* Downloading Guix packages via Tor
@ 2016-01-17 23:56 panic
  2016-01-18 13:42 ` Ludovic Courtès
  0 siblings, 1 reply; 2+ messages in thread
From: panic @ 2016-01-17 23:56 UTC (permalink / raw)
  To: help-guix

Hi,

I'm trying to get myself familiar with Guix and built guix-0.9.0 on a
Debian stable machine (only guile-json is fetched from testing).

I try to do all internet communication through Tor: DNS/port 53 outgoing
and network accesses of non-`debian-tor'-users are rejected on purpose
(like in Tails which is based on Debian).
This makes programs fail when they are not (yet) configured for Tor, and
so does Guix:

(0)
During the `make' step, a bootstrap `guile-2.0.9' or `guile-2.0.11' is
downloaded for several architectures (i686, x86_64, armhf, mipsel).

o  What is this needed for? guile-2.0.11 is already installed from
   Debian stable?
o  IMHO a `make' should not download files.
o  I could only observe the xz-files to be downloaded but not the
   GPG signatures.  Is the file's integrity checked somehow?
o  If these files are crucial, I'd prefer the `make' to stop and tell
   me how to manually download & verify these files.

(1)
Is it possible to proxy downloads by Guix through Tor?
I saw reports that it is apparently possible to set the http_proxy
environment variable and then it is used by Guix.  Is it also possible
to define socks_proxy?

(2)
What is the current state of checking signatures of source tarballs or
git commits/tags?
(thread to the same topic:
 https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html)

-- panic


* Re: Downloading Guix packages via Tor
  2016-01-17 23:56 Downloading Guix packages via Tor panic
@ 2016-01-18 13:42 ` Ludovic Courtès
  0 siblings, 0 replies; 2+ messages in thread
From: Ludovic Courtès @ 2016-01-18 13:42 UTC (permalink / raw)
  To: panic; +Cc: help-guix

Hello!

panic <lists@xandea.de> wrote:

> (0)
> During the `make' step, a bootstrap `guile-2.0.9' or `guile-2.0.11' is
> downloaded for several architectures (i686, x86_64, armhf, mipsel).
>
> o  What is this needed for? guile-2.0.11 is already installed from
>    Debian stable?

See
<https://www.gnu.org/software/guix/manual/html_node/Bootstrapping.html>
for an explanation.

> o  IMHO a `make' should not download files.

I agree, in general.  The only other option here would be to make these
tarballs part of the Guix tarball, but that’s not so great either.

(Longer-term solution: If Guile could fit in a single ELF binary that
would contain its core modules, bootstrapping would be simpler.)

> o  I could only observe the xz-files to be downloaded but not the
>    GPG signatures.  Is the file's integrity checked somehow?

Yes, see the targets at the bottom of gnu-system.am.  gnu-system.am is
part of the source tarball that is itself signed by myself.

> o  If these files are crucial, I'd prefer the `make' to stop and tell
>    me how to manually download & verify these files.

You could download them yourself from the URL that appears in
build-aux/download.scm along with their signature, and verify it
yourself.

It wouldn’t provide you any assurance since, again, gnu-system.am
contains their cryptographic hash, and gnu-system.am is part of the
source tarball, which is also signed.

> (1)
> Is it possible to proxy downloads by Guix through Tor?
> I saw reports that it is apparently possible to set the http_proxy
> environment variable and then it is used by Guix.

Yes, ‘http_proxy’ will work, but unfortunately ‘https_proxy’ and
‘ftp_proxy’ don’t work yet.  We’ve also had reports of things not
working properly: <https://bugs.gnu.org/20402>.

I would definitely like to have them fixed so that one can have
everything go through, say, Privoxy, and then through Tor.

> Is it also possible to define socks_proxy?

No.

> (2)
> What is the current state of checking signatures of source tarballs or
> git commits/tags?
> (thread to the same topic:
>  https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html)

Currently, authenticating tarballs is left to packagers, which is what
this thread is about.

Tools like ‘guix import’ and ‘guix refresh’ attempt to encourage
signature checking when signatures are available, using a TOFU model.
However, whether packagers did that authenticity check or not leaves no
trace.

The proposal in that thread is to augment package recipes with the
fingerprint against which the source was authenticated, so that we have
an audit trail.  It’s not implemented yet.  But your help is welcome!
:-)

“You’ll also like this one” (as user-tracking web sites would say ;-)):

  https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00107.html

Specifically, the question of how to authenticate individual Guix commits.

Thanks for your feedback,
Ludo’.
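
Added example, written for this page and not code from Guix or from either
message above: a small Python model of the two checks discussed in the
reply. The first is hash pinning, where a downloaded bootstrap tarball is
accepted only if its SHA-256 equals a value recorded in a trusted place (in
Guix that place is gnu-system.am inside the signed source tarball). The
second is a trust-on-first-use store that records, per upstream, the
signing-key fingerprint against which a source was first authenticated and
flags any later change, which gives the audit trail the thread asks for.
The file layout, the "upstream" names, the fingerprints and the tarball
bytes are all constructed for the example; the 40-hex fingerprints are
placeholders, not real keys.

```python
"""Hash pinning plus a TOFU fingerprint store (constructed example)."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned(path, expected_sha256):
    """True only if the file's SHA-256 equals the pinned value.

    The pin is what a trusted, signed file (gnu-system.am in Guix) would
    carry; the comparison is constant-time and anything else is a reject.
    """
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


class TofuStore:
    """Trust-on-first-use record of signing fingerprints, one per upstream.

    The JSON file is the audit trail: it shows which fingerprint each
    upstream was authenticated against and when it was first recorded.
    """

    def __init__(self, path):
        self.path = Path(path)
        self.entries = (json.loads(self.path.read_text())
                        if self.path.exists() else {})

    def check(self, upstream, fingerprint):
        """Return 'new', 'match' or 'mismatch'.

        'new' also persists the fingerprint, so the first sighting is the
        one all later checks are held to; 'mismatch' must be treated as a
        hard failure by the caller, never silently overwritten.
        """
        fp = fingerprint.replace(" ", "").upper()
        known = self.entries.get(upstream)
        if known is None:
            self.entries[upstream] = fp
            self.path.write_text(json.dumps(self.entries, indent=2))
            return "new"
        return "match" if hmac.compare_digest(known, fp) else "mismatch"


def demo():
    """Run both checks on constructed data and return the outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed "tarball": the bytes b"abc", whose SHA-256 is the
        # well-known value below; this plays the role of the pinned hash.
        pinned = ("ba7816bf8f01cfea414140de5dae2223"
                  "b00361a396177a9cb410ff61f20015ad")
        good = tmp / "guile-bootstrap.tar.xz"
        good.write_bytes(b"abc")
        bad = tmp / "guile-bootstrap-tampered.tar.xz"
        bad.write_bytes(b"abd")          # one byte off: must be rejected

        store = TofuStore(tmp / "tofu.json")
        # Constructed placeholder fingerprints, not real keys.
        fp_a = "1111 2222 3333 4444 5555 6666 7777 8888 9999 AAAA"
        fp_b = "FFFF EEEE DDDD CCCC BBBB AAAA 9999 8888 7777 6666"
        results = {
            "pinned_ok": verify_pinned(good, pinned),
            "pinned_tampered": verify_pinned(bad, pinned),
            "tofu_first": store.check("example-upstream", fp_a),
            "tofu_same": store.check("example-upstream", fp_a.lower()),
            "tofu_changed": store.check("example-upstream", fp_b),
        }
        # A fresh instance reading the same file sees the recorded key.
        results["tofu_persisted"] = TofuStore(tmp / "tofu.json").check(
            "example-upstream", fp_a)
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of splitting the two checks is that they answer different
questions: the hash pin says "this is the exact file the signed release
expects", while the TOFU record says "this upstream is still signing with
the key we first trusted", and a "mismatch" from the store is exactly the
event a packager would want to see on refresh rather than have vanish
without trace.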

