Your message dated Fri, 25 Aug 2017 19:26:53 +0200
with message-id <20170825172652.pfvhqrdmmrhme3mq@crossbow>
and subject line Re: Bug#873190: apt blocking .onion (tor) repositories
has caused the Debian Bug report #873190,
regarding apt blocking .onion (tor) repositories
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
873190: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=873190
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt blocking .onion (tor) repositories
- From: spaetzle <debian-apt@klosternacht.de>
- Date: Fri, 25 Aug 2017 14:40:25 +0200
- Message-id: <150366482516.10977.3064987739203502214.reportbug@mistral>
Package: apt
Version: 1.4.7
Severity: normal

Dear Maintainer,

I just upgraded (rather a completely new, blank installation) from Raspbian/Debian Jessie to Stretch. I used to point apt to several x.onion repositories (hosted on and within the tor network). I just tried again, however apt now seems to block .onion repos in general - I get the following message:

"Direct connection to .onion domains is blocked by default."

My whole traffic is going through a gateway which is routing any outside traffic through tor automatically. In the past everything worked pretty fine when just listing .onion repos. The comment to use a separate apt-tor package is useless - it would just send tor over tor (which is to be avoided).

I don't understand what the idea is behind blocking .onion repos.

a) If such a repo is listed but there is no tor re-routing installed there will be just no connection to it at all (so no security issue; just an error that the repo is not reachable).

b) If tor re-routing is installed everything will work right away and is highly secure with the traffic going through tor.

For people with setup a) the option to list tor+http and install the apt-tor package is fine, but the current behaviour breaks the full tor re-routing of setup b).

Could you please consider removing the blocking of .onion repos - there will be no security harm whatsoever with removing it.
-- Package-specific info:
-- apt-config dump --

-- (no /etc/apt/preferences present) --

-- (no /etc/apt/preferences.d/* present) --

-- /etc/apt/sources.list --
deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspbian.org/raspbian/ stretch main contrib non-free rpi

-- /etc/apt/sources.list.d/80-torproject.list --
# Tor onion-site replacement for:
# deb http://deb.torproject.org/torproject.org stretch main
deb [allow-insecure=yes] http://sdscoq7snqtznauu.onion/torproject.org stretch main

-- /etc/apt/sources.list.d/raspi.list --
deb http://archive.raspberrypi.org/debian/ stretch main ui
# Uncomment line below then 'apt-get update' to enable 'apt-get source'
#deb-src http://archive.raspberrypi.org/debian/ stretch main ui

-- System Information:
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch
Architecture: armv7l
Kernel: Linux 4.9.41-v7+ (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apt depends on:
ii  adduser                   3.115
ii  gpgv                      2.1.18-6
ii  init-system-helpers       1.48
ii  libapt-pkg5.0             1.4.7
ii  libc6                     2.24-11+deb9u1
ii  libgcc1                   1:6.3.0-18+rpi1
ii  libstdc++6                6.3.0-18+rpi1
ii  raspbian-archive-keyring  20120528.2

Versions of packages apt recommends:
ii  gnupg  2.1.18-6

Versions of packages apt suggests:
pn  apt-doc         <none>
ii  aptitude        0.8.7-1
ii  dpkg-dev        1.18.24
pn  powermgmt-base  <none>
pn  python-apt      <none>

-- no debconf information
--- End Message ---
--- Begin Message ---
- To: spaetzle <debian-apt@klosternacht.de>, 873190-done@bugs.debian.org
- Subject: Re: Bug#873190: apt blocking .onion (tor) repositories
- From: David Kalnischkies <david@kalnischkies.de>
- Date: Fri, 25 Aug 2017 19:26:53 +0200
- Message-id: <20170825172652.pfvhqrdmmrhme3mq@crossbow>
- In-reply-to: <150366482516.10977.3064987739203502214.reportbug@mistral>
- References: <150366482516.10977.3064987739203502214.reportbug@mistral>
On Fri, Aug 25, 2017 at 02:40:25PM +0200, spaetzle wrote:
> "Direct connection to .onion domains is blocked by default."

You can use the option Acquire::BlockDotOnion to change this, e.g.
echo 'Acquire::BlockDotOnion "false";' > /etc/apt/apt.conf.d/

> I don't understand what the idea is behind blocking .onion repos.

The idea is described in RFC7686 [0]: The ".onion" Special-Use Domain Name
Specifically §2 point 2:
| […] Applications that do not implement the Tor
| protocol SHOULD generate an error upon the use of .onion and
| SHOULD NOT perform a DNS lookup.

APT is not implementing the Tor protocol[1], so it errors out instead of performing a DNS lookup – as it should by this RFC. APT isn't the only tool doing this, Firefox is e.g. doing the same from which I have "stolen" the option name (network.dns.blockDotOnion).

> Could you please consider removing the blocking of .onion repos - there will be no security harm whatsoever
> with removing it.

§4 "Security Considerations" details in a later paragraph:
| A legacy client may inadvertently attempt to resolve a .onion name
| through the DNS. This causes a disclosure that the client is
| attempting to use Tor to reach a specific service. Malicious
| resolvers could be engineered to capture and record such leaks, which
| might have very adverse consequences for the well-being of the user.

I hope that explains why your setup doesn't work by default and why I am closing this report as notabug as I don't see how we can make your setup work by default without risking exposure for others.

Best regards

David Kalnischkies

[0] https://tools.ietf.org/html/rfc7686
[1] as in methods reaching this codepath do not implement the Tor protocol, but we have alternatives which do as the message advertises.

Attachment: signature.asc
Description: PGP signature
--- End Message ---
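As an added example (not code from the bug report, from APT, or from either participant), the following Python audit walks sources.list entries and models the two settings this thread turns on: APT's Acquire::BlockDotOnion default and the tor+http scheme that the separate Tor transport serves. The sample sources are constructed after the files quoted in the report, with a tor+http variant added for contrast.

```python
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the sources.list files quoted in the report
# (not the reporter's literal files); the last line adds a tor+http variant.
SAMPLE_SOURCES = """\
deb http://mirrordirector.raspbian.org/raspbian/ stretch main contrib non-free rpi
# deb http://deb.torproject.org/torproject.org stretch main
deb [allow-insecure=yes] http://sdscoq7snqtznauu.onion/torproject.org stretch main
deb tor+http://sdscoq7snqtznauu.onion/torproject.org stretch main
"""

# One-line sources.list format: type, optional [options], URI, suite, components.
LINE_RE = re.compile(r"^(deb|deb-src)\s+(?:\[([^\]]*)\]\s+)?(\S+)\s+(\S+)(.*)$")

def parse_options(raw):
    """Turn 'allow-insecure=yes trusted=yes' into a dict."""
    opts = {}
    for item in (raw or "").split():
        key, _, value = item.partition("=")
        opts[key] = value
    return opts

def audit_sources(text, block_dot_onion=True):
    """One finding per active line; block_dot_onion mirrors Acquire::BlockDotOnion.
    Plain http(s) to a .onion host is what the report's error rejects; tor+http
    is handed to the Tor transport and is not subject to the block."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line) if line and not line.startswith("#") else None
        if not m:
            continue
        _kind, raw_opts, uri, _suite, _rest = m.groups()
        parts = urlsplit(uri)
        is_onion = (parts.hostname or "").endswith(".onion")
        direct = not parts.scheme.startswith("tor+")
        opts = parse_options(raw_opts)
        findings.append({
            "uri": uri,
            "onion": is_onion,
            # Rejected with "Direct connection to .onion domains is blocked by default."
            "blocked": is_onion and direct and block_dot_onion,
            # Name reaches the system resolver: the RFC 7686 §4 disclosure David
            # quotes, unless that resolver is itself torified as in the reporter's setup.
            "system_dns": is_onion and direct and not block_dot_onion,
            # allow-insecure=yes disables signature verification for this source.
            "unsigned_ok": opts.get("allow-insecure") == "yes",
        })
    return findings
```

Running it with the default flags reproduces the reporter's failure on the plain http .onion line and also surfaces the allow-insecure=yes option on that same line, which is a separate weakening of the repository's trust chain.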