whonix git repository onionized

Btw packages by Whonix might have low activity because they might not be well known. Packages might not be well known because there’s no nice interface to present them. In the future hopefully this might help:
packages.debian.org APT package repository web interface for deb.whonix.org

Yes.

An interesting problem I’ve been wondering about for a long time, but I don’t think anyone has solved it.

Whonix Warrant Canary

Even official Whonix news isn’t read. Still lots of duplicate questions. Related:

No. Pushing a git branch doesn’t require github or gitlab. Just because Whonix has accounts at github and gitlab that doesn’t mean contribution needs an account at either service.

Any git repository anywhere on the clearnet or onion would be acceptable, either at a third-party host (let’s say an account at https://savannah.gnu.org/ or sourceforge.net could be used to host a git branch)...

I could easily git remote add a repository which someone has pushed to savannah or sourceforge and wouldn’t need an account there myself. What I would do is an anonymous clone.

...or even self-hosting an onion with gitlab, gitweb or anything else git-compatible would be OK.

That’s what I meant with git is decentralized.

(Maybe related: Hosting Location Hidden Services - Whonix)

Last but not least, git is compatible with “e-mail”. Patches can be (and regularly are, for other projects) sent by e-mail. But even e-mail is optional. Plain text submission anywhere, such as forums, should suffice. A local git branch (anonymous clone from git(hub/lab) without an account) is sufficient. With the help of git-format-patch a text file can be created which could very most likely even be pasted here in this forum. That text file could be copied/pasted and applied in a local branch for review and then merged.

As for security, we shouldn’t rely on either TLS or onion anyhow. Not even on any servers. Whonix’s source code wouldn’t be compromised if all servers currently hosting it were malicious. That’s because I have a local copy on my local disk. For security, the important thing is to sign git commits and to verify git commits before merging.

As for users git cloning a repository it’s best for security to verify git commit signatures. (That’s documented in Whonix images build documentation as well as Whonix package build documentation.)

Currently if TLS or github/gitlab was ever compromised that would be caught when gpg verifying the git commit after git clone/fetch.

Currently Whonix onions suffer from the same issue as other onions hosted on a (commercial) server. Once the server is compromised, the attacker can impersonate the onion. There’s no onion domain hierarchical seed phrase (similar to cryptocurrencies) which can be used to spawn any number of onions from and there’s no revocation mechanism either.

TLS is standard. onion is kind of a “gimmick”. gpg is still the gold standard for git since that transcends all man-in-the-middle attacks (assuming previous secure transfer for the gpg fingerprint and correct gpg usage). Related:

Does onion still seem important?

To git push you most likely need an account. But it doesn’t need to be at github or gitlab. Any third party or self-hosted git would work. (If self-hosted it might even be possible without account.)

Any remote repo could easily fetch from Whonix github/gitlab.

1. Anonymously git clone Whonix github/gitlab…
2. git push to third-party git server (clearnet, onion, third-party or self-hosted)
   - Could probably be easily scripted.
   - If gitlab based, gitlab as far as I know has a feature to auto-mirror.

For that, it’s always useful to have a separate (Whonix) VM with a separate e-mail account and separate Whonix forum, github, gitlab or any other accounts.

For sure.
Very, very few projects publish their server config.

Btw mig5 worked under contract. Filled the gap that was left when fortasse, the previous server maintainer, stepped down. Other than that…

…nobody ever commented on any server related stuff which was Open Sourced back then.
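The account-free contribution flow and the "verify before merging" gate described in the posts above, as an added example that is not part of the thread or of Whonix's own tooling. Everything here is constructed in a temporary directory: an "upstream" repository standing in for the public Whonix git repo, an anonymous (read-only) clone on the contributor's side, a patch file produced by git format-patch that could be pasted as plain text, and a maintainer-side branch that applies it with git am. The merge gate then runs git verify-commit, which refuses the unsigned commit; with the project's key imported into gpg and a signed commit it would pass instead. The identities and paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the Whonix forum thread or project.
set -eu

# Constructed identities; a real submission carries the contributor's own.
export GIT_AUTHOR_NAME="Anonymous Contributor"
export GIT_AUTHOR_EMAIL="contributor@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME"
export GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
UPSTREAM="$WORK/upstream"   # stands in for the public (github/gitlab/onion) repo
CONTRIB="$WORK/contrib"     # contributor's anonymous clone, no account involved
REVIEW="$WORK/review"       # maintainer's local branch used for review

# Build a tiny upstream repository with one commit.
setup_upstream() {
  git init -q "$UPSTREAM"
  printf 'line one\n' > "$UPSTREAM/README"
  git -C "$UPSTREAM" add README
  git -C "$UPSTREAM" commit -q -m "initial import"
}

# Contributor side: anonymous clone, one local commit, then git format-patch
# turns that commit into a plain text file fit for e-mail or a forum post.
# Prints the path of the patch file.
make_patch() {
  git clone -q "$UPSTREAM" "$CONTRIB"
  printf 'line two\n' >> "$CONTRIB/README"
  git -C "$CONTRIB" commit -q -am "README: add second line"
  git -C "$CONTRIB" format-patch -1 --stdout HEAD > "$WORK/0001.patch"
  printf '%s\n' "$WORK/0001.patch"
}

# Maintainer side: fresh local clone, apply the pasted text with git am.
# The transport (TLS, onion, forum paste) plays no role in what follows.
apply_patch() {
  git clone -q "$UPSTREAM" "$REVIEW"
  git -C "$REVIEW" am -q "$1"
}

# Returns 0 only if the commit carries a signature gpg can verify against
# a key in the maintainer's keyring; unsigned commits (and a missing gpg)
# make git verify-commit exit non-zero.
signed_ok() {
  git -C "$1" verify-commit "$2" >/dev/null 2>&1
}

# Merge gate: the signature check decides, not where the patch came from.
review_and_merge() {
  if signed_ok "$1" HEAD; then
    echo "signature verified, merging"
    return 0
  fi
  echo "refusing to merge: HEAD is not signed by a trusted key"
  return 1
}

setup_upstream
PATCH="$(make_patch)"
apply_patch "$PATCH"
review_and_merge "$REVIEW" || true
```

The patch file is ordinary text (a mail-style header followed by a unified diff), which is why it survives being pasted into a forum post; git am reconstructs author, date and message from it. Swapping `verify-commit` for `log --show-signature` gives the same verdict in a form that is easier to read during review.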