Re: [qubes-users] Re: Announcement: Qubes Tor onion services are available again!

[unman]

On Sat, Apr 20, 2019 at 11:18:11AM -0700, lamas9...@gmail.com wrote:
> Great news! Thanks Unman!
> 
> > Soon, you will be able to get the new, correct repo definitions just by
> > updating dom0 and your TemplateVMs. However, if you can't wait, you can
> > edit your repository definitions by following the instructions below.
> 
> Do you know then that is? And what package will contain the new repo 
> definitions?
> 

It's qubes-core-agent, and the updated package is already in testing, so wont 
be long.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190421000459.uhspulf3zzxueebm%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Announcement: Qubes Tor onion services are available again!

[lamas9025]

Great news! Thanks Unman!

> Soon, you will be able to get the new, correct repo definitions just by
> updating dom0 and your TemplateVMs. However, if you can't wait, you can
> edit your repository definitions by following the instructions below.

Do you know then that is? And what package will contain the new repo 
definitions?

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/315ae53b-f5ed-44e9-8c7e-670049474fa2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Re: Announcement: Qubes Tor onion services are available again!

[unman]

On Fri, Apr 19, 2019 at 06:38:28PM +, Jon deps wrote:
> On 4/18/19 3:05 AM, Andrew David Wong wrote:
> 
> I could be wrong but personally  I believe  my  Dom0 & Templates are updated
> via sys-whonix-14 but just  *donot  use  the  .onion addresses ...
> 
> anything "wrong" with doing it this way ?
> 

Nothing wrong - doing it this way you are connecting to the normal
servers using Tor. That means you are routing through the Tor network
and leaving it from the exit node to get to the update server.

Using the onion servers you stay within the Tor network all the time.
You can be sure that your connection to the onion site is secure and
encrypted, and you can also be sure that it *is* the site you are trying
to access.
Some of this is provided by TLS, but that depends on a third party
certificate authority, and there are a number of examples where CAs have
been hacked or rogue certificates have been handed out. An onion service
provides its own authentication.

Of course, the fact that the connection is in Tor does *not* validate
the site or the packages served. They must be signed with the relevant
ke, which you have chosen to trust. That's part of the general "distrust
of the infrastructure" - see
https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190420004221.ppa67e2fvyfselmk%40thirdeyesecurity.org.
For more options, visit https://groups.google.com/d/optout.

[qubes-users] Re: Announcement: Qubes Tor onion services are available again!

[Jon deps]

On 4/18/19 3:05 AM, Andrew David Wong wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Dear Qubes Community,

We previously announced that the Qubes Tor onion services were no
longer being maintained due to lack of resources. [1] However, Unman
generously agreed to bring them back, and they're now available once
again!

Here are the new onion service URLs:

Website:  www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Soon, you will be able to get the new, correct repo definitions just by
updating dom0 and your TemplateVMs. However, if you can't wait, you can
edit your repository definitions by following the instructions below.


Instructions


Follow these instructions *only if* you wish to update dom0 and your
TemplateVMs over Tor (via `sys-whonix`). This is an opt-in feature. If,
instead, you wish to update over your regular network connection (aka
"clearnet"), *or if you are not sure*, then *do not* follow these
instructions.

In order to use the new onion services, you must ensure that *every*
line that contains an onion address uses the appropriate *new* address
above. We'll go through this for dom0, Fedora templates, and Debian
templates. Whonix templates do not require any action; their onion
addresses are still the same as before. For additional information, see
"Onionizing Repositories" on the Whonix wiki. [2]


dom0


1. In dom0, open `/etc/yum.repos.d/qubes-dom0.repo` in a text editor.

2. Comment out all the `baseurl = https://yum.qubes-os.org/[...]` and
`metalink` lines.

3. Uncomment all the `baseurl = [...].onion` lines.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = 
http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = 
https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink

5. Open `/etc/yum.repos.d/qubes-templates.repo` in a text editor and
repeat steps 2-4.

6. In *Qubes Global Settings*, set *Dom0 UpdateVM* to `sys-whonix`.


Fedora TemplateVMs
==

1. In the TemplateVM, open `/etc/yum.repos.d/qubes-r4.repo` in a text
editor.

2. Comment out every line that contains `yum.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = 
http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM$defaultallow,target=sys-whonix


Debian TemplateVMs
==

1. In the TemplateVM, open `/etc/apt/sources.list.d/qubes-r4.list` in a
text editor.

2. Comment out every line that contains `deb.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm stretch main
#deb-src https://deb.qubes-os.org/r4.0/vm stretch main


# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] 
http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm
 stretch main
#deb-src 
http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm
 stretch main

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM$defaultallow,target=sys-whonix


[1] 
https://www.qubes-os.org/news/2018/01/23/qubes-whonix-next-gen-tor-onion-services/
[2] https://www.whonix.org/wiki/Onionizing_Repositories

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/

- -- 
Andrew David Wong (Axon)

Community Manager, Qubes OS
https://www.qubes-os.org

-BEGIN PGP SIGNATURE-

iQIzBAEBCgAdFiEEZQ7rCYX0j3henGH1203TvDlQMDAFAly36YEACgkQ203TvDlQ
MDD+/g//eGzEagElqNLg/6tQdHTUNZaFQQmEZlNYFt7ZU8QhS7TNQqFR77bHpy+W
1Fbwz2tGMcJwUVj/sQ1A7CQXhhKRL96BtxMjDxTYt5ZQVv7oKs7m1MYUc/3I1hg/
GtNsT7qlPjwMb4XZdrmjyeJg96lYp75msKWDXDsHiAp5Nlq/vuw190TCnw+lGfUJ
+1gf99rGUcfwZZLPl8ZaGlOCjAo6e8qb4ysJH01YvYUt04GQhuUKTyS6OJ8Vq9AV

[qubes-users] Re: Announcement: Qubes Tor onion services are available again!

[22rip]

Nice one Unman...thanks for this and your ongoing help! You rock...

(Kudus to Andrew and the Qubes team as well!)

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/9bf5e92b-269e-4b92-b9b4-178765dd2a4d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.