GNU bug report logs -
#54370
guix.gnu.org is inaccessible from Russia
Previous Next
Reported by: poiNt_3D <point4d <at> gmail.com>
Date: Sun, 13 Mar 2022 07:13:02 UTC
Severity: normal
Merged with 55500
Done: Christopher Baines <mail <at> cbaines.net>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 54370 in the body.
You can then email your comments to 54370 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 07:13:02 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
poiNt_3D <point4d <at> gmail.com>
:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org
.
(Sun, 13 Mar 2022 07:13:02 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Hello. I would like to request a clarification on the issue of
inaccessibility of guix.gnu org from the Russian Federation.
Is the blocking intentional or is there some kind of networking problem?
Here's my traceroute output:
> 6 ge-4-0-0-10g.m320-2-vlgd.nwtelecom.ru (212.48.195.41) 15.660 ms
> 13.065 ms 15.545 ms
> 7 109.172.24.67 (109.172.24.67) 32.341 ms 87.226.183.61 (87.226.183.61)
> 31.027 ms 28.507 ms
> 8 ae53.edge4.stockholm2.level3.net (213.249.107.129) 37.298 ms 29.497
> ms 35.571 ms
> 9 ae1.5.bar1.hamburg1.level3.net (4.69.142.209) 73.587 ms
> s-bb1-link.ip.twelve99.net (62.115.139.180) 27.296 ms
> ae1.5.bar1.hamburg1.level3.net (4.69.142.209) 74.064 ms
> 10 195.122.181.62 (195.122.181.62) 64.682 ms 66.071 ms 68.254 ms
> 11 ffm-b5-link.ip.twelve99.net (62.115.114.89) 51.213 ms
> cr-tub2-be13.x-win.dfn.de (188.1.144.58) 67.156 ms 61.032 ms
> 12 kr-mdcbln1.x-win.dfn.de (188.1.238.78) 65.546 ms
> dfn-ic357399-ffm-b5.ip.twelve99-cust.net (213.248.97.41) 50.044 ms
> 49.354 ms
> 13 cr-erl2-be8.x-win.dfn.de (188.1.144.221) 50.629 ms * *
> 14 cr-tub2-be10.x-win.dfn.de (188.1.146.210) 64.584 ms 56.154 ms *
> 15 kr-mdcbln1.x-win.dfn.de (188.1.238.78) 59.972 ms * 64.541 ms16 * *
> *
> 16 * * *
> 17 * * *
> 18 * * *
> 19 * * *
> 20 * * *
> 21 * * *
> 22 * * *
> 23 * * *
> 24 * * *
> 25 * * *
>
Thanks.
[Message part 2 (text/html, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 09:06:01 GMT)
Full text and
rfc822 format available.
Message #8 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hello!
Check out this discussion:
https://lists.gnu.org/archive/html/help-guix/2022-03/msg00004.html
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 11:44:01 GMT)
Full text and
rfc822 format available.
Message #11 received at submit <at> debbugs.gnu.org (full text, mbox):
Hi Point4d,
Specifically, from the thread linked by Evgeny:
"At the MDC level there’s an unrelated recent ban of some Russian IP ranges in place due to massively increased port scans and intrusion attempts since about one week. I hope you can use the Chinese mirror for the time being."
That mirror is at https://mirrors.sjtug.sjtu.edu.cn/guix . Let us know if it works.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 11:44:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Tobias Geerinckx-Rice <me <at> tobias.gr>
:
You have taken responsibility.
(Sun, 13 Mar 2022 11:44:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
poiNt_3D <point4d <at> gmail.com>
:
bug acknowledged by developer.
(Sun, 13 Mar 2022 11:44:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 12:16:02 GMT)
Full text and
rfc822 format available.
Message #22 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hm,
I didn't address guix.gnu.org beyond ci.guix.gnu.org.
Everyone: should we ask SJTUG to mirror the Web site as well?
I'm generally weary of that.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
Kind regards,
T G-R
Sent on the go. Excuse or enjoy my brevity.
Did not alter fixed versions and reopened.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Sun, 13 Mar 2022 12:16:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 12:39:02 GMT)
Full text and
rfc822 format available.
Message #27 received at 54370 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Tobias Geerinckx-Rice via Bug reports for GNU Guix <bug-guix <at> gnu.org> writes:
> I didn't address guix.gnu.org beyond ci.guix.gnu.org.
>
> Everyone: should we ask SJTUG to mirror the Web site as well?
>
> I'm generally weary of that.
I believe bayfront was being setup to serve the website (see [1]), but
I'm not sure on how that's progressing.
1: https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=8250a46b2fa178d1cdd37986028d5a07e3db65ed
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 14:31:02 GMT)
Full text and
rfc822 format available.
