ID: 472PHID: PHID-TASK-b3zcjxa4t4nidw5ftvaeAuthor: PatrickStatus at Migration Time: resolvedPriority at Migration Time: Normal
Installing the tor from deb.torproject.org is great because it gives us more recent versions of Tor. Which has versions closer to the one included in TBB.
At one point this was even required:https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
The problem with deb.torproject.org is that it is a too fast moving target, i.e. a new release of Tor might break Whonix for all users. Could happen when they change something related to the systemd service or so.
The responsible way would be to download Tor from deb.torproject.org and to upload it to the Whonix repository.
I could not think of yet how this gets together with builds from source code. (You cannot run apt-get update from postinst scripts.)
TODO:
automate download (verification) and adding to Whonix local / remote apt repository (done)disable TPO sources.list on existing installations using #whonix-legacy remove TPO signing key on existing installations using #whonix-legacy (happens during deb.torproject.org-keyring package removal Debian maintainer prerm script)actually upload TPO packages to Whonix repository more comments in /etc/apt/sources.list.d/torproject.list #anon-shared-build-apt-sources-tpo to more easily add experimental versions of Tor usability feature for testers output torproject repo in use: cat /etc/apt/sources.list.d/torproject.list | grep -v '#' | grep deboutput of Tor version
2016-02-22 20:43:02 UTC
I prefer we not touch binary packages unless there are solid security guarantees - similar to verification of binaries hosted on a mirror.
How complicated is it for using apt to check a package against some signing key in the keychain?
2016-02-23 19:47:19 UTC
HulaHoop (HulaHoop):
I prefer we not touch binary packages unless there are solid security guarantees - similar to verification of binaries hosted on a mirror.
I don’t think there is such verification at the moment let alone anyone
It won’t change a lot. Rather than building a Whonix source package fromdeb.torproject.org and then compare it with the one in the Whonix
How complicated is it for using apt to check a package against some signing key in the keychain?
Is this in scope of this ticket? If you are asking if someone whodeb.torproject.org signing key, no that is not supported by
2016-02-25 16:36:06 UTC
an auditor would download the binary tor package fromdeb.torproject.org and then compare it with the one in the Whonix
Will this be done automatically by the build script? I don’t want this to be a manual verification process that depends on the interest of someone doing it sometimes.
If you are asking if someone whodownloaded the tor package from Whonix repository could verify it against the deb.torproject.org signing key, no that is not supported by apt-get.
Yes that’s what I was asking about. Very interesting as I wasn’t familiar with details about apt.
There are some problems I foresee with critical update logistics. At the moment if the Tor package needs an emergency update, the people tracking Debian stable only will get it as its backported and those tracking deb.torproject.org get it as soon as the new “testing” release is uploaded. If we arbitrarily freeze some “testing” Tor release then how is it decided to upgrade? Will you need to read the changelog of every minor release to decide? Is this sustainable?
2016-02-25 18:07:18 UTC
! In T472#8166, @HulaHoop wrote:deb.torproject.org and then compare it with the one in the Whonix
Will this be done automatically by the build script? I don’t want this to be a manual verification process that depends on the interest of someone doing it sometimes.
There are no verification scripts for any Debians repository at the moment at all. More info:
Verifiable Builds - Whonix
If you are asking if someone whodownloaded the tor package from Whonix repository could verify it against the deb.torproject.org signing key, no that is not supported by apt-get.
Yes that’s what I was asking about. Very interesting as I wasn’t familiar with details about apt.
There are some problems I foresee with critical update logistics. At the moment if the Tor package needs an emergency update, the people tracking Debian stable only will get it as its backported and those tracking deb.torproject.org get it as soon as the new “testing” release is uploaded.
If we arbitrarily freeze some “testing” Tor release then how is it decided to upgrade?
Upgrade every time. Unless the upgrade would break something that would require another Whonix package upgrade to make sure it does not break at the same time. Then upgrading would take longer.
Will you need to read the changelog of every minor release to decide?
Yes, I must do that anyhow.
Is this sustainable?
