Routing Guix services traffic trough Tor

Routing Guix services traffic trough Tor

[Brice Waegeneire]

Hello Guix,

Today I played a bit with Tor and Guix, trying to fetch substitutes 
trough
the Tor network as blaze_cornbread asked on IRC[0] how to do this.  I
managed to get it working but in the end I don't think we should 
encourage
people doing it this way, that's why I haven't submitted a patch to the
cookbook for it.  Currently the only supported way to proxy traffic for
'guix-daemon' is by setting a HTTP proxy[1] the drawback is that DNS 
query
will still be in clear and wont go trough the proxy in contrast to a 
SOCKS5
proxy where the query will happen on the other side of the proxy.  So
setting guix-daemon to use tor by this mean can put people at risk when
they think that all their guix traffic go trough tor™.

A better approach would be to have a mean to "torify" services with
torsocks, it would proxy the service's traffic (DNS included) trough tor 
via
a SOCKS5 proxy. I don't know how to implement such feature tho. But a
generic method to modify a shepherd service from the configuration could
also be helpful to start service in containers based on the user need
instead of being tied to

The two following examples are **insecure** since the DNS traffic won't 
go
trough tor.  Here is a example of a system configuration:

--8<---------------cut here---------------start------------->8---
(use-modules (gnu))
(use-service-module base networking)

(operating-system
   …
   (services
     (append
       (list ((service tor-service-type
               (tor-configuration
                 (config-file (plain-file "tor-config"
                                          "HTTPTunnelPort 
127.0.0.1:9052"))))))
       (modify-services %base-services
                       (guix-service-type
                        config => (guix-configuration
                                   (http-proxy 
"http://localhost:9052")))))))
--8<---------------cut here---------------end--------------->8---

Following is an example on how to do it, in a less Guixy way, by using
privoxy; it assume a default configured tor service is already present 
on
your system..

--8<---------------cut here---------------start------------->8---
$ sudo herd start tor
Service tor has been started.
$ cat privoxy-tor.conf
forward-socks5 / localhost:9050 .
$ privoxy privoxy-tor.conf
$ sudo herd set-http-proxy guix-daemon http://localhost:8118
changing HTTP/HTTPS proxy of 'guix-daemon' to "http://localhost:8118"...
Service guix-daemon has been stopped.
Service guix-daemon has been started.
$ LANGUAGE=C guix build audacity
substitute: mise à jour des substituts depuis « https://ci.guix.gnu.org 
»... 100.0 %
The following derivation will be built:
    /gnu/store/lz209608z1lw3zbw33hyp3rsx1az2khi-audacity-2.3.3.drv
38,1 MB will be downloaded:
    /gnu/store/ssc6x6dsxz3f5b26p84d02z42lcj8p3h-lv2-1.18.0
    /gnu/store/przpq26zaj858zmyayns6i4y13hr3d32-suil-0.10.6
    /gnu/store/y74d9xvxl33vra8aq9p3ywsvc8yaz04w-portmidi-217
    /gnu/store/2xmhv8ra20bhj73d3qirqbskdpq3lsim-vamp-2.6
    /gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz
    /gnu/store/bpp52ds6g1709s2h1ln1i81hz4v7gw6h-serd-0.30.4
    /gnu/store/vwx0zf02r9vxja8rmy6vs8w81907w3bz-sord-0.16.4
    /gnu/store/0ci33f2s2bm9rwply6b47sj6vn10ybaw-sratom-0.6.4
    /gnu/store/b5liczxlxxdhf9p8s61mx21v9x7rbsbi-lilv-0.24.6
substituting 
/gnu/store/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz...
downloading from 
https://ci.guix.gnu.org/nar/1j3nhsacnqilyr4gqccfh9bzb33xvqak-audacity-2.3.3.tar.xz 
...
  audacity-2.3.3.tar.xz  35.7MiB                                          
             548KiB/s 00:02 [                  ]   3.1
--8<---------------cut here---------------end--------------->8---

If during the download of the substitutes the tor service is stopped 
with
“sudo herd stop tor” guix will stop too and complains about a network
error, as expected.  The above setup can be tweaked to proxy trough SSH
instead by doing port forwarding trough SOCKS “ssh -D 8008 my-host” 
(don't
forget to adjust the privoxy config for the port you are forwarding).

