comments to use Qubes onion repository

[adrelanos]

Why? Not having to use sed, not having to open documentation to make this change.

Please have a look if you like this style.

• https://github.com/adrelanos/qubes-core-agent-linux-1/blob/a193c8f3aa4df7ecdd8b835a49085f6c5f798568/misc/qubes-r3.list.in
• add comments for Qubes onion apt repository qubes-core-agent-linux#36

Other possible styles:

• a separate files only containing onions (and all out commented by default)
• not edit the current file, just append the onions below

Related:
#2576

[andrewdavidwong]

A lot of users seem to be struggling with using sed and with editing the file manually (and sending me messages about it), so I'm in favor of this.

[adrelanos]

Files to maybe edit or maybe duplicate.

• https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r3.list.in
• https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r3.repo
• https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r4.list.in
• https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r4.repo
• https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/fedora-updates.repo.in
• https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/fedora.repo.in
• https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/qubes-dom0.repo.in
• https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/qubes-templates.repo

[adrelanos]

Actually, I don't like that style from https://github.com/adrelanos/qubes-core-agent-linux-1/blob/a193c8f3aa4df7ecdd8b835a49085f6c5f798568/misc/qubes-r3.list.in myself too much.

Anyhow. If you think that one is okay, we can go for this.

[unman]

Can suggest that instead of interleaving the onion addresses with standard, it would be much easier for users to edit if they were broken out in separate blocks at the end of the file?
Like this-

# Main qubes updates repository
deb [arch=amd64] http://deb.qubes-os.org/r3.2/vm @DIST@ main
#deb-src http://deb.qubes-os.org/r3.2/vm @DIST@ main


# Updates through Tor
# Main qubes updates repository through Tor
#deb [arch=amd64] tor+http://deb.qubesos4rrrrz6n4.onion/r3.2/vm @DIST@ main
#deb-src tor+http://deb.qubesos4rrrrz6n4.onion/r3.2/vm @DIST@ main

That would make user error much less likely

[0brand]

It was looking at the options for dom0 repos and TemplateVM repos (debian, fedora)

https://github.com/adrelanos/qubes-core-agent-linux-1/blob/a193c8f3aa4df7ecdd8b835a49085f6c5f798568/misc/qubes-r3.list.in

This link is dead so I'm not sure how the example looked

1. For dom0, I think either of these would work.

a)

Add a second block for onion repositories which is commented out by default. When users want to onionize repos they can comment out the first block (clearnet update) and uncomment second block (Tor update).

[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%
enabled = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
baseurl = https://yum.qubes-os.org/r$releasever/current-testing/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-security-testing]
name = Qubes Dom0 Repository (security-testing)
baseurl = https://yum.qubes-os.org/r$releasever/security-testing/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-unstable]
name = Qubes Dom0 Repository (unstable)
baseurl = https://yum.qubes-os.org/r$releasever/unstable/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable

#Qubes Tor onion service repository 

#[qubes-dom0-current]
#name = Qubes Dom0 Repository (updates)
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current/dom0/%DIST%
#enabled = 1
#metadata_expire = 7d
#gpgcheck = 1
#gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

#[qubes-dom0-current-testing]
#name = Qubes Dom0 Repository (updates-testing)
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current-testing/dom0/%DIST%
#enabled = 0
#metadata_expire = 7d
#gpgcheck = 1
#gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

#[qubes-dom0-security-testing]
#name = Qubes Dom0 Repository (security-testing)
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/security-testing/dom0/%DIST%
#enabled = 0
#metadata_expire = 7d
#gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

#[qubes-dom0-unstable]
#name = Qubes Dom0 Repository (unstable)
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/unstable/dom0/%DIST%
#enabled = 0
#metadata_expire = 7d
#gpgcheck = 1
#gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable

b)

Add a second baseurl=. line (commented out by default) which points to the onion repository. When onionizing repos, users just comment/uncomment the corresponding line.

[qubes-dom0-current]
name = Qubes Dom0 Repository (updates)
baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/%DIST%
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current/dom0/%DIST%
enabled = 1
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-current-testing]
name = Qubes Dom0 Repository (updates-testing)
baseurl = https://yum.qubes-os.org/r$releasever/current-testing/dom0/%DIST%
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/current-testing/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-security-testing]
name = Qubes Dom0 Repository (security-testing)
baseurl = https://yum.qubes-os.org/r$releasever/security-testing/dom0/%DIST%
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/security-testing/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-primary

[qubes-dom0-unstable]
name = Qubes Dom0 Repository (unstable)
baseurl = https://yum.qubes-os.org/r$releasever/unstable/dom0/%DIST%
#baseurl = https://yum.sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion/r$releasever/unstable/dom0/%DIST%
enabled = 0
metadata_expire = 7d
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-qubes-$releasever-unstable

It looks like option "a" may be a little messy with all the comment/uncomment so I'm partial to "b"

2. For Template repos @unman had a good idea with separate blocks for onion at the end of the file. This would be much less confusing for users.

When a consensus is met I would be more than happy to submit the pull request or what ever else needs to be done i.e. testing etc.

[adrelanos]

https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r4.list.in https://github.com/QubesOS/qubes-core-agent-linux/blob/master/misc/qubes-r4.repo.in https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/fedora-updates.repo.in https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/fedora.repo.in https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/qubes-dom0.repo.in https://github.com/QubesOS/qubes-installer-qubes-os/blob/master/qubes-release/qubes-templates.repo

[adrelanos]

1. I am for b).

2. Yes.

[adrelanos]

Patches were submitted by @0brand.

Patch "Comment to use qubes onion repository" Dom0 repositories.
https://groups.google.com/forum/#!topic/qubes-devel/8WM1wegSg90

Patch "Comments in TemplateVMs to use onion repositories"
https://groups.google.com/forum/#!topic/qubes-devel/G8dCAp-BRBo

[0brand]

@adrelanos This issue can be closed? Merak applied patches .

[andrewdavidwong]

Closing this as "resolved." If you believe the issue is not yet resolved, or if anyone is still affected by this issue, please leave a comment, and we'll be happy to reopen this. Thank you.