Message #30 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hi,
Christopher Baines <mail <at> cbaines.net> skribis:
> I believe bayfront was being setup to serve the website (see [1]), but
> I'm not sure on how that's progressing.
>
> 1: https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=8250a46b2fa178d1cdd37986028d5a07e3db65ed
Indeed. The plan we discussed during the “sysadmin hackathon” a couple
of months ago was to, for instance, have the DNS entry point to these
two machines.
The problem we keep stumbling upon and that I don’t know how yet how to
solve is how to make it work for HTTPS: do we copy raw certificates to
bayfront, or is there a way to have separate certificates? How about
Let’s Encrypt challenges?
These are the last issues to solve and I’d welcome expertise here. Any
ideas?
Everything else is addressed: the web site gets built on bayfront just
like it is on berlin, static data such as videos and PDFs are
automatically mirrored to bayfront.
https://git.savannah.gnu.org/cgit/guix/maintenance.git/commit/?id=601691e7ea07c999d60993464b27d4cba2621f05
Thanks,
Ludo’.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 15:31:01 GMT)
Full text and
rfc822 format available.
Message #33 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hi!
On 2022-03-13 15:30, Ludovic Courtès wrote:
> The plan we discussed during the “sysadmin hackathon” a couple
> of months ago was to, for instance, have the DNS entry point to these
> two machines.
Uhm, quick but:
Apparently some browsers (OK, one, and we all know which one) embraces &
extends the DNS in such a way that this provides the fall-back behaviour
you seem to expect. But this is not standard and it won't fly with most
software. I checked.
It doesn't in Firefox/IceCat. Even if it does in current Chrom{e,ium},
it might just be an unreliable side-effect.
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 19:51:01 GMT)
Full text and
rfc822 format available.
Message #36 received at 54370 <at> debbugs.gnu.org (full text, mbox):
[Resending to the proper address, sorry; I'm mu4e-less and hence
incompetent :-]
Hi!
On 2022-03-13 20:00, poiNt_3D wrote:
> Is it possible to set the firewall to allow only public services to be
> accessed from these IP ranges?
I'm afraid we don't control the berlin firewall or have much sway in how
it's managed, so there's little point in discussing such actions.
> can be easily interpreted as a political decision
With Russia waging war, it seems likely that these Russian ISPs tolerate
abusive traffic for political reasons. There are probably political
consequences for those who refuse.
The Internet was and still is built on ISP accountability and gives
targets few other tools to effectively defend themselves, short of
blocking such IP ranges.
I wish there were a better answer than 'use Tor' for those stuck in the
cross-fire :-(
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 20:04:01 GMT)
Full text and
rfc822 format available.
Message #39 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Pending expertise, is it feasible to serve the copy as-is without trying
to impersonate berlin? E.g. mirror.guix.gnu.org?
Hm, maybe that's not worth the effort…
I've asked around and short of pointing guix.gnu.org to bayfront —
working around the issue & hoping that it will continue to be unaffected
— or using a CDN that has points of presence in Russia — which can
easily be taken down in a future wave of sanctions — the situation seems
to be quite disappointing.
For proper fail-over you (ironically) need one box sitting in front of
the boxes you want to fail over to.
Kind regards,
T G-R
Sent from a Web browser. Excuse or enjoy my brevity.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sun, 13 Mar 2022 20:37:01 GMT)
Full text and
rfc822 format available.
Message #42 received at 54370 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
Tobias Geerinckx-Rice via Bug reports for GNU Guix schreef op zo 13-03-
2022 om 20:50 [+0100]:
> I wish there were a better answer than 'use Tor' for those stuck in the
> cross-fire :-(
For the website, publishing the website not only over HTTP/S but also
over IPFS might help? The website is static and Guix has an IPFS
service, so it should be feasible I think. The browser extension
(https://docs.ipfs.io/install/ipfs-companion/) would need to be
packaged though, and a DNS link record
(https://docs.ipfs.io/concepts/dnslink/#resolve-dnslink-name) would
need to be set up.
Greetings,
Maxime.
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Tue, 15 Mar 2022 07:59:01 GMT)
Full text and
rfc822 format available.
Message #45 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hi Maxime,
Maxime Devos <maximedevos <at> telenet.be> skribis:
> For the website, publishing the website not only over HTTP/S but also
> over IPFS might help? The website is static and Guix has an IPFS
> service, so it should be feasible I think. The browser extension
> (https://docs.ipfs.io/install/ipfs-companion/) would need to be
> packaged though, and a DNS link record
> (https://docs.ipfs.io/concepts/dnslink/#resolve-dnslink-name) would
> need to be set up.
