README.md


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142

# apt-transport-tor

Easily install Debian packages via [Tor](https://www.torproject.org).

This package implements an APT "acquire method" that handles URLs starting
with "tor+http://" or "tor+https://" in your sources.list.

## Usage

Edit your /etc/apt/sources.list like so, adjusting the suite/components
appropriately for your system:

    deb     tor+http://deb.debian.org/debian unstable main
    deb-src tor+http://deb.debian.org/debian unstable main

Note that [deb.debian.org](https://deb.debian.org/) is backed by a set of
commercial [CDN](https://en.wikipedia.org/wiki/Content_delivery_network)s,
so that you will likely be served by one of their servers close (in network
terms) to the exit node of your connection automatically.

You can of course use any other Debian mirror from the extensive [mirror
list](https://debian.org/mirror/list), but that might result in a connection
"across the globe" if the choosen exit node is far away from the mirror causing
slower connection speeds.

Alternatively, if you have the Tor onion service address of a Debian
mirror, you can use that to have your traffic never leave the Tor network:

    deb     tor+http://<long string>.onion/debian unstable main
    deb-src tor+http://<long string>.onion/debian unstable main

## APT repositories as onion services

While apt sends no directly identifying information to mirrors the download of
metadata like the Translation files as well as individual package names can
potentially reveal information about a user an adversary could observe.
If this is a concern, some APT repositories are available as onion services
which means the information doesn't leave the Tor network via an exit node:

Debian Project: [Complete List](https://onion.debian.org) [Announcement](https://bits.debian.org/2016/08/debian-and-tor-services-available-as-onion-services.html)

 * ftp.debian.org: tor+http://vwakviie2ienjx6t.onion/
 * security.debian.org: tor+http://sgvtcaew4bxjd7ln.onion/
 * people.debian.org: tor+http://hd37oiauf5uoz7gg.onion/
 * debug.mirrors.debian.org: tor+http://ktqxbqrhg5ai2c7f.onion/
 * incoming.debian.org: tor+http://oscbw3h7wrfxqi4m.onion/
 * ftp.ports.debian.org: tor+http://nbybwh4atabu6xq3.onion/
 * incoming.ports.debian.org: tor+http://vyrxto4jsgoxvilf.onion/

Tor Project: [Complete List](https://onion.torproject.org/) [Announcement](https://blog.torproject.org/blog/debian-and-tor-services-available-onion-services)

 * deb.torproject.org: tor+http://sdscoq7snqtznauu.onion/

Note that this list might not be current: Verify before use! The list is
provided only to showcase that many commonly used repositories are already
available as an onion service.

## Configuration

### Using a different Tor instance

By default, apt-transport-tor uses the following SOCKS proxy setting, which
is the default location of a locally installed Tor instance:

	Acquire::tor::proxy "socks5h://apt-transport-tor@localhost:9050";

Note the use of a username to make use of the default IsolateSOCKSAuth Tor
setting for stream isolation, which requires Tor 0.2.4.19 to work well.
This means your apt traffic will be sent over a different circuit from your
regular Tor traffic and for each host you connect to.

### Disabling use of http(s) without Tor in APT

APT >= 1.3 allows methods to be disabled without removing them from the system,
so to avoid mistakenly adding new sources without using tor you can tell apt
via the following configuration options to fail for non-tor-http(s) sources:

	Dir::Bin::Methods::http "false";
	Dir::Bin::Methods::https "false";

### Downloading changelogs

The locations of changelogs is independent of repository. The Release file can
and should include the URI changelogs can be found on, which tends to be an http
URI of a central service.

You can override the value from the Release file to use Tor here as well, or if
you happen to know an onion address use this one instead. the following listing
gives three valid configurations for Debian where the first one is the default,
the second uses the default via Tor and the third uses an onion service address.

	Acquire::Changelogs::URI::Override::Origin::Debian "http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";
	Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://metadata.ftp-master.debian.org/changelogs/@CHANGEPATH@_changelog";
	Acquire::Changelogs::URI::Override::Origin::Debian "tor+http://cmgvqnxjoiqthvrc.onion/changelogs/@CHANGEPATH@_changelog";


## Caveats

Downloading your Debian packages over Tor prevents an attacker who is
sniffing your network connection from being able to tell which packages
you are fetching, or even that your traffic is Debian-related.

However, this does not necessarily defend you from, amongst other things:

* a global passive adversary (who could potentially correlate the exit
  node's traffic with your local Tor traffic)
* an attacker looking at the size of your downloads, and making an
  educated guess about the contents
* an attacker who has broken into your machine

Download speeds will be slower via Tor.

## Trademark, Copyright & Licensing

This product is produced independently from the Tor® anonymity software and
carries no guarantee from [The Tor Project](https://www.torproject.org) about
quality, suitability or anything else.

    Copyright (C) 2014 Tim Retout <diocles@debian.org>
    Copyright (C) 2016 David Kalnischkies <donkult@debian.org>

License:

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

## Feedback

Comments and suggestions to: [APT developer mailinglist](mailto:deity@lists.debian.org) ([archive](https://lists.debian.org/deity/))

Bug reports should be sent to the Debian BTS.