Amazon - The CIA/Spook/Defense Department cloud providers with 1/3rd of all cloud infrastructure - should have zero access to anything related to Whonix users.
.onions everywhere is the real long term solution for all secure updating and upgrading, by default, configured from 1st install.
I am not sure we really should go into security by policy. Choosing good servers over bad servers. That opens a can of worms.
Before we were using 1) security.debian.org and 2) ftp.us.debian.org. Was never questioned at all.
Could be hosted in US and if I had to bet, I’d bet it is hosted in US.
Even more likely so.
Debian apt downloads look like a volunteer effort. People who can sponsor/contribute these resources. Both 1) and 2) might already be hosted on Amazon AWS or similarly awful. Since it is DNS round robin / mirrors most likely, it most likely is hitting such cloud providers already at least sometimes.
onions are not reliable enough yet.
Even if they were…: Do we say “building Whonix requires an already torified connection so you can access onions”? If you don’t have that, out of luck or use binary Whonix download first.
The problem with forcing CA SSL for apt updates is it breaks regular http mirrors and potentially limits mirror numbers severely - making it easier to censor the Whonix build/updates process. If it becomes widely adopted and http mirrors a minority, then switch to apt-https.
Censoring Amazon servers is equally pointless since they do go out of their way to keep their centers secret and use front companies to fool customers.
I suggest letting the chips fall where they may and tell users to restart Tor and re-run the apt process.
The good thing is onion mirrors are reliable enough (though not perfect) to act as alternate fallbacks.
The good thing about apt is we don’t really need to trust the endpoint hosting the mirror when packages are signed. The advantage of onions is to stop selective poisoning of packages in event of an apt vuln or being able to track anonymous systems update patterns because machines have unique program sets installed on them.
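The last post's point (that a signed apt archive lets the client distrust whichever mirror it happens to hit) is easy to show concretely. The following is an added example, not code from the thread or from the Whonix/Debian projects. It models apt's hash chain: a `Release` file, which in real apt arrives GPG-signed as `InRelease` and is checked against the archive keyring, lists the SHA256 and size of each `Packages` index, and each `Packages` stanza lists the SHA256 and size of its `.deb`. The example treats the `Release` text as already signature-verified (the GPG step is not reproduced), and all archive contents, file names and the three simulated mirrors are constructed for the demo.

```python
"""Added example: why a mirror cannot alter apt packages without being caught.

Chain modelled: signed Release -> Packages index -> .deb file.
All sample data below is constructed, not taken from any real Debian archive.
"""
import hashlib

# --- Constructed archive contents (stand-ins for real Debian data) ---
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
DEB_BYTES = b"constructed-fake-deb-contents"

# Packages index stanza, in the same field format apt uses.
PACKAGES_BYTES = (
    "Package: example-tool\n"
    "Version: 1.0-1\n"
    f"Filename: {DEB_PATH}\n"
    f"SHA256: {hashlib.sha256(DEB_BYTES).hexdigest()}\n"
    f"Size: {len(DEB_BYTES)}\n"
).encode()

INDEX_PATH = "main/binary-amd64/Packages"

# Release file. Real apt receives this as a GPG-signed InRelease and verifies
# it against the archive keyring before trusting any hash inside it; here we
# assume that step has already succeeded.
RELEASE = (
    "Origin: Example\n"
    "Suite: stable\n"
    "SHA256:\n"
    f" {hashlib.sha256(PACKAGES_BYTES).hexdigest()} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def parse_release_hashes(release_text: str) -> dict:
    """Return {index path: (sha256 hex, size)} from the SHA256 section."""
    hashes = {}
    in_sha256 = False
    for line in release_text.splitlines():
        if not line.startswith(" "):
            in_sha256 = line.strip() == "SHA256:"
            continue
        if in_sha256:
            digest, size, path = line.split()
            hashes[path] = (digest, int(size))
    return hashes


def verify_index(release_text: str, path: str, data: bytes) -> bool:
    """Accept a Packages index only if the signed Release vouches for it."""
    expected = parse_release_hashes(release_text).get(path)
    if expected is None:
        return False  # an index the signed Release never listed is refused
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def parse_packages(packages_text: str) -> dict:
    """Return {Filename: (sha256 hex, size)} from a Packages index."""
    entries = {}
    for stanza in packages_text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        if "Filename" in fields:
            entries[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return entries


def verify_deb(packages_text: str, filename: str, data: bytes) -> bool:
    """Accept a .deb only if the (already verified) index vouches for it."""
    expected = parse_packages(packages_text).get(filename)
    if expected is None:
        return False
    digest, size = expected
    return len(data) == size and hashlib.sha256(data).hexdigest() == digest


def verify_download(release_text: str, packages_bytes: bytes,
                    filename: str, deb_bytes: bytes) -> bool:
    """Walk the full chain; a break at any link rejects the download."""
    if not verify_index(release_text, INDEX_PATH, packages_bytes):
        return False
    return verify_deb(packages_bytes.decode(), filename, deb_bytes)


# --- Three simulated mirrors (constructed): honest, swapped .deb, swapped index ---
HONEST_MIRROR = {INDEX_PATH: PACKAGES_BYTES, DEB_PATH: DEB_BYTES}

EVIL_DEB = b"constructed-modified-deb-contents"
TAMPERED_DEB_MIRROR = {INDEX_PATH: PACKAGES_BYTES, DEB_PATH: EVIL_DEB}

# A mirror that also rewrites the index to match its modified .deb still fails,
# because the index hash no longer matches the signed Release.
EVIL_INDEX = PACKAGES_BYTES.replace(
    hashlib.sha256(DEB_BYTES).hexdigest().encode(),
    hashlib.sha256(EVIL_DEB).hexdigest().encode(),
).replace(f"Size: {len(DEB_BYTES)}".encode(), f"Size: {len(EVIL_DEB)}".encode())
TAMPERED_INDEX_MIRROR = {INDEX_PATH: EVIL_INDEX, DEB_PATH: EVIL_DEB}


def check_mirror(mirror: dict) -> bool:
    """Simulate an apt client fetching index and package from one mirror."""
    return verify_download(RELEASE, mirror[INDEX_PATH], DEB_PATH, mirror[DEB_PATH])


if __name__ == "__main__":
    for name, mirror in [("honest", HONEST_MIRROR),
                         ("tampered .deb", TAMPERED_DEB_MIRROR),
                         ("tampered index", TAMPERED_INDEX_MIRROR)]:
        print(f"{name:15s} -> {'accepted' if check_mirror(mirror) else 'rejected'}")
```

Run as a script it reports the honest mirror accepted and both tampered mirrors rejected. What the chain does not cover is exactly what the post lists as the remaining reasons for onions: the mirror still learns which package set a given client fetches, and a signature check is no help if the bug being exploited is in apt's own handling of the data it downloads.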