[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

GNU Guix Questions

From: bancfc
Subject: GNU Guix Questions
Date: Mon, 06 Mar 2017 16:14:08 +0100
User-agent: Roundcube Webmail/1.0.6

Hi Guix devs, I am a privacy distro dev and we are looking at using Guix in our OS. I have a few questions:

* Is the Guix package archive available from a Tor hidden service? There are many advantages of updating a system over Tor such as preventing a target adversary from fingerprinting and targeting hosts that run vulnerable packages and protecting systems in case the package manager has a security bug. Debian and Tor now provide onion mirrors for their packages. Can you please consider doing the same?

* Does Guix defend against the variety of attacks described in the TUF threat model document? (described in link below) How resilient is it against key compromise? (TUF was designed from the ground up to provide a highly resilient and secure update framework as a drop in replacement to crappy standalone updaters - a problem that's become very serious for proprietary OSes. The security research and implementation behind it are an excellent rubric that one can apply to any updater/package manager.)

* How does one setup a third part package archive? After looking at the manual I believe its as simple as fetching source from one's git repo?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]