Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor

To: 745259@bugs.debian.org
Cc: Debian Devel <debian-devel@lists.debian.org>
Subject: Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
From: Tim Retout <diocles@debian.org>
Date: Tue, 22 Apr 2014 21:34:44 +0100
Message-id: <[🔎] CADc0ge-AYKarvQshiBw36cbmejseS_SFdfD-cvevTBiWxvtNpg@mail.gmail.com>
Reply-to: Tim Retout <diocles@debian.org>, 745259@bugs.debian.org
In-reply-to: <[🔎] 20140422121046.GA6644@crossbow>
References: <[🔎] 20140419225032.23729.94870.reportbug@thinkpad> <[🔎] 20140422121046.GA6644@crossbow>

On 22 April 2014 13:10, David Kalnischkies <david@kalnischkies.de> wrote:
> It is also such a trivial modification¹ that I wonder why a fork is
> needed as the required metadata will easily exceed the code changes.
> Just provide a patch which does those settings based on the name of
> the binary called, like apt is handling it for its gzip/bzip2/lzma/xz
> methods and be done with it forever instead of maintaining a fork.
> Or even better just add SOCKS proxy support to the existing methods…
>
>
> Where does it lead us to, when DDs prefer to do forks of Debian native
> packages? I am bit scared of the answer…
> (it explains though why my apt3 in brainfuck is going nowhere. ;) )

Hello. :)

I hope you are not too offended by my fork of this code, since you
gave me the idea last week!  ("Our acquire system is pluggable..." -
https://lists.debian.org/deity/2014/04/msg00075.html )

There are a few reasons I have not yet added SOCKS support to apt properly:

- I would like to backport this feature to wheezy, and I am not so
comfortable uploading a backport of all of apt.
- Adding SOCKS support to the http method means writing a SOCKS client
in C++.  I did spend two days looking at this option, but to be
honest, I'm not even that comfortable with apt having its own HTTP
parser, and would rather rely on libcurl.  I want to prototype a
libcurl-based HTTP acquire method (which should then make this package
more than a trivial modification).
- Even if we add SOCKS support to apt, I can foresee it being
difficult to configure it safely for use with Tor - you need to use:
    - socks5h, so that the proxy does the DNS lookups
    - a username/password, for stream isolation when using IsolateSOCKSAuth
    - probably a standard useragent string (i.e. not one that depends
on the version of apt being used) - I'm still looking at this
  It can be done, but it will be tricky for end users to get right.

So, I think a separate 'tor' method is the way to go for usability
reasons, regardless of whether SOCKS support is added to the other
methods.  I could turn this into a separate binary package built from
the apt source package?  But only if you think it is appropriate for
backporting to wheezy.

What do you think?  I would still like to experiment with a
libcurl-based HTTP method somewhere.

Kind regards,

-- 
Tim Retout <diocles@debian.org>

Reply to:

References:
- Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
  - From: Tim Retout <diocles@debian.org>
- Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
  - From: David Kalnischkies <david@kalnischkies.de>

Prev by Date: Bug#628948: Adopting hxe for debian and some question about our own copyright
Next by Date: Processed: owner 734868
Previous by thread: Bug#745259: ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor
Next by thread: Bug#745259: marked as done (ITP: apt-transport-tor -- APT transport for anonymous package downloads via Tor)
Index(es):
- Date
- Thread