Bug#1037254: extrepo apt-transport-tor and onion support
The design looks great! I posted several comments here: https://salsa.debian.org/extrepo-team/extrepo-data/-/merge_requests/240 Cheers, Patrick
Bug#1037254: extrepo apt-transport-tor and onion support
On Tue, Jul 18, 2023 at 08:52:00AM +, Patrick Schleizer wrote:
> One thing to consider: A few onions are tor+https but most are tor+http. But
> I guess that's not an issue because http vs https is declared in the
> repository configuration files.
Yeah, we'll just prepend 'tor+' if that was asked, and leave everything
else as is.
> > I think this would be a nice feature to have, indeed.
>
> Thank you for your interest in this feature!
>
> > However, given that I have zero experience with tor, I would need some help
> > with the design of such a feature.
>
> Sure thing!
I've given this some more thought, and I think a better design would be this:
--tor=onion: use .onion URLs, fail if no such setting exists for the
requested repository.
--tor=tunnel: use tor+http(s), ignore .onion URLs.
--tor=auto: use .onion, fall back on tor+http(s).
--tor=if-onion: use .onion if available, fall back on regular URLs.
All these values would be settable using a "tor:" line in
/etc/extrepo/config.yaml, too.
> > In order to make sure that the data is correct and complete, we would need
> > to be able to validate .onion URLs in the CI jobs, which involves
> > downloading repository metadata and making sure it looks sensible. Do you
> > know if it is possible to reach the tor network from a container?
>
> If you want to test onion availability without use of apt-get? In that case,
> the torsocks package will help. Use of torsocks is very simple. Simply
> prepend it in front of the command you intent to use and the connection will
> be torified. Example usage: torsocks curl oniondomain.onion
I tried this, in the "onion" branch of
https://salsa.debian.org/extrepo-team/extrepo-data, but it failed for
reasons I don't understand. Would you care to take a look?
Thanks,
--
w@uter.{be,co.za}
wouter@{grep.be,fosdem.org,debian.org}
I will have a Tin-Actinium-Potassium mixture, thanks.
Bug#1037254: extrepo apt-transport-tor and onion support
One thing to consider: A few onions are tor+https but most are tor+http. But I guess that's not an issue because http vs https is declared in the repository configuration files. I think this would be a nice feature to have, indeed. Thank you for your interest in this feature! However, given that I have zero experience with tor, I would need some help with the design of such a feature. Sure thing! I'm thinking something like this might work: - If you pass --onion on the command line, or set onion: true in the configuration file: require a preconfigured .onion URL in the repository configuration. Yes. And if unavailable (not declared in the repository configuration), show a helpful error message and exit non-zero. --onion should like an explicit request which should either succeed or fail closed. - If you pass --tor-tunnel on the command line, or set tor-tunnel: true in the configuration file: enable the use of the tor+https configuration, don't use a .onion URL even if it is known. Yes. - if you pass --tor on the command line, or set tor: true in the configuration file: use a .onion URL if it exists, but fall back to using tor+https if not. Also very nice. However, the option name is a bit non-ideal. This is more like an opportunistic, graceful fallback, do the best thing kind of approach. For lack of better option name idea, that's more like --tor-auto. That could be a nice configuration option that users could add to /etc/extrepo/config.yaml as a set and forget option to always get the maximum possible use of Tor. What do you think of this suggestion? Does it make sense? Yes. In order to make sure that the data is correct and complete, we would need to be able to validate .onion URLs in the CI jobs, which involves downloading repository metadata and making sure it looks sensible. Do you know if it is possible to reach the tor network from a container? Yes. I don't see why that wouldn't work. Packages tor and apt-transport-tor don't have any idiosyncrasies which break it inside containers. All they require is a usual network connection. If you want to test onion availability without use of apt-get? In that case, the torsocks package will help. Use of torsocks is very simple. Simply prepend it in front of the command you intent to use and the connection will be torified. Example usage: torsocks curl oniondomain.onion If so, would you be willing to help me work that out? Yes.
Bug#1037254: extrepo apt-transport-tor and onion support
Hi Patrick, I think this would be a nice feature to have, indeed. However, given that I have zero experience with tor, I would need some help with the design of such a feature. I'm thinking something like this might work: - If you pass --onion on the command line, or set onion: true in the configuration file: require a preconfigured .onion URL in the repository configuration. - If you pass --tor-tunnel on the command line, or set tor-tunnel: true in the configuration file: enable the use of the tor+https configuration, don't use a .onion URL even if it is known. - if you pass --tor on the command line, or set tor: true in the configuration file: use a .onion URL if it exists, but fall back to using tor+https if not. What do you think of this suggestion? Does it make sense? Are the proposed option names sensible? In order to make sure that the data is correct and complete, we would need to be able to validate .onion URLs in the CI jobs, which involves downloading repository metadata and making sure it looks sensible. Do you know if it is possible to reach the tor network from a container? If so, would you be willing to help me work that out? If not, can you make another suggestion as to how to do that? Thanks, -- Verstuurd vanaf mijn Android apparaat met K-9 Mail. Excuseer mijn beknoptheid.
Bug#1037254: extrepo apt-transport-tor and onion support
Package: extrepo Severity: wishlist Dear maintainer, - most clearnet repositories are reachable over Tor. This is simple to accomplish by using the apt-transport-tor package (in packages.debian.org for a long time already) by using the tor+https syntax in sources.list. - More and more repositories offer alter alternative onions domains. Even Debian's official deb.debian.org as an alternative onion domain. https://onion.debian.org/ feature request: Could you please add a feature to use either tor+https or tor+...onion? The following options are already supported: sudo extrepo enable whonix sudo extrepo enable whonix_proposed sudo extrepo enable whonix_testers sudo extrepo enable whonix_developers I am not sure how alternative onions option could be selected. In /etc/extrepo/config.yaml to set this globally would be handy. However, some repositories might have (temporarily) broken onions. Therefore a --onion command line option would be handy. This should fail if the repositories doesn't have an onion in its corresponding data file. Kind regards, Patrick
