Can't update any WhonixVm in Qubes 4.0 or WhonixCheck

Hi,

I’m trying to update whonix-gw-14 and whonix-ws-14 on Qubes 4, but it always gets stuck at:

“0% [Waiting for headers]”

After a long time, I get the message in both vms updater:

Ign:1 http://ftp.us.debian.org/debian stretch InRelease
Hit:2 http://deb.qubes-os.org/r4.0/vm stretch InRelease
[...]
Err:12 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release
Connection failed
Reading package lists... Done
E: The repository 'tor+http://sgvtcaew4bxjd7ln.onion stretch/updates Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
Done.

So I tried to update it manually, and again I’m stuck at “0% Waiting for Headers”.

Every time I try a WhonixCheck on any qubes whonixvm, after 1 minute or so I get the following error:

“INFO: Whonix APT Repository: Enabled
[…]
WARNING: Debian Package Update Check Result: Could not check for software updates! (apt-get code: 100)
Please manually check inside your ‘whonix-gw-14’ TemplateVM.”

I’ll be very thankful for any kind of help.

Thank you very much!

• Nathan

I think the problem is that my whonixvms aren’t able to reach “http://sgvtcaew4bxjd7ln.onion”.
So it gets stuck trying to reach it, and in the end it gives me that error.

I also don’t know if its safe to keep using Whonix until this problem gets somehow fixed, since I can connect to Tor Browser normally in anon-whonix vm. Maybe that .onion repository server is temporarily disabled.

Hi Nathan

This could be due to Tor network congestion or possibly a temporary sever failure. This will likely resolve itself given a little time. For now you can try changing your Tor circuit and see if that helps. Tor Arm Controller can be used to do that.

@0brand,
Thank you! I will try to change the Tor Circuit and try it again.

Yes, I think the same.

In any case, if something changes I’ll post an update.

I’d like to understand this error better.

Is it Debian failing to update a relevant file on their server end or just server failing in general? It is always the same .onion that fails (and in the past).

Also, why is Debian persisting with v2 onions, when the Tor Project is noting v3 is now the default with the latest software development etc?

It took fortasse literally a hour to create a Whonix v3 onion because it is so easy. Why do the technical gurus over at Debian not upgrade it (child’s play for them)?

If there isn’t an existing ticket to push this - we should create one.

Hey @torjunkie, thanks for your attention in this topic.

Same…

Maybe they don’t consider it a priority or don’t care, which is very disappointing.

May be a good idea. How can we do that?

Of interest →

Here’s the original Debian onion announcement:

Bits from Debian - onion services tag

The definitive Debian .onion list:

https://onion.debian.org/

Why Torify Debian Services

TorifyDebianServices - Debian Wiki

Bugs listed against system admins (no reference to .onion that I see)

https://bugs.debian.org/cgi-bin/pkgreport.cgi?users=debian-admin@lists.debian.org

And the main link below →

Debian System Administrators responsible for all the relevant infrastructure:

https://dsa.debian.org/

So I recommend an informal reaching out on the mailing lists, rather than a “bug” report in the first instance, since that might get them offside.

To contact us, mail debian-admin@lists.debian.org

Maybe (?) (Patrick might chime in on this)

Request for provision of Debian v3 onions for source repositories

Dear System Administrators,

Recent Tor alpha releases by The Tor Project are beginning to make v3 onions the default for newly created onion services.

New release: Tor 0.3.5.1-alpha | The Tor Project

Changes in version 0.3.5.1-alpha - 2018-09-18

Major features (onion services, UI change):

For a newly created onion service, the default version is now 3. Tor still supports existing version 2 services, but the operator now needs to set “HiddenServiceVersion 2” in order to create a new version 2 service. For existing services, Tor now learns the version by reading the key file. Closes ticket 27215.

In the near future, v3 onions will become ubiquitous. As v3 onions provide significant security and anonymity benefits over v2 onions and the change required to create them is trivial, can you please consider implementing this option? It would also further cement Debian’s reputation as a forward-looking, security-focused GNU/Linux distribution.

Once a v3 instance is created, the time required for it to fully accessible is short and only a brief Debian community announcement would be required - perhaps marking it as an “experimental” feature at first. v3 load balancing is not available, but expected in the near-medium term.

Thank you for your consideration.

cc: @Patrick

It doesn’t help.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909355

All them are not working.

How frustrating!

Debian is run by volunteers. But I’m surprised if they don’t have monitoring in place for this sort of problem.

Having said that, we don’t currently ‘monitor’ the .onions ourselves, just the various clearnet domains (including the repos). Tricky to do without getting lots of false positives due to Tor flakiness! I’ll look at adding something for our .onions nonetheless.

Alec Muffett’s ‘Real World onion Sites’ is also a useful if casual monitoring tool/index. It, too, confirms the Debian onions are down for a day. GitHub - alecmuffett/real-world-onion-sites: This is a list of substantial, commercial-or-social-good mainstream websites which provide onion services.

mirrors works again (for me)

Today I was finally able to run WhonixCheck successfully, after running into some problems.

First I opened whonix-14-gw’s Konsole and typed apt-get update, receiving this message:

[...]
Err:12 tor+http://deb.dds6qk...onion stretch Release
Connection failed
[...]
E: The repository 'tor+http://deb.dds6...onion stretch Release' does no longer have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage...
Done.

So I reseted the Tor Connection in sys-whonix and tried updating whonix-14-gw one more time, and finally no errors were found!

I “WhonixChecked” every TemplateVM and, one more time, no sign of errors.

I want to thank specially @torjunkie and @0brand for the attention and support. And thanks One-Eye-Pirate, mig5 and @nurmagoz for the collaboration.

This topic is closed, at least for now.

A workaround for future (inevitable) problems is now in the wiki (pending edit) → “Non-functional Onion Services”

http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/w/index.php?title=Operating_System_Software_and_Updates&oldid=36823&diff=cur

Thanks @0brand - cutting and pasting is so much easier

Nathan:

no longer have a Release file

This error means the repository is being updated, and can’t be used in
the meantime. Like you found, just try it again after an hour or two.
Good you got it working!

Unless Debian infrastructure volunteers are taking “days” to update the “InRelease” file, the more likely reason for this error which commonly occurs for extended periods – way more than an hour or two (and has frequently occured in the past) – is they are not monitoring it regularly.

Hence why people can’t update for days at a time. So they need proper monitoring techniques or a maintainer who actually is competent. Plus upgrading to v3 so they are with the times.

(Edit: removed text → onion is functional again)

I think it warrants a bug report (due to regular failing of that .onion) + request for v3 upgrade as outlined in another post.

Hi torjunkie

I believe a bug report was filed on Debian and Tor trac for this issue. (One-Eye-Pirate posted previouly in this thread)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909355

Rewritten a bit and posted. Thanks! @torjunkie

Request for provision of Debian v3 onions for source repositories

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909746