Hello Brice,

Wed 17 Jun 2020 at 08:37:59 (1592393879), [email protected] wrote:
> Hello André,
>
> Thank you for the patch and your feedback!

It's me who should be thanking you!

> When writing this section of the cookbook I was worried that some
> readers will misunderstand it so I added a big warning at the
> front but it doesn't seem to be enough since you sent this mail.

Sorry to disturb you, your warning was clear enough. I've only thought that there was room for improvement whilst there remains the need for a proper solution to the problem at hand.

> I would like to keep the warnings at the beginning of the section
> to be sure that readers don't miss it when skimming through it.
> Any rewording of that part to make the scope of the section or
> the warnings more clear is welcome.

Attached is a new version of the previous patch which changes the comment to the warning quote. I had previously thought that it would be worse to inflate the warning with this comment, even more so as the section's title already mentions it's related to substitutes.

> Note that this section is only about getting *substitutes* through
> tor and it should probably be kept that way to avoid confusing the
> user in regard to what (narrow) security benefit this configuration
> offers.

Note taken, but it seems to me that if someone is going through the trouble of configuring guix to get substitutes through Tor, such a person would most likely also wish to update guix through the same network. It does nothing to fix the possible leaks when substitutes aren't available, but it makes it clear that it's possible/advisable in such a scenario to pull using torsocks. I don't think it misinforms users.

> On a wider front I would prefer to have a foolproof configuration
> that route *all* guix related traffic through Tor, instead of that
> half-way setup. Providing a way to 'torify' any service with
> something like 'make-forkexec-constructor/trosocks', as
> 'make-forkexec-constructor/container' does for containerizing a
> service, would be great[0]. A less engaged option would be to
> make 'guix-daemon' compatible with 'torsocks' since doing so
> makes guix unusable[1].

I too would prefer it, but a half-way setup is what we have for now. So a three-quarters-way would be an improvement though not the fix we're in need of. I'll dig deeper and will come back to you if I make any progress.
From 1d6e29dcbc5b9a8659294af033863a31526eab76 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Batista?= <[email protected]> Date: Thu, 18 Jun 2020 10:23:23 -0300 Subject: [PATCH] doc: cookbook: Update entry about getting substitutes through Tor. To: [email protected] * doc/guix-cookbook.texi (Getting substitutes from Tor): Update section warning to mention the use of torsocks when pulling. --- doc/guix-cookbook.texi | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/guix-cookbook.texi b/doc/guix-cookbook.texi index 1342826c97..d5a8459363 100644 --- a/doc/guix-cookbook.texi +++ b/doc/guix-cookbook.texi @@ -15,6 +15,7 @@ Copyright @copyright{} 2020 Oleg Pykhalov@* Copyright @copyright{} 2020 Matthew Brooks@* Copyright @copyright{} 2020 Marcin Karpezo@* Copyright @copyright{} 2020 Brice Waegeneire@* +Copyright @copyright{} 2020 André Batista@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -1799,10 +1800,16 @@ HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc connections will still go through the clearnet. Again, this configuration isn't foolproof some of your traffic won't get routed by Tor at all. Use it at your own risk. + +Also note that the procedure described here applies only to package +substitution. When you update your guix distribution with +@command{guix pull}, you still need to use @command{torsocks} if +you want to route the connection to guix's git repository servers +through Tor. @end quotation Guix's substitute server is available as a Onion service, if you want -to use it to get your substitutes from Tor configure your system as +to use it to get your substitutes through Tor configure your system as follow: @lisp -- 2.26.2
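Review bot: In the second hunk (the paragraph added inside the @quotation warning), the project and tool names are lower-cased in "your guix distribution" and "guix's git repository servers", while the unchanged context in the same hunk writes "Guix's substitute server" and "Git protocol"; please capitalize them as "Guix" and "Git" for consistency. The new paragraph also tells the reader to use @command{torsocks} without showing how, so a short @example with the wrapped invocation (torsocks guix pull) would make the instruction actionable, and it is worth stating there that this is a separate step not covered by the substitute proxy configuration that follows. Since the last changed line is being reworded anyway, consider fixing the rest of that sentence in the same patch: it needs a comma after "through Tor" and reads "as follow:" where "as follows:" is meant. Finally, the commit log only mentions the warning update, but the patch also changes "from Tor" to "through Tor" in the paragraph after the quotation; mention that in the log entry.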