It has to be.
2016-02-26 01:03:14 UTC
There are no verification scripts for any Debians repository at the moment at all. More info.
There is a semantics mix up. When I say verifiable I mean to check package signatures or hashes not build reproducibility.
Will the Whonix build script be able to download and compare hashes from the two different repos?
EDIT: I think Verifiable → Deterministic makes more sense in the documentation.
It has to be.
OK and I’ll help with keeping track too.
2016-02-26 10:18:43 UTC
2016-02-26 17:23:34 UTC
I’m confused. Source builds will have nothing to with these changes? This only applies for official builds?
I don’t think placing such a critical package in a third party repo is a good idea if we don’t have a reliable and automated way to trace the chain of trust back to the original binaries.
Conflicts with goal T461 (getting rid of chroot scripts).
Blocking this ticket is not really worth the gain. Why not switch to the older version in Debian’s repos if testing is moving too fast?
2016-02-27 11:08:35 UTC
2016-02-27 11:35:46 UTC
Builds from source code should still download, verify and install tor from deb.torproject.org .
You cannot run apt-get update from Debian packaging maintainer (postinst …) scripts. (Because apt-get and dpkg is already running, therefore locked.)
(Running apt-get update would be required within the process of temporarily adding deb.torproject.org , downloading and verifying tor.)
It should be quite easy to download and verify it manually, but there shouldhttps://wiki.debian.org/AptMedium for example - basically
2016-02-27 12:23:06 UTC
2016-02-27 12:30:33 UTC
2016-02-27 13:11:34 UTC
2016-02-27 13:26:05 UTC
No, we do not want to install it there, we want to download it only,
Am I missing something?
2016-04-05 17:01:05 UTC
It depends on how far Installation from Repository / proverbial "sudo apt-get install whonix" (T461) should go.
a)
start a (Qubes) Debian (template)
add Whonix binary apt repository [*]
sudo apt-get install whonix-gateway
b)
1 start a (Qubes) Debian (template)[*]sudo apt-get install whonix-gatewaytor package from deb.torproject.org
If it is supposed to become as simple as the following 3 steps in a)… Then we cannot download and install the tor package from deb.torproject.org. This is because while the package manager is running, we cannot run dpkg install package, since the package database would be already locked.
Which one do we require/want? a) or b)?
[*] Or create a local Whonix apt repository from source code.
2016-04-05 18:38:34 UTC
2016-04-05 21:55:34 UTC
Update: I am trying to avoid uploading the tor package from deb.torproject.org to the Whonix binary apt repository. After thinking more about, it significantly adds up a maintenance burden. Instead I am considering to implement some usability enhancements.
a script run from .bashrc thats shows the current Tor version / Tor Project repository once some file is created (touch ~/tester or so)
more comments in /etc/apt/sources.list.d/torproject.list to more easily allow enabling tor-experimental-0.2.7.x-jessie etc.
These should simplify/remind to keep track of newer Tor versions and see how they work with Whonix before they flow into Tor Project’s stable apt repository.
FYI, a hack (will probably not use it)…install apt packages from deb postinst:
Here is my work in progress attempt for downloading the tor package during Debian maintainer postinst script. It uses a separate apt database. It works.
anon-gw-anonymizer-config/debian/anon-gw-anonymizer-config.postinst at 5fdf627e7e4286cdab418e8e634df3c07e209133 · adrelanos/anon-gw-anonymizer-config · GitHub
Installation from there is more tricky. The above hack of merging dpkg status file changes should probably be avoided. The least awful hack might be to have a blocking startup script that runs early and installs the package at next reboot.
That would move us closer to “sudo apt-get install whonix-gateway” etc. Getting rid of chroot scripts. (T461) Then one could create a Qubes Debain ProxyVM by using method a) to morph it into a Whonix-Gateway. That would greatly simplify Whonix installation process. Make it more robust, easier/quicker testing overall, easier porting. I hope I don’t have to bend things too much to get there. (We are overwriting files such as /etc/resolv.conf, load firewall rules, etc. I hope none of this is a deal breaker during installation. I don’t think there is any other Debian derivative yet that can be installed using apt-get alone.)
