Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
Hi,

By using curl you are basically allowing the mirror (or anyone who can intercept the clear text) to tell normal and tor users apart. Think of targeted attacks.

Just saying...

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--
To UNSUBSCRIBE, email to debian-wnpp-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/caa7hugfvexma5ewb-cao7h7peg8tbj6vpqf5eqfps93mmbt...@mail.gmail.com
Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
On Sat, Apr 19, 2014 at 11:50:32PM +0100, Tim Retout wrote:
> This software works! It was forked from the apt HTTPS transport. It doesn't yet have a build system or any packaging, but hopefully that's the easy part.

It is also such a trivial modification¹ that I wonder why a fork is needed, as the required metadata will easily exceed the code changes. Just provide a patch which does those settings based on the name of the binary called, like apt is handling it for its gzip/bzip2/lzma/xz methods, and be done with it forever instead of maintaining a fork. Or even better, just add SOCKS proxy support to the existing methods…

Where does it lead us to, when DDs prefer to do forks of Debian native packages? I am a bit scared of the answer… (it explains though why my apt3 in brainfuck is going nowhere. ;) )

Best regards

David Kalnischkies

¹ 1 file changed, 23 insertions(+), 37 deletions(-) before s/https/tor/ was done yesterday. I wonder why curl is forbidden to redirect from http to https in this commit btw. At least we have a bigger diff this way, I guess…
Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
On 22 April 2014 13:10, David Kalnischkies <da...@kalnischkies.de> wrote:
> It is also such a trivial modification¹ that I wonder why a fork is needed as the required metadata will easily exceed the code changes. Just provide a patch which does those settings based on the name of the binary called, like apt is handling it for its gzip/bzip2/lzma/xz methods and be done with it forever instead of maintaining a fork. Or even better just add SOCKS proxy support to the existing methods…
>
> Where does it lead us to, when DDs prefer to do forks of Debian native packages? I am bit scared of the answer… (it explains though why my apt3 in brainfuck is going nowhere. ;) )

Hello. :)

I hope you are not too offended by my fork of this code, since you gave me the idea last week! (Our acquire system is pluggable... - https://lists.debian.org/deity/2014/04/msg00075.html )

There are a few reasons I have not yet added SOCKS support to apt properly:

- I would like to backport this feature to wheezy, and I am not so comfortable uploading a backport of all of apt.

- Adding SOCKS support to the http method means writing a SOCKS client in C++. I did spend two days looking at this option, but to be honest, I'm not even that comfortable with apt having its own HTTP parser, and would rather rely on libcurl. I want to prototype a libcurl-based HTTP acquire method (which should then make this package more than a trivial modification).

- Even if we add SOCKS support to apt, I can foresee it being difficult to configure it safely for use with Tor - you need to use:
  - socks5h, so that the proxy does the DNS lookups
  - a username/password, for stream isolation when using IsolateSOCKSAuth
  - probably a standard useragent string (i.e. not one that depends on the version of apt being used) - I'm still looking at this

  It can be done, but it will be tricky for end users to get right.

So, I think a separate 'tor' method is the way to go for usability reasons, regardless of whether SOCKS support is added to the other methods.

I could turn this into a separate binary package built from the apt source package? But only if you think it is appropriate for backporting to wheezy. What do you think?

I would still like to experiment with a libcurl-based HTTP method somewhere.

Kind regards,
--
Tim Retout <dioc...@debian.org>

Archive: https://lists.debian.org/cadc0ge-aykarvqshibw36cbmejses_sfdfd-cvevtbiwxvt...@mail.gmail.com
Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
On 22 April 2014 12:03, Raphael Geissert <geiss...@debian.org> wrote:
> By using curl you are basically allowing the mirror (or anyone who can intercept the clear text) to tell normal and tor users apart. Think of targeted attacks.

Hi Raphael,

Tor users can be identified by IP in any case - the important thing is that all Tor users look alike. I think it might be worth matching the user-agent string with normal apt - but I don't know if libcurl is sending any other headers that set it apart. I'll give it some thought.

But if most users sending apt over Tor switch to this acquire method, then so long as there is no way to tell those users apart from each other, it is difficult to target individuals.

In this case, everything is GPG-signed anyway, so I don't think we're talking about active MITM attacks - it's about confidentiality around which software an individual is using/installing.

Kind regards,
--
Tim Retout <dioc...@debian.org>

Archive: https://lists.debian.org/cadc0ge-cuukquggffcruqptzqr2nyrjzqyzyztn4_bqhwcj...@mail.gmail.com
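The two concerns in this exchange, that a Tor transport must be configured so the proxy resolves names and isolates streams (Tim's list of socks5h, per-run SOCKS credentials and a fixed user agent in the reply to David), and that a curl-based method may send headers by which a mirror can tell Tor users from ordinary apt users (Raphael's point), can both be checked offline. The following is an added example in Python, not code from the apt-transport-tor project (which is C++) or from any of the posters. The function names, the fixed user-agent string and the two header sets are constructed for illustration; it does assume Tor's documented behaviour that distinct SOCKS credentials map to distinct circuits when IsolateSOCKSAuth is in effect.

```python
"""Offline checks for a Tor-safe apt proxy configuration and for request
headers that would set one transport apart from another.

Everything here is illustrative: function names, FIXED_USER_AGENT and the
sample header dictionaries are constructed, not captured from apt or curl.
"""
import secrets
from urllib.parse import quote, urlsplit

# Hypothetical fixed User-Agent for a 'tor' method: it carries no apt
# version, so every user of the method presents the same string.
FIXED_USER_AGENT = "Debian APT-Tor"


def isolation_credentials():
    """Fresh random SOCKS username/password for one apt run.

    With IsolateSOCKSAuth, Tor puts streams that authenticate with
    different credentials on different circuits, so a per-run pair keeps
    one run's downloads from being linked to another's.
    """
    return secrets.token_hex(8), secrets.token_hex(16)


def build_tor_proxy_url(host, port, username, password):
    """Build a socks5h:// proxy URL.

    The trailing 'h' tells the SOCKS client to hand the hostname to the
    proxy instead of resolving it locally, which would leak the mirror
    name to the local DNS resolver.
    """
    user = quote(username, safe="")
    pw = quote(password, safe="")
    return f"socks5h://{user}:{pw}@{host}:{port}"


def check_tor_proxy_config(proxy_url, user_agent):
    """Return a list of problems; an empty list means the settings match
    the three requirements discussed in the thread."""
    problems = []
    parts = urlsplit(proxy_url)
    if parts.scheme.lower() != "socks5h":
        problems.append(
            f"proxy scheme {parts.scheme!r} resolves DNS on the client; use socks5h://"
        )
    if not (parts.username and parts.password):
        problems.append(
            "no SOCKS username/password: Tor cannot isolate this stream (IsolateSOCKSAuth)"
        )
    if user_agent != FIXED_USER_AGENT:
        problems.append(
            f"user agent {user_agent!r} differs from the fixed string {FIXED_USER_AGENT!r}"
        )
    return problems


def distinguishing_headers(reference, candidate):
    """Headers by which a mirror could tell `candidate` requests apart from
    `reference` requests: present on one side only, or differing in value.
    Header names are compared case-insensitively; the result maps the
    lower-cased name to (reference value, candidate value)."""
    ref = {k.lower(): v for k, v in reference.items()}
    cand = {k.lower(): v for k, v in candidate.items()}
    return {
        name: (ref.get(name), cand.get(name))
        for name in sorted(set(ref) | set(cand))
        if ref.get(name) != cand.get(name)
    }


# Constructed sample request headers: what a stock apt http method might
# send versus what a curl-based method might send. Values are made up.
APT_HTTP_HEADERS = {
    "Host": "ftp.debian.org",
    "User-Agent": "Debian APT-HTTP/1.3 (1.0.1)",
    "Cache-Control": "max-age=0",
}
TOR_METHOD_HEADERS = {
    "Host": "ftp.debian.org",
    "User-Agent": "curl/7.35.0",
    "Accept": "*/*",
}


if __name__ == "__main__":
    # A naive configuration fails all three checks.
    for p in check_tor_proxy_config("socks5://127.0.0.1:9050", "curl/7.35.0"):
        print("problem:", p)

    # A configuration built as the thread recommends passes.
    user, pw = isolation_credentials()
    url = build_tor_proxy_url("127.0.0.1", 9050, user, pw)
    print("ok" if not check_tor_proxy_config(url, FIXED_USER_AGENT) else "bad")

    # Headers a mirror could use to tell the two transports apart.
    for name, (a, b) in distinguishing_headers(APT_HTTP_HEADERS, TOR_METHOD_HEADERS).items():
        print(f"{name}: apt={a!r} tor={b!r}")
```

The header comparison is the check Tim says he still needs to do: run it over the headers the two methods actually emit, and every entry it returns is something the tor method should either drop or align with the stock apt method.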
Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
Package: wnpp
Severity: wishlist
Owner: Tim Retout <dioc...@debian.org>

* Package name    : apt-transport-tor
  Version         : 0.1
  Upstream Author : Tim Retout <dioc...@debian.org>
* URL             : https://github.com/diocles/apt-transport-tor
* License         : GPL
  Programming Lang: C++
  Description     : APT transport for anonymous package downloads via Tor

Provides support in APT for downloading packages anonymously via the Tor network.
.
APT already includes mechanisms for guaranteeing the authenticity of the packages you download. However, an adversary sniffing your network traffic can still see what software you are installing.
.
Install apt-transport-tor, edit your sources.list to include only tor:// URLs, and you can apt-get install anarchism without fear of reprisals.

This software works! It was forked from the apt HTTPS transport. It doesn't yet have a build system or any packaging, but hopefully that's the easy part.

Tim

Archive: https://lists.debian.org/20140419225032.23729.94870.reportbug@thinkpad