
deb.debian.org instead of us.debian.org and use https by default
Open, Normal, Public

Description

The USA server is hard-coded into Whonix. If Debian could successfully provide a mirror, we could use local.debian.org instead of us.debian.org. You'd think this would be easy...

Tails has attempted to use Debian's previous geo mirror CDN service thingies, but could not get it to work. See: https://labs.riseup.net/code/issues/9235

I've asked them to try again with Debian's latest version:
https://labs.riseup.net/code/issues/14669

And we should look into it for Whonix 15.

https://lists.debian.org/debian-security/2017/10/msg00006.html


use https by default

Details

Impact
Normal
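
The change requested in the description, sketched as an added example (not part of the original task and not Whonix code). It assumes one-line-style APT source entries; the sample entries, the `.onion` placeholder host, the function names and the generalization from `us.debian.org` to any two-letter country mirror are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input; the actual Whonix sources file is not shown on the page.
SAMPLE_SOURCES='# constructed sample entries
deb http://us.debian.org/debian stretch main contrib
deb [arch=amd64] http://ftp.us.debian.org/debian stretch main
deb-src http://deb.debian.org/debian stretch main
deb http://security.debian.org/debian-security stretch/updates main
deb tor+http://placeholder.onion/debian stretch main'

# rewrite_sources (hypothetical helper): read entries on stdin and print them with
# country mirrors replaced by deb.debian.org and the scheme upgraded to https.
# Entries on other hosts, including tor+http onion sources, are passed through.
rewrite_sources() {
    awk '
    $1 == "deb" || $1 == "deb-src" {
        u = 2
        # Skip an optional [ option=value ... ] block, which may span several fields.
        if ($u ~ /^\[/) { while (u <= NF && $u !~ /\]$/) u++; u++ }
        if (u <= NF) {
            # us.debian.org, ftp.us.debian.org and other <cc> mirrors
            sub(/^https?:\/\/(ftp\.)?[a-z][a-z]\.debian\.org/, "https://deb.debian.org", $u)
            # deb.debian.org already in use, but over plain http
            sub(/^http:\/\/deb\.debian\.org/, "https://deb.debian.org", $u)
        }
    }
    { print }'
}

# count_cleartext (hypothetical helper): number of active entries whose URI is
# still plain http://, i.e. fetched without transport encryption.
count_cleartext() {
    awk '$1 == "deb" || $1 == "deb-src" {
        for (i = 2; i <= NF; i++) if ($i ~ /^http:\/\//) { n++; break }
    } END { print n + 0 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_SOURCES" | rewrite_sources
```

The entry on `security.debian.org` is deliberately left alone and stays counted as cleartext, since the task only covers the main mirror.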

Event Timeline

@Patrick have you considered following Tails and using onion sources? I don't see the security benefit that outweighs the load on Tor.

Patrick added a comment. Edited Sep 19 2017, 11:32 PM

I don't see the security benefit that outweighs the load on Tor.

  • security: everyone is excited about onion sources nowadays. It's an extra layer of encryption and authentication. ... etc ...

https://www.whonix.org/wiki/Security_Guide#Onionizing_Repositories

I don't see the security benefit that outweighs the load on Tor.

  • load on Tor is invalid: Tor Project is okay with that. They support apt onion sources. The only load they don't want is the endless upload by file sharing.

@Patrick have you considered following Tails and using onion sources?

Yes. We go all onion by default. One day.

It's hard.

  • reminder: using Tor is suspicious in some countries
  • prevent no Tor over Tor (perhaps support non-Tor over Tor builds in Whonix-Workstation VMs only - easy - already implemented in anon-ws-disable-stacked-tor)
  • can there be a legitimate case where someone wants to build Whonix while at the same time being surprised it connected to the Tor network while doing so?
  • the build script would - if still needed - update from clearnet repositories - and install Tor - so all of the build script can then be torified and using onion sources
  • hard, because we'd have to honor users who wish to use bridges
  • Interactive asking for all of this by default? Not great, and we'd also need switches to make it non-interactive (for automated build environments, CI testing and the like)

I am undecided how to do this. But this can be sorted at the right time.

Patrick updated the task description. Sep 25 2018, 1:46 PM
Patrick renamed this task from "deb.debian.org instead of us.debian.org" to "deb.debian.org instead of us.debian.org and use https by default". Nov 8 2018, 9:44 AM
Patrick updated the task description. Nov 8 2018, 9:56 AM