PS: Do not try to modify the shepherd guix-daemon service to use 
torsocks
or you'll wont be able to reconfigure, switch-generation or rollback: 
“guix
system: error: while setting up the build environment: cannot open IP
socket: Operation not permitted”.

PPS: The substitutes server are available trough tor
“--substitute-urls=http://bp7o7ckwlewr4slm.onion”.

[0]: http://logs.guix.gnu.org/guix/2020-05-12.log#093952
[1]: 
https://guix.gnu.org/manual/devel/en/html_node/Proxy-Settings.html#Proxy-Settings

- Brice

Re: Routing Guix services traffic trough Tor

[Ludovic Courtès]

Hi Brice,

Brice Waegeneire <brice@waegenei.re> skribis:

> Today I played a bit with Tor and Guix, trying to fetch substitutes 
> trough
> the Tor network as blaze_cornbread asked on IRC[0] how to do this.  I
> managed to get it working but in the end I don't think we should 
> encourage
> people doing it this way, that's why I haven't submitted a patch to the
> cookbook for it.  Currently the only supported way to proxy traffic for
> 'guix-daemon' is by setting a HTTP proxy[1] the drawback is that DNS 
> query
> will still be in clear and wont go trough the proxy in contrast to a 
> SOCKS5
> proxy where the query will happen on the other side of the proxy.

I don’t think that’s the case: when an HTTP proxy is in use, clients
make a CONNECT or GET HTTP request to the proxy, which resolves the host
name on their behalf.  That’s why you can pass
‘--substitute-urls=http://bp7o7ckwlewr4slm.onion’ and it Just Works.

So I think you message could make a great section in the cookbook.  :-)

Thanks,
Ludo’.

Re: Routing Guix services traffic trough Tor

[Brice Waegeneire]

On 2020-05-17 22:33, Ludovic Courtès wrote:
> Hi Brice,
> 
> Brice Waegeneire <brice@waegenei.re> skribis:
> 
>> Today I played a bit with Tor and Guix, trying to fetch substitutes
>> trough
>> the Tor network as blaze_cornbread asked on IRC[0] how to do this.  I
>> managed to get it working but in the end I don't think we should
>> encourage
>> people doing it this way, that's why I haven't submitted a patch to 
>> the
>> cookbook for it.  Currently the only supported way to proxy traffic 
>> for
>> 'guix-daemon' is by setting a HTTP proxy[1] the drawback is that DNS
>> query
>> will still be in clear and wont go trough the proxy in contrast to a
>> SOCKS5
>> proxy where the query will happen on the other side of the proxy.
> 
> I don’t think that’s the case: when an HTTP proxy is in use, clients
> make a CONNECT or GET HTTP request to the proxy, which resolves the 
> host
> name on their behalf.  That’s why you can pass
> ‘--substitute-urls=http://bp7o7ckwlewr4slm.onion’ and it Just Works.
> 
> So I think you message could make a great section in the cookbook.  :-)
> 
> Thanks,
> Ludo’.

Re: Routing Guix services traffic trough Tor

[Ludovic Courtès]

Hey Brice, I think you forgot to type your reply below.  :-)

Ludo’.

Brice Waegeneire <brice@waegenei.re> skribis:

> On 2020-05-17 22:33, Ludovic Courtès wrote:
>> Hi Brice,
>>
>> Brice Waegeneire <brice@waegenei.re> skribis:
>>
>>> Today I played a bit with Tor and Guix, trying to fetch substitutes
>>> trough
>>> the Tor network as blaze_cornbread asked on IRC[0] how to do this.  I
>>> managed to get it working but in the end I don't think we should
>>> encourage
>>> people doing it this way, that's why I haven't submitted a patch to
>>> the
>>> cookbook for it.  Currently the only supported way to proxy traffic
>>> for
>>> 'guix-daemon' is by setting a HTTP proxy[1] the drawback is that DNS
>>> query
>>> will still be in clear and wont go trough the proxy in contrast to a
>>> SOCKS5
>>> proxy where the query will happen on the other side of the proxy.
>>
>> I don’t think that’s the case: when an HTTP proxy is in use, clients
>> make a CONNECT or GET HTTP request to the proxy, which resolves the
>> host
>> name on their behalf.  That’s why you can pass
>> ‘--substitute-urls=http://bp7o7ckwlewr4slm.onion’ and it Just Works.
>>
>> So I think you message could make a great section in the cookbook.  :-)
>>
>> Thanks,
>> Ludo’.

[PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

[Brice Waegeneire]

* doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
---
 doc/guix-cookbook.texi | 55 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 5574a60857..83abc704ca 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -14,6 +14,7 @@ Copyright @copyright{} 2019 Pierre Neidhardt@*
 Copyright @copyright{} 2020 Oleg Pykhalov@*
 Copyright @copyright{} 2020 Matthew Brooks@*
 Copyright @copyright{} 2020 Marcin Karpezo@*
+Copyright @copyright{} 2020 Brice Waegeneire@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1326,6 +1327,7 @@ reference.
 * Connecting to Wireguard VPN::  Connecting to a Wireguard VPN.
 * Customizing a Window Manager:: Handle customization of a Window manager on Guix System.
 * Setting up a bind mount:: Setting up a bind mount in the file-systems definition.
+* Getting substitutes from Tor:: Configuring Guix daemon to get substitutes through Tor.
 @end menu
 
 @node Customizing the Kernel
@@ -1785,6 +1787,59 @@ mount itself.
                 ))
 @end lisp
 
+@node Getting substitutes from Tor
+@section Getting substitutes from Tor
+
+@quotation Warning
+@emph{Not all} Guix daemon's traffic will go through Tor!  Only
+HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
+will still go through the clearnet.  Again, this configuration isn't
+foolproof some of your traffic won't get routed by Tor at all.  Use it
+at your own risk.
+@end quotation
+
+Guix's substitute server is available as a hidden service, if you want
+to use it to get your substitutes from Tor configure your system as
+follow:
+
+@lisp
+(use-modules (gnu))
+(use-service-module base networking)
+
+(operating-system
+  …
+  (services
+    (cons
+      (service tor-service-type
+              (tor-configuration
+                (config-file (plain-file "tor-config"
+                                         "HTTPTunnelPort 127.0.0.1:9250"))))
+      (modify-services %base-services
+                       (guix-service-type
+                         config => (guix-configuration
+                                     (inherit config)
+                                     ;; ci.guix.gnu.org's hidden service
+                                     (substitute-urls "https://bp7o7ckwlewr4slm.onion")
+                                     (http-proxy "http://localhost:9250")))))))
+@end lisp
+
+This will keep a tor process running that provides a HTTP CONNECT tunnel
+which will be used by @command{guix-daemon}.  The daemon can use other
+protocols than HTTP(S) to get remote resources, request using those
+protocols won't go through Tor since we are only setting a HTTP tunnel
+here.  Note that @code{substitutes-urls} is using HTTPS and not HTTP or
+it won't work, that's a limitation of Tor's tunnel; you may want to use
+@command{privoxy} instead to avoid such limitations.
+
+If you don't want to always get substitutes through Tor but using it just
+some of the times, then skip the @code{guix-configuration}.  When you
+want to get a substitute from the Tor tunnel run:
+
+@example
+# herd set-http-proxy guix-daemon http://localhost:9250
+$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
+@end example
+
 @c *********************************************************************
 @node Advanced package management
 @chapter Advanced package management
-- 
2.26.2

Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

[Ludovic Courtès]

Hi,

Brice Waegeneire <brice@waegenei.re> skribis:

> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.

Yay!

> +@node Getting substitutes from Tor
> +@section Getting substitutes from Tor
> +
> +@quotation Warning
> +@emph{Not all} Guix daemon's traffic will go through Tor!  Only
> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
> +will still go through the clearnet.  Again, this configuration isn't
> +foolproof some of your traffic won't get routed by Tor at all.  Use it
> +at your own risk.
> +@end quotation

I would suggest adding a line of intro before the warning, otherwise we
see the warning before even knowing what the section is about.  :-)

> +Guix's substitute server is available as a hidden service, if you want

I think official terminology these days is “Onion service”.

> +to use it to get your substitutes from Tor configure your system as
> +follow:
> +
> +@lisp
> +(use-modules (gnu))
> +(use-service-module base networking)
> +
> +(operating-system
> +  …
> +  (services
> +    (cons
> +      (service tor-service-type
> +              (tor-configuration
> +                (config-file (plain-file "tor-config"
> +                                         "HTTPTunnelPort 127.0.0.1:9250"))))
> +      (modify-services %base-services
> +                       (guix-service-type
             ^^^^^^^^^^^^^
Too many spaces here.

