From mboxrd@z Thu Jan 1 00:00:00 1970
From: ng0
Subject: Re: [contact.ng0@cryptolab.net: Re: [security-discuss] gnuradio project DoS attacks GNU wget users]
Date: Fri, 3 Mar 2017 19:32:23 +0000
Message-ID: <20170303193223.xgslovuact64wit5@abyayala>
References: <20170303110843.o6i4xrl2mvechkbu@abyayala> <20170303175017.GA18261@jasmine>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Received: from eggs.gnu.org ([2001:4830:134:3::10]:33512) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1cjrrj-0001O2-Th for guix-devel@gnu.org; Fri, 03 Mar 2017 13:23:44 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1cjrrf-0003Nr-SQ for guix-devel@gnu.org; Fri, 03 Mar 2017 13:23:43 -0500
Received: from perdizione.investici.org ([94.23.50.208]:23643) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1cjrrf-0003Mh-Is for guix-devel@gnu.org; Fri, 03 Mar 2017 13:23:39 -0500
Content-Disposition: inline
In-Reply-To: <20170303175017.GA18261@jasmine>
List-Id: "Development of GNU Guix and the GNU System distribution."
Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org
Sender: "Guix-devel"
To: Leo Famulari
Cc: guix-devel@gnu.org

On 17-03-03 12:50:17, Leo Famulari wrote:
> On Fri, Mar 03, 2017 at 11:08:43AM +0000, ng0 wrote:
> > Hi,
> >
> > I don't like repeating myself when I have written the content before.
> > So going by the message below, I'd like to change the way we provide
> > download links and use the http protocol for our downloads at
> > gnu.org/s/guix. Currently we only offer the ftp protocol links. The
> > ports 20 and 21 are commonly blocked in the tor network by relays, that
> > I was able to telnet to port 21 of alpha.gnu.org was just luck.
>
> I'm not that familiar with Tor, so forgive me if I'm asking questions
> that everyone else already knows the answer to.

There are no unnecessary questions, I'll gladly answer.

> Would it be enough to offer an HTTPS source for our `gnu.org/s/guix`

I think what happened here is, everyone seems to miss the point of my
email. The content below is just for reference, the question was just
to change the ftp:// links to http:// .. and I just found out, to answer
your question, that https://alpha.gnu.org/ works too.

> downloads? Would that work for Tor users? Or do we have to create an
> Onion service, too?

That's being solved on sys admin level of GNU and/or FSF, at least that's
what I understand from what rms wrote further in the thread.

> What are the pros and cons?
>
> If the HTTPS link can be accessed reliably over Tor, I think that would
> be better for us, because it would reduce the amount of Guix sysadmin
> work.

The https works. The problem I have at the moment is that the homepage
uses ftp:// as the only links for alpha.gnu.org and the signatures.
There are other uses of ftp:// in the source of the code, not the website,
which I have to look at more closely to decide what can be changed.

> > It would not fix
> > the fact that we use ftp:// internally in some downloads (which breaks
> > guix package --fallback when you try to torify guix), but this could
> > be fixed later.
>
> Are you talking about using FTP to download the sources of some
> packages?
>

No, about guix daemon using guix download to fetch the sources over ftp.
I'm still working my way towards a "torified" guix, but I know that port
21 and 20 are often (there are exceptions) blocked by tor relay admins.
This results in ftp:// download scheme not working.