https (SSL / TLS) by default broke apt-cacher-ng apt package caching during build

(https://github.com/Whonix/Whonix/commit/867a481710077f6bf4e14a5d8c87471e81db85df)

E: Failed to fetch https://deb.debian.org/debian-security/dists/stretch/updates/main/binary-amd64/Packages Received HTTP code 403 from proxy after CONNECT

To be expected:

https://www.unix-ag.uni-kl.de/~bloch/acng/html/howtos.html#ssluse

Perhaps the "tell-me-what-you-need method" mentioned there would help.

This also makes enabling https (SSL / TLS) in anon-apt-sources-list (/etc/apt/sources.list.d/debian.list) difficult. The "tell-me-what-you-need method" is hard to add in /etc/apt/sources.list.d/debian.list but it is being used during the build of Whonix.

(deb.debian.org and https by default · Kicksecure/anon-apt-sources-list@9f08431 · GitHub)

Maybe if you file that as a bug with Debian, they might consider looking at or changing something which will help the build.

Not a Debian bug. Known and documented limitation. An (apt package) caching proxy can’t cache end-to-end encrypted SSL’ed connections by design. Not easy without hacks.

Many distros that I know use SSL by default for their repos, like parrotsec, trisquel, etc., so maybe check their code or how they implemented that and see if it can fit our distro.

This issue was solved a long time ago. Currently everything in Whonix is either pure Onion or TLS.

1 Like

This was fixed a long time ago indeed.

This was implemented. Example:

https://github.com/Whonix/Whonix/blob/master/build_sources/debian_stable_current_clearnet.list#L13

APT sources during build (chroot) (build_sources) and APT sources used when actually booting a VM (anon-apt-sources-list) are using the same APT repositories (manually kept in sync) but in a different format.

Not great but there’s no better solution.

1 Like
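
The post above says the build-time and runtime APT sources name the same repositories in different formats and are kept in sync by hand. The following is an added example, not code from this thread or from Whonix, that converts one format to the other and flags drift. It assumes the build format is the `http://HTTPS///` prefix described in the apt-cacher-ng documentation linked earlier; the function names and list contents are constructed.

```shell
#!/bin/sh
# Added example. Function names and sample list contents are constructed.

# Rewrite https:// APT URIs into the http://HTTPS/// form described in the
# apt-cacher-ng documentation, so the proxy (not apt) opens the TLS
# connection and no CONNECT tunnel is requested from it.
to_acng() {
    sed -E 's#^(deb(-src)?[[:space:]]+(\[[^]]*][[:space:]]+)?)https://#\1http://HTTPS///#'
}

# Reduce either format to canonical lines: drop comments and blank lines,
# undo the proxy prefix, squeeze whitespace, sort.
normalize() {
    sed -E -e 's/#.*$//' -e 's#http://HTTPS///#https://#' \
           -e 's/[[:space:]]+/ /g' -e 's/^ //' -e 's/ $//' -e '/^$/d' | sort -u
}

# Exit 0 when two list files name the same repositories.
sources_in_sync() {
    [ "$(normalize < "$1")" = "$(normalize < "$2")" ]
}

# Constructed sample data standing in for the runtime list.
tmp=$(mktemp -d)
cat > "$tmp/runtime.list" <<'EOF'
# runtime format (as in /etc/apt/sources.list.d/debian.list)
deb https://deb.debian.org/debian stretch main
deb https://deb.debian.org/debian-security stretch/updates main
EOF

# Derive the build-time (proxy) format from the runtime list.
to_acng < "$tmp/runtime.list" > "$tmp/build.list"

if sources_in_sync "$tmp/runtime.list" "$tmp/build.list"; then
    echo "in sync"
else
    echo "DRIFT between build and runtime sources" >&2
fi
```

Run as a pre-build check, a non-zero result from `sources_in_sync` catches a repository added to one list but not the other.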

A post was split to a new topic: Whonix build error - ERROR: Host /home/user/Whonix/build_sources/debian_stable_current_clearnet.list does not match chroot /etc/apt/sources.list