[Whonix-devel] GNU Guix Questions
bancfc at openmailbox.org
Mon Mar 6 16:14:08 CET 2017
Hi Guix devs, I am a privacy distro dev and we are looking at using Guix
in our OS. I have a few questions:

* Is the Guix package archive available from a Tor hidden service? There
are many advantages of updating a system over Tor, such as preventing a
target adversary from fingerprinting and targeting hosts that run
vulnerable packages and protecting systems in case the package manager
has a security bug. Debian and Tor now provide onion mirrors for their
packages. Can you please consider doing the same?

* Does Guix defend against the variety of attacks described in the TUF
threat model document? (described in link below) How resilient is it
against key compromise? (TUF was designed from the ground up to provide
a highly resilient and secure update framework as a drop-in replacement
to crappy standalone updaters - a problem that's become very serious for
proprietary OSes. The security research and implementation behind it are
an excellent rubric that one can apply to any updater/package manager.)

https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md

* How does one set up a third-party package archive? After looking at the
manual I believe it's as simple as fetching source from one's git repo?

Thanks