| Summary: | new overlay asking for inclusion: youbroketheinternet-overlay | | |
|---|---|---|---|
| Product: | Gentoo Infrastructure | Reporter: | ng0 <tek.no.katze> |
| Component: | Gentoo Overlays | Assignee: | Gentoo Overlays Project <overlays> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | layman |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | Runtime testing required: | --- | |

Description
ng0
2016-04-11 12:38:23 UTC
lynX says: it's also mentioned on http://youbroketheinternet.org/#overlay

@layman maintainers, do we support Tor-hosted overlays? I think not but want to confirm this.

(In reply to Michał Górny from comment #2)
> @layman maintainers, do we support Tor-hosted overlays? I think not but want
> to confirm this.

In case you don't support it, could layman be extended to support adding tor hosted overlays? I have never looked at the source of layman, but maybe this is something which could be easily done.

I don't know enough about using tor to know one way or another whether layman supports it. But as far as I know there has never been a tor overlay before. Layman is very modular, so it is relatively easy to create a new overlay type, module and add it to the management system.

Okay, thanks for the input again. I'll schedule this for myself starting in about a month to write a 'git-tor' module.

Another question is whether we really want Tor-hosted repositories on the official list. So far we've been working on making repositories more easily available. In particular, we were ensuring that repositories have https:// access so that people behind firewalls can reach them. Adding repositories that are normally inaccessible unless Tor is running kinda defeats the purpose of that.

(In reply to Michał Górny from comment #6)
> Another question is whether we really want Tor-hosted repositories on the
> official list. So far we've been working on making repositories more easily
> available. In particular, we were ensuring that repositories have https://
> access so that people behind firewalls can reach them. Adding repositories
> that are normally inaccessible unless Tor is running kinda defeats the
> purpose of that.

Isn't this also the exact purpose of tor, enabling people who are behind restrictive firewalls to access services by bypassing these firewalls through (for example) routing tor traffic through port 53, 80 or 443?

(if-not scenario I just thought of) If an official list inclusion should not be possible, it would help when I will try and write the git-tor module for layman and be able to point layman to an additional overlay list, where ours could be included. If this could be endorsed as an unofficial list on overlay.g.o, it could appear in its own section. I can understand if the reason for not considering to include is to think that .onion can change or go away all of a sudden, but there are some old .onion addresses. I have no idea about the age of ours as I was not the person who created it, but the domains run by lynX are reasonably old enough to trust that they don't disappear overnight.

I will relay messages from lynX later on to add to this.

lynX

Michael: the problem with https is that it is only little guarantee that you will receive the correct data that you are supposed to receive since it has become so easy to man in the middle X.509. Onions provide for better security. Also no specific change to layman is necessary. Users just call it with "torify" or configure their systems to support onions transparently. When they have no tor installed, the onion produces a harmless error. It is good that you are fading out plaintext git repositories since those are really trivial to hijack and inject malware.

I'm going to mark this CANTFIX. Please reopen when you either provide open access to the repository, or proper technical means for syncing it cleanly. If you go for the latter, I'd prefer if you did at least Portage and pkgcore sync modules (we need the latter since pkgcore is used to run repo-mirror-ci).

Reopening per https://github.com/gentoo/api-gentoo-org/pull/3

commit b4904a34e4ffec0a2aab2bb77d4237a634bd0943
Author: ng0 <ng0@we.make.ritual.n0.is>
Date: Tue Jul 19 00:34:19 2016

repositories: add youbroketheinternet, #579612