A regression about showing the Whonix advice if onion-grater profile is not active yet in Whonix 15 / debian buster based.
Added support for OnionShare in “bundled Tor” configuration which is the default in Debian buster version of OnionShare.
This will come through Whonix 15 package upgrades at some point in future.
1 Like
Over on tor-dev, this thread makes it very clear that v2 onions are plain dangerous for various reasons.
https://lists.torproject.org/pipermail/tor-dev/2020-May/014322.html
I note this because the current version of OnionShare from Debian buster (v1.3.2) installed in Whonix defaults to legacy v2 as you can see in my screenshots recently added.
(Which is funny, since if you have a much later Tor version >3.5.X like that provided by Whonix, it is apparently meant to default to v3? Maybe that is only for later OnionShare software version?)
So I guess this might be something where we recommend users default to a later installed version from Sid? (v2.2-2) and take their chances. Bullseye has v2.2. Otherwise they are at real risk of having their ass hacked by capable adversaries.
Debian bullseye = Debian sid = onionshare 2.2-2 at time of writing.
Yes. v2 vs v3 is entirely up to OnionShare, I think. Debian bullseye version uses v3 if I am not mistaken.
Could go back to manual installation instructions.
Outdated, Deprecated, Archived Whonix ™ Documentation.
Can also consider to no longer install by default in Whonix until Whonix is based on Debian bullseye.
1 Like
OnionShare wiki page issues
Why not just use Flatpak for latest version instead (in the appendix part)? Micah has removed build dependencies information for OnionShare - can’t find them anywhere for v2.3.1 They are just pushing snap and flatpak instead for Linux.
This would be easy in non-Qubes-Whonix (only a few steps - see below).
Of course in Qubes-Whonix the AppVM steps would need to be done everytime, but at least you have latest, fully-functional, secure, v3 onions version. The Debian version is ancient and even next testing version is still only v2.2.
With the next Debian release due soon, that means we’ll be stuck with v2.2 for a couple more years - not good enough, because anonymous chat is only available in v2.3 and it is arguably far better/secure than the messengers we recommend in the wiki.
This works →
In whonix-ws-15-onionshare TemplateVM:
sudo apt-get install flatpak
In whonix-ws-15-onionshare AppVM (not allowed in TemplateVM, any way around that?):
Add the Flathub repository:
flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
Install in AppVM (can’t be done in TemplateVM again, any way around that?):
flatpak install flathub org.onionshare.OnionShare
Run in AppVM:
flatpak run org.onionshare.OnionShare
Tested and works nicely with v2.3.1
A pain, but v1.3.2 in Debian is hopelessly out-of-date i.e. doesn’t allow receiving files anonymously, anonymous websites or anonymous chat and only legacy v2 onions i.e. useless by comparison and a security risk.
Also, flatpak instructions are far easier than that build stuff we have on the relevant wikipage right now. If you don’t like the steps above, would this work in both Qubes-Whonix and non-Qubes-Whonix? →
https://docs.onionshare.org/2.3/en/install.html#install-in-linux
You can also download and install PGP-signed .flatpak or .snap packages from Index of /dist/ if you prefer.
I guess for Qubes → download in AppVM, get Micah’s key, verify, copy to TemplateVM, install (for persistence). Dunno, I never use Flatpak.
Random error
Do you see this when trying to run standard onionshare in Whonix 15? (I guess I installed Firejail at some stage…). Doesn’t happen with later OnionShare versions > v1.3.2.
Type: “whonix” for help.
uwt INFO: Stream isolation for some applications enabled. uwt / torsocks will be automatically prepended to some commands. What is that? See:
uwt INFO: Stream Isolation: Easy
user@host:~$ onionshare-gui
Reading profile /etc/firejail/onionshare-gui.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 2023, child pid 2024
Child process initialized in 78.28 ms
/usr/lib/uwtwrapper: line 327: /sbin/ifconfig: Permission denied
Parent is shutting down, bye…
1 Like
Sure. Perhaps keep a short explanation why Debian buster (even bulseye) version is Undocumented, Untested or Unsupported Features at Whonix. Perhaps even just one short sentence for better usability and a few details in a footnote. We aren’t coerced to document everything in every version. Only as far as the Contributors and Authorship are willing to support it.
