Re: [contact.ng0@cryptolab.net: Re: [security-discuss] gnuradio project DoS attacks GNU wget users]

[ng0 <contact.ng0@cryptolab.net>]

On 17-03-03 12:50:17, Leo Famulari wrote:
> On Fri, Mar 03, 2017 at 11:08:43AM +0000, ng0 wrote:
> > Hi,
> > 
> > I don't like repeating myself when I have written the content before.
> > So going by the message below, I'd like to change the way we provide
> > download links and use the http protocol for our downloads at
> > gnu.org/s/guix. Currently we only offer the ftp protocol links. The
> > ports 20 and 21 are commonly blocked in the tor network by relays, that
> > I was able to telnet to port 21 of alpha.gnu.org was just luck.
> 
> I'm not that familiar with Tor, so forgive me if I'm asking questions
> that everyone else already knows the answer to.

There are no unnecessary questions, I'll gladly answer.

> Would it be enough to offer an HTTPS source for our `gnu.org/s/guix`

I think what happened here is, everyone seems to miss the point of my
email. The content below is just for reference, the question was just to
change the ftp:// links to http:// .. and I just found out, to answer
your question, that https://alpha.gnu.org/ works too.

> downloads? Would that work for Tor users? Or do we have to create an
> Onion service, too?

That's being solved on sys admin level of GNU and/or FSF, at least
that's what I understand from what rms wrote further in the thread.

> What are the pros and cons?
> 
> If the HTTPS link can be accessed reliably over Tor, I think that would
> be better for us, because it would reduce the amount of Guix sysadmin
> work.

The https works. The problem I have at the moment is that the homepage
uses ftp:// as the only links for alpha.gnu.org and the signatures.
There are other uses of ftp:// in the source of the code, not the
website, which I have to look at more closely to decide what can be
changed.

> > It would not fix
> > the fact that we use ftp:// internally in some downloads (which breaks
> > guix package --fallback when you try to torify guix), but this could
> > be fixed later.
> 
> Are you talking about using FTP to download the sources of some
> packages?
> 

No, about guix daemon using guix download to fetch the sources over ftp.
I'm still working my way towards an "torified" guix, but I know that
port 21 and 20 are often (there are exceptions) blocked by tor relay
admins. This results in ftp:// download scheme not working.