|Subject:||Re: Using a CDN or some other mirror?|
|Date:||Sun, 9 Dec 2018 13:12:20 +0100|
|User-agent:||Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1|
Am 09.12.2018 um 04:33 schrieb Chris Marusich:
Instead, we would be using a CDN as a performance optimization that is transparent to a Guix user. You seem unsettled by the idea of entrusting any part of substitute delivery to a third party, but concretely what risks do you foresee?
I have serious privacy concerns.
TL;DR: A CDN is a centralized infrastructure, allowing to collect information about valuable vulnerability information of almost all Guix-users and -systems. This is might become a thread to freedom of speech, human rights, democracy and economics. Guix should build on a decentralized infrastructure.
A distribution provider gets a notion which system is running which software in which version. In case of guix, the provider even gets the exact version of the software and all its dependencies. Combining this with the rise of IPv6, which per default uses the MAC address as part of the IP address, actually allows identifying a single system.
This information is extremely valuable for all kinds of attackers as it eases attacking a system a lot. This becomes a thread to
This gets even worse when the CDN belongs to one of these companies compiling personal profiles, like Google, Facebook or Tencent. Amazon belongs to this group.
I have the strong opinion that Guix should build on a decentralized infrastructure to support keeping the freedom of speech, democracy and human rights.
[*] Actually it is known the US-American intelligence agencies have equipment placed at Verizon to collect all kind of data . One can reason the same is true for other big providers in the US. The USA has the FISA act AFAIU enforcing US companies to collaborate in industrial espionage. In Germany it is known that the BND is extracting high-volume data at the central internet exchange (DE-CIX) . One can reason such also happens in other countries, esp. members of the five-eyes, France, Russia, China, Israel, Saudi Arabia, Iran, Irak, etc.
Regarding your suggestion to ask universities to host mirrors (really, caching proxies), I think it could be a good idea. As Leo mentioned, the configuration to set up an NGINX caching proxy of Hydra (or berlin) is freely available in maintenance.git. Do you think we could convince some universities to host caching proxies that just run an NGINX web server using those configurations?
The difference is: For a traditional "ftp"-mirror, an
organization just needs to add another source to its existing
configuration and administer to the save way as all other mirrors.
Whereas for a caching proxy they need to change the setup of the
web-server and learn how to administer the cache. This difference
might make it difficult to convince organizations to mirror.
I could try and ask a few organizations in my area, but I would need figures for this.
-- +++hartmut | Hartmut Goebel | | | address@hidden | www.goebel-consult.de |
|[Prev in Thread]||Current Thread||[Next in Thread]|