Re: [Whonix-devel] GNU Guix Questions
Tue, 07 Mar 2017 20:31:45 +0100
On 2017-03-07 12:05, ng0 wrote:
On 17-03-07 00:59:08, address@hidden wrote:
On 2017-03-06 17:15, ng0 wrote:
> Hi bancfc,
Hi ng0, great to see you here :)
> On 17-03-06 16:14:08, address@hidden wrote:
> > Hi Guix devs, I am a privacy distro dev and we are looking at using
> > Guix in
> > our OS. I have a few questions:
> > * Is the Guix package archive available from a Tor hidden service?
> > There are
> > many advantages of updating a system over Tor such as preventing a
> > target
> > adversary from fingerprinting and targeting hosts that run vulnerable
> > packages and protecting systems in case the package manager has a
> > security
> > bug. Debian and Tor now provide onion mirrors for their packages.
> > Can you
> > please consider doing the same?
> As far as I know this might be discussed currently at GNU
> sysadministration level,
> at least that's the last info I got when I suggested this last week to
> There is an onion mirror which is run by another community. It doesn't
> mirror alpha.gnu.org yet (where guix binaries are located), but it plans
> to do so. I need to get in touch with the community to ask whether they
> would be okay with more bandwidth.
> Do you have an estimation on how high your usage would be for the guix
> download from the onion mirror?
The amount of bandwidth is approximately the size of GNUnet x 15K
> I think we have a misunderstanding here. Do you mean access to the
> releases of Guix as in what's on
> https://alpha.gnu.org/whatever/the/path/to/guix/was, where the software
> itself is released, or did you mean what we call 'binary substitutes'
> Guix, the packages which are built from the guix.git master which
> feature the software (here software as in tor, perl, epiphany, gnupg,
> Now that I'm reading your initial email again it reads as if could be
> either or both. It would be good if you try to clarify this.
Yes I meant binary substitutes not Guix itself.
Later on we will expand the selection to include Tor Browser once you
package it - if that pans out that would be a massive achievement. The
> The torbrowser I am packaging initially is a 1:1 copy of what
> team is keeping in the git repository. Nix for example decided to
> just patchelf the binary releases of torbrowser (the tar files found on
> dist.torproject.org), this is not acceptable for the work for Guix.
> So I'm trying my way with building from git tags. If there are other
> people interested and willing to help (once I have something to debug),
> I will share recipes / git repositories to work on it.
I think this work is so important that it deserves bringing it to the
notice of the Tor devs on their mailing list. They will probably help
out because it is something they have been wanting to do and are
> Furthermore the final package version for Guix will include fixes which
> might be needed, similar to what icecat does to firefox esr, to include
> it in Guix. This is of course no 1:1 torbrowser then anymore and must
> not be described as such. It'll be interesting to see if at all it
> differs in fingerprinting from torbrowser.
To check the fingerprint of your versions you can use this site:
It was a product of a GSoC project to exclusively measure Tor Browser
fingerprints between versions to help TBB devs and users make sure they
If for any reason you need the full 1:1 copy we can talk about this
are getting there, offlist or at least not on address@hidden
No particular reason for 1:1 as long as the Guix package is fully
reproducible and closely tracks upstream security updates it's OK with
Torproject have discussed packaging it for years but they couldn't
out because of the breakneck speed of development and the cumbersome
of creating Debian packages. Meanwhile anonymity distros were forced
up with a workaround safe downloader mechanism in absence of a package
fetchable from a package manager. It's been a high maintenance effort
the years and a Guix package would finally solve this.
Another "wishlist" package would be GNU-libre kernel that includes the
Grsecurity patchset so we can include that out of the box instead of
requiring users to manually patch and tweak settings with every
> I think HEADS (the linux-libre grsec devuan based blend) did this, or
> are working on it. I know for Guix, someone is working on SELinux. I
> think if you are looking into getting a GRSec enabled kernel with
> according policies, this must be answered by someone who knows more
> about the core of Guix.
> It might also be the case that I don't fully understand your plan. What
> I read sounds like you are either mixing up Guix and GuixSD or as if
> the differences between both need to be explained. It would be easier
> know the current state of the system, and where you want to go with
I understand the difference between Guix and GuixSD - the latter is a
full distribution based around the former. Since we are Debian based I
was looking into cherry-picking packages from Guix binary repos because
the way it works is ideal instead of the bureaucracy of Debian packaging
policies which makes packaging impossible in some cases.