Sure.
Even Qubes-Whonix isn’t too complicated. I am demonstrating how to use flatpak in (Qubes-)Whonix on this page:
Chromium
If you would like, what would be useful would be a wiki template flatpak-install.
[1] I actually researched that in context of Dev/Default Browser - Kicksecure but since kicksecure.com isn’t public yet and since flatpak use instructions are interesting (such as for the use case here), I’ve added to Whonix wiki.
Related:
FlatPak as a Software Source / flathub as a source of software
Thanks.
This is tested to work in Qubes-Whonix for OnionShare persistence in the AppVM after reboot/restart. (The --user tag will clearly work for other matters as well e.g. Chromium etc.)
It is clearly not as safe as having it installed in the TemplateVM, but so long as the user only uses that AppVM for that sole purpose, that will limit the risk somewhat. We should create a wiki template as you said.
(PS I think we should have standard flatpak installed in WS in Whonix 16. Just makes it easier.)
In whonix-ws-15-onionshare TemplateVM:
sudo apt-get install flatpak
In whonix-ws-15-onionshare AppVM: (note the --user tag)
flatpak --user remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
flatpak --user install flathub org.onionshare.OnionShare
To launch OnionShare v2.3.1:
flatpak run org.onionshare.OnionShare
Note - I see OnionShare will work (connect to the Tor network successfully) with its bundled Tor version if you don’t change the settings. We should probably warn against that, as it would then lead to Tor-over-Tor in Whonix.
1 Like
Due to too old version… anon-meta-packages whonix-workstation-packages-recommended-gui should no longer Depends: on Debian -- Details of package onionshare in buster?
In other words: No longer install OnionShare by default inside Whonix?
(Until Whonix gets rebased to Debian bullseye (Whonix 16) and OnionShare 2.3.1 arrived in Debian bullseye.)
Documentation currently still mentions v1.3.2:
Figure: First Start of OnionShare v1.3.2 GUI
In v1.3.2 you can check
Remove onionshare non-flatpak instructions?
Last I checked OnionShare 2.2 is probably in the next Debian release. That utilises v3 onions etc. and has most functionality except the anonymous chat. Since I know you’ll update to Debian 11 at the first opportunity, we could just wait a couple of months (or so) and more strongly recommend people use the flatpak method in the meantime as a reasonable compromise.
(Also easier to leave non-flatpak instructions for easy updating later on.)
1 Like
Quote The Tor Project: Onion Service version 2 deprecation timeline [archive]:
Retirement
Here is our planned deprecation timeline:
1. September 15th, 2020
0.4.4.x: Tor will start warning onion service operators and clients that v2 is deprecated and will be obsolete in version 0.4.6.
2. July 15th, 2021
0.4.6.x: Tor will no longer support v2 and support will be removed from the code base.
3. October 15th, 2021
We will release new Tor client stable versions for all supported series that will disable v2.
@Patrick
This is not a good news for me (No longer install OnionShare by default) as I was a user of OnionShare.
Would it be possible to install it using a particular method or it is not recommended? Is it the recommended solution?
Flatpak installation method recommended, see:
Thanks for your support.
EDIT : Solved using the recommended method.
onion-grater profiles…
- config/chroot_local-includes/etc/onion-grater.d/onionshare.yml · master · tails / tails · GitLab
- vs
- onion-grater/40_onionshare.yml at master · Whonix/onion-grater · GitHub
Any changes required?
//cc @JeremyRand
onion-grater profile updated for OnionShare 2.4. Experimental.