guix-devel

Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.


From: Brice Waegeneire
Subject: Re: [bug#41694] [PATCH] doc: cookbook: Add entry about getting substitutes through Tor.
Date: Wed, 17 Jun 2020 08:37:59 +0000
User-agent: Roundcube Webmail/1.3.8

Hello André,

Thank you for the patch and your feedback!

On 2020-06-17 02:19, André Batista wrote:
Hello Brice,

I think it would be useful to warn users that when pulling there is
a direct connection to guix git repos, so to route it through Tor,
one needs to use torsocks. It won't make the configuration foolproof,
but it will reduce the leaks to clearnet.

When writing this section of the cookbook I was worried that some
readers would misunderstand it, so I added a big warning at the
front, but it doesn't seem to be enough since you sent this mail.

--8<---------------cut here---------------start------------->8---
@section Getting substitutes from Tor

Guix daemon can use an HTTP proxy to get substitutes; here we are
configuring it to get them via Tor.

@quotation Warning
@emph{Not all} Guix daemon's traffic will go through Tor!  Only
HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections
will still go through the clearnet.  Again, this configuration isn't
foolproof: some of your traffic won't get routed by Tor at all.  Use it
at your own risk.
@end quotation
--8<---------------cut here---------------end--------------->8---

+Note that the procedure described above applies only to package substitution. +When you update your guix distribution with @command{guix pull}, you should
+use @command{torsocks} if you want to route the connection to guix git
+repository servers through Tor.
+
@c *********************************************************************
 @node Advanced package management
 @chapter Advanced package management
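Review bot: the added paragraph says to use @command{torsocks} for @command{guix pull} but never shows the invocation, and it lands at the very end of the section, just before the @c separator and the next @node, where a reader who stopped at the configuration steps will not see it; the section already opens with a @quotation Warning that lists Git protocol among the connections that stay on the clearnet, so fold this note into that warning (or place it directly after it) and give the concrete form, e.g. "@example" / "torsocks guix pull" / "@end example". "your guix distribution" is also loose wording for what @command{guix pull} updates; "Guix itself" or "your Guix installation" says it precisely.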

I would like to keep the warnings at the beginning of the section
to be sure that readers don't miss it when skimming through it.
Any rewording of that part to make the scope of the section or
the warnings more clear is welcome.

Note that this section is only about getting *substitutes* through
tor and it should probably be kept that way to avoid confusing the
user in regard to what (narrow) security benefit this configuration
offers.

On a wider front I would prefer to have a foolproof configuration
that routes *all* guix related traffic through Tor, instead of that
half-way setup.  Providing a way to 'torify' any service with
something like 'make-forkexec-constructor/torsocks', as
'make-forkexec-constructor/container' does for containerizing a
service, would be great[0].  A less engaged option would be to
make 'guix-daemon' compatible with 'torsocks', since doing so
currently makes guix unusable[1].

[0]: http://logs.guix.gnu.org/guix/2020-06-03.log#142909
[1]: https://lists.gnu.org/archive/html/guix-devel/2020-05/msg00214.html

- Brice
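The split this thread is about, written out as a small audit script. This is an added example, not code from the Guix cookbook, from the patch, or from either author. It applies the two facts the messages state to a constructed configuration: guix-daemon fetches substitutes through its HTTP proxy but only http:// and https:// URLs are proxied, and @command{guix pull} fetches channels itself rather than through guix-daemon, so those connections are direct unless the command is wrapped in torsocks. The sample channels.scm text, the substitute URL list, the `(url "...")` extraction and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example; this is not code from the Guix cookbook or from this thread.
# Audits the URLs a Guix setup talks to, applying two facts from the thread:
#  1. guix-daemon fetches substitutes through its HTTP proxy, but only
#     http:// and https:// URLs are proxied (the cookbook warning above);
#  2. `guix pull` fetches channels itself, not through guix-daemon, so its
#     connections are direct unless the command is wrapped in torsocks.
# The channels.scm text and substitute URL list below are constructed samples.

SAMPLE_CHANNELS='(list (channel
        (name (quote guix))
        (url "https://git.savannah.gnu.org/git/guix.git"))
      (channel
        (name (quote my-channel))
        (url "git://example.org/my-channel.git")))'

SAMPLE_SUBSTITUTE_URLS='https://ci.guix.gnu.org ftp://mirror.example.org/guix'

# substitute_status URL: "proxied" for http/https, "clearnet" for anything else.
substitute_status() {
  case "$1" in
    http://*|https://*) echo proxied ;;
    *)                  echo clearnet ;;
  esac
}

# extract_channel_urls: print the value of every (url "...") form on stdin.
extract_channel_urls() {
  sed -n 's/.*(url "\([^"]*\)").*/\1/p'
}

# audit_substitutes: one substitute URL per line on stdin -> "<status> <url>".
audit_substitutes() {
  while read -r url; do
    [ -n "$url" ] || continue
    printf '%s %s\n' "$(substitute_status "$url")" "$url"
  done
}

# audit_channels: one channel URL per line on stdin -> "direct <url>".
# The scheme does not matter here: the daemon proxy never sees these connections.
audit_channels() {
  while read -r url; do
    [ -n "$url" ] || continue
    printf 'direct %s\n' "$url"
  done
}

# count_unproxied: number of audit lines on stdin that are not marked "proxied".
count_unproxied() {
  grep -vc '^proxied' || true
}

main() {
  echo '== substitute URLs (guix-daemon, HTTP proxy) =='
  printf '%s\n' $SAMPLE_SUBSTITUTE_URLS | audit_substitutes
  echo '== channel URLs (guix pull, no daemon proxy) =='
  printf '%s\n' "$SAMPLE_CHANNELS" | extract_channel_urls | audit_channels
  unproxied=$( {
    printf '%s\n' $SAMPLE_SUBSTITUTE_URLS | audit_substitutes
    printf '%s\n' "$SAMPLE_CHANNELS" | extract_channel_urls | audit_channels
  } | count_unproxied )
  echo "$unproxied connection(s) would not go through the HTTP proxy"
  echo 'for the channel fetches, run: torsocks guix pull'
}

main
```

On the sample input the https substitute server is the only connection the proxy covers; the ftp mirror and both channel repositories, including the https one, are reported as leaving the proxy, which is the narrow scope Brice describes above.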