That and/or publishing as an onion service would be great.
Ludo’.
Changed bug title to 'guix.gnu.org is inaccessible from Russia' from 'network problem or intentional blocking?'
Request was from
Ludovic Courtès <ludo <at> gnu.org>
to
control <at> debbugs.gnu.org
.
(Tue, 15 Mar 2022 14:34:01 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Sat, 19 Mar 2022 11:05:02 GMT)
Full text and
rfc822 format available.
Message #50 received at 54370 <at> debbugs.gnu.org (full text, mbox):
Hi,
I updated the onion address in the section of the cookbook that explains
how to get substitutes from ci.guix over Tor:
https://guix.gnu.org/cookbook/en/html_node/Getting-substitutes-from-Tor.html
Copying the text inline below.
Next step is to publish an Onion service for the web site.
HTH,
Ludo’.
3.8 Getting substitutes from Tor
================================
Guix daemon can use a HTTP proxy to get substitutes, here we are
configuring it to get them via Tor.
Warning: _Not all_ Guix daemon’s traffic will go through Tor! Only
HTTP/HTTPS will get proxied; FTP, Git protocol, SSH, etc
connections will still go through the clearnet. Again, this
configuration isn’t foolproof some of your traffic won’t get routed
by Tor at all. Use it at your own risk.
Also note that the procedure described here applies only to package
substitution. When you update your guix distribution with ‘guix
pull’, you still need to use ‘torsocks’ if you want to route the
connection to guix’s git repository servers through Tor.
Guix’s substitute server is available as a Onion service, if you want
to use it to get your substitutes through Tor configure your system as
follow:
(use-modules (gnu))
(use-service-module base networking)
(operating-system
…
(services
(cons
(service tor-service-type
(tor-configuration
(config-file (plain-file "tor-config"
"HTTPTunnelPort 127.0.0.1:9250"))))
(modify-services %base-services
(guix-service-type
config => (guix-configuration
(inherit config)
;; ci.guix.gnu.org's Onion service
(substitute-urls
"https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion")
(http-proxy "http://localhost:9250")))))))
This will keep a tor process running that provides a HTTP CONNECT
tunnel which will be used by ‘guix-daemon’. The daemon can use other
protocols than HTTP(S) to get remote resources, request using those
protocols won’t go through Tor since we are only setting a HTTP tunnel
here. Note that ‘substitutes-urls’ is using HTTPS and not HTTP or it
won’t work, that’s a limitation of Tor’s tunnel; you may want to use
‘privoxy’ instead to avoid such limitations.
If you don’t want to always get substitutes through Tor but using it
just some of the times, then skip the ‘guix-configuration’. When you
want to get a substitute from the Tor tunnel run:
sudo herd set-http-proxy guix-daemon http://localhost:9250
guix build \
--substitute-urls=https://4zwzi66wwdaalbhgnix55ea3ab4pvvw66ll2ow53kjub6se4q2bclcyd.onion ...
Merged 54370 55500.
Request was from
Tobias Geerinckx-Rice <me <at> tobias.gr>
to
control <at> debbugs.gnu.org
.
(Wed, 18 May 2022 15:13:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Christopher Baines <mail <at> cbaines.net>
:
You have taken responsibility.
(Tue, 07 Feb 2023 15:35:01 GMT)
Full text and
rfc822 format available.
Notification sent
to
poiNt_3D <point4d <at> gmail.com>
:
bug acknowledged by developer.
(Tue, 07 Feb 2023 15:35:02 GMT)
Full text and
rfc822 format available.
Message #57 received at 54370-close <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
poiNt_3D <point4d <at> gmail.com> writes:
> Hello. I would like to request a clarification on the issue of
> inaccessibility of guix.gnu org from the Russian Federation. Is the
> blocking intentional or is there some kind of networking problem?
Now that the website is hosted on bayfront, which wasn't changed
specifically to address this, but should do anyway, I'm going to close
this issue.
Things like ci.guix.gnu.org will still be inaccessible, so feel free to
open issues about those if you wish.
Thanks,
Chris
[signature.asc (application/pgp-signature, inline)]
Reply sent
to
Christopher Baines <mail <at> cbaines.net>
:
You have taken responsibility.
(Tue, 07 Feb 2023 15:35:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Zomb Hacker <iceknight48 <at> gmail.com>
:
bug acknowledged by developer.
(Tue, 07 Feb 2023 15:35:02 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org
:
bug#54370
; Package
guix
.
(Tue, 07 Feb 2023 15:36:02 GMT)
Full text and
rfc822 format available.
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org
.
(Wed, 08 Mar 2023 12:24:04 GMT)
Full text and
rfc822 format available.
This bug report was last modified 1 year and 50 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.