Status: [PATCH] home: Add parcimonie service.
From: bug#64838 <64838@debbugs.gnu.org>
Date: Sun, 15 Jun 2025 02:07:14 +0000

retitle 64838 [PATCH] home: Add parcimonie service.
reassign 64838 guix-patches
submitter 64838 Efraim Flashner
severity 64838 normal
tag 64838 patch
thanks

From: Efraim Flashner
To: guix-patches@gnu.org
Subject: [PATCH] home: Add parcimonie service.
Date: Mon, 24 Jul 2023 22:03:30 +0300
X-Mailer: git-send-email 2.41.0
X-Debbugs-Cc: ( , Andrew Tropin , Ludovic Courtès
* gnu/home/services/gnupg.scm (home-parcimonie-service-type,
home-parcimonie-configuration): New variables.
* doc/guix.texi (GNU Privacy Guard): Document it.
---
 doc/guix.texi               | 55 ++++++++++++++++++++++++
 gnu/home/services/gnupg.scm | 86 ++++++++++++++++++++++++++++++++++++-
 2 files changed, 139 insertions(+), 2 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 585baf358f..bc86c58cdb 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -43679,6 +43679,61 @@ GNU Privacy Guard @end deftp +@cindex Parcimonie, Home service +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG +public key from a keyserver. Its refreshes one key at a time; between every +key update parcimonie sleeps a random amount of time, long enough for the +previously used Tor circuit to expire. This process is meant to make it hard +for an attacker to correlate the multiple performed key update operations. + +As an example, here is how you would configure @code{parcimonie} to refresh the +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as +when running @code{guix import}: + +@lisp +(service home-parcimonie-service-type + (home-parcimonie-configuration + (refresh-guix-keyrings? #t))) +@end lisp + +The service reference is given below. + +@defvar parcimonie-service-type +This is the service type for @command{parcimonie} +(@uref{https://salsa.debian.org/intrigeri/parcimonie, Parcimonie's web site}). +Its value must be a @code{home-parcimonie-configuration}, as shown below. +@end defvar + +@c %start of fragment + +@deftp {Data Table} home-parcimonie-configuration +Available @code{home-parcimonie-configuration} fields are: + +@table @asis +@item @code{parcimonie} (default: @code{parcimonie}) (type: file-like) +The parcimonie package to use. + +@item @code{verbose?} (default: @code{#f}) (type: boolean) +Whether to have more verbose logging from the service. + +@item @code{gnupg-already-torified?} (default: @code{#f}) (type: boolean) +Whether GnuPG is already configured to pass all traffic through +@uref{https://torproject.org, Tor}. + +@item @code{dbus?} (default: @code{#f}) (type: boolean) +Whether to send activity updates through D-Bus. + +@item @code{refresh-guix-keyrings?} (default: @code{#f}) (type: boolean) +Guix creates a few keyrings in the @var{$XDG_CONFIG_DIR}, such as when running +@code{guix import} (@pxref{Invoking guix import}). 
Setting this to @code{#t} +will also refresh any keyrings which Guix has created. + +@item @code{extra-content} (default: @code{#f}) (type: raw-configuration-string) +Raw content to add to the parcimonie command. + +@end table + +@end deftp @c %end of fragment diff --git a/gnu/home/services/gnupg.scm b/gnu/home/services/gnupg.scm index 7e9e02a3cc..9b66f7b1cf 100644 --- a/gnu/home/services/gnupg.scm +++ b/gnu/home/services/gnupg.scm @@ -1,5 +1,6 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2023 Ludovic Courtès +;;; Copyright © 2023 Efraim Flashner ;;; ;;; This file is part of GNU Guix. ;;; @@ -23,7 +24,7 @@ (define-module (gnu home services gnupg) #:use-module (gnu services configuration) #:use-module (gnu home services) #:use-module (gnu home services shepherd) - #:autoload (gnu packages gnupg) (gnupg pinentry) + #:autoload (gnu packages gnupg) (gnupg pinentry parcimonie) #:export (home-gpg-agent-configuration home-gpg-agent-configuration? home-gpg-agent-configuration-gnupg @@ -34,7 +35,17 @@ (define-module (gnu home services gnupg) home-gpg-agent-configuration-max-cache-ttl-ssh home-gpg-agent-configuration-extra-content - home-gpg-agent-service-type)) + home-gpg-agent-service-type + + home-parcimonie-configuration + home-parcimonie-configuration? + home-parcimonie-configuration-parcimonie + home-parcimonie-configuration-gnupg-already-torified? + home-parcimonie-configuration-with-dbus? + home-parcimonie-configuration-refresh-guix-keyrings? + home-parcimonie-configuration-extra-content + + home-parcimonie-service-type)) (define raw-configuration-string? string?) 
@@ -148,3 +159,74 @@ (define home-gpg-agent-service-type managing OpenPGP and optionally SSH private keys. When SSH support is enabled, @command{gpg-agent} acts as a drop-in replacement for OpenSSH's @command{ssh-agent}."))) + +(define-configuration/no-serialization home-parcimonie-configuration + (parcimonie + (file-like parcimonie) + "The parcimonie package to use.") + (verbose? + (boolean #f) + "Provide extra output to the log file.") + (gnupg-aleady-torified? + (boolean #f) + "GnuPG is already configured to use tor and parcimonie won't attempt to use +tor directly.") + (dbus? + (boolean #f) + "Send activity updates on the org.parcimonie.daemon D-Bus service.") + (refresh-guix-keyrings? + (boolean #f) + "Also refresh any Guix keyrings found in the XDG_CONFIG_DIR.") + (extra-content + (raw-configuration-string "") + "Raw content to add to the parcimonie service.")) + +(define (home-parcimonie-shepherd-service config) + "Return a user service to run parcimonie." + (match-record config + (parcimonie verbose? gnupg-aleady-torified? dbus? + refresh-guix-keyrings? extra-content) + (let ((log-file #~(string-append %user-log-dir "/parcimonie.log"))) + (list (shepherd-service + (provision '(parcimonie)) + (modules '((shepherd support) ;for '%user-log-dir' + (guix build utils) + (srfi srfi-1))) + (start #~(make-forkexec-constructor + (cons* + #$(file-append parcimonie "/bin/parcimonie") + #$@(if verbose? + '("--verbose") + '()) + #$@(if gnupg-aleady-torified? + '("--gnupg_already_torified") + '()) + #$@(if dbus? + '("--with_dbus") + '()) + #$@(if (not (string=? extra-content "")) + (list extra-content) + '()) + #$@(if refresh-guix-keyrings? + '((append-map + (lambda (item) + (list (string-append "--gnupg_extra_options=" + "--keyring=" item))) + (find-files + (string-append (getenv "XDG_CONFIG_HOME") "/guix") + "^trustedkeys\\.kbx$"))) + '((list)))) + #:log-file #$log-file)) + (stop #~(make-kill-destructor)) + (respawn? 
#t) + (documentation "Incrementally refresh gnupg keyring over Tor")))))) + +(define home-parcimonie-service-type + (service-type + (name 'home-parcimonie) + (extensions + (list (service-extension home-shepherd-service-type + home-parcimonie-shepherd-service))) + (default-value (home-parcimonie-configuration)) + (description + "Incrementally refresh GnuPG keyrings over Tor.")))

base-commit: 3adde30af52d4be347d610c0bdd543e0fdd6d64d
-- 
Efraim Flashner רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
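Review bot: in the doc/guix.texi hunk (@@ -43679,6 +43679,61 @@), `@defvar parcimonie-service-type` documents a variable that the code never defines; the example in the same hunk and the export list both use `home-parcimonie-service-type`, so the @defvar should carry that name. Two smaller mismatches in the same reference block: `@item @code{extra-content} (default: @code{#f})` while the record definition defaults the field to `""`, and the `refresh-guix-keyrings?` entry points at `@var{$XDG_CONFIG_DIR}` while the service reads `XDG_CONFIG_HOME`. The typo "Its refreshes one key at a time" should read "It refreshes".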
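Review bot: the export list in the @@ -34,7 +35,17 @@ hunk names accessors that `define-configuration/no-serialization` will not generate. The record field is spelled `gnupg-aleady-torified?`, so the generated accessor is `home-parcimonie-configuration-gnupg-aleady-torified?`, not the exported `home-parcimonie-configuration-gnupg-already-torified?`; likewise the field is `dbus?`, so nothing defines the exported `home-parcimonie-configuration-with-dbus?`. Both exported names end up unbound for importers. `home-parcimonie-configuration-verbose?` is generated but missing from the list. Fix the field spelling in the record and align the exports with the actual field names.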
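Review bot: in the @@ -148,3 +159,74 @@ hunk, the `refresh-guix-keyrings?` branch of the `start` gexp calls `(string-append (getenv "XDG_CONFIG_HOME") "/guix")`, which raises a wrong-type error when `XDG_CONFIG_HOME` is unset because `getenv` returns `#f`; the XDG default is `$HOME/.config`, so use `(or (getenv "XDG_CONFIG_HOME") (string-append (getenv "HOME") "/.config"))`. Note also that this lookup runs inside the shepherd process at service start, so it sees shepherd's environment, not the user's login shell. Two more points in this hunk: the field is spelled `gnupg-aleady-torified?`, so a configuration written with the documented `gnupg-already-torified?` name does not build; and `extra-content` is passed as one argv element via `(list extra-content)`, so a string holding several options reaches parcimonie as a single argument, which is not what the docstring "Raw content to add to the parcimonie service" suggests.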
From: Ludovic Courtès
To: Efraim Flashner
Cc: 64838@debbugs.gnu.org
Subject: Re: bug#64838: [PATCH] home: Add parcimonie service.
Date: Wed, 16 Aug 2023 22:32:23 +0200
In-Reply-To: (Efraim Flashner's message of "Mon, 24 Jul 2023 22:03:30 +0300")
Message-ID: <878raa4tk8.fsf@gnu.org>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)

Hello,

Efraim Flashner skribis:

> * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> home-parcimonie-configuration): New variables.
> * doc/guix.texi (GNU Privacy Guard): Document it.

Very nice!

> +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> +public key from a keyserver. Its refreshes one key at a time; between every
                                 ^
                                 “It”
> +key update parcimonie sleeps a random amount of time, long enough for the
> +previously used Tor circuit to expire. This process is meant to make it hard
> +for an attacker to correlate the multiple performed key update operations.

Maybe: “to correlate the multiple key updates.”

> +As an example, here is how you would configure @code{parcimonie} to refresh the
> +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> +when running @code{guix import}:
> +
> +@lisp
> +(service home-parcimonie-service-type
> +         (home-parcimonie-configuration
> +           (refresh-guix-keyrings? #t)))
> +@end lisp

Maybe add: “This assumes that the Tor anonymous routing daemon is
already running on your system. On Guix System, this can be achieved by
setting up @code{tor-service-type} (@pxref{Networking Services,
@code{tor-service-type}}).”

Apart from these minor nits, LGTM!

Thanks,
Ludo’.

Date: Fri, 18 Aug 2023 16:24:39 +0300
From: Efraim Flashner
To: Ludovic Courtès
Cc: 64838@debbugs.gnu.org, unmatched-paren, Andrew Tropin
Subject: Re: bug#64838: [PATCH] home: Add parcimonie service.
In-Reply-To: <878raa4tk8.fsf@gnu.org>
X-PGP-Key-ID: 0x41AAE7DCCA3D8351
X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc
X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

On Wed, Aug 16, 2023 at 10:32:23PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Efraim Flashner skribis:
> 
> > * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> > home-parcimonie-configuration): New variables.
> > * doc/guix.texi (GNU Privacy Guard): Document it.
> 
> Very nice!
> 
> > +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> > +public key from a keyserver. Its refreshes one key at a time; between every
>                                  ^
>                                  “It”
> 
> > +key update parcimonie sleeps a random amount of time, long enough for the
> > +previously used Tor circuit to expire. This process is meant to make it hard
> > +for an attacker to correlate the multiple performed key update operations.
> 
> Maybe: “to correlate the multiple key updates.”
> 
> > +As an example, here is how you would configure @code{parcimonie} to refresh the
> > +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> > +when running @code{guix import}:
> > +
> > +@lisp
> > +(service home-parcimonie-service-type
> > +         (home-parcimonie-configuration
> > +           (refresh-guix-keyrings? #t)))
> > +@end lisp
> 
> Maybe add: “This assumes that the Tor anonymous routing daemon is
> already running on your system. On Guix System, this can be achieved by
> setting up @code{tor-service-type} (@pxref{Networking Services,
> @code{tor-service-type}}).”
> 
> Apart from these minor nits, LGTM!

Thanks. Apparently the dbus integration was for the parcimonie applet,
but that's been deprecated so I'll remove that option. Also I think I
need to test the service once or twice more, I need to make sure the
append-map bits work as expected and it doesn't make an extra list.
I'll push it once I've taken care of those bits.
-- 
Efraim Flashner רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
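As an added check that is not part of the patch or of anyone's message in this thread, the argv construction from the shepherd `start` gexp can be exercised at a Guile REPL outside shepherd. The procedure below mirrors the `cons*` / `append-map` shape of the patch but takes the keyring paths as an argument instead of discovering them with `find-files`, and it handles the case where `XDG_CONFIG_HOME` is unset (the patch calls `getenv` on it directly). The store path and keyring file path in `check` are constructed for the example and do not exist on a real system.

```scheme
;; Added example, not from the patch: rebuild the parcimonie argv the way
;; the shepherd 'start' gexp does and check that the result is a flat
;; list of strings, i.e. that append-map does not introduce a nested list.
(use-modules (srfi srfi-1))             ; append-map, every, last

(define (guix-config-dir)
  "Directory where Guix keeps its keyrings.  The patch uses
(getenv \"XDG_CONFIG_HOME\") directly, which returns #f when the variable
is unset; the XDG fallback is $HOME/.config."
  (string-append (or (getenv "XDG_CONFIG_HOME")
                     (string-append (getenv "HOME") "/.config"))
                 "/guix"))

(define* (parcimonie-argv parcimonie keyrings
                          #:key (verbose? #f)
                          (gnupg-already-torified? #f)
                          (extra-content ""))
  "Return the command line for PARCIMONIE (a store path) that also
refreshes each keyring file in KEYRINGS.  The optional flags appear in
the same order as in the patch."
  (cons* (string-append parcimonie "/bin/parcimonie")
         (append (if verbose? '("--verbose") '())
                 (if gnupg-already-torified?
                     '("--gnupg_already_torified")
                     '())
                 (if (string=? extra-content "") '() (list extra-content))
                 ;; append-map concatenates the one-element lists, so the
                 ;; tail of cons* is a flat list; with no keyrings it is '().
                 (append-map (lambda (keyring)
                               (list (string-append
                                      "--gnupg_extra_options=--keyring="
                                      keyring)))
                             keyrings))))

(define (flat-argv? argv)
  "True when ARGV is a proper list whose elements are all strings."
  (and (list? argv) (every string? argv)))

(define (check)
  "Build the argv with and without a keyring and verify its shape."
  ;; Constructed inputs: neither the store item nor the .kbx file exists.
  (let* ((store "/gnu/store/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-parcimonie")
         (kbx (string-append (guix-config-dir) "/example/trustedkeys.kbx"))
         (with (parcimonie-argv store (list kbx) #:verbose? #t))
         (without (parcimonie-argv store '())))
    (and (flat-argv? with)
         (flat-argv? without)
         (= (length with) 3)
         (= (length without) 1)
         (string=? (last with)
                   (string-append "--gnupg_extra_options=--keyring=" kbx)))))
```

Load the file with `guile -l` and evaluate `(check)`; it is true only when both argument lists are flat lists of strings of the expected length and the keyring option is the last element, which is the property the shepherd gexp relies on when it splices the `append-map` form in as the tail of `cons*`.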
Date: Mon, 4 Sep 2023 11:21:55 +0300
From: Efraim Flashner
To: Ludovic Courtès
Cc: 64838-done@debbugs.gnu.org, paren@disroot.org, Andrew Tropin
Subject: Re: bug#64838: [PATCH] home: Add parcimonie service.
In-Reply-To: <878raa4tk8.fsf@gnu.org>
X-PGP-Key-ID: 0x41AAE7DCCA3D8351
X-PGP-Key: https://flashner.co.il/~efraim/efraim_flashner.asc
X-PGP-Fingerprint: A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

On Wed, Aug 16, 2023 at 10:32:23PM +0200, Ludovic Courtès wrote:
> Hello,
> 
> Efraim Flashner skribis:
> 
> > * gnu/home/services/gnupg.scm (home-parcimonie-service-type,
> > home-parcimonie-configuration): New variables.
> > * doc/guix.texi (GNU Privacy Guard): Document it.
> 
> Very nice!
> 
> > +The @code{parcimonie} service runs a daemon that slowly refreshes a GnuPG
> > +public key from a keyserver. Its refreshes one key at a time; between every
>                                  ^
>                                  “It”
> 
> > +key update parcimonie sleeps a random amount of time, long enough for the
> > +previously used Tor circuit to expire. This process is meant to make it hard
> > +for an attacker to correlate the multiple performed key update operations.
> 
> Maybe: “to correlate the multiple key updates.”
> 
> > +As an example, here is how you would configure @code{parcimonie} to refresh the
> > +keys in your GnuPG keyring, as well as those keyrings created by Guix, such as
> > +when running @code{guix import}:
> > +
> > +@lisp
> > +(service home-parcimonie-service-type
> > +         (home-parcimonie-configuration
> > +           (refresh-guix-keyrings? #t)))
> > +@end lisp
> 
> Maybe add: “This assumes that the Tor anonymous routing daemon is
> already running on your system. On Guix System, this can be achieved by
> setting up @code{tor-service-type} (@pxref{Networking Services,
> @code{tor-service-type}}).”
> 
> Apart from these minor nits, LGTM!
> 
> Thanks,
> Ludo’.

Thanks. I was able to test it overnight and everything looks good.
Patch pushed finally!

-- 
Efraim Flashner רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 02 Oct 2023 11:24:07 +0000

bug archived.
thanks