all messages for Guix-related lists mirrored at yhetil.org
From: ludo@gnu.org (Ludovic Courtès)
To: panic <lists@xandea.de>
Cc: help-guix@gnu.org
Subject: Re: Downloading Guix packages via Tor
Date: Mon, 18 Jan 2016 14:42:03 +0100
Message-ID: <87bn8jf1hw.fsf@gnu.org>
In-Reply-To: <569C2A12.6000309@xandea.de> (panic's message of "Sun, 17 Jan 2016 23:56:02 +0000")

Hello!

panic <lists@xandea.de> wrote:

> (0)
> During the `make' step, a bootstrap `guile-2.0.9' or `guile-2.0.11' is
> downloaded for several architectures (i686, x86_64, armhf, mipsel).
>
> o  What is this needed for? guile-2.0.11 is already installed from
>    Debian stable?

See
<https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html>
for an explanation.

> o  IMHO a `make' should not download files.

I agree, in general.  The only other option here would be to make these
tarballs part of the Guix tarball, but that’s not so great either.

(Longer-term solution: If Guile could fit in a single ELF binary that
would contain its core modules, bootstrapping would be simpler.)

> o  I could only observe the xz-files to be downloaded but not the
>    GPG signatures.  Is the file's integrity checked somehow?

Yes, see the targets at the bottom of gnu-system.am.  gnu-system.am is
part of the source tarball that is itself signed by myself.

> o  If these files are crucial, I'd prefer the `make' to stop and tell
>    me how to manually download & verify these files.

You could download them yourself from the URL that appears in
build-aux/download.scm along with their signature, and verify it
yourself.

It wouldn’t provide you any assurance since, again, gnu-system.am
contains their cryptographic hash, and gnu-system.am is part of the
source tarball, which is also signed.

> (1)
> Is it possible to proxy downloads by Guix through Tor?
> I saw reports that it is apparently possible to set the http_proxy
> environment variable and then it is used by Guix.

Yes, ‘http_proxy’ will work, but unfortunately ‘https_proxy’ and
‘ftp_proxy’ don’t work yet.  We’ve also had reports of things not
working properly: <https://bugs.gnu.org/20402>.

I would definitely like to have them fixed so that one can have
everything go through, say, Privoxy, and then through Tor.

> Is it also possible to define socks_proxy?

No.

> (2)
> What is the current state of checking signatures of source tarballs or
> git commits/tags?
> (thread to the same topic:
>  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html)

Currently, authenticating tarballs is left to packagers, which is what
this thread is about.

Tools like ‘guix import’ and ‘guix refresh’ attempt to encourage
signature checking when signatures are available, using a TOFU model.
However, whether packagers did that authenticity check or not leaves no
trace.

The proposal in that thread is to augment package recipes with the
fingerprint against which the source was authenticated, so that we have
an audit trail.  It’s not implemented yet.  But your help is welcome!
:-)

“You’ll also like this one” (as user-tracking web sites would say ;-)):

  https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00107.html

Specifically, the question of how to authenticate individual Guix commits.

Thanks for your feedback,
Ludo’.
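The two checks discussed above, the hash of a bootstrap tarball pinned in a file that itself ships inside the signed source tarball (question 0), and the proposed TOFU audit trail that would record the fingerprint a package source was authenticated against (question 2), as one added example. This is not Guix code and not part of Ludovic's reply; it is written to show the control flow, with an Ed25519 detached signature standing in for an OpenPGP one, SHA-256 of the raw public key standing in for an OpenPGP fingerprint, hypothetical recipe field names (Sha256, Fingerprint), and constructed tarball bytes and fixed-seed keys so it runs offline:

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Recipe is a minimal stand-in for a package recipe: the SHA-256 that Guix
// already pins for the source, plus the field the thread proposes, the
// fingerprint the source was authenticated against (hypothetical field names).
type Recipe struct {
	Name        string
	Sha256      string // hex digest pinned in the recipe
	Fingerprint string // hex fingerprint; empty until first authentication
}

type Outcome int

const (
	Rejected Outcome = iota // hash, signature or pinned fingerprint did not check out
	Trusted                 // everything matched what the recipe already pinned
	FirstUse                // valid signature, nothing pinned yet: recorded now (TOFU)
)

func (o Outcome) String() string {
	return [...]string{"rejected", "trusted", "first use, fingerprint recorded"}[o]
}

// hexSha256 is the lowercase hex SHA-256 of b, as sha256sum prints it.
func hexSha256(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Fingerprint stands in for an OpenPGP key fingerprint: here the SHA-256 of the
// raw Ed25519 public key (an assumption; OpenPGP hashes the key packet instead).
func Fingerprint(pub ed25519.PublicKey) string { return hexSha256(pub) }

// Authenticate checks a downloaded tarball in the order the reply implies:
// (1) its SHA-256 must equal the pinned hash (for the bootstrap binaries this
// is the whole check: gnu-system.am carries the hash and sits inside the
// signed source tarball); (2) the detached signature must verify under the
// offered key; (3) the signer's fingerprint must equal the pinned one or, if
// none is pinned yet, is recorded so later runs leave an audit trail.
// A failed check leaves the recipe untouched.
func Authenticate(r *Recipe, tarball, sig []byte, pub ed25519.PublicKey) (Outcome, error) {
	if got := hexSha256(tarball); got != r.Sha256 {
		return Rejected, fmt.Errorf("%s: sha256 %.12s.. does not match pinned %.12s..", r.Name, got, r.Sha256)
	}
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, tarball, sig) {
		return Rejected, fmt.Errorf("%s: detached signature does not verify", r.Name)
	}
	fp := Fingerprint(pub)
	switch r.Fingerprint {
	case "":
		r.Fingerprint = fp
		return FirstUse, nil
	case fp:
		return Trusted, nil
	default:
		return Rejected, fmt.Errorf("%s: signed by %.12s.. but recipe pins %.12s..", r.Name, fp, r.Fingerprint)
	}
}

// Constructed sample inputs, not real Guix artefacts. Fixed seeds keep the
// walk-through reproducible; never derive real keys this way.
var (
	SampleTarball = []byte("constructed stand-in for the bytes of guile-2.0.11.tar.xz")
	UpstreamKey   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x11}, ed25519.SeedSize))
	ImposterKey   = ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x22}, ed25519.SeedSize))
)

func main() {
	recipe := &Recipe{Name: "guile-bootstrap", Sha256: hexSha256(SampleTarball)}
	pub := UpstreamKey.Public().(ed25519.PublicKey)
	sig := ed25519.Sign(UpstreamKey, SampleTarball)
	show := func(label string, o Outcome, err error) { fmt.Printf("%-22s %v  %v\n", label, o, err) }

	o, err := Authenticate(recipe, SampleTarball, sig, pub)
	show("first run:", o, err) // first use, fingerprint recorded
	o, err = Authenticate(recipe, SampleTarball, sig, pub)
	show("re-run, same key:", o, err) // trusted

	// A valid signature from another key: hash and signature pass, the pin catches it.
	ipub := ImposterKey.Public().(ed25519.PublicKey)
	o, err = Authenticate(recipe, SampleTarball, ed25519.Sign(ImposterKey, SampleTarball), ipub)
	show("re-signed, other key:", o, err) // rejected

	// A modified tarball fails at the hash step before any key is consulted.
	tampered := append([]byte{}, SampleTarball...)
	tampered[0] ^= 0x01
	o, err = Authenticate(recipe, tampered, sig, pub)
	show("tampered tarball:", o, err) // rejected
}
```

The point of the third scenario is the one the thread makes: a signature that verifies is not the same as a signature from the expected signer. Without the recorded fingerprint, the re-signed tarball would pass, and nothing in the recipe would show which key the packager had actually checked against; with it, the mismatch is caught and the recipe is not silently re-pinned.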

Thread overview: 2+ messages
2016-01-17 23:56 Downloading Guix packages via Tor panic
2016-01-18 13:42 ` Ludovic Courtès [this message]
