all messages for Guix-related lists mirrored at yhetil.org
From: bancfc@openmailbox.org
To: whonix-devel@whonix.org, guix-devel@gnu.org
Cc: Guix-devel <guix-devel-bounces+bancfc=openmailbox.org@gnu.org>
Subject: Re: [Whonix-devel] GNU Guix Questions
Date: Tue, 07 Mar 2017 00:59:08 +0000
Message-ID: <03855981cbbc72b0bac0b45345b19d4a@openmailbox.org>
In-Reply-To: <20170306171504.q3upjno6bzbqeeqc@abyayala>

On 2017-03-06 17:15, ng0 wrote:
> Hi bancfc,
> 

Hi ng0, great to see you here :)

> On 17-03-06 16:14:08, bancfc@openmailbox.org wrote:
>> Hi Guix devs, I am a privacy distro dev and we are looking at using
>> Guix in our OS. I have a few questions:
>> 
>> * Is the Guix package archive available from a Tor hidden service?
>> There are many advantages of updating a system over Tor such as
>> preventing a target adversary from fingerprinting and targeting hosts
>> that run vulnerable packages and protecting systems in case the
>> package manager has a security bug. Debian and Tor now provide onion
>> mirrors for their packages. Can you please consider doing the same?
> 
> As far as I know this might be discussed currently at GNU
> sysadministration level, at least that's the last info I got when I
> suggested this last week to RMS.
> There is an onion mirror which is run by another community. It doesn't
> mirror alpha.gnu.org yet (where guix binaries are located), but it
> plans to do so. I need to get in touch with the community to ask
> whether they would be okay with more bandwidth.
> Do you have an estimation on how high your usage would be for the guix
> download from the onion mirror?
> 


The amount of bandwidth is approximately the size of GNUnet x 15K 
users. Later on we will expand the selection to include Tor Browser once 
you package it - if that pans out that would be a massive achievement. 
The Torproject have discussed packaging it for years but they couldn't 
work it out because of the breakneck speed of development and the 
cumbersome process of creating Debian packages. Meanwhile anonymity 
distros were forced to come up with a workaround safe downloader 
mechanism in the absence of a package fetchable from a package manager. 
It's been a high maintenance effort over the years and a Guix package 
would finally solve this.

Another "wishlist" package would be GNU-libre kernel that includes the 
Grsecurity patchset so we can include that out of the box instead of 
requiring users to manually patch and tweak settings with every (weekly) 
new upstream release.

I realize I'm going off-topic but it's really exciting to finally find a 
better way to package things.

>> 
>> * Does Guix defend against the variety of attacks described in the TUF
>> threat model document? (described in link below) How resilient is it
>> against key compromise? (TUF was designed from the ground up to
>> provide a highly resilient and secure update framework as a drop in
>> replacement to crappy standalone updaters - a problem that's become
>> very serious for proprietary OSes. The security research and
>> implementation behind it are an excellent rubric that one can apply to
>> any updater/package manager.)
>> 
>> https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
>> 
>> 
>> * How does one set up a third-party package archive? After looking at
>> the manual I believe it's as simple as fetching source from one's git
>> repo?
>> 
>> Thanks
