GNU Guix Questions

[bancfc]

Hi Guix devs, I am a privacy distro dev and we are looking at using Guix 
in our OS. I have a few questions:

* Is the Guix package archive available from a Tor hidden service? There 
are many advantages of updating a system over Tor such as preventing a 
target adversary from fingerprinting and targeting hosts that run 
vulnerable packages and protecting systems in case the package manager 
has a security bug. Debian and Tor now provide onion mirrors for their 
packages. Can you please consider doing the same?


* Does Guix defend against the variety of attacks described in the TUF 
threat model document? (described in link below) How resilient is it 
against key compromise? (TUF was designed from the ground up to provide 
a highly resilient and secure update framework as a drop in replacement 
to crappy standalone updaters - a problem that's become very serious for 
proprietary OSes. The security research and implementation behind it are 
an excellent rubric that one can apply to any updater/package manager.)

https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md


* How does one setup a third part package archive? After looking at the 
manual I believe its as simple as fetching source from one's git repo?

Thanks