> +@example
> +# herd set-http-proxy guix-daemon http://localhost:9250
> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
> +@end example

To make it copy/pastable, you can remove the prompt and write it as:

  sudo herd set-http-proxy …
  guix build …

Something along these lines LGTM.

Thank you!

Ludo’.

Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

[Brice Waegeneire]

Hello,

On 2020-06-04 12:29, Ludovic Courtès wrote:
> Hi,
> 
> Brice Waegeneire <brice@waegenei.re> skribis:
> 
>> * doc/guix-cookbook.texi (Getting substitutes from Tor): New section.
> 
> Yay!
> 
>> +@node Getting substitutes from Tor
>> +@section Getting substitutes from Tor
>> +
>> +@quotation Warning
>> +@emph{Not all} Guix daemon's traffic will go through Tor!  Only
>> +HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
>> +will still go through the clearnet.  Again, this configuration isn't
>> +foolproof some of your traffic won't get routed by Tor at all.  Use 
>> it
>> +at your own risk.
>> +@end quotation
> 
> I would suggest adding a line of intro before the warning, otherwise we
> see the warning before even knowing what the section is about.  :-)
> 
>> +Guix's substitute server is available as a hidden service, if you 
>> want
> 
> I think official terminology these days is “Onion service”.
> 
>> +to use it to get your substitutes from Tor configure your system as
>> +follow:
>> +
>> +@lisp
>> +(use-modules (gnu))
>> +(use-service-module base networking)
>> +
>> +(operating-system
>> +  …
>> +  (services
>> +    (cons
>> +      (service tor-service-type
>> +              (tor-configuration
>> +                (config-file (plain-file "tor-config"
>> +                                         "HTTPTunnelPort 
>> 127.0.0.1:9250"))))
>> +      (modify-services %base-services
>> +                       (guix-service-type
>              ^^^^^^^^^^^^^
> Too many spaces here.
> 
>> +@example
>> +# herd set-http-proxy guix-daemon http://localhost:9250
>> +$ guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion hello
>> +@end example
> 
> To make it copy/pastable, you can remove the prompt and write it as:
> 
>   sudo herd set-http-proxy …
>   guix build …
> 
> Something along these lines LGTM.
> 
> Thank you!
> 
> Ludo’.

Thank you for the review Ludovic.

Pushed as c987b72382e739bf887849b02c533eda317ea52b with the 3 
modifications you
were requesting.

- Brice

Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

[André Batista]

[-- Attachment #1.1: Type: text/plain, Size: 261 bytes --]

Hello Brice,

I think it would be useful to warn users that when pulling there is
a direct connection to guix git repos, so to route it through Tor,
one needs to use torsocks. It wont make the configuration foolproof,
but it will reduce the leaks to clearnet.


[-- Attachment #1.2: 0001-doc-cookbook-Add-info-on-the-need-of-using-torsocks-.patch --]
[-- Type: text/plain, Size: 1948 bytes --]

From 6a73b1b1129d3d636d7a0559dffa19e5d40aaf0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Tue, 16 Jun 2020 23:13:03 -0300
Subject: [PATCH] doc: cookbook: Add info on the need of using torsocks when
 pulling.
To: guix-devel@gnu.org

* doc/guix-cookbook.texi (Getting substitutes from Tor): Add note at
  the end on using torsocks when pulling.
---
 doc/guix-cookbook.texi | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 1342826c97..1852ce6c3a 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -15,6 +15,7 @@ Copyright @copyright{} 2020 Oleg Pykhalov@*
 Copyright @copyright{} 2020 Matthew Brooks@*
 Copyright @copyright{} 2020 Marcin Karpezo@*
 Copyright @copyright{} 2020 Brice Waegeneire@*
+Copyright @copyright{} 2020 André Batista@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1802,7 +1803,7 @@ at your own risk.
 @end quotation
 
 Guix's substitute server is available as a Onion service, if you want
-to use it to get your substitutes from Tor configure your system as
+to use it to get your substitutes through Tor configure your system as
 follow:
 
 @lisp
@@ -1843,6 +1844,11 @@ sudo herd set-http-proxy guix-daemon http://localhost:9250
 guix build --substitute-urls=https://bp7o7ckwlewr4slm.onion …
 @end example
 
+Note that the procedure described above applies only to package substitution.
+When you update your guix distribution with @command{guix pull}, you should
+use @command{torsocks} if you want to route the connection to guix git
+repository servers through Tor.
+
 @c *********************************************************************
 @node Advanced package management
 @chapter Advanced package management
-- 
2.26.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 841 bytes --]

Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.

