
Bug#990126: unblock: apt-transport-tor/0.5



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: deity@lists.debian.org

Hi,

Please unblock package apt-transport-tor

The package is extremely simple, consisting of a bunch of symlinks
and a lengthy README file – only the latter is changed here.

[ Reason ]

  * List v3 instead of v2 onion addresses in README
    The old v2 addresses will stop working soon. (Closes: #990002)
    See: https://blog.torproject.org/v2-deprecation-timeline
  * Document localhost vs 127.0.0.1 default proxy setting
    The change itself was in apt (>= 1.7) already (Closes: #895908)
  (* fixing also 3 small non-consequential typos in README as well…)


[ Impact ]

Incorrect documentation in a package which is mostly about documentation
is very bad from a user PoV.

Users will also have a (slightly) harder time finding a trustable source
of information for the onion addresses they can use (or have to replace
their current v2 usage with).

(but of course, the world continues spinning, if you choose to NACK)


[ Risks ]

No code change (the package has effectively no code).

The bump of the recommends on apt is documentation-only and without
practical effects as the version is satisfied in buster already.

So I am willing to wager on "risk free" betting a bunch of apt brownie
points.¹


[ Other info ]

Sorry for annoying you with this, this late. I somehow entirely missed
the v2 deprecation, so I sadly can't do anything about it in src:apt
code wise, but I think we should at least fix the documentation to give
users a helping hand with these transitions.

Thanks for considering:

unblock apt-transport-tor/0.5


Best regards

David Kalnischkies

¹ I would offer points regardless, but I don't want to risk coming off
  as trying to bribe the Release Team. 😉
diff -Nru apt-transport-tor-0.4/debian/changelog apt-transport-tor-0.5/debian/changelog
--- apt-transport-tor-0.4/debian/changelog	2018-01-22 17:36:38.000000000 +0100
+++ apt-transport-tor-0.5/debian/changelog	2021-06-21 12:14:55.000000000 +0200
@@ -1,3 +1,12 @@
+apt-transport-tor (0.5) unstable; urgency=medium
+
+  * Document localhost vs 127.0.0.1 default proxy setting
+    The change itself was in apt (>= 1.7) already (Closes: #895908)
+  * List v3 instead of v2 onion addresses in README
+    The old v2 addresses will stop working soon. (Closes: #990002)
+
+ -- David Kalnischkies <donkult@debian.org>  Mon, 21 Jun 2021 12:14:55 +0200
+
 apt-transport-tor (0.4) unstable; urgency=medium
 
   * fix typo in Vcs-{Git,Browser} URI
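Review bot: The 0.5 entry lists only the two README changes, but this upload also raises the apt Recommends in debian/control from 1.6~alpha6 to 1.7~alpha1 and fixes typos in README.md. Add a line for the Recommends bump so the control change can be traced from the changelog.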
diff -Nru apt-transport-tor-0.4/debian/control apt-transport-tor-0.5/debian/control
--- apt-transport-tor-0.4/debian/control	2018-01-22 17:36:38.000000000 +0100
+++ apt-transport-tor-0.5/debian/control	2021-06-21 12:14:55.000000000 +0200
@@ -14,7 +14,7 @@
 Architecture: all
 Multi-Arch: foreign
 Depends: apt (>= 1.3~rc1), ${misc:Depends}
-Recommends: apt (>= 1.6~alpha6), tor
+Recommends: apt (>= 1.7~alpha1), tor
 Description: APT transport for anonymous package downloads via Tor
  Provides support in APT for downloading packages anonymously via the Tor
  network.
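Review bot: The bumped version sits in Recommends while Depends stays at apt (>= 1.3~rc1), so the package remains installable alongside an apt that still defaults to localhost. That is consistent with the new README paragraph about apt before 1.7, but a short comment above the Recommends line saying the version is informational would keep the next maintainer from reading it as an enforced floor.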
diff -Nru apt-transport-tor-0.4/README.md apt-transport-tor-0.5/README.md
--- apt-transport-tor-0.4/README.md	2018-01-22 17:36:38.000000000 +0100
+++ apt-transport-tor-0.5/README.md	2021-06-21 12:14:55.000000000 +0200
@@ -39,17 +39,17 @@
 
 Debian Project: [Complete List](https://onion.debian.org) [Announcement](https://bits.debian.org/2016/08/debian-and-tor-services-available-as-onion-services.html)
 
- * ftp.debian.org: tor+http://vwakviie2ienjx6t.onion/
- * security.debian.org: tor+http://sgvtcaew4bxjd7ln.onion/
- * people.debian.org: tor+http://hd37oiauf5uoz7gg.onion/
- * debug.mirrors.debian.org: tor+http://ktqxbqrhg5ai2c7f.onion/
- * incoming.debian.org: tor+http://oscbw3h7wrfxqi4m.onion/
- * ftp.ports.debian.org: tor+http://nbybwh4atabu6xq3.onion/
- * incoming.ports.debian.org: tor+http://vyrxto4jsgoxvilf.onion/
+ * ftp.debian.org: tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/
+ * security.debian.org: tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/
+ * people.debian.org: tor+http://x6tkjqr46ghqmlqiwyllf5ufg6ciyexsxxfw2copx7cptw4aszq6fdqd.onion/
+ * debug.mirrors.debian.org: tor+http://3lz3irtzg5i4z2sz3qca3oz3sdk3p5a3xlmz3zqwornapeofvoudajid.onion/
+ * incoming.debian.org: tor+http://yhugxzj2ys6livectgptp2ohuqnchtfltetjbkn2jkyersatww2am4yd.onion/
+ * ftp.ports.debian.org: tor+http://xa2v5hi4gwrvrhj3awz2v4crufymvjhkx3q25wd3n2bpf5574du4afqd.onion/
+ * incoming.ports.debian.org: tor+http://y63o645rjql7rm3pnw4sarqaoxrhjk3o62vhgqbkgzjouue2i7qybyad.onion/
 
 Tor Project: [Complete List](https://onion.torproject.org/) [Announcement](https://blog.torproject.org/blog/debian-and-tor-services-available-onion-services)
 
- * deb.torproject.org: tor+http://sdscoq7snqtznauu.onion/
+ * deb.torproject.org: tor+http://apow7mjfryruh65chtdydfmqfpj5btws7nbocgtaovhvezgccyjazpqd.onion/
 
 Note that this list might not be current: Verify before use! The list is
 provided only to showcase that many commonly used repositories are already
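Review bot: Nothing in this hunk or in the changelog entry says where the seven Debian addresses and the deb.torproject.org address were taken from, and a 56-character string is hard to check by eye. State the source in the changelog (for example the two linked Complete List pages), and consider moving the "Verify before use!" note above the list so readers see it before copying an address.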
@@ -59,9 +59,9 @@
 
 ### Preventing user identification by languages
 
-APT sents no directly user identifying data to a server, but the server (and
+APT sends no directly user identifying data to a server, but the server (and
 any observer between you and the server) can guess based on the languages apt
-downloads data for which languages the user might speak and from that infere
+downloads data for which languages the user might speak and from that infer
 culture and/or origin country of the user. With a particular uncommon set it
 might even be possible to identify a user.
 
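Review bot: With the two typos fixed, the first sentence is still hard to parse at "can guess based on the languages apt downloads data for which languages the user might speak". Setting off "based on the languages apt downloads data for" with commas and hyphenating "user-identifying" would make it readable on the first pass.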
@@ -77,13 +77,20 @@
 By default, apt-transport-tor uses the following SOCKS proxy setting, which
 is the default location of a locally installed Tor instance:
 
-	Acquire::tor::proxy "socks5h://apt-transport-tor@localhost:9050";
+	Acquire::tor::proxy "socks5h://apt-transport-tor@127.0.0.1:9050";
 
 Note the use of a username to make use of the default IsolateSOCKSAuth Tor
 setting for stream isolation, which requires Tor 0.2.4.19 to work well.
 This means your apt traffic will be sent over a different circuit from your
 regular Tor traffic and for each host you connect to.
 
+Earlier apt versions (before 1.7) default to `localhost` instead of `127.0.0.1`.
+This can lead to SRV requests being sent to a DNS server – for most users that
+should be a local caching server, but for some it might be a more remote (and
+hence potentially hostile) server. This is something to be aware of in general
+if you are using a hostname in the configuration. On the upside this can give
+you all the flexibility provided via SRV.
+
 ### Disabling use of http(s) without Tor in APT
 
 APT >= 1.3 allows methods to be disabled without removing them from the system,
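Review bot: The added paragraph describes the localhost default of apt before 1.7 and the resulting SRV requests, but it does not tell an affected user what to do. Add a sentence telling users of older apt to set Acquire::tor::proxy explicitly to the 127.0.0.1 form shown above, and spell out "SRV requests" as DNS SRV lookups for the proxy hostname.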
@@ -100,13 +107,13 @@
 URI of a central service.
 
 You can override the value from the Release file to use Tor here as well, or if
-you happen to know an onion address use this one instead. the following listing
+you happen to know an onion address use this one instead. The following listing
 gives three valid configurations for Debian where the first one is the default,
 the second uses the default via Tor and the third uses an onion service address.
 
 	Acquire::Changelogs::URI::Override::Origin::Debian "http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";;
 	Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";;
-	Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://cmgvqnxjoiqthvrc.onion/changelogs/@CHANGEPATH@_changelog";;
+	Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://4inahjbeyrmqzhvqbsgtcmoibz47joueo3f44rgidig6xdzmljue7uyd.onion/changelogs/@CHANGEPATH@_changelog";;
 
 ### Using apt-transport-mirror together with Tor
 
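Review bot: The v3 address in the third Acquire::Changelogs example does not appear in the onion list earlier in the README, so readers have nothing in the file to cross-check it against. Name the service it belongs to (metadata.ftp-master.debian.org, per the first two example lines) in the surrounding text or add it to the list. The three example lines also end in ";;" as shown here; check that the README itself has a single terminator.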

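The v2 to v3 switch documented in this upload can be checked on a system's own APT sources. The following is an added example, not part of the original message or of apt-transport-tor: it flags legacy 16-character onion labels and 56-character labels whose embedded v3 checksum or version byte does not match, which catches copy errors. The function names and the sample sources.list text are constructed for illustration, and a passing checksum only shows the address is well-formed, not who operates it.

```python
import base64
import hashlib
import re

# Host label of tor+http(s) onion URIs as written in APT source entries.
ONION_RE = re.compile(r"tor\+https?://([a-z0-9]+)\.onion\b", re.IGNORECASE)

def classify_onion(label):
    """Return 'v2', 'v3' or 'invalid' for the label in front of '.onion'."""
    label = label.lower()
    if len(label) == 16:
        return "v2"  # legacy form; the changelog says these stop working
    if len(label) != 56:
        return "invalid"
    try:
        raw = base64.b32decode(label.upper())  # 56 chars -> 35 bytes
    except ValueError:
        return "invalid"
    # v3 layout: 32-byte public key, 2-byte checksum, 1-byte version.
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    digest = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()
    return "v3" if version == b"\x03" and checksum == digest[:2] else "invalid"

def audit_sources(text):
    """Return (line_no, label, verdict) for onion URIs on uncommented lines."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for match in ONION_RE.finditer(line):
            label = match.group(1).lower()
            findings.append((line_no, label, classify_onion(label)))
    return findings

# Constructed sample: line 1 uses the old v2 ftp.debian.org address from the
# README diff, line 2 the new v3 one, line 3 the v3 security.debian.org
# address with its last two characters swapped (a constructed typo).
SAMPLE = """\
deb tor+http://vwakviie2ienjx6t.onion/debian bullseye main
deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian bullseye main
deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmdi.onion/debian-security bullseye-security main
# deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security bullseye-security main
"""

if __name__ == "__main__":
    for line_no, label, verdict in audit_sources(SAMPLE):
        print(f"line {line_no}: {label}.onion -> {verdict}")
```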