Unverified Commit ec836747 authored by intrigeri

APT: use non-onion HTTPS sources for Debian repositories

We've observed too much unreliability with Debian's onion APT sources,
so let's switch to APT sources that should be more reliable.

Still, to avoid re-introducing fragility wrt. attacks like
https://www.debian.org/security/2016/dsa-3733 (see refs #8143), we need APT
sources that support HTTPS, which is not that common.

My initial intent was to use https://deb.debian.org/, but we lack support for
SRV records, so that service would HTTP redirect us to one of the CDN instances.
So I figured skipping this redirection step could be more reliable,
hence the hard-coding of the Fastly CDN repository sources.

I'm not too worried about things breaking any time soon due to this hard-coding:

 - The Fastly CDN has backed deb.debian.org since it has existed.
 - This configuration is explicitly documented on https://deb.debian.org/.

So I would expect we would learn about a decommission plan for
cdn-fastly.deb.debian.org sufficiently in advance to update our config
in Tails releases before this APT source stops working.

refs #17993
parent bda2797c
......@@ -23,7 +23,7 @@ s{
/[0-9]{10} # serial
/?
(\s+)
}{$1tor+http://vwakviie2ienjx6t.onion/debian/$2}xms;
}{$1tor+https://cdn-fastly.deb.debian.org/debian/$2}xms;
s{
^
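Review bot: the replacement string switches the scheme from `tor+http://` to `tor+https://`, which is what the commit message relies on to avoid DSA-3733-style attacks on unauthenticated transports; the surrounding match pattern (`/[0-9]{10} # serial`, `/?`, `(\s+)`) is unchanged, so only the substitution target moves. Since the new target is a hard-coded CDN hostname rather than deb.debian.org, a short comment next to this substitution explaining the reason given in the commit message (no SRV support, avoiding the HTTP redirect) would keep that rationale visible to whoever has to change it when cdn-fastly.deb.debian.org is decommissioned.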
......@@ -33,7 +33,7 @@ s{
/[0-9]{10} # serial
/?
(\s+)
}{$1tor+http://sgvtcaew4bxjd7ln.onion/$2}xms;
}{$1tor+https://cdn-fastly.deb.debian.org/debian-security/$2}xms;
s{
^
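Review bot: besides the scheme and host, the path changes from `/` on the security onion to `/debian-security/` on the CDN. That is easy to misread as a typo when comparing the removed and added lines, so a comment stating that the CDN serves the security archive under `/debian-security/` would help. It also makes the substitution target identical to the one in the later `/debian-security` hunk, which is a hint that the base URL should live in one place.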
......@@ -55,7 +55,7 @@ s{
/debian
/?
(\s+)
}{$1tor+http://vwakviie2ienjx6t.onion/debian/$2}xms;
}{$1tor+https://cdn-fastly.deb.debian.org/debian/$2}xms;
s{
^
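Review bot: this is the second copy of the exact string `tor+https://cdn-fastly.deb.debian.org/debian/` in this file (the first is in the serial-based substitution above). Consider assigning the CDN base URL to a single variable and interpolating it into each `s{}{}` replacement, so that a future host change (the commit message already anticipates one) cannot leave the copies out of sync.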
......@@ -65,7 +65,7 @@ s{
/debian-security
/?
(\s+)
}{$1tor+http://sgvtcaew4bxjd7ln.onion/$2}xms;
}{$1tor+https://cdn-fastly.deb.debian.org/debian-security/$2}xms;
s{
^
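Review bot: same duplication as the `/debian` case: `tor+https://cdn-fastly.deb.debian.org/debian-security/` now appears twice in this file. With all four replacements pointing at one host, a single `$cdn` style variable (one for the archive path, one for the security path, or a shared base) would make the hard-coding explicit and easier to revert. Note also that the old onion hostnames no longer appear anywhere in the replacement side, so the test helper that rewrites onion hosts to clearnet mirrors needs a matching update.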
......
......@@ -6,7 +6,7 @@ Feature: APT sources are correctly configured
Scenario: APT sources are configured correctly
Given a computer
And I start Tails from DVD with network unplugged and genuine APT sources
Then the only hosts in APT sources are "vwakviie2ienjx6t.onion,sgvtcaew4bxjd7ln.onion,umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion,sdscoq7snqtznauu.onion"
Then the only hosts in APT sources are "cdn-fastly.deb.debian.org,umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd.onion,sdscoq7snqtznauu.onion"
And no proposed-updates APT suite is enabled
And no experimental APT suite is enabled for deb.torproject.org
And if releasing, no unversioned Tails APT source is enabled
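Review bot: the expected host list is updated correctly (both Debian onions dropped, `cdn-fastly.deb.debian.org` added), but the step only checks hostnames, not schemes. Since the stated purpose of this change is to keep HTTPS for the Debian sources, a plain-`http://` regression to the same host would still pass this scenario; an additional step along the lines of "And all APT sources for cdn-fastly.deb.debian.org use HTTPS" would make the test guard the property the commit message cares about.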
......
......@@ -47,8 +47,6 @@ When /^I configure APT to use non-onion sources$/ do
script = <<-SCRIPT
use strict;
use warnings FATAL => "all";
s{vwakviie2ienjx6t[.]onion}{ftp.us.debian.org};
s{sgvtcaew4bxjd7ln[.]onion}{security.debian.org};
s{sdscoq7snqtznauu[.]onion}{deb.torproject.org};
s{umjqavufhoix3smyq6az2sx4istmuvsgmz4bq5u5x56rnayejoo6l2qd[.]onion}{deb.tails.boum.org};
SCRIPT
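Review bot: removing the `vwakviie2ienjx6t[.]onion` and `sgvtcaew4bxjd7ln[.]onion` substitutions is consistent with the sources change, because the Debian entries are no longer onion-based and would never match. The consequence worth stating in the step or a comment is that "configure APT to use non-onion sources" now leaves the Debian lines untouched, so the test exercises `cdn-fastly.deb.debian.org` directly rather than `ftp.us.debian.org` / `security.debian.org` as before; anyone reading the step name may otherwise expect the Debian sources to be rewritten here too.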
......