[Brice Waegeneire]

Hello André,

Thank you for the patch and your feedback!

On 2020-06-17 02:19, André Batista wrote:
> Hello Brice,
> 
> I think it would be useful to warn users that when pulling there is
> a direct connection to guix git repos, so to route it through Tor,
> one needs to use torsocks. It wont make the configuration foolproof,
> but it will reduce the leaks to clearnet.

When writing this section of the cookbook I was worried that some
readers will misunderstood it so I added a big warning at the
front but it doesn't seems to be enough since you sent this mail.

--8<---------------cut here---------------start------------->8---
@section Getting substitutes from Tor

Guix daemon can use a HTTP proxy to get substitutes, here we are
configuring it to get them via Tor.

@quotation Warning
@emph{Not all} Guix daemon's traffic will go through Tor!  Only
HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
will still go through the clearnet.  Again, this configuration isn't
foolproof some of your traffic won't get routed by Tor at all.  Use it
at your own risk.
@end quotation
--8<---------------cut here---------------end--------------->8---

> +Note that the procedure described above applies only to package 
> substitution.
> +When you update your guix distribution with @command{guix pull}, you 
> should
> +use @command{torsocks} if you want to route the connection to guix git
> +repository servers through Tor.
> +
>  @c 
> *********************************************************************
>  @node Advanced package management
>  @chapter Advanced package management

I would like to keep the warnings at the beginning of the section
to be sure that readers don't miss it when skimming trough it.
Any rewording of that part to make the scope of the section or
the warnings more clear is welcome.

Note that this section is only about getting *substitutes* through
tor and it should probably be kept that way to avoid confusing the
user in regard to what (narrow) security benefit this configuration
offer.

On a wider front I would prefer to have a foolproof configuration
that route *all* guix related traffic through Tor, instead of that
half-way setup.  Providing a way to 'torify' any service with
something like 'make-forkexec-constructor/trosocks', as
'make-forkexec-constructor/container' does for containerizing a
service, would be great[0].  A less engaged option would be to
make 'guix-daemon' compatible with 'torsocks' since doing it so
makes guix unusable[1].

[0]: http://logs.guix.gnu.org/guix/2020-06-03.log#142909
[1]: https://lists.gnu.org/archive/html/guix-devel/2020-05/msg00214.html

- Brice

Re: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.

[André Batista]

[-- Attachment #1.1: Type: text/plain, Size: 2469 bytes --]

Hello Brice,

qua 17 jun 2020 às 08:37:59 (1592393879), brice@waegenei.re enviou:
> Hello André,
> 
> Thank you for the patch and your feedback!

It's me who should be thanking you!

> When writing this section of the cookbook I was worried that some
> readers will misunderstood it so I added a big warning at the
> front but it doesn't seems to be enough since you sent this mail.

Sorry to disturb you, your warning was clear enough. I've only
thought that there was room for improvement whilst there remains
the need for a proper solution to the problem at hand.

> I would like to keep the warnings at the beginning of the section
> to be sure that readers don't miss it when skimming trough it.
> Any rewording of that part to make the scope of the section or
> the warnings more clear is welcome.

It follows attached a new version of the previous patch which
changes the comment to the warning quote. I had previously thought
that it would be worse to inflate the warning with this comment even
more so as the section's title already mentions it's related to
substitutes.

> Note that this section is only about getting *substitutes* through
> tor and it should probably be kept that way to avoid confusing the
> user in regard to what (narrow) security benefit this configuration
> offer.

Note taken, but it seems to me that if someone is going through the
trouble of configuring guix to get substitutes through Tor, such a
person would most likely also wish to update guix through the same
network. It does nothing to fix the possible leaks when substitutes
aren't available, but it makes it clear that it's possible/advisable
on such scenario to pull using torsocks. I don't think it misinforms
users.

> On a wider front I would prefer to have a foolproof configuration
> that route *all* guix related traffic through Tor, instead of that
> half-way setup.  Providing a way to 'torify' any service with
> something like 'make-forkexec-constructor/trosocks', as
> 'make-forkexec-constructor/container' does for containerizing a
> service, would be great[0].  A less engaged option would be to
> make 'guix-daemon' compatible with 'torsocks' since doing it so
> makes guix unusable[1].

