From mboxrd@z Thu Jan 1 00:00:00 1970
From: Leo Famulari
Subject: Re: [contact.ng0@cryptolab.net: Re: [security-discuss] gnuradio project DoS attacks GNU wget users]
Date: Fri, 3 Mar 2017 12:50:17 -0500
Message-ID: <20170303175017.GA18261@jasmine>
References: <20170303110843.o6i4xrl2mvechkbu@abyayala>
In-Reply-To: <20170303110843.o6i4xrl2mvechkbu@abyayala>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: guix-devel@gnu.org

On Fri, Mar 03, 2017 at 11:08:43AM +0000, ng0 wrote:
> Hi,
>
> I don't like repeating myself when I have written the content before.
> So going by the message below, I'd like to change the way we provide
> download links and use the http protocol for our downloads at
> gnu.org/s/guix. Currently we only offer the ftp protocol links. The
> ports 20 and 21 are commonly blocked in the tor network by relays, that
> I was able to telnet to port 21 of alpha.gnu.org was just luck.

I'm not that familiar with Tor, so forgive me if I'm asking questions
that everyone else already knows the answer to.

Would it be enough to offer an HTTPS source for our `gnu.org/s/guix`
downloads? Would that work for Tor users? Or do we have to create an
Onion service, too? What are the pros and cons?

If the HTTPS link can be accessed reliably over Tor, I think that would
be better for us, because it would reduce the amount of Guix sysadmin
work.

> It would not fix
> the fact that we use ftp:// internally in some downloads (which breaks
> guix package --fallback when you try to torify guix), but this could
> be fixed later.

Are you talking about using FTP to download the sources of some
packages?