Use hidden service repos for updates if updating over Tor #2576

Open
andrewdavidwong opened this Issue Jan 14, 2017 · 11 comments

Comments

@andrewdavidwong
Member

andrewdavidwong commented Jan 14, 2017

Now that we have hidden service update repos (#2265 and #2266), the next step is to actually use them to download updates, if the user is downloading updates over Tor.

@andrewdavidwong

Member

andrewdavidwong commented Jan 14, 2017

If users want to manually start using the hidden service repos, is it enough simply to substitute every instance of yum.qubes-os.org with qubes-yum.kkkkkkkkkk63ava6.onion (and likewise for deb)?

Side question: If this is enough, then why is apt-transport-tor needed for Debian?

CC: @marmarek, @adrelanos

@marmarek

Member

marmarek commented Jan 14, 2017

Side question: If this is enough, then why is apt-transport-tor needed for Debian?

If you have Whonix Gateway or such in front of the template, it isn't needed in theory. In practice Debian stretch blocks (by default, changeable) .onion repositories without apt-transport-tor (see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754242 for the reasoning). And apt-transport-tor will start a local tor instance, so in our case it will be tor over tor.

For Fedora there isn't such a problem; s/yum.qubes-os.org/qubes-yum.kkkkkkkkkk63ava6.onion/ is enough.

The somewhat tricky part here is when the onion mirror should be used. Some automatic detection? User configuration (manual substitution)? An alternative package with the repository definitions (also installed by explicit user request)?
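As an added example (not code from this issue or from the Qubes project), the following POSIX shell script performs the manual host substitution described in the comment above on a yum/dnf .repo file and then checks the result before the file is handed to the package manager. It also writes the apt configuration fragment for the Debian side, where the guard controlled by apt's Acquire::BlockDotOnion option is what refuses plain http:// sources on .onion hosts when apt-transport-tor is not used. Assumptions: the sample .repo content is constructed for this example and modelled on the layout of a Qubes dom0 repository file, the hostnames are the ones quoted in the thread, and the apt.conf.d file name 80-allow-onion is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not code from this issue or from the Qubes project.
# Swaps the clearnet repository host for the onion host in a .repo file,
# then verifies that nothing else (in particular signature checking) was
# disturbed. Sample data below is constructed for this example.

CLEARNET_HOST='yum.qubes-os.org'
ONION_HOST='qubes-yum.kkkkkkkkkk63ava6.onion'

# Write a constructed .repo file (assumption: modelled on the layout of a
# Qubes dom0 repo definition; two sections, gpgcheck on, one section off).
make_sample_repo() {
    cat > "$1" <<'EOF'
[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = https://yum.qubes-os.org/r3.2/current/dom0/fc23
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3.2-primary
enabled = 1

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
baseurl = https://yum.qubes-os.org/r3.2/current-testing/dom0/fc23
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-3.2-primary
enabled = 0
EOF
}

# onionize_file FILE [CLEARNET_HOST] [ONION_HOST]
# Replace every occurrence of the clearnet host with the onion host. Only the
# hostname changes: scheme, path, gpgcheck and gpgkey lines stay as they are,
# which is exactly the s/// substitution from the thread. Goes through a temp
# file so it behaves the same with GNU and BSD sed.
onionize_file() {
    file=$1; from=${2:-$CLEARNET_HOST}; to=${3:-$ONION_HOST}
    tmp="$file.tmp.$$"
    sed "s|$from|$to|g" "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_repo_file FILE [CLEARNET_HOST]
# Return 0 only if no clearnet reference survived AND every [section] still
# carries gpgcheck = 1. Tor hides which mirror you talk to; it does nothing
# for package integrity, so the GPG check must survive the edit.
check_repo_file() {
    file=$1; from=${2:-$CLEARNET_HOST}; rc=0
    if grep -q "$from" "$file"; then
        echo "$file: still references $from:" >&2
        grep -n "$from" "$file" >&2
        rc=1
    fi
    sections=$(grep -c '^\[' "$file" || true)
    checks=$(grep -c '^gpgcheck *= *1 *$' "$file" || true)
    if [ "$sections" -ne "$checks" ]; then
        echo "$file: $sections sections but only $checks with gpgcheck = 1" >&2
        rc=1
    fi
    return $rc
}

# write_apt_onion_conf APT_CONF_D_DIR
# Debian side: apt refuses a plain http:// source whose host ends in .onion
# ("Direct connection to .onion domains is blocked by default") unless the
# tor+http:// scheme of apt-transport-tor is used or this guard is relaxed.
# In a template whose NetVM is already a Tor gateway, relaxing the guard
# avoids the tor-over-tor that apt-transport-tor's own tor would introduce.
# File name 80-allow-onion is an assumption, not a Qubes or Debian convention.
write_apt_onion_conf() {
    cat > "$1/80-allow-onion" <<'EOF'
// Only meaningful when every connection from this VM already goes through
// Tor (e.g. a Qubes template behind sys-whonix). Elsewhere apt would try to
// reach the .onion host directly, which fails and exposes the name to DNS.
Acquire::BlockDotOnion "false";
EOF
}
```

Usage on a real template is `onionize_file /etc/yum.repos.d/qubes-dom0.repo && check_repo_file /etc/yum.repos.d/qubes-dom0.repo` (and `write_apt_onion_conf /etc/apt/apt.conf.d` on Debian, together with the same substitution on the sources.list entry). Two caveats the check does not cover: the substitution keeps whatever scheme the file used, so if the entries are https:// and the onion service does not present a certificate valid for the onion name, the fetch fails at TLS verification and the onion entries need http:// (the Tor circuit already encrypts to the service; integrity rests on the package signatures either way); and because these files are owned by a package, the next update of that package will either overwrite them or leave an .rpmnew / .dpkg-dist copy beside them, so the check should be re-run after every such update.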

@andrewdavidwong

Member

andrewdavidwong commented Jan 14, 2017

Somehow tricky part here is when onion mirror should be used. Some automatic detection? User configuration (manual substitute)? Alternative package with repositories definition (also installed by explicit user request)?

One idea is to use the onion mirrors if the user opts to route all traffic through Tor at installation, but the problem is that the user might change his or her mind later and try to switch the TemplateVMs' NetVM from sys-whonix to sys-firewall, so this is indeed tricky.

andrewdavidwong added a commit to QubesOS/qubes-doc that referenced this issue Jan 14, 2017

@andrewdavidwong

Member

andrewdavidwong commented Jan 14, 2017

For now, I've created some minimal documentation for this:

https://www.qubes-os.org/doc/hidden-service-repos/

@marmarek

Member

marmarek commented Jan 14, 2017

The downside of such a "manual" approach is that the repository definitions are managed by some package, so if you modify them, you'll need to apply further updates also manually.

@adrelanos

Member

adrelanos commented Jan 14, 2017

Side question: If this is enough, then why is apt-transport-tor needed for Debian?

Documentation on that question has just now been added here:
https://www.whonix.org/wiki/Advanced_Security_Guide#apt-transport-tor

@andrewdavidwong

Member

andrewdavidwong commented Jan 14, 2017

Documentation on that question has just now been added here:
https://www.whonix.org/wiki/Advanced_Security_Guide#apt-transport-tor

Thanks, @adrelanos!

@fortasse

fortasse Jan 15, 2017

There are also the slightly more "canonical" yum.qubesos4rrrrz6n4.onion, deb.qubesos4rrrrz6n4.onion and ftp.qubesos4rrrrz6n4.onion if you prefer to use those. Identical content, just under a different name.

@andrewdavidwong

Member

andrewdavidwong commented Feb 15, 2017

Minimal documentation deleted per #2635.

@andrewdavidwong

Member

andrewdavidwong commented Jan 24, 2018

@fortasse: Are the v3 onion repos also set up to serve updates, e.g., yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion?

@fortasse

fortasse Jan 24, 2018

@andrewdavidwong: Yes. All of the subdomains for qubesos4rrrrz6n4.onion should work on sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion. Let me know if that's not the case.
