sdwdate improvements have been implemented in git master and Whonix developers repository:
- sdwdate can now recover and successfully set the system clock even if the system clock is so slow (year 2000) or fast (year 2050) that Tor is unable to connect.
- Based on Fixing Time based on Tor Consensus.
- The time fetching part of sdwdate (abstracted as separate script `url_to_unixtime` so it can be more easily confined) is now a python3 requests based implementation with the following features:
  - HTTP header fetching
  - HTTP header parsing (we need the `Date:` field)
  - HTTP 1.0 and HTTP 1.1 compatibility
  - TLS support
  - socks support (for Tor configuration and stream isolation)
Issue of Most Onions Down due to a Denial of Service Attack on the Tor Network / sdwdate synchronisation fails, sometimes works - #4 by Patrick has not been addressed due to lack of a concept how sdwdate could fetch time if most onions are down most of the time.
- sdwdate/sdwdate at master · Kicksecure/sdwdate · GitHub
- sdwdate/url_to_unixtime at master · Kicksecure/sdwdate · GitHub
- sdwdate/usr.bin.sdwdate at master · Kicksecure/sdwdate · GitHub
- sdwdate/usr.bin.url_to_unixtime at master · Kicksecure/sdwdate · GitHub
- sdwdate/sdwdate.service at master · Kicksecure/sdwdate · GitHub
- https://github.com/Whonix/sdwdate/blob/master/lib/systemd/system/sdwdate-restart-tor-request-file-watcher.service
- https://github.com/Whonix/sdwdate/blob/master/usr/lib/sdwdate/sdwdate-restart-tor-request-file-watcher
- sdwdate/test-clock-fast at master · Kicksecure/sdwdate · GitHub
- sdwdate/test-clock-slow at master · Kicksecure/sdwdate · GitHub
- helper-scripts/anondate at master · Kicksecure/helper-scripts · GitHub
- helper-scripts/anondate-get at master · Kicksecure/helper-scripts · GitHub
- helper-scripts/anondate-set at master · Kicksecure/helper-scripts · GitHub
- helper-scripts/anondate-tester at master · Kicksecure/helper-scripts · GitHub
- https://github.com/Whonix/helper-scripts/blob/master/etc/apparmor.d/usr.sbin.anondate-get
- https://github.com/Whonix/helper-scripts/blob/master/etc/apparmor.d/usr.sbin.anondate-set
Could use some help with apparmor / seccomp / systemd / sandbox-app-launcher confinement.
//cc @madaidan
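
The header parsing step listed in the post above (extracting the `Date:` field from an HTTP 1.0 or 1.1 response and converting it to Unix time), as an added example that is not part of the original post and is not sdwdate's own `url_to_unixtime` code. The function name and the sample responses are constructed for illustration; fetching over TLS and socks is left out so the block runs offline.

```python
from email.utils import parsedate_to_datetime


def http_response_to_unixtime(raw: bytes) -> int:
    """Return the Unix time carried in the Date: header of a raw HTTP/1.x response."""
    # Only the header block matters; the body is never inspected.
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    if status_line.split(" ", 1)[0] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError("not an HTTP/1.0 or HTTP/1.1 response")

    # Header names are case-insensitive; collect every Date field so that
    # a missing or duplicated header is rejected instead of guessed at.
    dates = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            dates.append(value.strip())
    if len(dates) != 1:
        raise ValueError(f"expected exactly one Date header, found {len(dates)}")

    try:
        parsed = parsedate_to_datetime(dates[0])
    except (TypeError, ValueError) as exc:
        raise ValueError(f"unparsable Date header: {dates[0]!r}") from exc

    # HTTP dates are expressed in GMT; refuse naive or offset timestamps.
    if parsed.tzinfo is None or parsed.utcoffset().total_seconds() != 0:
        raise ValueError("Date header is not in GMT")
    return int(parsed.timestamp())


# Constructed sample responses (not captured from any real server).
SAMPLE_HTTP11 = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: example\r\n"
    b"date: Sun, 06 Nov 1994 08:49:37 GMT\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_HTTP10 = b"HTTP/1.0 301 Moved\r\nDate: Sun, 06 Nov 1994 08:49:37 GMT\r\n\r\n"
SAMPLE_NO_DATE = b"HTTP/1.1 200 OK\r\nServer: example\r\n\r\n"
SAMPLE_OFFSET = b"HTTP/1.1 200 OK\r\nDate: Sun, 06 Nov 1994 08:49:37 +0100\r\n\r\n"

if __name__ == "__main__":
    print(http_response_to_unixtime(SAMPLE_HTTP11))
```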