• intrigeri's avatar
    APT: use non-onion HTTPS sources for Debian repositories · ec836747
    intrigeri authored
    We've observed too much unreliability with Debian's onion APT sources,
    so let's switch to APT sources that should be more reliable.
    Still, to avoid re-introducing fragility wrt. attacks like
    https://www.debian.org/security/2016/dsa-3733 (see refs #8143), we need APT
    sources that support HTTPS, which is not that common.
    My initial intent was to use https://deb.debian.org/, but we lack support for
    SRV records, so that service would HTTP redirect us to one of the CDN instances.
    So I figured skipping this redirection step could be more reliable,
    hence the hard-coding of the Fastly CDN repository sources.
    I'm not too worried about things breaking any time soon due to this hard-coding:
     - The Fastly CDN has backed deb.debian.org since it exists.
     - This configuration is explicitly documented on https://deb.debian.org/.
    So I would expect we would learn about a decommission plan for
    cdn-fastly.deb.debian.org sufficiently in advance to update our config
    in Tails releases before this APT source stops working.
    refs #17993