APT: use non-onion HTTPS sources for Debian repositories

intrigeri requested to merge bugfix/17993-stop-using-Debian-onion-service into stable

We've observed too much unreliability with Debian's onion APT sources, so let's switch to APT sources that should be more reliable.

Still, to avoid re-introducing fragility wrt. attacks like https://www.debian.org/security/2016/dsa-3733 (see refs #8143 (closed)), we need APT sources that support HTTPS, which is not that common.

My initial intent was to use https://deb.debian.org/, but we lack support for SRV records, so that service would HTTP redirect us to one of the CDN instances. So I figured skipping this redirection step could be more reliable, hence the hard-coding of the Fastly CDN repository sources.

I'm not too worried about things breaking any time soon due to this hard-coding:

  • The Fastly CDN has backed deb.debian.org for as long as it has existed.
  • This configuration is explicitly documented on https://deb.debian.org/.

So I would expect we would learn about a decommission plan for cdn-fastly.deb.debian.org sufficiently in advance to update our config in Tails releases before this APT source stops working.

Closes #17993 (closed)

Edited by intrigeri
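The merge request's point is that the APT sources must use HTTPS (and keep signature verification intact) rather than the onion or plain-HTTP mirrors. The following POSIX sh check is an added example, not code from the Tails repository or this merge request: it scans a one-line-format `sources.list`, reports any `deb`/`deb-src` line whose URI is not `https://`, and additionally reports lines that carry `[trusted=yes]`, which turns off APT's signature checks. The embedded sample file is constructed; its HTTPS host follows the description above (cdn-fastly.deb.debian.org), the suite names are illustrative, and the onion address is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Tails merge request): a POSIX sh check that every
# one-line-format APT source uses https:// and that none disables signature
# verification via [trusted=yes]. Sample input below is constructed.

# check_apt_sources_https FILE
#   Exit status 0 when every "deb"/"deb-src" line is acceptable, 1 otherwise.
#   Offending lines are reported on stderr.
check_apt_sources_https() {
    _file="$1"
    _bad=0
    while IFS= read -r _line; do
        # Skip blank lines and comments.
        case "$_line" in
            ''|\#*) continue ;;
        esac
        # Split the line into words; disable globbing so "[trusted=yes]" is
        # not treated as a filename pattern.
        set -f
        # shellcheck disable=SC2086
        set -- $_line
        set +f
        case "$1" in
            deb|deb-src) ;;
            *) continue ;;
        esac
        shift
        # Consume an optional "[opt=val ...]" block, noting trusted=yes.
        case "$1" in
            \[*)
                while [ "$#" -gt 0 ]; do
                    case "$1" in
                        *trusted=yes*)
                            echo "signature checks disabled: $_line" >&2
                            _bad=1 ;;
                    esac
                    case "$1" in *\]) shift; break ;; esac
                    shift
                done ;;
        esac
        # The remaining first word is the repository URI.
        case "$1" in
            https://*) ;;
            *) echo "non-HTTPS APT source: $_line" >&2; _bad=1 ;;
        esac
    done < "$_file"
    return "$_bad"
}

# write_sample_sources FILE
#   Writes a constructed sources.list: two HTTPS lines, one plain-HTTP line,
#   one onion line (placeholder address) and one line with trusted=yes.
write_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sample, not a real Tails configuration
deb https://cdn-fastly.deb.debian.org/debian buster main
deb https://cdn-fastly.deb.debian.org/debian-security buster/updates main
deb http://deb.debian.org/debian buster main
deb tor+http://EXAMPLEONIONADDRESS.onion/debian buster main
deb [trusted=yes] https://cdn-fastly.deb.debian.org/debian buster-backports main
EOF
}

# Stand-alone demo: report the problems in the constructed sample.
_tmp=$(mktemp)
write_sample_sources "$_tmp"
if check_apt_sources_https "$_tmp"; then
    echo "all APT sources use HTTPS"
else
    echo "found problematic APT sources (see messages above)"
fi
rm -f "$_tmp"
```

Run it as `sh check-apt-sources.sh`, or source it and call `check_apt_sources_https /etc/apt/sources.list` on a real file. The check only understands the one-line `sources.list` format; deb822-style `.sources` files (a `URIs:` field per stanza) would need a separate parser.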