intrigeri authored
We've observed too much unreliability with Debian's onion APT sources, so let's switch to APT sources that should be more reliable.

Still, to avoid re-introducing fragility wrt. attacks like https://www.debian.org/security/2016/dsa-3733 (see refs #8143), we need APT sources that support HTTPS, which is not that common.

My initial intent was to use https://deb.debian.org/, but we lack support for SRV records, so that service would HTTP redirect us to one of the CDN instances. So I figured skipping this redirection step could be more reliable, hence the hard-coding of the Fastly CDN repository sources.

I'm not too worried about things breaking any time soon due to this hard-coding:

- The Fastly CDN has backed deb.debian.org since it exists.
- This configuration is explicitly documented on https://deb.debian.org/.

So I would expect we would learn about a decommission plan for cdn-fastly.deb.debian.org sufficiently in advance to update our config in Tails releases before this APT source stops working.

refs #17993