[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: address@hidden: Re: [security-discuss] gnuradio project DoS attacks
Re: address@hidden: Re: [security-discuss] gnuradio project DoS attacks GNU wget users]
Fri, 3 Mar 2017 19:32:23 +0000
On 17-03-03 12:50:17, Leo Famulari wrote:
> On Fri, Mar 03, 2017 at 11:08:43AM +0000, ng0 wrote:
> > Hi,
> > I don't like repeating myself when I have written the content before.
> > So going by the message below, I'd like to change the way we provide
> > download links and use the http protocol for our downloads at
> > gnu.org/s/guix. Currently we only offer the ftp protocol links. The
> > ports 20 and 21 are commonly blocked in the tor network by relays, that
> > I was able to telnet to port 21 of alpha.gnu.org was just luck.
> I'm not that familiar with Tor, so forgive me if I'm asking questions
> that everyone else already knows the answer to.
There are no unnecessary questions, I'll gladly answer.
> Would it be enough to offer an HTTPS source for our `gnu.org/s/guix`
I think what happened here is, everyone seems to miss the point of my
email. The content below is just for reference, the question was just to
change the ftp:// links to http:// .. and I just found out, to answer
your question, that https://alpha.gnu.org/ works too.
> downloads? Would that work for Tor users? Or do we have to create an
> Onion service, too?
That's being solved on sys admin level of GNU and/or FSF, at least
that's what I understand from what rms wrote further in the thread.
> What are the pros and cons?
> If the HTTPS link can be accessed reliably over Tor, I think that would
> be better for us, because it would reduce the amount of Guix sysadmin
The https works. The problem I have at the moment is that the homepage
uses ftp:// as the only links for alpha.gnu.org and the signatures.
There are other uses of ftp:// in the source of the code, not the
website, which I have to look at more closely to decide what can be
> > It would not fix
> > the fact that we use ftp:// internally in some downloads (which breaks
> > guix package --fallback when you try to torify guix), but this could
> > be fixed later.
> Are you talking about using FTP to download the sources of some
No, about guix daemon using guix download to fetch the sources over ftp.
I'm still working my way towards an "torified" guix, but I know that
port 21 and 20 are often (there are exceptions) blocked by tor relay
admins. This results in ftp:// download scheme not working.