[tor-dev] Comments on Yawning's Draft proposal for Debian

bancfc at openmailbox.org bancfc at openmailbox.org
Sun Jun 12 14:41:57 UTC 2016

I thought the proposal [1] is well written but there is one major point 
it should include:

Sometimes apt/dpkg can contain remotely exploitable bugs which s a big 
risk when updates are fetched over HTTP. As it happens, anyone could 
have been in a position to poison the update process and take over the 
machine because of [CVE-2014-6273] in apt-get [2]. What makes
this bug crippling is that updating apt to fix it would have exposed it 
to what the fix was supposed to prevent. The safest option this time was 
to manually download the fixed package out of band. Updating from an 
Onion Service would protect systems from any tampering/attacks at the 
Exits while bringing all the usual benefits of package metadata privacy.


While there's been some progress to setup Debian APT Onion Services 
[3][4], its still a long way away from being enabled as a safe default. 
This problem along many others summarized in the Debian wiki [5] (such 
as upstream patching of chatty apps that leak system information like 
pip [6]) would make great talking points at the next DebConf.

[1] https://yawnbox.com/index.php/2016/05/03/draft-proposal-for-debian/
[2] http://security-tracker.debian.org/tracker/CVE-2014-6273
[5] https://wiki.debian.org/TorifyDebianServices
[6] https://lists.debian.org/debian-security/2016/05/msg00059.html

More information about the tor-dev mailing list