
deb.debian.org instead of us.debian.org and use https (SSL, TLS) by default / fix build --connection onion
Closed, Resolved (Public)

Description

The USA server is hard-coded into Whonix. If Debian could successfully provide a mirror, we could use local.debian.org instead of us.debian.org. You'd think this would be easy...

Tails has attempted to use Debian's previous geo-mirror CDN service thingies, but could not get it to work. See: https://labs.riseup.net/code/issues/9235

I've asked them to try again with Debian's latest version:
https://labs.riseup.net/code/issues/14669

And we should look into it for Whonix 15.

https://lists.debian.org/debian-security/2017/10/msg00006.html


Use https by default.

Details

Impact
Normal

Event Timeline

@Patrick have you considered following Tails and using onion sources? I don't see the security benefit that outweighs the load on Tor.

Patrick added a comment. Edited Sep 19 2017, 11:32 PM

I don't see the security benefit that outweighs the load on Tor.

  • security: everyone is excited about onion sources nowadays. It's an extra layer of encryption and authentication. ... etc ...

https://www.whonix.org/wiki/Security_Guide#Onionizing_Repositories

I don't see the security benefit that outweighs the load on Tor.

  • load on Tor is invalid: Tor Project is okay with that. They support apt onion sources. The only load they don't want is the endless upload by file sharing.

@Patrick have you considered following Tails and using onion sources?

Yes. We go all onion by default. One day.

It's hard.

  • reminder: using Tor is suspicious in some countries
  • prevent no Tor over Tor (perhaps support non-Tor over Tor builds in Whonix-Workstation VMs only - easy - already implemented in anon-ws-disable-stacked-tor)
  • can there be a legitimate case where someone wants to build Whonix while at the same time being surprised it connected to the Tor network while doing so?
  • the build script would - if still needed - update from clearnet repositories - and install Tor - so all of the build script can then be torified and using onion sources
  • hard, because we'd have to honor users who wish to use bridges
  • Interactive asking for all of this by default? Not great, and we'd also need switches to make it non-interactive (for automated build environments, CI testing and the like)

I am undecided how to do this. But this can be sorted at the right time.
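An added example, not Whonix project code, covering the description's mirror change and the onion-sources point above: a POSIX shell audit that counts apt entries still fetching over plain http from a clearnet mirror and rewrites the hard-coded us.debian.org / security.debian.org entries to https://deb.debian.org, leaving tor+http:// onion entries and comments alone. The sources.list content and the .onion address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Whonix project code: audit an apt sources list for
# entries that still fetch over plain http from a clearnet mirror and
# rewrite the hard-coded us.debian.org / security.debian.org entries to
# https://deb.debian.org. tor+http:// onion entries are left untouched.

# Constructed sample sources.list; the .onion address is a placeholder.
SAMPLE_SOURCES='deb http://us.debian.org/debian stretch main contrib non-free
deb http://us.debian.org/debian stretch-updates main
deb http://security.debian.org stretch/updates main
deb tor+http://EXAMPLEONIONADDRESS.onion/debian stretch main
deb https://deb.debian.org/debian stretch main
# deb http://us.debian.org/debian stretch main'

# Print how many active deb/deb-src lines use a plain http:// URI.
# Comment lines and tor+http:// onion sources are not counted.
count_plaintext() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(deb|deb-src)[[:space:]]/ {
            uri = ""
            # the URI is the first field that carries a scheme, so
            # options such as [arch=amd64] before it are skipped
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[a-z+]+:\/\//) { uri = $i; break }
            if (uri ~ /^http:\/\//) n++
        }
        END { print n + 0 }'
}

# Rewrite the hard-coded mirrors to deb.debian.org over https; comment
# lines (including the commented-out old entry) pass through unchanged.
harden_sources() {
    printf '%s\n' "$1" | sed -E \
        -e '/^[[:space:]]*#/b' \
        -e 's#http://us\.debian\.org/debian#https://deb.debian.org/debian#' \
        -e 's#http://security\.debian\.org/?#https://deb.debian.org/debian-security#'
}

echo "plaintext clearnet entries before: $(count_plaintext "$SAMPLE_SOURCES")"
HARDENED=$(harden_sources "$SAMPLE_SOURCES")
echo "plaintext clearnet entries after:  $(count_plaintext "$HARDENED")"
printf '%s\n' "$HARDENED"
```

Running the count again after the rewrite is the check that no clearnet entry was missed; a non-zero result means some mirror line still needs attention.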

Patrick updated the task description. Sep 25 2018, 1:46 PM
Patrick renamed this task from "deb.debian.org instead of us.debian.org" to "deb.debian.org instead of us.debian.org and use https by default". Nov 8 2018, 9:44 AM
Patrick updated the task description.
Patrick updated the task description.
Patrick updated the task description. Nov 8 2018, 9:56 AM
Patrick renamed this task from "deb.debian.org instead of us.debian.org and use https by default" to "deb.debian.org instead of us.debian.org and use https (SSL, TLS) by default". Dec 22 2018, 11:47 AM
This comment was removed by HulaHoop.
This comment was removed by Patrick.

https://github.com/Whonix/Whonix/commit/64b5b6133d733b7bb400262199992d116ae8709b
https://github.com/Whonix/Whonix/commit/b83dddec7c191160332bc9233feb6069bb28d435
https://github.com/Whonix/Whonix/commit/d182a2720c8c6a56492fccf45a8bc8c2b2902e67
https://github.com/Whonix/Whonix/commit/abaf332e0d831dc61dbe3ef0f37e701be63a494e
https://github.com/Whonix/Whonix/commit/360cc8f283d3d7ad5f1ef1a2984fa78465187dd9
https://github.com/Whonix/Whonix/commit/ec204c7434efbf985e8526d1d81ff5c9e91e1c44
https://github.com/Whonix/Whonix/commit/5e06301a66e93cbd1253ea7a52af993848a0d099
https://github.com/Whonix/Whonix/commit/0a370cf1c98ed7ac46edfda1371e81b7df314154
https://github.com/Whonix/Whonix/commit/8add221ae13de742c3c615fb7c63ce518a9c99f3
https://github.com/Whonix/Whonix/commit/54483462c12e30ec52d05f7e75537d607d9b3422
https://github.com/Whonix/Whonix/commit/3f087b337903a7e37685b0de464eb0c1ab9fc622
https://github.com/Whonix/Whonix/commit/d035e40127ca922749f6273f6f193db27be19601
https://github.com/Whonix/Whonix/commit/ca3add2343abd5846987400c04fd043082f1a489
https://github.com/Whonix/Whonix/commit/5f88d1d7377ff275679f629539d0de24f57e031e
https://github.com/Whonix/anon-shared-build-apt-sources-tpo/commit/7948da7d5c6e964455375499704851b3ca2cc21d
https://github.com/Whonix/whonix-repository/commit/903f0893182ecdbebd6eacd483f373940573e4bc
https://github.com/Whonix/whonix-legacy/commit/25663b8c9bd91185586ce9e18d07500abb81ca18
https://github.com/Whonix/whonix-initializer/commit/6705fa45965c20612ed40276fc961deb0e40890e


This has potential to break builds. Please try to build.

New requirements for the build machine:

sudo apt-get install git time curl apt-cacher-ng

git tag

14.0.1.0.7-developers-only

This is now in stretch-testers repository.

Building initiates. I had these deps installed anyhow. Unpinning the CPU resolved some early build error, but now it craps out at RAW image creation. Not really related to your inquiry.

Patrick renamed this task from "deb.debian.org instead of us.debian.org and use https (SSL, TLS) by default" to "deb.debian.org instead of us.debian.org and use https (SSL, TLS) by default / fix build --connection onion". Jan 22 2019, 7:33 AM

Use SSL and apt-cacher-ng also during genmkfile inside cowbuilder.

fix --connection onion

Tor Browser onion connection when using --connection onion


T678
https://github.com/Whonix/genmkfile/commit/2023d66d30fea53eddd408400e85bdc61998ea18
https://github.com/Whonix/Whonix/commit/13fae08f3fec4f2fccc30a8aa00202aefe363b86
https://github.com/Whonix/Whonix/commit/87dd2e7848eff3f1e5e5b6feb5db26d02c5e9431
https://github.com/Whonix/Whonix/commit/9565bd21782c5a94f0e592dda4b1c3c8919a644d
https://github.com/Whonix/Whonix/commit/e2027e93827768ecc6b88f2a44ac9d3b86986d8b
https://github.com/Whonix/Whonix/commit/99b3292a929ceed3a893df212a6639b32b872e46
https://github.com/Whonix/Whonix/commit/206f4a00af107012ce3162114e1ce9b940d52c39
https://github.com/Whonix/Whonix/commit/be98658fe717abaeba34fb724fc12727dd99504e
https://github.com/Whonix/Whonix/commit/c01ab5ccd6188f5e0cf816a310c1ad2d67021086
https://github.com/Whonix/Whonix/commit/6e683dadf2426e6832a8d1d1663a8eb7b1bea075
https://github.com/Whonix/Whonix/commit/fc07b3b3d640d9e420584ba6366e223a0e3571a6
https://github.com/Whonix/Whonix/commit/86220935732765dc29dfceec9ab1c82b8fecc441
https://github.com/Whonix/Whonix/commit/1d7eb7180b98fe73c0eb124f9d9cbaa426dc27c8


New build dependencies:

sudo apt-get install git time curl apt-cacher-ng lsb-release fakeroot

(Actually the same build dependencies, but this sacrifices the builder's convenience of installing fewer packages manually in exchange for simplified code and a quicker fix for --connection onion.)


A git tag including this is coming soon.

Patrick changed the task status from Open to testing-in-next-build-required. Jan 23 2019, 7:32 AM
Patrick closed this task as Resolved. Thu, Feb 14, 7:43 PM
Patrick claimed this task.