tool to onionize all APT sources

Soon there will be separate repositories. Whonix and Kicksecure.

Kicksecure will use Kicksecure repository only.

Whonix will use Kicksecure and Whonix repository.

plan to use repository-dist in general (whonix and kicksecure)?

Seems possible. If you see the code, only 2 domains lines have to be altered, or even, --domain [whonix|kicksecure|debian|qubes] in the future, and the domains clear and onion will be chosen by this option. But lets start with kicksecure first to avoid dpkg conflicts as you said.


repository-dist will manage both repository lines.

1 Like
1 Like

Thank you for working on this!

Pull request won’t work as is because:

In other words there will be two deb [...] lines in the derivative.list file for Whonix.
(And only 1 for Kicksecure.)

Autodetection of Whonix vs Kicksecure could be implemented by checking existence of these marker files:

  • /usr/share/kicksecure/marker
  • /usr/share/whonix/marker

Could you fix this please?

So whonix option to be enabled on kicksecure will be disabled?

The way I did on local branch now is:

  • if --url is not provided then
    • if whonix is detected, use it
    • if kicksecure is detected, use it
    • if none are detected, error out and ask to provide url.

but the above will be supersed if on whonix for example, you run --url kicksecure to manage kicksecure repo in whonix.
Should this be disabled on kicksecure?

1 Like

Whonix enable:

  • Kicksecure, and
  • Whonix

Kicksecure enable:

  • Kicksecure only

The design is:
Whonix is based on Kicksecure.
Not historically but that’s the technical design end-goal how to organize things.

1 Like

In case of Whonix, both repository lines, Whonix and Kicksecure need to be enabled.

1 Like

Sorry, maybe I didn’t express this very clearly.

The plan is…

Kicksecure will use:

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+ bullseye main contrib non-free

Whonix will use:

deb [signed-by=/usr/share/keyrings/derivative.asc] tor+ bullseye main contrib non-free
deb [signed-by=/usr/share/keyrings/derivative.asc] tor+ bullseye main contrib non-free

on the same file?

I am using two files to test.

On whonix, running --transport onion will convert sources to onion on /etc/apt/sources.list.d/{derivative,kickescure}.list

Yes. I guess that is easiest. derivative.list

1 Like

link to github updated:

Excellent! Thank you! Merged.

1 Like

I’ll reset to plain-tls-tor default for now.
Whonix previously was onion by default (all repositories, Debian and Whonix). That however was too unstable back then. Now with onion v3 however it might be worth to do another attempt. I plan on doing this after the next stable point release which should follow in a few days.

1 Like

Added some other minor commits on top.

This is now in the testers repository.

1 Like

This is now in the stable repository.

And this was also released in Whonix - for VirtualBox - Point Release!

What’s missing:
repository-dist-wizard (GUI) support.

1 Like

A post was split to a new topic: E: Repository 'tor+ bullseye InRelease' changed its 'Origin' value from 'kicksecure' to 'whonix'