Onionizing Repositories and Editing debian.list File

When you are following instructions for Onionizing Repositories it tells you to edit /etc/apt/sources.list.d/debian.list but when you open /etc/apt/sources.list.d/debian.list on Whonix it says: Instead of directly editing this file, the user is advised to create the following file: /etc/apt/sources.list.d/user.list. This is because when this package gets updated, /etc/apt/sources.list.d/debian.list will be overwritten and may receive new default values and comments. The entire folder /etc/apt/sources.list.d/ gets scanned for additional sources.list files by apt-get. The user may keep their settings even after updating this package.

Should we create /etc/apt/sources.list.d/user.list instead of editing /etc/apt/sources.list.d/debian.list? If we create that file (which now contains onion repositories) instead of editing default file (which contains clearnet repositories) and then update our system or install something, which scenario will happen:

  1. We download packages using onion repositories (from user.list)
  2. We download packages using both, onion repositories (from user.list) and clearnet repositories (from debian.list)

If scenario 2 happens is that a security risk?

1 Like

It’s true. Customizing such configuration files has bad usability. More information:

Unfortunately, not.

Yes.

I can confirm this this is a bit of a contradiction of wiki versus configuration files. But this isn’t simple.

Not sure what documentation should suggest instead.

The user could copy /etc/apt/sources.list.d/debian.list to /etc/apt/sources.list.d/user.list. Then delete /etc/apt/sources.list.d/debian.list. APT should recognize the user modified (deleted) configuration file and not re-install it without explicit user consent.

Then managing /etc/apt/sources.list.d/user.list would be fully up to the user. It would be advisable on each release upgrade to check the source code what /etc/apt/sources.list.d/debian.list looks like and apply any important changes/improvements to /etc/apt/sources.list.d/user.list, if any.

1 Like