm to add it, and run "guix system reconfigure /etc/config.scm" to enable the new service.
>
> Once the tor service is running, point your applications to it by configuring them to use the socksv5 proxy on localhost, port 9050. For icecat that's in the network settings, proxy settings. You should also check "proxy DNS queries through socksv5" (or similar) to prevent leaks. You can also use torsocks for applications that don't support socksv5 directly.

Thank you.



* tor
@ 2022-08-28 10:52 Gottfried
  2022-08-28 12:09 ` tor Csepp
  0 siblings, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-08-28 10:52 UTC (permalink / raw)
  To: help-guix



Hi Guixers,

I installed "tor".

Do I also need "tor-client" and "torsocks"?

I don't know what they are for.

I don't want to have too many packages, so if I don't need them to run 
tor, I can uninstall them.

Gottfried


* Re: tor
  2022-08-28 10:52 tor Gottfried
@ 2022-08-28 12:09 ` Csepp
  2022-08-29 14:19   ` tor Gottfried
  0 siblings, 1 reply; 21+ messages in thread
From: Csepp @ 2022-08-28 12:09 UTC (permalink / raw)
  To: Gottfried; +Cc: help-guix


Gottfried <gottfried@posteo.de> writes:

> [[PGP Signed Part:Undecided]]
> Hi Guixers,
>
> I installed "tor".
>
> Do I also need "tor-client" and "torsocks"?
>
> I don't know what they are for.
>
> I don't want to have too many packages, so if I don't need them to run
> tor, I can uninstall them.
>
> Gottfried
>
> [2. OpenPGP public key --- application/pgp-keys; OpenPGP_0x61FAF349C9FB7F94.asc]...
>
> [[End of PGP Signed Part]]

You can just use tor and set your browser or whatever to use it as a
proxy.  Torsocks mostly does the same thing.  Kind of.  (Not really.)

Word of warning: if you want to stay anonymous, you should use Tor
Browser or Tails.  Icecat is a bad choice, it has few users and its
developers added some custom code that makes it very easy to figure out
you aren't running vanilla Firefox.



* Re: tor
  2022-08-28 12:09 ` tor Csepp
@ 2022-08-29 14:19   ` Gottfried
  2022-08-30 10:54     ` tor Csepp
  0 siblings, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-08-29 14:19 UTC (permalink / raw)
  To: Csepp, help-guix



> Word of warning: if you want to stay anonymous, you should use Tor
>> Browser or Tails.  Icecat is a bad choice, it has few users and its
>> developers added some custom code that makes it very easy to figure out
>> you aren't running vanilla Firefox.

As far as I understand it:

How can I use Tor Browser or Tails in Guix?

I would have to use Tails through a usb-stick, without installing it on 
the harddisk - am I right?

How could I use Tor Browser with Guix?

Gottfried


On 28.08.22 at 14:09, Csepp wrote:
> 
> Gottfried <gottfried@posteo.de> writes:
> 
>> [[PGP Signed Part:Undecided]]
>> Hi Guixers,
>>
>> I installed "tor".
>>
>> Do I also need "tor-client" and "torsocks"?
>>
>> I don't know what they are for.
>>
>> I don't want to have too many packages, so if I don't need them to run
>> tor, I can uninstall them.
>>
>> Gottfried
>>
>> [2. OpenPGP public key --- application/pgp-keys; OpenPGP_0x61FAF349C9FB7F94.asc]...
>>
>> [[End of PGP Signed Part]]
> 
> You can just use tor and set your browser or whatever to use it as a
> proxy.  Torsocks mostly does the same thing.  Kind of.  (Not really.)
> 
> Word of warning: if you want to stay anonymous, you should use Tor
> Browser or Tails.  Icecat is a bad choice, it has few users and its
> developers added some custom code that makes it very easy to figure out
> you aren't running vanilla Firefox.




* Re: tor
  2022-08-29 14:19   ` tor Gottfried
@ 2022-08-30 10:54     ` Csepp
  2022-08-30 18:32       ` tor Gottfried
  0 siblings, 1 reply; 21+ messages in thread
From: Csepp @ 2022-08-30 10:54 UTC (permalink / raw)
  To: Gottfried; +Cc: Csepp, help-guix


Gottfried <gottfried@posteo.de> writes:

> [[PGP Signed Part:Undecided]]
>> Word of warning: if you want to stay anonymous, you should use Tor
>>> Browser or Tails.  Icecat is a bad choice, it has few users and its
>>> developers added some custom code that makes it very easy to figure out
>>> you aren't running vanilla Firefox.
>
> As far as I understand it:
>
> How can I use Tor Browser or Tails in Guix?
>
> I would have to use Tails through a usb-stick, without installing it
> on the harddisk - am I right?
>
> How could I use Tor Browser with Guix?
>
> Gottfried
>
>
> On 28.08.22 at 14:09, Csepp wrote:
>> Gottfried <gottfried@posteo.de> writes:
>> 
>>> [[PGP Signed Part:Undecided]]
>>> Hi Guixers,
>>>
>>> I installed "tor".
>>>
>>> Do I also need "tor-client" and "torsocks"?
>>>
>>> I don't know what they are for.
>>>
>>> I don't want to have too many packages, so if I don't need them to run
>>> tor, I can uninstall them.
>>>
>>> Gottfried
>>>
>>> [2. OpenPGP public key --- application/pgp-keys; OpenPGP_0x61FAF349C9FB7F94.asc]...
>>>
>>> [[End of PGP Signed Part]]
>> You can just use tor and set your browser or whatever to use it as a
>> proxy.  Torsocks mostly does the same thing.  Kind of.  (Not really.)
>> Word of warning: if you want to stay anonymous, you should use Tor
>> Browser or Tails.  Icecat is a bad choice, it has few users and its
>> developers added some custom code that makes it very easy to figure out
>> you aren't running vanilla Firefox.
>
>
> [2. OpenPGP public key --- application/pgp-keys; OpenPGP_0x61FAF349C9FB7F94.asc]...
>
> [[End of PGP Signed Part]]

Tails itself has docs on how you can use it, Guix doesn't matter in that
case.
For Tor Browser, your best bets are containers of some sort.  I have
Arch and Debian chroots for running software that Guix can't run yet.
Maybe it has a Flatpak?  I think there might be some info on the mailing
list about running it, I know I've seen others discuss it.

Personally, I use Tails from a USB stick, it's the most secure of all
the alternatives.



* Re: tor
  2022-08-30 10:54     ` tor Csepp
@ 2022-08-30 18:32       ` Gottfried
  2022-08-31 16:23         ` tor Denis 'GNUtoo' Carikli
  2022-09-01 14:27         ` tor Denis 'GNUtoo' Carikli
  0 siblings, 2 replies; 21+ messages in thread
From: Gottfried @ 2022-08-30 18:32 UTC (permalink / raw)
  To: Csepp, help-guix



As far as I understand you I can delete the package:
tor-client and tor-socks, because I have tor installed.
Am I right?

I checked the Archive, but I didn't find useful information for me.
Maybe I overread it.

It is too difficult for me to use chroots in Guix System
because I don't know how to set it up.

I also don't know at the moment how to use a container in Guix.

I checked the web and Tor-Browser has a Flatpak, but I don't know how to 
install it in Guix, maybe too difficult for me at the moment.

So Tails from the usb-stick is the better solution, if I need it.

Gottfried


> For Tor Browser, your best bets are containers of some sort.  I have
> Arch and Debian chroots for running software that Guix can't run yet.
> Maybe it has a Flatpak?  I think there might be some info on the mailing
> list about running it, I know I've seen others discuss it.
> 
> Personally, I use Tails from a USB stick, it's the most secure of all
> the alternatives.




* Re: tor
  2022-08-30 18:32       ` tor Gottfried
@ 2022-08-31 16:23         ` Denis 'GNUtoo' Carikli
  2022-09-01 13:59           ` tor Denis 'GNUtoo' Carikli
  2022-09-01 14:27         ` tor Denis 'GNUtoo' Carikli
  1 sibling, 1 reply; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-08-31 16:23 UTC (permalink / raw)
  To: Gottfried; +Cc: Csepp, help-guix



On Tue, 30 Aug 2022 18:32:26 +0000
Gottfried <gottfried@posteo.de> wrote:

> It is too difficult for me to use chroots in Guix System
> because I don't know how to set it up.
For chrooting I use the scripts I attached. 

So far both scripts work for graphical applications. I've no idea if
sound works or not though. 

One limitation of the scripts is that I had to use the same username
and/or uid/gid inside and outside of the chroot. Otherwise the
graphical applications don't run.

As for creating the rootfs to chroot in, we need better support for it
in Guix, especially to add more FSDG compliant distributions.

So far PureOS "amber" is probably the only FSDG compliant option there
is.

After installing debootstrap, the following command should create an
extremely basic rootfs in the /path/to/rootfs/directory directory:
> sudo debootstrap amber /path/to/rootfs/directory \
> https://repo.puri.sm/pureos

You then need to do some low level configuration manually (like
explained in 'man debootstrap'). The Debian installation manual has
more information on that[1] and since PureOS is based on Debian, most of
the information can be reused. 

The security isn't ideal since we lack a pureos keyring but it uses
https so it should be good enough.

As for adding Trisquel and other PureOS versions to debootstrap, I've
sent a patch to debootstrap upstream[2] but nobody looked at it, so
I've no idea how to get that unblocked.

As for other distributions like Parabola, I managed to make a pacstrap
package for Guix[3], but it didn't work: it could install a rootfs but
running the post install scripts failed, probably due to it not having
the right PATH value. So far I didn't find enough time to fix that
issue though. So for now your only option within Guix is through
debootstrap.

Another option for creating a rootfs would be to boot a distribution
installer (like the Parabola command line USB installer) and actually
run pacstrap there, and then once back into Guix, chroot inside with (a
modified version) of the scripts I provided.

And as for running the tor-browser binaries directly on Guix, I've
tried that approach by installing the libraries required by the
tor-browser in Guix like libgcc and so on, and it found some of
these libraries, but not others despite having installed them, so that
didn't work.

As for the tor-browser, there is also an issue with it: in
about:addons, it points users to addons.mozilla.org which contains
nonfree addons. This is what prevents us from adding the
tor-browser-installer/launcher to (other than Guix) FSDG compliant
distributions. So once you created the chroot you'll also need to
download, verify the download with gpg, and unpack it manually.

References:
-----------
[1]https://www.debian.org/releases/stable/amd64/apds03.en.html
[2]https://salsa.debian.org/installer-team/debootstrap/-/merge_requests/60
[3]https://framagit.org/GNUtoo/guix/-/commits/archlinux/

Denis.

[-- Attachment #1.2: parabola32-chroot.sh --]
[-- Type: application/x-shellscript, Size: 1322 bytes --]

[-- Attachment #1.3: trisquel9-chroot.sh --]
[-- Type: application/x-shellscript, Size: 1335 bytes --]


* Re: tor
  2022-08-31 16:23         ` tor Denis 'GNUtoo' Carikli
@ 2022-09-01 13:59           ` Denis 'GNUtoo' Carikli
  2022-09-02 18:31             ` tor Gottfried
  0 siblings, 1 reply; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-09-01 13:59 UTC (permalink / raw)
  To: Gottfried; +Cc: Csepp, help-guix


On Wed, 31 Aug 2022 18:23:54 +0200
Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> wrote:
> As for creating the rootfs to chroot in, we need better support for it
> in Guix, especially to add more FSDG compliant distributions.
> 
> So far PureOS "amber" is probably the only FSDG compliant option there
> is.
> 
> After installing debootstrap, the following command should create an
> extremely basic rootfs in the /path/to/rootfs/directory directory:
> > sudo debootstrap amber /path/to/rootfs/directory \
> > https://repo.puri.sm/pureos
> 
> You then need to do some low level configuration manually (like
> explained in 'man debootstrap'). The Debian installation manual has
> more information on that[1] and since PureOS is based on Debian, most
> of the information can be reused.
Another option would be to find how to dual boot between two GNU/Linux
distributions (like Guix and Trisquel) and use the (Trisquel) graphical
installer to do the installation. The issue here is to make sure not to
erase your existing distribution (Guix) during the installation as it
is easy enough to make the mistake.

Yet another way would be to use a virtual machine software like
gnome-boxes or virt-manager to install another GNU/Linux distribution
inside and use the tor-browser in that.

To make virt-manager (and probably gnome-boxes) work you also need to
add something like this in your service list in the system.scm:
> (service libvirt-service-type
>          (libvirt-configuration))

There is a big quantity of options, so try to pick the one that looks
easier for you.

Denis.


* Re: tor
  2022-08-30 18:32       ` tor Gottfried
  2022-08-31 16:23         ` tor Denis 'GNUtoo' Carikli
@ 2022-09-01 14:27         ` Denis 'GNUtoo' Carikli
  2022-09-01 17:35           ` tor Gottfried
  2022-11-05  0:29           ` tor Denis 'GNUtoo' Carikli
  1 sibling, 2 replies; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-09-01 14:27 UTC (permalink / raw)
  To: Gottfried; +Cc: Csepp, help-guix


On Tue, 30 Aug 2022 18:32:26 +0000
Gottfried <gottfried@posteo.de> wrote:

> As far as I understand you I can delete the package:
> tor-client and tor-socks, because I have tor installed.
> Am I right?
tor is just a daemon that somehow connects your machine to the
tor-network but it doesn't automatically route any traffic through that
network.

And to start it you either need to run it manually or configure it in
your list of services in your system.scm with something that looks like
that:
>(service tor-service-type
>         (tor-configuration))

The tor-client only contains some utilities that are not very
interesting.

As for torsocks, it's an application to enable other applications to
route their traffic through Tor, but in an extremely unreliable way.

The Tor project documentation has been advising people not to rely on
torsocks because some of the times it doesn't work at all and the
application doesn't use Tor at all, even with torsocks.

And in many cases, with torsocks, very important private information
(like DNS queries) do not go through the Tor network.

The alternative is to configure each application to talk to the tor
daemon through the socks5 protocol.

And even that is not perfect because if you do that with a browser, the
browser will still not be anonymous because of browser fingerprinting.
But at least your location will be hidden which is already something
good.

Tails works by preventing almost all applications from accessing the
Internet directly, and they are configured for using the Tor daemon.

So if there is any application misbehaving, it's not that problematic
because the only way the applications can send data is through Tor.

To have something like that in Guix we would need to package the ferm
firewall tool Tails used to implement this, and have users adapt the
Tails ferm configuration for their usage and/or enable users to use a
default configuration that is very restrictive (and so doesn't work for
everybody).

I've managed to relatively easily reproduce something like that on
Parabola (because ferm is packaged there), but not yet to have a fully
functional system with it because I didn't manage yet to run the
tor-browser as another user yet, which is required for that setup to
work.

The issue is that we obviously need to put more resources on things
like that (by funding the tor-project, having more people work on that,
etc), but resources are also not easy to find.

Denis.
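
Added example, not part of the thread: the SOCKS5 CONNECT request from RFC 1928, showing why the "proxy DNS queries through socksv5" setting mentioned earlier in the thread and the per-application socks5 setup described in the message above matter. A hostname sent with address type 0x03 is resolved by tor, while an IP address type means the client did its own lookup first; the function names and sample destinations are constructed for illustration.

```python
"""SOCKS5 CONNECT requests (RFC 1928): who resolves the destination name?

Added illustration; helper names and sample destinations are constructed.
"""
import ipaddress
import struct

SOCKS5 = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
ADDR_SIZES = {ATYP_IPV4: 4, ATYP_IPV6: 16}


def build_connect(host, port):
    """Build the request a client sends to the proxy (e.g. tor on localhost:9050).

    A name is sent as-is (ATYP 0x03), so the proxy resolves it. An IP literal
    (ATYP 0x01/0x04) means any DNS lookup already happened on the client side.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must encode to 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(request):
    """Decode a CONNECT request into (destination, port, resolver)."""
    if len(request) < 7 or request[0] != SOCKS5 or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        start, size = 5, request[4]      # one length byte, then the name
    elif atyp in ADDR_SIZES:
        start, size = 4, ADDR_SIZES[atyp]
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    end = start + size
    if len(request) != end + 2:          # address must be followed by a 2-byte port
        raise ValueError("length does not match address type")
    raw = request[start:end]
    if atyp == ATYP_DOMAIN:
        dest, resolver = raw.decode("ascii", "replace"), "proxy"
    else:
        dest, resolver = str(ipaddress.ip_address(raw)), "client"
    (port,) = struct.unpack("!H", request[end:])
    return dest, port, resolver


def dns_leak_candidates(requests):
    """Return destinations that reached the proxy already resolved to an IP.

    These are candidates only: an address the user typed as a literal also
    arrives this way without any DNS lookup having taken place.
    """
    parsed = (parse_connect(r) for r in requests)
    return [dest for dest, _port, resolver in parsed if resolver == "client"]


# Constructed sample: the same kind of connection requested two ways.
SAMPLE = [
    build_connect("example.org", 443),   # name handed to the proxy
    build_connect("192.0.2.10", 443),    # client looked the name up first
]

if __name__ == "__main__":
    for req in SAMPLE:
        print(req.hex(), parse_connect(req))
    print("check these:", dns_leak_candidates(SAMPLE))
```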


* Re: tor
  2022-09-01 14:27         ` tor Denis 'GNUtoo' Carikli
@ 2022-09-01 17:35           ` Gottfried
  2022-09-01 23:35             ` tor Denis 'GNUtoo' Carikli
  2022-11-05  0:29           ` tor Denis 'GNUtoo' Carikli
  1 sibling, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-09-01 17:35 UTC (permalink / raw)
  To: Denis 'GNUtoo' Carikli, help-guix



Hi Denis,

Thanks very much for your explanation. I am understanding a bit more.

The best would be to run Guix System and to use Tor browser in it, if 
needed.

I have already
  (service tor-service-type) in my config.scm and Tor runs inside Icecat.

I have installed
Guix System,
GNUinOS
and Ubuntu (Ubuntu was installed when I bought the laptop, but I don't 
use it, for safety reasons I left it).

So in my case:
to use the Tor browser itself, as far as I understand it right now would 
be to use a virtual machine software and in it to install Tails.
Is that possible?

Because then Tails has already safety measures and hopefully Guix is 
going to develop in future something to use the Tor browser somehow.

Gottfried


On 01.09.22 at 16:27, Denis 'GNUtoo' Carikli wrote:
> On Tue, 30 Aug 2022 18:32:26 +0000
> Gottfried <gottfried@posteo.de> wrote:
> 
>> As far as I understand you I can delete the package:
>> tor-client and tor-socks, because I have tor installed.
>> Am I right?
> tor is just a daemon that somehow connects your machine to the
> tor-network but it doesn't automatically route any traffic through that
> network.
> 
> And to start it you either need to run it manually or configure it in
> your list of services in your system.scm with something that looks like
> that:
>> (service tor-service-type
>>          (tor-configuration))
> 
> The tor-client only contains some utilities that are not very
> interesting.
> 
> As for torsocks, it's an application to enable other applications to
> route their traffic through Tor, but in an extremely unreliable way.
> 
> The Tor project documentation has been advising people not to rely on
> torsocks because some of the times it doesn't work at all and the
> application doesn't use Tor at all, even with torsocks.
> 
> And in many cases, with torsocks, very important private information
> (like DNS queries) do not go through the Tor network.
> 
> The alternative is to configure each application to talk to the tor
> daemon through the socks5 protocol.
> 
> And even that is not perfect because if you do that with a browser, the
> browser will still not be anonymous because of browser fingerprinting.
> But at least your location will be hidden which is already something
> good.
> 
> Tails works by preventing almost all applications from accessing the
> Internet directly, and they are configured for using the Tor daemon.
> 
> So if there is any application misbehaving, it's not that problematic
> because the only way the applications can send data is through Tor.
> 
> To have something like that in Guix we would need to package the ferm
> firewall tool Tails used to implement this, and have users adapt the
> Tails ferm configuration for their usage and/or enable users to use a
> default configuration that is very restrictive (and so doesn't work for
> everybody).
> 
> I've managed to relatively easily reproduce something like that on
> Parabola (because ferm is packaged there), but not yet to have a fully
> functional system with it because I didn't manage yet to run the
> tor-browser as another user yet, which is required for that setup to
> work.
> 
> The issue is that we obviously need to put more resources on things
> like that (by funding the tor-project, having more people work on that,
> etc), but resources are also not easy to find.
> 
> Denis.



* Re: tor
  2022-09-01 17:35           ` tor Gottfried
@ 2022-09-01 23:35             ` Denis 'GNUtoo' Carikli
  0 siblings, 0 replies; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-09-01 23:35 UTC (permalink / raw)
  To: Gottfried; +Cc: help-guix


On Thu,  1 Sep 2022 17:35:57 +0000
Gottfried <gottfried@posteo.de> wrote:

> Hi Denis,
Hi,

> The best would be to run Guix System and to use Tor browser in it, if 
> needed.
It probably can be done somehow, as there are external repositories for
installing nonfree software on top of Guix, and so there are already
known methods for installing software without modifying it much.

So maybe it could be adapted to the tor-browser, and somehow generate
an FSDG compliant version of the tor-browser out of it by removing
or changing the text that refers to the nonfree addons repository ("Get
extensions and themes on addons.mozilla.org").

Before it was harder as the addons repository was more tightly
integrated into the tor-browser so the risk of removing the anonymity
was bigger.

In the past, I've looked for tor-browser unofficial packages for Guix
but I didn't find people who did the work, but maybe I missed it.

Sadly I have neither the time nor the knowledge to do a work like
that.

> So in my case:
> to use the Tor browser itself, as far as I understand it right now
> would be to use a virtual machine software and in it to install Tails.
> Is that possible?
Yes, that might be the easiest way to get it working on your computer.

> Because then Tails has already safety measures and hopefully Guix is 
> going to develop in future something to use the Tor browser somehow.
In the case of either Tails or the tor-browser, people typically use
the latest version, and there are 3 security levels in the Tor-browser
so we end up with about 6 identifiable configurations.

This is because Tails adds some ad blocker to their version of the Tor
Browser, and ad-blockers can be distinguished. So you've got 2
possibilities, multiplied by the 3 security levels.

And with many users, a lot of people are in each of these 6 identifiable
configurations, so it's not possible to easily identify people.

The issue is that Guix requires the Guix official packages to
be built from Guix.

That would require the tor-browser to be built within Guix, and if for
some reason there is a way to differentiate the Guix tor-browser and
that not enough people use it, then the anonymity it is supposed to
provide is gone. And the fact that Guix has updates all the time could
potentially make that even worse as users could be scattered around a
lot of different build versions.

So it might actually be safer to not try to add a tor-browser package
directly in Guix but either to do it outside of Guix (like in an
external repository/channel) or package in Guix something like a
tor-browser installer/launcher that downloads and patches the
tor-browser for FSDG compliance, and does some setup to be able to run
that in Guix.

Another option would be to somehow convince the tor-project to package
the tor-browser in Guix and use a specific Guix revision to do the
official releases. But that would probably require someone with a lot
of time and/or funding to do that work, and that would also require the
tor-project to have more funding to be able to spend time to actually
review that work.

Denis.


* Re: tor
  2022-09-01 13:59           ` tor Denis 'GNUtoo' Carikli
@ 2022-09-02 18:31             ` Gottfried
  2022-09-21  9:52               ` tor Gottfried
  0 siblings, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-09-02 18:31 UTC (permalink / raw)
  To: Denis 'GNUtoo' Carikli, help-guix



Hi Denis,

Before I am changing something, I prefer to ask in order not to make 
mistakes.

> To make virt-manager (and probably gnome-boxes) work you also need to
>> add something like this in your service list in the system.scm:
>>> (service libvirt-service-type
>>>          (libvirt-configuration))
>> 

In the manual it says:

(service libvirt-service-type
          (libvirt-configuration
           (unix-sock-group "libvirt")
           (tls-port "16555")))


I installed "virt-manager".
Now I have to add it to my config.scm file.
The question is where and what?


I would add it as the last of services:

(services
     (append
       (list (service mate-desktop-service-type)
             (service enlightenment-desktop-service-type)
                         (service cups-service-type
                                 (cups-configuration
                                         (web-interface? #t)
                                         (extensions (list cups-filters 
hplip))))
                         (service openssh-service-type)
             (service tor-service-type)
             (set-xorg-configuration
               (xorg-configuration
                 (keyboard-layout keyboard-layout))))
	    (service libvirt-service-type
                      (libvirt-configuration
Now the question would be where go the brackets and if I have to add 
something to the 2 lines?

       (modify-services %desktop-services
         (guix-service-type
                config => (guix-configuration
                  (inherit config)
                  (extra-options (list "--gc-keep-derivations=yes" 
"--gc-keep-outputs=yes"))))
         (sane-service-type _ => sane-backends))))




On 01.09.22 at 15:59, Denis 'GNUtoo' Carikli wrote:
> On Wed, 31 Aug 2022 18:23:54 +0200
> Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> wrote:

> Yet another way would be to use a virtual machine software like
> gnome-boxes or virt-manager to install another GNU/Linux distribution
> inside and use the tor-browser in that.
> 
> To make virt-manager (and probably gnome-boxes) work you also need to
> add something like this in your service list in the system.scm:
>> (service libvirt-service-type
>>           (libvirt-configuration))
> 

> Denis.



* Re: tor
  2022-09-02 18:31             ` tor Gottfried
@ 2022-09-21  9:52               ` Gottfried
  2022-09-22 11:52                 ` tor Chris Keschnat via
  0 siblings, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-09-21  9:52 UTC (permalink / raw)
  To: Denis 'GNUtoo' Carikli, help-guix



Hi Denis,

I added the libvirt-service-type in my config.scm


  (service libvirt-service-type
            (libvirt-configuration
             (unix-sock-group "libvirt")
             (tls-port "16555")))
----------------------------------------------
  (services
     (append
       (list (service mate-desktop-service-type)
             (service enlightenment-desktop-service-type)
			(service cups-service-type
				(cups-configuration
					(web-interface? #t)
					(extensions (list cups-filters hplip))))			
			(service openssh-service-type)
             (service tor-service-type)
             (set-xorg-configuration
               (xorg-configuration
                (keyboard-layout keyboard-layout)))
             (service libvirt-service-type
                      (libvirt-configuration
                       (unix-sock-group "libvirt")
                       (tls-port "16555"))))
	
       (modify-services %desktop-services
	(guix-service-type
-------------------------------------------------

and doing a:
sudo guix system reconfigure /etc/config.scm
it gave me this message:


Backtrace:
           18 (primitive-load "/home/gfp/.config/guix/current/bin/guix")
In guix/ui.scm:
    2263:7 17 (run-guix . _)
   2226:10 16 (run-guix-command _ . _)
In ice-9/boot-9.scm:
   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
In guix/status.scm:
     835:3 14 (_)
     815:4 13 (call-with-status-report _ _)
In guix/scripts/system.scm:
    1276:4 12 (_)
In ice-9/boot-9.scm:
   1752:10 11 (with-exception-handler _ _ #:unwind? _ # _)
In guix/store.scm:
    656:37 10 (thunk)
    1295:8  9 (call-with-build-handler #<procedure 7fe023712ab0 at g…> …)
   2165:25  8 (run-with-store #<store-connection 256.99 7fe0205515a0> …)
In guix/scripts/system.scm:
     842:2  7 (_ _)
     719:8  6 (_ #<store-connection 256.99 7fe0205515a0>)
In gnu/system.scm:
   1276:19  5 (operating-system-derivation _)
    796:11  4 (operating-system-services #<<operating-system> kernel:…>)
    830:20  3 (services _)
In /etc/config.scm:
     38:21  2 (services #<<operating-system> kernel: #<package linux-…>)
In ice-9/boot-9.scm:
   1685:16  1 (raise-exception _ #:continuable? _)
   1685:16  0 (raise-exception _ #:continuable? _)

ice-9/boot-9.scm:1685:16: In procedure raise-exception:
Fehler/mistake: libvirt-service-type: Nicht gebundene Variable/unbound 
variable

Where are the problems?
thanks for help
Gottfried



Am 02.09.22 um 20:31 schrieb Gottfried:
> Hi Denis,
> 
> Before I am changing something, I prefer to ask in order to make not 
> mistakes.
> 
>> To make virt-manager (and probably gnome-boxes) work you also need to
>>> add something like this in your service list in the system.scm:
>>>> (service libvirt-service-type
>>>>          (libvirt-configuration))
>>>
> 
> In the manual it says:
> 
> (service libvirt-service-type
>           (libvirt-configuration
>            (unix-sock-group "libvirt")
>            (tls-port "16555")))
> 
> 
> I installed "virt-manager".
> Now I have to add it to my config.scm file.
> The question is where and what?
> 
> 
> I would add it as the last of services:
> 
> (services
>      (append
>        (list (service mate-desktop-service-type)
>              (service enlightenment-desktop-service-type)
>                          (service cups-service-type
>                                  (cups-configuration
>                                          (web-interface? #t)
>                                          (extensions (list cups-filters 
> hplip))))
>                          (service openssh-service-type)
>              (service tor-service-type)
>              (set-xorg-configuration
>                (xorg-configuration
>                  (keyboard-layout keyboard-layout))))
>          (service libvirt-service-type
>                       (libvirt-configuration
> Now the question would be where go the brackets and if I have to add 
> something to the 2 lines?
> 
>        (modify-services %desktop-services
>          (guix-service-type
>                 config => (guix-configuration
>                   (inherit config)
>                   (extra-options (list "--gc-keep-derivations=yes" 
> "--gc-keep-outputs=yes"))))
>          (sane-service-type _ => sane-backends))))
> 
> 
> 
> 
> Am 01.09.22 um 15:59 schrieb Denis 'GNUtoo' Carikli:
>> On Wed, 31 Aug 2022 18:23:54 +0200
>> Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> wrote:
> 
>> Yet another way would be to use a virtual machine software like
>> gnome-boxes or virt-manager to install another GNU/Linux distribution
>> inside and use the tor-browser in that.
>>
>> To make virt-manager (and probably gnome-boxes) work you also need to
>> add something like this in your service list in the system.scm:
>>> (service libvirt-service-type
>>>           (libvirt-configuration))
>>
> 
>> Denis.
> 


[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: tor
  2022-09-21  9:52               ` tor Gottfried
@ 2022-09-22 11:52                 ` Chris Keschnat via
  0 siblings, 0 replies; 21+ messages in thread
From: Chris Keschnat via @ 2022-09-22 11:52 UTC (permalink / raw)
  To: help-guix



Hello,
you might need to add the module.

(use-service-modules
    ....
    virtualization
    ....)


Gottfried <gottfried@posteo.de> writes:

> [[PGP Signed Part:Undecided]]
> Hi Denis,
>
> I added the libvirt-service-type in my config.scm
>
>
>  (service libvirt-service-type
>            (libvirt-configuration
>             (unix-sock-group "libvirt")
>             (tls-port "16555")))
> ----------------------------------------------
>  (services
>     (append
>       (list (service mate-desktop-service-type)
>             (service enlightenment-desktop-service-type)
>           (service cups-service-type
>               (cups-configuration
>                   (web-interface? #t)
>                   (extensions (list cups-filters hplip))))
>           (service openssh-service-type)
>             (service tor-service-type)
>             (set-xorg-configuration
>               (xorg-configuration
>                (keyboard-layout keyboard-layout)))
>             (service libvirt-service-type
>                      (libvirt-configuration
>                       (unix-sock-group "libvirt")
>                       (tls-port "16555"))))
>
>       (modify-services %desktop-services
>   (guix-service-type
> -------------------------------------------------
>
> and doing a:
> sudo guix system reconfigure /etc/config.scm
> it gave me this message:
>
>
> Backtrace:
>           18 (primitive-load "/home/gfp/.config/guix/current/bin/guix")
> In guix/ui.scm:
>    2263:7 17 (run-guix . _)
>   2226:10 16 (run-guix-command _ . _)
> In ice-9/boot-9.scm:
>   1752:10 15 (with-exception-handler _ _ #:unwind? _ # _)
> In guix/status.scm:
>     835:3 14 (_)
>     815:4 13 (call-with-status-report _ _)
> In guix/scripts/system.scm:
>    1276:4 12 (_)
> In ice-9/boot-9.scm:
>   1752:10 11 (with-exception-handler _ _ #:unwind? _ # _)
> In guix/store.scm:
>    656:37 10 (thunk)
>    1295:8  9 (call-with-build-handler #<procedure 7fe023712ab0 at g…> …)
>   2165:25  8 (run-with-store #<store-connection 256.99 7fe0205515a0> …)
> In guix/scripts/system.scm:
>     842:2  7 (_ _)
>     719:8  6 (_ #<store-connection 256.99 7fe0205515a0>)
> In gnu/system.scm:
>   1276:19  5 (operating-system-derivation _)
>    796:11  4 (operating-system-services #<<operating-system> kernel:…>)
>    830:20  3 (services _)
> In /etc/config.scm:
>     38:21  2 (services #<<operating-system> kernel: #<package linux-…>)
> In ice-9/boot-9.scm:
>   1685:16  1 (raise-exception _ #:continuable? _)
>   1685:16  0 (raise-exception _ #:continuable? _)
>
> ice-9/boot-9.scm:1685:16: In procedure raise-exception:
> Fehler/mistake: libvirt-service-type: Nicht gebundene Variable/unbound
> variable
>
> Where are the problems?
> thanks for help
> Gottfried
>
>
>
> Am 02.09.22 um 20:31 schrieb Gottfried:
>> Hi Denis,
>> Before I am changing something, I prefer to ask in order to make not
>> mistakes.
>>
>>> To make virt-manager (and probably gnome-boxes) work you also need to
>>>> add something like this in your service list in the system.scm:
>>>>> (service libvirt-service-type
>>>>>          (libvirt-configuration))
>>>>
>> In the manual it says:
>> (service libvirt-service-type
>>           (libvirt-configuration
>>            (unix-sock-group "libvirt")
>>            (tls-port "16555")))
>> I installed "virt-manager".
>> Now I have to add it to my config.scm file.
>> The question is where and what?
>> I would add it as the last of services:
>> (services
>>      (append
>>        (list (service mate-desktop-service-type)
>>              (service enlightenment-desktop-service-type)
>>                          (service cups-service-type
>>                                  (cups-configuration
>>                                          (web-interface? #t)
>>                                          (extensions (list
>> cups-filters hplip))))
>>                          (service openssh-service-type)
>>              (service tor-service-type)
>>              (set-xorg-configuration
>>                (xorg-configuration
>>                  (keyboard-layout keyboard-layout))))
>>          (service libvirt-service-type
>>                       (libvirt-configuration
>> Now the question would be where go the brackets and if I have to add
>> something to the 2 lines?
>>        (modify-services %desktop-services
>>          (guix-service-type
>>                 config => (guix-configuration
>>                   (inherit config)
>>                   (extra-options (list "--gc-keep-derivations=yes"
>> "--gc-keep-outputs=yes"))))
>>          (sane-service-type _ => sane-backends))))
>> Am 01.09.22 um 15:59 schrieb Denis 'GNUtoo' Carikli:
>>> On Wed, 31 Aug 2022 18:23:54 +0200
>>> Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org> wrote:
>>
>>> Yet another way would be to use a virtual machine software like
>>> gnome-boxes or virt-manager to install another GNU/Linux distribution
>>> inside and use the tor-browser in that.
>>>
>>> To make virt-manager (and probably gnome-boxes) work you also need to
>>> add something like this in your service list in the system.scm:
>>>> (service libvirt-service-type
>>>>           (libvirt-configuration))
>>>
>>
>>> Denis.
>>
>
> [2. OpenPGP public key --- application/pgp-keys; OpenPGP_0x61FAF349C9FB7F94.asc]...
>
> [[End of PGP Signed Part]]


^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: tor
@ 2022-09-23 16:36 Gottfried
  0 siblings, 0 replies; 21+ messages in thread
From: Gottfried @ 2022-09-23 16:36 UTC (permalink / raw)
  To: chris, help-guix


[-- Attachment #1.1.1: Type: text/plain, Size: 1897 bytes --]

> Hello,
> you might need to add the module.
> 
> (use-service-modules
>     ....
>     virtualization
>     ....)

Yes, this was the problem, thank you very much.
Gottfried




[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: tor
  2022-09-01 14:27         ` tor Denis 'GNUtoo' Carikli
  2022-09-01 17:35           ` tor Gottfried
@ 2022-11-05  0:29           ` Denis 'GNUtoo' Carikli
  2022-11-07 19:24             ` tor Gottfried
  1 sibling, 1 reply; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-11-05  0:29 UTC (permalink / raw)
  To: Gottfried; +Cc: Csepp, help-guix


[-- Attachment #1.1: Type: text/plain, Size: 2375 bytes --]

Hi again,

I had some data loss so I wasn't able to reply to this thread before.

I managed to make the tor-browser work in Guix proper, and I've
attached the script I used for that. It's hardcoded for i686 though so
it needs to be modified for x86_64.

Even if that works, there is a problematic issue: the tor-browser has a
potential freedom issue: on one hand it very strongly advises people
not to install any addons, on the other hand in "tools->Addons and
themes->Plugins", there is the following message:
> Get extensions and themes on addons.mozilla.org

And the issue is that that repository also contains nonfree addons.

If that address can get removed or changed, we could have something
where we could be sure that it is FSDG compliant, so we could probably
ship scripts like guix-tor-browser-installer for instance.

I've tried to find where that string is set in the binaries in the hope
of being able to make a dead simple sed script that would fix the
potential FSDG issue at least at installation time, but it didn't
find much:
> $ tar xf tor-browser-linux64-11.5.4_en-US.tar.xz
> $ grep addons.mozilla.org -r tor-browser_en-US
> tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt:   * Bug 10464: Remove addons.mozilla.org from NoScript whitelist
> grep: tor-browser_en-US/Browser/libxul.so: binary file matches

> $ strings tor-browser_en-US/Browser/libxul.so | \
> grep addons.mozilla.org
> addons.mozilla.org
> $http://addons.mozilla.org/ca/crl.pem0
> signingca1.addons.mozilla.org1!0
> $http://addons.mozilla.org/ca/crl.pem0N

The issue is that this domain is also used for addons updates, so we
can't simply remove it blindly. We need to only remove that string in
"tools->Addons and themes->Plugins".

The advantage of patching binaries is that we don't need to rebuild it,
so we really have the tiniest amount of change possible to make it FSDG
compliant (and we can hope that it doesn't change the tor-browser
fingerprint).

As far as I understand it should also be OK to use binaries like
that as long as we're also able to rebuild it in an FSDG distribution
somehow.

Though here the path forward is probably to dig into upstream bug
reports and see what upstream thinks about making the tor-browser FSDG
compliant and/or removing the information of where to find addons.

Denis.

[-- Attachment #1.2: tor-browser --]
[-- Type: application/octet-stream, Size: 1819 bytes --]

#!/bin/sh
# Copyright (C) 2022 Denis 'GNUtoo' Carikli <GNUtoo@cyberdimension.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.

set -e

cd ~/.local/share/torbrowser/tbb/i686/tor-browser_en-US/Browser/

# I have my Download folder somewhere else. Right now it's at
# /srv/data/Downloads on another partition. And I want tor-browser to
# use that folder for storing Downloads.
# For that to work we need to give the tor-browser write access to
# /srv/data/Downloads/. Other methods were tried but didn't work:
# - mounting /srv/data/Downloads/ to Downloads resulted in the
#   tor-browser failing to start.
# - Using --expose=/srv/data/Downloads/=${HOME}/.../Browser/Downloads
#   did not work either because Download was inaccessible. Replacing
#   --expose by share in the command above didn't change anything.
# So I ended up using --share=/srv/data/Downloads/. That requires the
# user to do the symlink manually though.
guix shell \
	--share=/srv/data/Downloads/ \
	--expose=/run/user/$(id -u)/ \
	--expose=/tmp/.X11-unix \
	--expose=/tmp/.X1-lock \
	--container \
	--emulate-fhs \
	--network \
	bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
		bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread
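
Added example (not Denis' attached script and not part of the thread): a launcher variant that picks the architecture directory from `uname -m`, derives the X11 lock file from DISPLAY, skips `--share`/`--expose` for paths that do not exist (the statfs failure reported later in the thread), and passes DISPLAY with `--preserve`. The tbb_* function names, the TBB_ROOT and TBB_DOWNLOADS variables and the run/print sub-commands are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script attached to the mail above.
# Hypothetical names: TBB_ROOT, TBB_DOWNLOADS and all tbb_* functions.

# Map `uname -m` output to the directory name used under .../tbb/.
tbb_arch() {
    case "$1" in
        x86_64|amd64) echo x86_64 ;;
        i386|i486|i586|i686) echo i686 ;;
        *) echo "tor-browser: unsupported architecture: $1" >&2; return 1 ;;
    esac
}

# X11 lock file for a DISPLAY value: ":1" and ":1.0" -> /tmp/.X1-lock.
tbb_x11_lock() {
    tbb_n=${1##*:}
    printf '/tmp/.X%s-lock\n' "${tbb_n%%.*}"
}

# Print "--KIND=PATH" only if PATH exists. `guix shell` aborts with a
# statfs error when asked to mount a path that is not there.
tbb_mount_flag() {
    if [ -e "$2" ]; then
        printf '%s=%s\n' "--$1" "$2"
    else
        echo "tor-browser: not mounting missing path: $2" >&2
    fi
}

# Print the `guix shell` arguments, one per line.
# $1 = numeric uid, $2 = DISPLAY value, $3 = optional extra download dir.
tbb_guix_args() {
    # --share is read-write, so it is used only for the download directory.
    if [ -n "$3" ]; then
        tbb_mount_flag share "$3"
    fi
    # --expose mounts read-only; the original script uses it for the
    # runtime directory and the X11 paths.
    tbb_mount_flag expose "/run/user/$1"
    tbb_mount_flag expose /tmp/.X11-unix
    tbb_mount_flag expose "$(tbb_x11_lock "$2")"
    # Environment variables do not reach the container unless preserved.
    printf '%s\n' '--preserve=^DISPLAY$' --container --emulate-fhs --network
    printf '%s\n' bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed
    printf '%s\n' -- bash -l -c ./start-tor-browser
}

# Enter the Browser directory (shared with the container as the current
# directory) and replace this process with `guix shell`.
tbb_launch() {
    tbb_dir_arch=$(tbb_arch "$(uname -m)") || return 1
    tbb_root=${TBB_ROOT:-$HOME/.local/share/torbrowser/tbb}
    cd "$tbb_root/$tbb_dir_arch/tor-browser_en-US/Browser" || return 1
    # Split the argument list on newlines only, with globbing disabled.
    tbb_old_ifs=$IFS
    IFS='
'
    set -f
    set -- $(tbb_guix_args "$(id -u)" "${DISPLAY:-:0}" "${TBB_DOWNLOADS:-}")
    set +f
    IFS=$tbb_old_ifs
    exec guix shell "$@"
}

case "${1:-}" in
    run)   tbb_launch ;;
    print) tbb_guix_args "$(id -u)" "${DISPLAY:-:0}" "${TBB_DOWNLOADS:-}" ;;
esac
```

Calling the script with `print` shows the arguments that `run` would pass to `guix shell`, so the mounts can be reviewed before the container starts.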

* Re: tor
  2022-11-05  0:29           ` tor Denis 'GNUtoo' Carikli
@ 2022-11-07 19:24             ` Gottfried
  2022-11-07 20:14               ` tor Wojtek Kosior via
  0 siblings, 1 reply; 21+ messages in thread
From: Gottfried @ 2022-11-07 19:24 UTC (permalink / raw)
  To: Denis 'GNUtoo' Carikli; +Cc: help-guix


[-- Attachment #1.1.1: Type: text/plain, Size: 9484 bytes --]

Hi Denis,

thanks for your work.

Will this be also at some stage a Guix package or everybody has to 
install it as a script?
-------------------------------------------------------------------
I did only 2 scripts in my life.
So I need help to do this one.

I did:

1. made a:
"tor-browser.sh"
through:
"touch tor-browser.sh"

2. I opened it with:
"nano tor-browser.sh"

3. I made the first line:
"#!/bin/bash"

4. to make it executable:
"chmod +x tor-browser.sh"


5. I put it into:
~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/
(this is what I understood)

6.
bash can't find it, after making it:
where is my mistake?

7. after doing

guix shell \
	--share=/srv/data/Downloads/ \
	--expose=/run/user/$(id -u)/ \
	--expose=/tmp/.X11-unix \
	--expose=/tmp/.X1-lock \
	--container \
	--emulate-fhs \
	--network \
	bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
		bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"

it downloaded 94 MB.
------------------------------------------------------------------------
gfp@Tuxedo ~$ guix shell \
         --share=/srv/data/Downloads/ \
         --expose=/run/user/$(id -u)/ \
         --expose=/tmp/.X11-unix \
         --expose=/tmp/.X1-lock \
         --container \
         --emulate-fhs \
         --network \
         bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
                 bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"
substitute: Liste der Substitute von „https://ci.guix.gnu.org“ wird aktualisiert … 100.0%
substitute: Liste der Substitute von „https://bordeaux.guix.gnu.org“ wird aktualisiert … 100.0%
85,6 MB werden heruntergeladen
  gtk%2B-3.24.30-doc  3.0MiB                     809KiB/s 00:04 [##################] 100.0%
  glibc-for-fhs-2.33-debug  19.8MiB              1.2MiB/s 00:16 [##################] 100.0%
  librsvg-2.50.7  2.6MiB                         1.0MiB/s 00:03 [##################] 100.0%
  librsvg-2.50.7-doc  47KiB                      564KiB/s 00:00 [##################] 100.0%
  librsvg-2.50.7-debug  15.9MiB                  1.5MiB/s 00:10 [##################] 100.0%
  libxt-1.2.1-doc  320KiB                        655KiB/s 00:00 [##################] 100.0%
  mozjs-91.13.0  14.5MiB                        1008KiB/s 00:15 [##################] 100.0%
  polkit-121  185KiB                             771KiB/s 00:00 [##################] 100.0%
  colord-minimal-1.4.5  712KiB                   708KiB/s 00:01 [##################] 100.0%
  gtk%2B-3.24.30  7.8MiB                         885KiB/s 00:09 [##################] 100.0%
  gtk%2B-3.24.30-bin  783KiB                     956KiB/s 00:01 [##################] 100.0%
  gtk%2B-3.24.30-debug  11.3MiB                  1.5MiB/s 00:08 [##################] 100.0%
substitute: Liste der Substitute von „https://ci.guix.gnu.org“ wird aktualisiert … 100.0%
substitute: Liste der Substitute von „https://bordeaux.guix.gnu.org“ wird aktualisiert … 100.0%
Folgende Ableitung wird erstellt:
   /gnu/store/vg7dkn3j5rmf9x7a4fg7an2ps90phv4i-profile.drv

8,3 MB werden heruntergeladen
  bash-5.1.8-doc  301KiB                         915KiB/s 00:00 [##################] 100.0%
  bash-5.1.8-include  70KiB                      459KiB/s 00:00 [##################] 100.0%
  file-5.41  349KiB                              645KiB/s 00:01 [##################] 100.0%
  gcc-12.2.0-lib  5.6MiB                         961KiB/s 00:06 [##################] 100.0%
  linux-libre-headers-5.10.35  1.1MiB            728KiB/s 00:02 [##################] 100.0%
7 Veredelungen für cups-filters-1.28.9 werden angewandt …
4 Veredelungen für harfbuzz-2.8.2 werden angewandt …
3 Veredelungen für cups-2.3.3op2 werden angewandt …
8 Veredelungen für librsvg-2.50.7 werden angewandt …
8 Veredelungen für librsvg-2.50.7 werden angewandt …
2 Veredelungen für libxt-1.2.1 werden angewandt …
4 Veredelungen für polkit-121 werden angewandt …
2 Veredelungen für python-3.9.9 werden angewandt …
8 Veredelungen für colord-minimal-1.4.5 werden angewandt …
2 Veredelungen für glib-2.70.2 werden angewandt …
19 Veredelungen für gtk+-3.24.30 werden angewandt …
3 Veredelungen für mesa-21.3.8 werden angewandt …
Zertifikatsbündel der Zertifikatsautoritäten wird erstellt …
Liste der Emacs-Unterverzeichnisse wird erzeugt …
Schriftartenverzeichnis wird erstellt …
Zwischenspeicher für GdkPixbuf-Lader wird erzeugt …
Zwischenspeicher für GLib-Schemata wird erzeugt …
Zwischenspeicher für GTK-Symbolthemen wird erzeugt …
Dateien im Zwischenspeicher für GTK-Eingabemethoden werden erstellt …
Verzeichnis von Info-Handbüchern wird erstellt …
Zwischenspeicher für XDG-Desktop-Dateien wird erzeugt …
XDG-Mime-Datenbank wird erstellt …
Profil mit 10 Paketen wird erstellt …
guix shell: Fehler: statfs: /srv/data/Downloads/: Datei oder Verzeichnis nicht gefunden

guix shell: mistake: statfs: /srv/data/Downloads/: file or directory not found.
----------------------------------------------------------------------
Where are my mistakes?
thanks

Kind regards

Gottfried



Am 05.11.22 um 01:29 schrieb Denis 'GNUtoo' Carikli:
> Hi again,
> 
> I had some data loss so I wasn't able to reply to this thread before.
> 
> I managed to make the tor-browser work in Guix proper, and I've
> attached the script I used for that. It's hardcoded for i686 though so
> it needs to be modified for x86_64.
> 
> Even if that works, there is a problematic issue: the tor-browser has a
> potential freedom issue: on one hand it very strongly advises people
> not to install any addons, on the other hand in "tools->Addons and
> themes->Plugins", there is the following message:
>> Get extensions and themes on addons.mozilla.org
> 
> And the issue is that that repository also contains nonfree addons.
> 
> If that address can get removed or changed, we could have something
> where we could be sure that it is FSDG compliant, so we could probably
> ship scripts like guix-tor-browser-installer for instance.
> 
> I've tried to find where that string is set in the binaries in the hope
> of being able to make a dead simple sed script that would fix the
> potential FSDG issue at least at installation time, but it didn't
> find much:
>> $ tar xf tor-browser-linux64-11.5.4_en-US.tar.xz
>> $ grep addons.mozilla.org -r tor-browser_en-US
>> tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt:   * Bug
>> 10464: Remove addons.mozilla.org from NoScript whitelist grep:
>> tor-browser_en-US/Browser/libxul.so: binary file matches
> 
>> $ strings tor-browser_en-US/Browser/libxul.so | \
>> grep addons.mozilla.org
>> addons.mozilla.org
>> $http://addons.mozilla.org/ca/crl.pem0
>> signingca1.addons.mozilla.org1!0
>> $http://addons.mozilla.org/ca/crl.pem0N
> 
> The issue is that this domain is also used for addons updates, so we
> can't simply remove it blindly. We need to only remove that string in
> "tools->Addons and themes->Plugins".
> 
> The advantage of patching binaries is that we don't need to rebuild it,
> so we really have the tiniest amount of change possible to make it FSDG
> compliant (and we can hope that it doesn't change the tor-browser
> fingerprint).
> 
> As far as I understand it should also also be OK to use binaries like
> that as long as we're also able to rebuild it in an FSDG distribution
> somehow.
> 
> Though here the path forward is probably to dig into upstream bug
> reports and see what upstream thinks about making the tor-browser FSDG
> compliant and/or removing the information of where to find addons.
> 
> Denis.




[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 3191 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 840 bytes --]

^ permalink raw reply	[flat|nested] 21+ messages in thread

* Re: tor
  2022-11-07 19:24             ` tor Gottfried
@ 2022-11-07 20:14               ` Wojtek Kosior via
  2022-11-07 23:19                 ` tor Denis 'GNUtoo' Carikli
  0 siblings, 1 reply; 21+ messages in thread
From: Wojtek Kosior via @ 2022-11-07 20:14 UTC (permalink / raw)
  To: Gottfried; +Cc: Denis 'GNUtoo' Carikli, help-guix

[-- Attachment #1: Type: text/plain, Size: 15098 bytes --]

> Will this be also at some stage a Guix package or everybody has to 
> install it as a script?

I understand Denis' intention is to ultimately make *the script* into a
Guix package. But it is possible to have the script look like an
application and appear in user's applications menu. So in the end
launching the Tor Browser through it wouldn't be noticeably different
from running a normal browser.

> -------------------------------------------------------------------
> I did only 2 scripts in my life.
> So I need help to do this one.
> 
> I did:
> 
> 1. made a:
> "tor-browser.sh"
> through:
> "touch tor-browser.sh"
> 
> 2. I opened it with:
> "nano tor-browser.sh"
> 
> 3. I made the first line:
> "#!/bin/bash"
> 
> 4. to make it executable:
> "chmod +x tor-browser.sh
> 
> 
> 5. I put it into:
> ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/
> (this is what I understood)

If you want to use the script Denis attached in his email, you don't
need to add the `#!/bin/bash` shebang line - there's already a
`#!/bin/sh` line in what Denis made.

Also, you don't need to put this script in the Tor Browser's
directory. Perhaps a more suitable place would be `~/.local/bin` (a
matter of convention).

> 6.
> bash can't find it, after making it:
> where is my mistake?

Shells like Bash use a special environment variable called `PATH` to
determine what directories to search for the scripts/binaries user is
trying to run. If the script's containing directory (in this case
`~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/`) is
not listed in that variable, Bash is not going to look there when it
searches for your script.

You can check current contents of the `PATH` variable by entering

    echo "$PATH"

You can add the Tor Browser directory to `PATH` for the duration of
your current shell session by entering something like

    export PATH="$HOME"/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/:"$PATH"

If you instead choose to place the script inside `~/.local/bin`, that
directory is (probably) going to be included in the `PATH` by default
(by the means of your default, auto-created shell initialization
scripts).

> 7. after doing
> 
> guix shell \
> 	--share=/srv/data/Downloads/ \
> 	--expose=/run/user/$(id -u)/ \
> 	--expose=/tmp/.X11-unix \
> 	--expose=/tmp/.X1-lock \
> 	--container \
> 	--emulate-fhs \
> 	--network \
> 	bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
> 		bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"
> 
> it downloaded 94 MB.
> ------------------------------------------------------------------------
> [...]
> 
> guix shell: mistake: statfs: /srv/data/Downloads/: file or directory not 
> found.
> ----------------------------------------------------------------------
> Where are my mistakes?

Denis explained this issue pretty thoroughly in the comment in his
script. Let me quote that

> # I have my Download folder somewhere else. Right now it's at
> # /srv/data/Downloads on another partition. And I want tor-browser to
> # use that folder for storing Downloads.
> # For that to work we need to give the tor-browser write access to
> # /srv/data/Downloads/. Other methods were tried but didn't work:
> # - mounting /srv/data/Downloads/ to Downloads resulted in the
> #   tor-browser failing to start.
> # - Using --exporse=/srv/data/Downloads/=${HOME}/.../Browser/Downloads
> #   did not work either because Download was unaccessible. Replacing
> #   --expose by share in the command above didn't change anything.
> # So I ended up using --share=/srv/data/Downloads/. That requires the
> # user to do the symlink manually though.

This means the `--share=/srv/data/Downloads/` line in Denis' script is
only appropriate if you want to store the downloads under
`/srv/data/Downloads` as he does. Otherwise it is not needed - the Tor
Browser directory (together with its `Downloads` subdir) will be shared
to the container automatically because it is seen by Guix as the
current directory (because Denis' script cd's there first).

Alternatively, you could tell Guix not to share current directory and
to just share `Downloads/`. You'd use the following extra lines

    --no-cwd \
    --share="$HOME"/.local/share/torbrowser/tbb/i686/tor-browser_en-US/Browser/ \


Although this is not related, I believe the
`export DISPLAY=${DISPLAY};` trick in the script can be replaced with
the `--preserve` option of `guix shell`. At this very moment I realized
I can also improve some code of mine this way :o

> Kind regards
> 
> Gottfried

Best,
Wojtek

-- (sig_start)
website: https://koszko.org/koszko.html
PGP: https://koszko.org/key.gpg
fingerprint: E972 7060 E3C5 637C 8A4F  4B42 4BC5 221C 5A79 FD1A

Meet Kraków saints!           #50: blessed Wincenty Kadłubek
Poznaj świętych krakowskich!  #50: błogosławiony Wincenty Kadłubek
https://pl.wikipedia.org/wiki/Wincenty_Kadłubek
-- (sig_end)


On Mon,  7 Nov 2022 19:24:14 +0000
Gottfried <gottfried@posteo.de> wrote:

> Hi Denis,
> 
> thanks for your work.
> 
> Will this be also at some stage a Guix package or everybody has to 
> install it as a script?
> -------------------------------------------------------------------
> I did only 2 scripts in my life.
> So I need help to do this one.
> 
> I did:
> 
> 1. made a:
> "tor-browser.sh"
> through:
> "touch tor-browser.sh"
> 
> 2. I opened it with:
> "nano tor-browser.sh"
> 
> 3. I made the first line:
> "#!/bin/bash"
> 
> 4. to make it executable:
> "chmod +x tor-browser.sh"
> 
> 
> 5. I put it into:
> ~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/
> (this is what I understood)
> 
> 6.
> bash can't find it, after making it:
> where is my mistake?
> 
> 7. after doing
> 
> guix shell \
> 	--share=/srv/data/Downloads/ \
> 	--expose=/run/user/$(id -u)/ \
> 	--expose=/tmp/.X11-unix \
> 	--expose=/tmp/.X1-lock \
> 	--container \
> 	--emulate-fhs \
> 	--network \
> 	bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
> 		bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"
> 
> it downloaded 94 MB.
> ------------------------------------------------------------------------
> gfp@Tuxedo ~$ guix shell \
>          --share=/srv/data/Downloads/ \
>          --expose=/run/user/$(id -u)/ \
>          --expose=/tmp/.X11-unix \
>          --expose=/tmp/.X1-lock \
>          --container \
>          --emulate-fhs \
>          --network \
>          bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
>                  bash -l -c "export DISPLAY=${DISPLAY}; ./start-tor-browser"
> substitute: Liste der Substitute von „https://ci.guix.gnu.org“ wird 
> aktualisiert … 100.0%
> substitute: Liste der Substitute von „https://bordeaux.guix.gnu.org“ 
> wird aktualisiert … 100.0%
> 85,6 MB werden heruntergeladen
>   gtk%2B-3.24.30-doc  3.0MiB                     809KiB/s 00:04 
> [##################] 100.0%
>   glibc-for-fhs-2.33-debug  19.8MiB              1.2MiB/s 00:16 
> [##################] 100.0%
>   librsvg-2.50.7  2.6MiB                         1.0MiB/s 00:03 
> [##################] 100.0%
>   librsvg-2.50.7-doc  47KiB                      564KiB/s 00:00 
> [##################] 100.0%
>   librsvg-2.50.7-debug  15.9MiB                  1.5MiB/s 00:10 
> [##################] 100.0%
>   libxt-1.2.1-doc  320KiB                        655KiB/s 00:00 
> [##################] 100.0%
>   mozjs-91.13.0  14.5MiB                        1008KiB/s 00:15 
> [##################] 100.0%
>   polkit-121  185KiB                             771KiB/s 00:00 
> [##################] 100.0%
>   colord-minimal-1.4.5  712KiB                   708KiB/s 00:01 
> [##################] 100.0%
>   gtk%2B-3.24.30  7.8MiB                         885KiB/s 00:09 
> [##################] 100.0%
>   gtk%2B-3.24.30-bin  783KiB                     956KiB/s 00:01 
> [##################] 100.0%
>   gtk%2B-3.24.30-debug  11.3MiB                  1.5MiB/s 00:08 
> [##################] 100.0%
> substitute: Liste der Substitute von „https://ci.guix.gnu.org“ wird 
> aktualisiert … 100.0%
> substitute: Liste der Substitute von „https://bordeaux.guix.gnu.org“ 
> wird aktualisiert … 100.0%
> Folgende Ableitung wird erstellt:
>    /gnu/store/vg7dkn3j5rmf9x7a4fg7an2ps90phv4i-profile.drv
> 
> 8,3 MB werden heruntergeladen
>   bash-5.1.8-doc  301KiB                         915KiB/s 00:00 
> [##################] 100.0%
>   bash-5.1.8-include  70KiB                      459KiB/s 00:00 
> [##################] 100.0%
>   file-5.41  349KiB                              645KiB/s 00:01 
> [##################] 100.0%
>   gcc-12.2.0-lib  5.6MiB                         961KiB/s 00:06 
> [##################] 100.0%
>   linux-libre-headers-5.10.35  1.1MiB            728KiB/s 00:02 
> [##################] 100.0%
> 7 Veredelungen für cups-filters-1.28.9 werden angewandt …
> 4 Veredelungen für harfbuzz-2.8.2 werden angewandt …
> 3 Veredelungen für cups-2.3.3op2 werden angewandt …
> 8 Veredelungen für librsvg-2.50.7 werden angewandt …
> 8 Veredelungen für librsvg-2.50.7 werden angewandt …
> 2 Veredelungen für libxt-1.2.1 werden angewandt …
> 4 Veredelungen für polkit-121 werden angewandt …
> 2 Veredelungen für python-3.9.9 werden angewandt …
> 8 Veredelungen für colord-minimal-1.4.5 werden angewandt …
> 2 Veredelungen für glib-2.70.2 werden angewandt …
> 19 Veredelungen für gtk+-3.24.30 werden angewandt …
> 3 Veredelungen für mesa-21.3.8 werden angewandt …
> Zertifikatsbündel der Zertifikatsautoritäten wird erstellt …
> Liste der Emacs-Unterverzeichnisse wird erzeugt …
> Schriftartenverzeichnis wird erstellt …
> Zwischenspeicher für GdkPixbuf-Lader wird erzeugt …
> Zwischenspeicher für GLib-Schemata wird erzeugt …
> Zwischenspeicher für GTK-Symbolthemen wird erzeugt …
> Dateien im Zwischenspeicher für GTK-Eingabemethoden werden erstellt …
> Verzeichnis von Info-Handbüchern wird erstellt …
> Zwischenspeicher für XDG-Desktop-Dateien wird erzeugt …
> XDG-Mime-Datenbank wird erstellt …
> Profil mit 10 Paketen wird erstellt …
> guix shell: Fehler: statfs: /srv/data/Downloads/: Datei oder Verzeichnis 
> nicht gefunden
> 
> guix shell: mistake: statfs: /srv/data/Downloads/: file or directory not 
> found.
> ----------------------------------------------------------------------
> Where are my mistakes?
> thanks
> 
> Kind regards
> 
> Gottfried
> 
> 
> 
> On 05.11.22 at 01:29, Denis 'GNUtoo' Carikli wrote:
> > Hi again,
> > 
> > I had some data loss so I wasn't able to reply to this thread before.
> > 
> > I managed to make the tor-browser work in Guix proper, and I've
> > attached the script I used for that. It's hardcoded for i686 though so
> > it needs to be modified for x86_64.
> > 
> > Even if that works, there is a problematic issue: the tor-browser has a
> > potential freedom issue: on one hand it very strongly advises people
> > not to install any addons, on the other hand in "tools->Addons and
> > themes->Plugins", there is the following message:  
> >> Get extensions and themes on addons.mozilla.org  
> > 
> > And the issue is that that repository also contains nonfree addons.
> > 
> > If that address can get removed or changed, we could have something
> > where we could be sure that it is FSDG compliant, so we could probably
> > ship scripts like guix-tor-browser-installer for instance.
> > 
> > I've tried to find where that string is set in the binaries in the hope
> > of being able to make a dead simple sed script that would fix the
> > potential FSDG issue at least at installation time, but it didn't
> > find much:  
> >> $ tar xf tor-browser-linux64-11.5.4_en-US.tar.xz
> >> $ grep addons.mozilla.org -r tor-browser_en-US
> >> tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt:   * Bug 10464: Remove addons.mozilla.org from NoScript whitelist
> >> grep: tor-browser_en-US/Browser/libxul.so: binary file matches  
> >   
> >> $ strings tor-browser_en-US/Browser/libxul.so | \
> >> grep addons.mozilla.org
> >> addons.mozilla.org
> >> $http://addons.mozilla.org/ca/crl.pem0
> >> signingca1.addons.mozilla.org1!0
> >> $http://addons.mozilla.org/ca/crl.pem0N  
> > 
> > The issue is that this domain is also used for addons updates, so we
> > can't simply remove it blindly. We need to only remove that string in
> > "tools->Addons and themes->Plugins".
> > 
> > The advantage of patching binaries is that we don't need to rebuild it,
> > so we really have the tiniest amount of change possible to make it FSDG
> > compliant (and we can hope that it doesn't change the tor-browser
> > fingerprint).
> > 
> > As far as I understand it should also be OK to use binaries like
> > that as long as we're also able to rebuild it in an FSDG distribution
> > somehow.
> > 
> > Though here the path forward is probably to dig into upstream bug
> > reports and see what upstream thinks about making the tor-browser FSDG
> > compliant and/or removing the information of where to find addons.
> > 
> > Denis.  
> 
> 
> 




* Re: tor
  2022-11-07 20:14               ` tor Wojtek Kosior via
@ 2022-11-07 23:19                 ` Denis 'GNUtoo' Carikli
  0 siblings, 0 replies; 21+ messages in thread
From: Denis 'GNUtoo' Carikli @ 2022-11-07 23:19 UTC (permalink / raw)
  To: Wojtek Kosior; +Cc: Gottfried, help-guix


On Mon, 7 Nov 2022 21:14:30 +0100
Wojtek Kosior <koszko@koszko.org> wrote:

> > Will this be also at some stage a Guix package or everybody has to 
> > install it as a script?  
> 
> I understand Denis' intention is to ultimately make *the script* into
> a Guix package. But it is possible to have the script look like an
> application and appear in user's applications menu. So in the end
> launching the Tor Browser through it wouldn't be noticeably different
> from running a normal browser.
In my case I've packaged it in my system.scm, so I can run it like
any other program.

I've not added the information (yet) about that as I thought that just
making the script work for another setup than mine would require some
work / adjustment.

As for packaging the script in Guix, the main blocker is to find a way
to make sure it is FSDG compliant.

I guess that if it is software that is already there, it should be
ok to package the current script, but I'm more interested in having
something that would download, verify, install and run the tor-browser
to make it easy for users to use.

And that for sure requires to make sure that what we download is OK
FSDG wise.

I've found that bug:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/14924

So maybe I could drop a line there to explain our issue and why
removing that text would make it ok for any FSDG distributions to
package the tor-browser launcher or similar software (like this script).

>     export PATH="$HOME"/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/:"$PATH"
> 
> If you instead choose to place the script inside `~/.local/bin`, that
> directory is (probably) going to be included in the `PATH` by default
> (by the means of your default, auto-created shell initialization
> scripts).
I used that path to make it compatible with the tor-browser launcher.

> Although this is not related, I believe the
> `export DISPLAY=${DISPLAY};` trick in the script can be replaced with
> the `--preserve` option of `guix shell`. At this very moment I
> realized I can also improve some code of mine this way :o
Thanks a lot, that could indeed make my code way cleaner.

Denis.
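
The sharing options discussed in the two messages above (`--no-cwd` with an explicit `--share`, `--preserve` for `DISPLAY`, and the `statfs` failure caused by a missing `/srv/data/Downloads/`), combined into one launcher. This is an added example, not part of the thread or of Denis' attached script; the names `TBB_DIR`, `TBB_DOWNLOADS`, `mount_arg`, `tbb_args` and `tbb_run` are assumptions.

```shell
#!/bin/sh
# Added example: minimal-sharing `guix shell` command line for Tor Browser.
# TBB_DIR, TBB_DOWNLOADS, mount_arg, tbb_args, tbb_run are hypothetical names.
TBB_DIR="${TBB_DIR:-$HOME/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser}"
TBB_DOWNLOADS="${TBB_DOWNLOADS:-}"   # optional extra download directory

# Print "FLAG=PATH" only when PATH exists: guix shell aborts with a
# statfs error when the source of --share/--expose is missing.
mount_arg() {
    if [ -e "$2" ]; then printf '%s=%s\n' "$1" "$2"
    else echo "skipping $1 for missing $2" >&2; fi
}

# Emit the guix shell options, one per line.
tbb_args() {
    echo --container
    echo --network
    echo --emulate-fhs
    echo --no-cwd                      # do not share the current directory
    echo '--preserve=^DISPLAY$'        # replaces the "export DISPLAY=..." trick
    mount_arg --share  "$TBB_DIR"      # read-write, as in the quoted --share line
    mount_arg --expose "/run/user/$(id -u)"
    mount_arg --expose /tmp/.X11-unix
    mount_arg --expose /tmp/.X1-lock
    if [ -n "$TBB_DOWNLOADS" ]; then mount_arg --share "$TBB_DOWNLOADS"; fi
}

tbb_run() {
    [ -x "$TBB_DIR/start-tor-browser" ] || {
        echo "no start-tor-browser in $TBB_DIR" >&2; return 1; }
    # Line-based splitting: paths containing newlines are not supported.
    old_ifs=$IFS; IFS='
'
    set -f; set -- $(tbb_args); set +f
    IFS=$old_ifs
    # With --no-cwd the container does not start in TBB_DIR, so cd there first.
    guix shell "$@" \
        bash coreutils dbus-glib file grep gcc:lib gtk+@3 libxt sed -- \
        bash -l -c 'cd "$1" && ./start-tor-browser' _ "$TBB_DIR"
}

# Only launch when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then tbb_run; fi
```

Run it as `sh tbb.sh --run`; set `TBB_DOWNLOADS=/srv/data/Downloads` only if that directory exists on your machine.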
