From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Downloading Guix packages via Tor
Date: Mon, 18 Jan 2016 14:42:03 +0100
Message-ID: <87bn8jf1hw.fsf@gnu.org>
In-Reply-To: <569C2A12.6000309@xandea.de> (panic's message of "Sun, 17 Jan 2016 23:56:02 +0000")
To: panic
Cc: help-guix@gnu.org

Hello!

panic skribis:

> (0)
> During the `make' step, a bootstrap `guile-2.0.9' or `guile-2.0.11' is
> downloaded for several architectures (i686, x86_64, armhf, mipsel).
>
> o What is this needed for? guile-2.0.11 is already installed from
> Debian stable?

See for an explanation.

> o IMHO a `make' should not download files.

I agree, in general. The only other option here would be to make these
tarballs part of the Guix tarball, but that’s not so great either.

(Longer-term solution: If Guile could fit in a single ELF binary that
would contain its core modules, bootstrapping would be simpler.)

> o I could only observe the xz-files to be downloaded but not the
> GPG signatures. Is the file's integrity checked somehow?

Yes, see the targets at the bottom of gnu-system.am. gnu-system.am is
part of the source tarball that is itself signed by myself.

> o If these files are crucial, I'd prefer the `make' to stop and tell
> me how to manually download & verify these files.

You could download them yourself from the URL that appears in
build-aux/download.scm along with their signature, and verify it
yourself. It wouldn’t provide you any assurance since, again,
gnu-system.am contains their cryptographic hash, and gnu-system.am is
part of the source tarball, which is also signed.

> (1)
> Is it possible to proxy downloads by Guix through Tor?
> I saw reports that it is apparently possible to set the http_proxy
> environment variable and then it is used by Guix.

Yes, ‘http_proxy’ will work, but unfortunately ‘https_proxy’ and
‘ftp_proxy’ don’t work yet. We’ve also had reports of things not
working properly: . I would definitely like to have them fixed so that
one can have everything go through, say, Privoxy, and then through Tor.

> Is it also possible to define socks_proxy?

No.

> (2)
> What is the current state of checking signatures of source tarballs or
> git commits/tags?
> (thread to the same topic:
> https://lists.gnu.org/archive/html/guix-devel/2015-10/msg00115.html)

Currently, authenticating tarballs is left to packagers, which is what
this thread is about. Tools like ‘guix import’ and ‘guix refresh’
attempt to encourage signature checking when signatures are available,
using a TOFU model.

However, whether packagers did that authenticity check or not leaves no
trace. The proposal in that thread is to augment package recipes with
the fingerprint against which the source was authenticated, so that we
have an audit trail. It’s not implemented yet. But your help is
welcome! :-)

“You’ll also like this one” (as user-tracking web sites would say ;-)):

https://lists.gnu.org/archive/html/guix-devel/2015-12/msg00107.html

Specifically, the question of how to authenticate individual Guix
commits.

Thanks for your feedback,
Ludo’.
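The manual procedure discussed above (fetch the bootstrap tarball yourself, route the transfer through an HTTP proxy via ‘http_proxy’, and check it against the hash pinned in the signed source tree rather than trusting the download) as an added shell example. This is not Guix's own code and not the gnu-system.am target; the proxy address (Privoxy's default 127.0.0.1:8118, chained to Tor), the URL and the pinned digest in the usage comment are placeholders assumed for illustration, and wget is used only because it honours the ‘http_proxy’ environment variable.

```shell
#!/bin/sh
# Added example, not code from Guix or from the mail above.
# Pattern: download through a proxy, then accept the file only if its
# SHA-256 equals a digest pinned in a signed tree (as gnu-system.am does).
# Assumptions: proxy, URL and pinned hash in the usage comment are placeholders.

set -u

# Print the SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_pinned FILE EXPECTED_SHA256
# Returns 0 only when the file's digest equals the pinned one.  Trust comes
# from the pinned value (recorded in a signed source tree), not from the
# transport, so a proxied or Tor-routed download is checked identically.
# A mismatch is a hard failure: the file must not be used.
verify_pinned() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# fetch_pinned URL EXPECTED_SHA256 [OUT]
# wget reads http_proxy from the environment, so exporting it routes the
# transfer through the proxy; verification afterwards is unchanged.
# Returns 2 on download failure, 1 on digest mismatch, 0 on success.
fetch_pinned() {
    url=$1
    expected=$2
    out=${3:-$(basename "$url")}
    wget -q -O "$out" "$url" || { echo "download failed: $url" >&2; return 2; }
    verify_pinned "$out" "$expected"
}

# Usage (requires network; all three values below are placeholders):
#   export http_proxy=http://127.0.0.1:8118   # assumed Privoxy -> Tor chain
#   fetch_pinned http://example.org/guile-2.0.11.tar.xz <pinned-sha256>
```

Only ‘http_proxy’ is exported because, as the reply notes, that is the variable Guix itself honours; the hash comparison is what actually decides whether the file is accepted, so an exit node or proxy that tampers with the download is caught even though the transport is untrusted.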