From 2fd8655ca7da6ff31f73253986bab7bd311664c7 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Mon, 22 Jan 2018 14:15:18 +0100 Subject: add a paragraph about changelog download via Tor --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index c03d7a2..ed3ff6b 100644 --- a/README.md +++ b/README.md @@ -78,6 +78,22 @@ via the following configuration options to fail for non-tor-http(s) sources: Dir::Bin::Methods::http "false"; Dir::Bin::Methods::https "false"; +### Downloading changelogs + +The locations of changelogs is independent of repository. The Release file can +and should include the URI changelogs can be found on, which tends to be an http +URI of a central service. + +You can override the value from the Release file to use Tor here as well, or if +you happen to know an onion address use this one instead. the following listing +gives three valid configurations for Debian where the first one is the default, +the second uses the default via Tor and the third uses an onion service address. + + Acquire::Changelogs::URI::Override::Origin::Debian "http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog"; + Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog"; + Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://cmgvqnxjoiqthvrc.onion/changelogs/@CHANGEPATH@_changelog"; + + ## Caveats Downloading your Debian packages over Tor prevents an attacker who is -- cgit v1.2.3-18-g5258
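Review bot: The listing at the end of the new "Downloading changelogs" section in README.md gives three values for the same key, Acquire::Changelogs::URI::Override::Origin::Debian, without marking them as alternatives. A reader who copies the whole listing ends up with three conflicting assignments, so the paragraph above it should say that exactly one line is to be chosen. Because the section directly follows the Dir::Bin::Methods::http "false" and Dir::Bin::Methods::https "false" settings, it is also worth stating that with those methods disabled the first (default, plain http) value is one of the sources configured to fail, which is the practical reason to set one of the tor+http overrides. Wording in the added paragraphs: "The locations of changelogs is independent of repository" should read "The location of changelogs is independent of the repository", and "use this one instead. the following listing" needs a capital "The".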