One thing mentioned by Jacob Appelbaum in his talk the other day was the advantages of upgrading packages via Tor, to make it harder to target a given machine with fake packages.
I suggest we implement this in the Freedombox, by asking Privoxy to send all requests via Tor, and ask APT to fetch data via Privoxy. What do the rest of you think about doing this?

The following untested patch for freedombox-setup should implement the feature, redirecting APT via privoxy through Tor. I've tested the configuration, but not a freedombox-setup package with these scripts in place to set up this change.

We could also include the /etc/apt/apt.conf.d/10freedombox-setup-privoxy file as part of the package, but then APT on machines with the package installed but no configured privoxy running will stop working.

The privoxy setup does not handle IPv6. Not quite sure how to fix that.

diff --git a/setup.d/91_privoxy b/setup.d/91_privoxy index d975a42..9fbfd5a 100755 --- a/setup.d/91_privoxy +++ b/setup.d/91_privoxy @@ -4,3 +4,15 @@ apt-get install -y privoxy # Listen on all interfaces sed -i 's/listen-address localhost:8118/listen-address *:8118/' /etc/privoxy/config + +# Send outgoing connections via Tor +if grep -q ^forward-socks5 ; then + : +else + cat >> /etc/privoxy/config <<EOF +forward-socks5 / 127.0.0.1:9050 . +forward 192.168.*.*/ . +forward 10.*.*.*/ . +forward 127.*.*.*/ . +EOF +fi diff --git a/setup.d/92_privoxy_apt b/setup.d/92_privoxy_apt new file mode 100755 index 0000000..818965d --- /dev/null +++ b/setup.d/92_privoxy_apt @@ -0,0 +1,12 @@ +#!/bin/sh +# +# Tell APT to use provixy. +# +# The pipeline change is to avoid <URL: https://bugs.debian.org/565555 >. +# Not sure if it affect privoxy. + +cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy <<EOF +Acquire::http::Proxy "http://localhost:8118/"; +Acquire::ftp::Proxy "http://localhost:8118/"; +Acquire::http::Pipeline-Depth 0; +EOF

-- 
Happy hacking
Petter Reinholdtsen
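
Review bot: in the setup.d/91_privoxy hunk, `grep -q ^forward-socks5 ;` names no file, so grep reads standard input instead of /etc/privoxy/config and the guard never inspects the config. The script then either blocks waiting for input or, on empty input, takes the else branch on every run and appends a duplicate forward block. Pass the file explicitly: `grep -q '^forward-socks5' /etc/privoxy/config`. Separately, the unchanged context line just above switches listen-address to *:8118, so once the forward-socks5 rule is in place every host that can reach port 8118 gets a relay into Tor; the comment should say whether that is intended.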
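
Review bot: in the setup.d/92_privoxy_apt hunk, the `cat > /etc/apt/apt.conf.d/10freedombox-setup-privoxy` is unconditional, so if 91_privoxy failed or Privoxy is not answering on localhost:8118 every later APT run on the box breaks, which is the same failure the mail gives as the reason for not shipping the file in the package. Check that the proxy is installed and listening before writing the file, and consider removing the file again when the check fails. The `Acquire::ftp::Proxy "http://localhost:8118/";` line also deserves a test with an ftp source, since Privoxy is an HTTP proxy and the mail says only the configuration as a whole was tried. The "Not sure if it affect privoxy" comment should be resolved before merging so that the reason for `Pipeline-Depth 0` is documented, and the header comment spells the proxy "provixy".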