Switch Debian links in sources.list to .onion
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	HulaHoop
	Aug 25 2015, 12:46 PM

Tags

Referenced Files

None

Subscribers

• WhonixQubes

Description

Jacob is working with Debian to run their repositories as .onion

Once they're up and running I recommend switching Whonix to using them.

Whonix's own repos should follow their lead depending on the resources you can invest in running a .onion on the infrastructure.

Details

Impact: Normal

Related Objects

Mentioned In: T524: Using corridor, a Tor traffic whitelisting gateway with Whonix KVM
T494: get onion back online for whonix.org
T403: Support hidden service debian mirror
Mentioned Here: T472: maintain and upload a known good version of tor from deb.torproject.org in Whonix repository
T494: get onion back online for whonix.org

Event Timeline

HulaHoop created this task.Aug 25 2015, 12:46 PM

HulaHoop raised the priority of this task from to Normal.

HulaHoop updated the task description. (Show Details)

HulaHoop set Impact to Normal.

HulaHoop added a subscriber: HulaHoop.

Herald added a project: Whonix. · View Herald TranscriptAug 25 2015, 12:46 PM

Herald added subscribers: • WhonixQubes, troubadour, Patrick. · View Herald Transcript

Patrick lowered the priority of this task from Normal to Wishlist.Aug 25 2015, 4:24 PM

Trial in progress. Debian planning domain wide .onion roll out:

http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/

http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/

apt-transport-tor instructions:

https://retout.co.uk/blog/2014/07/21/apt-transport-tor

Related issue recently raised on Qubes tracker:
high-level target: templates should default update over Tor
https://github.com/QubesOS/qubes-issues/issues/1159

create a Tor hidden service for deb.torproject.org [ .onion apt-get ]:
https://trac.torproject.org/projects/tor/ticket/17937

I was thinking about changing the main repo URLs to the optimized one but is it worth it when changing to .onion is better?

"Note the use of http.debian.net in order to pick a mirror near to whichever Tor exit node. Throughput is surprisingly good."

https://retout.co.uk/blog/2014/07/21/apt-transport-tor

Related files:

https://github.com/Whonix/anon-apt-sources-list/blob/master/etc/apt/sources.list.d/debian.list
https://github.com/Whonix/Whonix/tree/master/build_sources

As per Tails... httpredir.debian.net is not a great idea. Source:
https://labs.riseup.net/code/issues/9235

https://github.com/Whonix/Whonix/tree/master/build_sources

Btw changing these to onion not trivial. Requires Tor access during build.

Btw changing these to onion not trivial. Requires Tor access during build.

FWIW for Qubes templates (release builds) it isn't a problem - I always build them in DispVM behind Tor.
But it may be a problem for devel builds and it may slow them down...

Patrick mentioned this in T494: get onion back online for whonix.org.Apr 11 2016, 4:18 PM

Once we stop using deb.torproject.org (T472), implementing this ticket gets more attractive. (since they do not yet host a .onion for deb.torproject.org) (And we would need to get our onion for whonix.org back up. (T494))

Patrick mentioned this in T524: Using corridor, a Tor traffic whitelisting gateway with Whonix KVM.Jul 23 2016, 6:59 PM

That day has finally come. Both Tor and Debian have onion repos;

http://forums.whonix.org/t/debian-starts-onionizing/2797

Patrick added projects: anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository, enhancement, research.Aug 1 2016, 7:00 PM

Patrick added a project: Whonix 14.Aug 1 2016, 7:07 PM

IMHO restoring Whonix onion repos should be part of this to achieve complete protection.

Already up.

https://www.whonix.org/wiki/Whonix-APT-Repository#Repository_Location_URI

Patrick raised the priority of this task from Wishlist to Normal.Aug 19 2016, 12:08 AM

Patrick closed this task as Resolved.Jan 21 2018, 12:21 PM

Patrick claimed this task.