That doesn’t give us a set of packages that could be installed from Qubes installer inside a Debian template to morph it into Whonix. (The purpose is to save space on the installer disc here.) But getting pure T461 done somewhat simplifies the development of that.
2016-04-06 14:51:21 UTC
I succeeded to implement the download of
tortor-geoipdbdeb.torproject.org-keyring
from deb.torproject.org using #anon-gw-anonymizer-config postinst script and installation during next reboot. [*]
#anon-gw-anonymizer-config now depends on #anon-shared-build-apt-sources-tpo .
Should the deb.torproject.org-keyring package be rather installed by #anon-shared-build-apt-sources-tpo ? That certainly would be cleaner. But then #anon-shared-build-apt-sources-tpo would need a similar mechanism to download that package during postinst and to install it on next reboot. [*]
If yes, it would certainly be cleaner to a separate package for the download packages during postinst code being a standalone shell library and a generic install on next reboot mechanism [*] that gets used by both packages, #anon-shared-build-apt-sources-tpo and #anon-gw-anonymizer-config .
All doable but quite some work.
So I am wondering, do we still require an independent package add torproject apt repository (#anon-shared-build-apt-sources-tpo )?
Do we still want to enable torproject’s apt repository within Whonix-Workstation? We no longer install any packages from torproject’s apt repository in Whonix-Workstation. We used to install torsocks from there, but since Debian jessie this is no longer necessary. We might need that in future though, if Tor Browser gets added to torproject’s apt repository - if that ever happens.
[*] Or manually running sudo service anon-gw-anonymizer-config start after installation of the #anon-gw-anonymizer-config package. (I wouldn’t know how to automate this during apt-get install whonix-gateway etc. This is as long as dpkg is running, there is no (sane) way to dpkg install another package since the package database is locked. And there are no post apt-get hooks. So there is no sane way to not require manually running sudo service anon-gw-anonymizer-config start or reboot after apt-get install whonix-gateway.)
2016-04-06 20:17:55 UTC
2016-04-08 00:15:59 UTC
The download during postinst as part of apt-get install whonix-... does not work. /etc/resolv.conf gets modified during distribution morphing, therefore breaks networking, so the download will fail. I wonder how this could be solved.
2016-04-08 00:41:02 UTC
2016-04-08 14:19:37 UTC
Small specification so we are on the same page. What I am not talking about here, is the installation without network access for morphing a Debian template into Whonix during Qubes firstboot. This is an issue with apt-get install whonix-... from a usual Debian system with network access. I.e. if subgraph was to ask “how to install Whonix” (for porting), it would be as simple as a). /etc/resolv.conf gets modified by package anon-gw-dns-conf . apt-get install whonix-gateway leads to installation for that package first. After that networking is broken so any other packages requiring networking won’t work.
apt-get install whonix-... is different from the way packages are currently installed when using the build script . Then the script installs them in the right order, the script can also create a backup of such files and read-only mount them in chroot. Also currently: we do not start services during initial install (think: whonix-gw-firewall) vs new: start services during install. This is somewhat an attempt to dumb down build-steps.d/1700_install-packages to apt-get install whonix-....
It’s great to do that. I just now need to solve issues I could not think of earlier how to solve.
Somehow I would have to express in Debian packaging terms to have the packages that require internet access (anon-gw-anonymizer-config) to be installed first. So other packages that do not require internet access and break internet access are installed after that.
2016-04-08 19:04:06 UTC
2016-04-09 15:32:33 UTC
2016-04-13 16:58:24 UTC
2016-04-13 17:05:35 UTC
2016-04-13 17:26:38 UTC
2016-04-14 19:31:06 UTC
2016-04-14 19:53:58 UTC
2016-04-14 23:50:52 UTC
2016-04-15 00:39:41 UTC
2016-04-26 15:17:33 UTC
2016-04-28 00:03:12 UTC
2016-08-04 23:38:23 UTC