I too would prefer it, but a half-way setup is what we have for now.
So a three-quarters-way would be an improvement though not the fix
we're in need. I'll dig deeper and will come back to you if I make
any progress.

[-- Attachment #1.2: 0001-doc-cookbook-Update-entry-about-getting-substitutes-.patch --]
[-- Type: text/plain, Size: 1876 bytes --]

From 1d6e29dcbc5b9a8659294af033863a31526eab76 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Batista?= <nandre@riseup.net>
Date: Thu, 18 Jun 2020 10:23:23 -0300
Subject: [PATCH] doc: cookbook: Update entry about getting substitutes through
 Tor.
To: guix-devel@gnu.org

* doc/guix-cookbook.texi (Getting substitutes from Tor): Update
section warning to mention the use of torsocks when pulling.
---
 doc/guix-cookbook.texi | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi
index 1342826c97..d5a8459363 100644
--- a/doc/guix-cookbook.texi
+++ b/doc/guix-cookbook.texi
@@ -15,6 +15,7 @@ Copyright @copyright{} 2020 Oleg Pykhalov@*
 Copyright @copyright{} 2020 Matthew Brooks@*
 Copyright @copyright{} 2020 Marcin Karpezo@*
 Copyright @copyright{} 2020 Brice Waegeneire@*
+Copyright @copyright{} 2020 André Batista@*
 
 Permission is granted to copy, distribute and/or modify this document
 under the terms of the GNU Free Documentation License, Version 1.3 or
@@ -1799,10 +1800,16 @@ HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
 will still go through the clearnet.  Again, this configuration isn't
 foolproof some of your traffic won't get routed by Tor at all.  Use it
 at your own risk.
+
+Also note that the procedure described here applies only to package
+substitution. When you update your guix distribution with
+@command{guix pull}, you still need to use @command{torsocks} if
+you want to route the connection to guix's git repository servers
+through Tor.
 @end quotation
 
 Guix's substitute server is available as a Onion service, if you want
-to use it to get your substitutes from Tor configure your system as
+to use it to get your substitutes through Tor configure your system as
 follow:
 
 @lisp
-- 
2.26.2


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 841 bytes --]

Re: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.

[Brice Waegeneire]

Hello André,

On 2020-06-18 14:06, André Batista wrote:

[...]

> qua 17 jun 2020 às 08:37:59 (1592393879), brice@waegenei.re enviou:
>> I would like to keep the warnings at the beginning of the section
>> to be sure that readers don't miss it when skimming trough it.
>> Any rewording of that part to make the scope of the section or
>> the warnings more clear is welcome.
> 
> It follows attached a new version of the previous patch which
> changes the comment to the warning quote. I had previously thought
> that it would be worse to inflate the warning with this comment even
> more so as the section's title already mentions it's related to
> substitutes.

I tought I already had applied your patch, but I forgot to do it.
It's now applied as f8945734a5abff69644284231cc47fb67456657b, sorry
for the delay.

[...]

>> On a wider front I would prefer to have a foolproof configuration
>> that route *all* guix related traffic through Tor, instead of that
>> half-way setup.  Providing a way to 'torify' any service with
>> something like 'make-forkexec-constructor/trosocks', as
>> 'make-forkexec-constructor/container' does for containerizing a
>> service, would be great[0].  A less engaged option would be to
>> make 'guix-daemon' compatible with 'torsocks' since doing it so
>> makes guix unusable[1].
> 
> I too would prefer it, but a half-way setup is what we have for now.
> So a three-quarters-way would be an improvement though not the fix
> we're in need. I'll dig deeper and will come back to you if I make
> any progress.

I would love to know when you manage to advance on that front.

Have a good day,
- Brice

Re: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor.

[André Batista]

Hi Brice,

dom 28 jun 2020 às 11:37:32 (1593355052), brice@waegenei.re enviou:
> Hello André,
>
> I tought I already had applied your patch, but I forgot to do it.
> It's now applied as f8945734a5abff69644284231cc47fb67456657b, sorry
> for the delay.

No big deal, thanks for your initiative.

> I would love to know when you manage to advance on that front.

It's currently beyond my understanding, but hopefully not for long.

Cheers!