You've installed apt-transport-tor to help prevent targeted attacks on your system. Great! Now you want to build Debian packages using cowbuilder, and you notice these are still using plain HTTP.
If you're willing to fetch the first few packages without using apt-transport-tor, this is as easy as:
Now any future builds should fetch build-dependencies over Tor.
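To check that claim, the following added example (not part of the original post) lists every deb or deb-src entry in a one-line-style sources.list whose URI does not use a tor+ scheme. It assumes the tor+http form shown in the sources.list line from the earlier post and tor+https for the HTTPS support mentioned there; the sample entries and the example.org host are constructed.

```shell
#!/bin/sh
# Added example: report APT source entries that would not go through
# apt-transport-tor. Reads one-line-style sources.list files.

non_tor_sources() {
    awk '
        # Only active entries: commented-out lines have "#" in $1.
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional option block, e.g. [arch=amd64] or [ arch=amd64 ].
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            # Assumed Tor schemes: tor+http and tor+https.
            if (uri !~ /^tor\+https?:\/\//)
                printf "%s:%d: %s\n", FILENAME, FNR, uri
        }
    ' "$@"
}

# Constructed sample input, written to the file named in $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from the original post
deb tor+http://http.debian.net/debian unstable main
deb-src http://http.debian.net/debian unstable main
deb [arch=amd64] tor+https://deb.example.org/debian unstable main
#deb http://ftp.example.org/debian unstable main
deb [ arch=amd64 ] https://deb.example.org/debian unstable main
EOF
}

sample=$(mktemp)
write_sample "$sample"
non_tor_sources "$sample"    # lists the entries on lines 3 and 6
rm -f "$sample"
```

For a cowbuilder chroot, point the function at etc/apt/sources.list (and any files under etc/apt/sources.list.d) inside the base.cow directory; an empty result means every active entry uses a tor+ scheme.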
Unfortunately, creating a base.cow from scratch is more problematic. Neither 'debootstrap' nor 'cdebootstrap' actually relies on apt acquire methods to download files - they look at the URL scheme themselves to work out where to fetch from. I think it's a design point that they shouldn't need apt, anyway, so that you can debootstrap on non-Debian systems. I don't have a good solution beyond using some other means to route these requests over Tor.
Posted: 22 Jul 2014 22:31
apt-transport-tor 0.2.1 should now be on your preferred unstable Debian mirror. It will let you download Debian packages through Tor.
New in this release: support for HTTPS over Tor, to keep up with people.debian.org. :)
I haven't mentioned it before on this blog. To get it working, you need to "apt-get install apt-transport-tor", and then use sources.list lines like so:
deb tor+http://http.debian.net/debian unstable main
Note the use of http.debian.net in order to pick a mirror near to whichever Tor exit node is in use. Throughput is surprisingly good.
On the TODO list: reproducible builds? It would be nice to have some mirrors offer Tor hidden services, although I have yet to think about the logistics of this, such as how the load could be balanced (maybe a service like http.debian.net). I also need to look at how cowbuilder etc. can be made to play nicely with Tor. And then Debian installer support!
Posted: 21 Jul 2014 13:17