From: "André Batista" <nandre@riseup.net>
To: Brice Waegeneire <brice@waegenei.re>
Cc: guix-devel@gnu.org
Subject: Re: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.
Date: Thu, 18 Jun 2020 11:06:11 -0300
Message-ID: <20200618140611.GA2613@andel>
In-Reply-To: <caffc11179e2be10d1606d23436db2e4@waegenei.re>


[-- Attachment #1.1: Type: text/plain, Size: 2469 bytes --]

Hello Brice,

Wed, 17 Jun 2020 at 08:37:59 (1592393879), brice@waegenei.re wrote:
> Hello André,
> 
> Thank you for the patch and your feedback!

It's me who should be thanking you!

> When writing this section of the cookbook I was worried that some
> readers would misunderstand it so I added a big warning at the
> front but it doesn't seem to be enough since you sent this mail.

Sorry to disturb you, your warning was clear enough. I've only
thought that there was room for improvement whilst there remains
the need for a proper solution to the problem at hand.

> I would like to keep the warnings at the beginning of the section
> to be sure that readers don't miss it when skimming through it.
> Any rewording of that part to make the scope of the section or
> the warnings more clear is welcome.

Attached is a new version of the previous patch which
changes the comment to the warning quote. I had previously thought
that it would be worse to inflate the warning with this comment even
more so as the section's title already mentions it's related to
substitutes.

> Note that this section is only about getting *substitutes* through
> tor and it should probably be kept that way to avoid confusing the
> user in regard to what (narrow) security benefit this configuration
> offers.

Note taken, but it seems to me that if someone is going through the
trouble of configuring guix to get substitutes through Tor, such a
person would most likely also wish to update guix through the same
network. It does nothing to fix the possible leaks when substitutes
aren't available, but it makes it clear that it's possible/advisable
in such a scenario to pull using torsocks. I don't think it misinforms
users.

> On a wider front I would prefer to have a foolproof configuration
> that route *all* guix related traffic through Tor, instead of that
> half-way setup.  Providing a way to 'torify' any service with
> something like 'make-forkexec-constructor/trosocks', as
> 'make-forkexec-constructor/container' does for containerizing a
> service, would be great[0].  A less engaged option would be to
> make 'guix-daemon' compatible with 'torsocks' since doing it so
> makes guix unusable[1].

I too would prefer it, but a half-way setup is what we have for now.
So a three-quarters-way would be an improvement though not the fix
we're in need of. I'll dig deeper and will come back to you if I make
any progress.

[-- Attachment #1.2: 0001-doc-cookbook-Update-entry-about-getting-substitutes-.patch --]
[-- Type: text/plain, Size: 1876 bytes --]

From 1d6e29dcbc5b9a8659294af033863a31526eab76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Thu, 18 Jun 2020 10:23:23 -0300
Subject: [PATCH] doc: cookbook: Update entry about getting substitutes through
 Tor.
To: guix-devel@gnu.org

* doc/guix-cookbook.texi (Getting substitutes from Tor): Update
section warning to mention the use of torsocks when pulling.
---
 doc/guix-cookbook.texi | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 1342826c97..d5a8459363 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -15,6 +15,7 @@ Copyright @copyright{} 2020 Oleg Pykhalov@*
 Copyright @copyright{} 2020 Matthew Brooks@*
 Copyright @copyright{} 2020 Marcin Karpezo@*
 Copyright @copyright{} 2020 Brice Waegeneire@*
+Copyright @copyright{} 2020 André Batista@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1799,10 +1800,16 @@ HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
 will still go through the clearnet.  Again, this configuration isn't
 foolproof some of your traffic won't get routed by Tor at all.  Use it
 at your own risk.
+
+Also note that the procedure described here applies only to package
+substitution. When you update your guix distribution with
+@command{guix pull}, you still need to use @command{torsocks} if
+you want to route the connection to guix's git repository servers
+through Tor.
 @end quotation
 
 Guix's substitute server is available as a Onion service, if you want
-to use it to get your substitutes from Tor configure your system as
+to use it to get your substitutes through Tor configure your system as
 follow:
 
 @lisp
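Review bot: In the added warning paragraph, "guix" is written in lowercase ("your guix distribution", "guix's git repository servers") while the unchanged context just below it reads "Guix's substitute server"; capitalise the project name and keep the lowercase form only inside @command{guix pull}. The new text also puts a single space after "substitution." where the neighbouring context lines use two spaces after a full stop ("clearnet.  Again", "at all.  Use"), so it should match that. Since the last changed sentence is already being touched, it could gain a comma after "through Tor", and the context around it has "a Onion service" and "as follow:", which would read better as "an Onion service" and "as follows:".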
-- 
2.26.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 841 bytes --]
