On 09.12.2018 at 04:33, Chris Marusich wrote:
> Instead, we would be using a CDN as a performance optimization that is
> transparent to a Guix user. You seem unsettled by the idea of
> entrusting any part of substitute delivery to a third party, but
> concretely what risks do you foresee?
I have serious privacy concerns.

TL;DR: A CDN is a centralized infrastructure, allowing the collection
of valuable vulnerability information about almost all Guix users and
systems. This might become a threat to freedom of speech, human
rights, democracy and economics. Guix should build on a decentralized
infrastructure.
A distribution provider gets a notion of which system is running which
software in which version. In the case of Guix, the provider even gets
the exact version of the software and all its dependencies.
Combining this with the rise of IPv6, which by default uses the MAC
address as part of the IP address, actually allows identifying a
single system.
This information is extremely valuable for all kinds of attackers, as
it eases attacking a system a lot. This becomes a threat
- to opposition members, dissidents and human rights activists,
as intelligence agencies can target these persons much more
precisely,
- to companies all over the world, as many countries do
industrial espionage.
This becomes even worse when using a CDN, since the CDN is a
centralized system: A single CDN provider gains knowledge about almost
all systems all over the world. Which means: this valuable
vulnerability information is collected in a single place.
Intelligence agencies might be keen on getting access to this
information and a centralized system makes it easy for them. And
there is evidence they actually collect this information [*].
This gets even worse when the CDN belongs to one of these companies
compiling personal profiles, like Google, Facebook or Tencent.
Amazon belongs to this group.
I have the strong opinion that Guix should build on a decentralized
infrastructure to support keeping the freedom of speech, democracy
and human rights.
[*] Actually it is known that the US-American intelligence agencies have
equipment placed at Verizon to collect all kinds of data [1]. One can
reason the same is true for other big providers in the US. The USA
has the FISA act, AFAIU compelling US companies to collaborate in
industrial espionage. In Germany it is known that the BND is
extracting high-volume data at the central internet exchange
(DE-CIX) [2]. One can reason such also happens in other countries,
esp. members of the Five Eyes, France, Russia, China, Israel, Saudi
Arabia, Iran, Iraq, etc.
> Regarding your suggestion to ask universities to host mirrors (really,
> caching proxies), I think it could be a good idea. As Leo mentioned,
> the configuration to set up an NGINX caching proxy of Hydra (or berlin)
> is freely available in maintenance.git. Do you think we could convince
> some universities to host caching proxies that just run an NGINX web
> server using those configurations?
The difference is: For a traditional "ftp" mirror, an
organization just needs to add another source to its existing
configuration and administer it the same way as all other mirrors.
Whereas for a caching proxy they need to change the setup of the
web server and learn how to administer the cache. This difference
might make it difficult to convince organizations to mirror.
I could try and ask a few organizations in my area, but I would
need figures for this.
[1] https://www.bbc.com/news/world-us-canada-23123964 or search
the internet for e.g. "cia verizon espionage"
[2]
https://www.heise.de/newsticker/meldung/Gerichtsurteil-BND-darf-weiterhin-Internet-Knoten-De-CIX-anzapfen-4061494.html
[3]
https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act
[4]
--
+++hartmut
Hartmut Goebel | hartmut@goebel-consult.de | www.goebel-consult.de
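The message above argues that an IPv6 address formed from the MAC address (EUI-64) lets a substitute server or CDN identify a single machine. The following script is an added example that is not part of the thread: it checks whether an IPv6 address carries an EUI-64 interface identifier (the `ff:fe` marker in the middle of the lower 64 bits plus the flipped universal/local bit) and recovers the embedded MAC, so an administrator can verify whether their own hosts expose a hardware identifier or whether privacy extensions (RFC 4941, temporary addresses) are in effect. The sample addresses and the MAC are constructed for the example; the function names are my own.

```python
import ipaddress


def mac_to_eui64_address(prefix: str, mac: str) -> str:
    """Build the IPv6 address a host gets from SLAAC without privacy
    extensions: <prefix>/64 + modified EUI-64 of its MAC address."""
    m = bytes(int(x, 16) for x in mac.split(":"))
    if len(m) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, insert ff:fe in the middle.
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    net = ipaddress.IPv6Network(prefix, strict=True)
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def eui64_to_mac(addr: str):
    """Return the MAC embedded in an EUI-64 derived IPv6 address,
    or None if the interface identifier does not look EUI-64 derived
    (e.g. a temporary/privacy address or a manually assigned one)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]   # lower 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02   # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addrs):
    """Classify each address: 'exposes MAC xx:xx:...' or 'opaque'.
    Returns a dict so the result can be checked programmatically."""
    report = {}
    for a in addrs:
        mac = eui64_to_mac(a)
        report[a] = f"exposes MAC {mac}" if mac else "opaque"
    return report


if __name__ == "__main__":
    # Constructed sample: one SLAAC/EUI-64 address, one privacy-extension
    # style address with a random interface identifier.
    samples = [
        mac_to_eui64_address("2001:db8:1::/64", "00:11:22:33:44:55"),
        "2001:db8:1::1a2b:3c4d:5e6f:7a8b",
    ]
    for addr, verdict in audit_addresses(samples).items():
        print(f"{addr:40} {verdict}")
```

If a host's global address shows up as "exposes MAC", every substitute download from that host carries a stable hardware identifier to whoever serves it; enabling temporary addresses (`net.ipv6.conf.all.use_tempaddr=2` on Linux) makes the identifier rotate instead.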