Not former but current core dev alongside Micah.
The docs look pretty good. A couple of suggestions/notes however:
Consider not mentioning the current version 1.3, or any other version. You’re only making work for yourself trying to keep the docs up to date (i.e every time OnionShare gets a new release). May as well not mention version, and make your life easier. Case in point: v.1.3.1 is the latest version.
Likewise for step 6 where you list the dependencies to install. We already have that in the BUILD.md of the onionshare repo. Maybe there’s a nice way to say ‘please run the apt-get commands seen in the ‘Debian-like distros’ section of the BUILD.md in the OnionShare repo’, so that if we change dependencies, you don’t have to update obsolete documentation.
Nothing you can really do about this right now, but there’s an unfortunate bug in the OnionShare ‘develop’ branch (which is the default branch) , which causes the app to crash when opening the Settings dialog. Therefore, the step where you edit settings to set the Tor connection method to ‘via control socket’, crashes. This is obviously only a temporary issue until Micah merges in a fix that’s been sitting in the queue for ages, but I can’t force him to, and we have a workflow whereby we review each other’s patches.
As a temporary workaround, you could consider either telling the user to checkout the ‘master’ branch, or, as I did in my testing just now, the latest release tag (v1.3.1 - yes I realise this then re-introduces the issue in my point 1 above, about hardcoding release numbers into your docs).
- The note ‘Check “Create stealth onion services” to make OnionShare operations more secure.’ is a bit too brief: it should be noted that enabling Stealth also requires action from the user fetching the files, in that they need to edit their torrc (Stealth just means ‘onion service Client Auth’.) We already have this documented, so again, you could maybe append "Note, however, that using Stealth mode makes it harder for the end user to connect to the share, because it requires them to edit their torrc. Please see the official documentation at https://github.com/micahflee/onionshare/wiki/Stealth-Onion-Services for more information’
Suffice to say the instructions otherwise worked for me.
The AppArmor profiles probably won’t work against the recent releases or against the develop/master branches of the git repo. They are super old. The contributor who has unofficially maintained/provided our AppArmor profiles has even opened a ticket saying they are out of date and need to be replaced: https://github.com/micahflee/onionshare/issues/686
We are hoping to get new AppArmor profiles from them ‘soon’. Not sure how to portray this in your docs, but for now I would not try AppArmor with OnionShare unless you are good at AppArmor profiles, and maybe if so, you can help contribute fixes via the above ticket.
As above - the only real element that currently adds extra security is Stealth mode (ClientAuth).
An additional method to reduce the risk of onion service discovery attacks is to use the Shutdown Timer setting. This allows you to self-destruct the share if no-one came and downloaded your share within an acceptable time window.
Unsetting ‘Stop sharing after first download’ is also obviously a risk as it will keep the share open after someone downloads the file (but obviously useful for sharing to multiple users or long term shares). Likewise Persistent mode is a risk as it re-uses the Onion address instead of a random one each time.
Again, I wouldn’t bother pointing any of this out, as it’s all documented in the OnionShare wiki already. Point any ‘using OnionShare’ advice to the official docs to save yourself effort. The Whonix wiki page should only show Whonix-specific steps required to install or configure OnionShare.
Hope this helps