Onionizing Qubes-Whonix Repositories

fortasse · March 6, 2018, 11:04pm

Yes, that onion address should be fine.

Patrick · July 19, 2018, 7:05am

Ticket created.
use onion sources list for apt-get updating by default
https://phabricator.whonix.org/T812

Status:

Due to flakiness of onion v4 this should be postponed.

A fix has been implemented and is expected to arrive in Tor 0.3.5 in December.

While we are at it… Should we separate Whonix webiste onion and Whonix repository onion? We would keep Whonix website onion as is (even functional for apt-get to not break it for anyone) but the next upgrade of Whonix wuould move everyone else to a another, fresh onion address.

Why?

separate website and apt-get downloads
future-proof with respect to future server load
we could move apt-get downloads to a different server when needed

Should we even create 2-10 or even 10-100 different onion domains and randomly assign Whonix users one? Why: load balancing. Why not: probably overkill. Debian manages without such gymnastics. But they don’t have onion v3 yet as far as I know.

Perhaps we’ll wait for onionbalance v3 support?

github.com/DonnchaC/onionbalance

Next-Generation onion services (v3) support

opened 03:50PM - 09 Jan 18 UTC

closed 01:52PM - 08 Apr 20 UTC

Alicesland

Now that we have a stable release of the 0.3.2 branch next-generation (v3) onion… services are hitting the mainstream! onionbalance, in it's current design, does not support v3 onion services. Being that v3 onion services are the future, it makes sense that onionbalance should work on supporting them. I'm not sure if you guys allow bounties on this git but it's very important personally that onionbalance supports v3 onion services. I'm willing to provide a reward ($1000+), payed in cryptocurrency, for the brave soul who submits a pull request accomplishing just that.

Research on this is low priority due to above status.

//cc @mig5

mig5 · July 19, 2018, 8:25am

Given APT is simple HTTP I think you could solve most load issues by letting Varnish cache the repo data. (We could purge the cache when pushing new data to the repo). Or yes, could look at onionbalance.

So I think a single APT server is probably sufficient (it has been sufficient to date, right?) but I also agree in the rule of not putting all eggs in one basket. For example, long term I would advocate having a separate server for website/wiki/forum and one for apt repo, also for security/attack surface reasons (no need for a hack of MediaWiki to place the apt repo at risk). It’s the same ‘compartmentalisation by design’ principle that we appreciate of Whonix and QubesOS. The only downside is commercial impact (more servers) and a little extra server maintenance (more of my time).

Random onion domains is probably overkill/administrative overhead indeed (would rather use onionbalance when it’s available for v3). It would also be then harder for users to confirm with one another that they’re using a legitimate APT source, e.g with 100 different onion domains, hard to ‘google it’ and confirm you’re not using a malicious onion address (hard enough already to read just one long v3 onion address and recognise it as legitimate, Zooko’s triangle, etc etc).