whonix-secure-proxy service


HW42

Jul 13, 2016, 2:50:27 PM
to qubes...@googlegroups.com, Patrick Schleizer

Hi Patrick/*,

in Whonix tunneling apt directly through Tor is only disabled (so that
the update proxy can be reached) when the whonix-secure-proxy 'service'
is enabled [0]. What is the purpose of this? Why isn't the "standard"
updates-proxy-setup used?

Context: On a fresh R3.2-rc1 install updating the Whonix templates
doesn't work since apt tries to reach the proxy via Tor. So the question
is whether the Whonix package or the template setup should be patched.

HW42

[0]: https://github.com/Whonix/qubes-whonix/blob/master/etc/uwt.d/40_qubes.conf#L5

Marek Marczykowski-Górecki

Jul 13, 2016, 4:33:00 PM
to HW42, qubes...@googlegroups.com, Patrick Schleizer

On Wed, Jul 13, 2016 at 06:49:00PM +0000, HW42 wrote:
> Hi Patrick/*,
>
> in Whonix tunneling apt directly through Tor is only disabled (so that
> the update proxy can be reached) when the whonix-secure-proxy 'service'
> is enabled [0]. What is the purpose of this? Why isn't the "standard"
> updates-proxy-setup used?

AFAIR the whonix-secure-proxy service flag is set when a startup script detects
that the updates proxy is torified (or actually: running in Whonix Gateway,
which torifies all updates proxy traffic). This is detected by some
startup script by the presence of a magic string in the updates proxy response.

> Context: On a fresh R3.2-rc1 install updating the Whonix templates
> doesn't work since apt tries to reach the proxy via Tor. So the question
> is whether the Whonix package or the template setup should be patched.

It works for me...
Maybe you don't have it connected to sys-whonix?

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Patrick Schleizer

Jul 13, 2016, 4:49:08 PM
to HW42, qubes...@googlegroups.com
Hi HW42!

HW42:
> in Whonix tunneling apt directly through Tor is only disabled (so that
> the update proxy can be reached) when the whonix-secure-proxy 'service'
> is enabled [0]. What is the purpose of this? Why isn't the "standard"
> updates-proxy-setup used?

The whonix-secure-proxy 'service' is automatically enabled, if connected
to a torified updates proxy. The full mechanism is described here. [1]

There was a Whonix 12 bug. "Templates incorrectly think they're not
connected to a Whonix gateway." [2] Which also showed a warning popup.
Did you see such a popup or hit that bug?

"standard" updates-proxy-setup isn't used to prevent accidental
non-torified, clearnet updates. (design decision [3])

> Context: On a fresh R3.2-rc1 install updating the Whonix templates
> doesn't work since apt tries to reach the proxy via Tor. So the question
> is whether the Whonix package or the template setup should be patched.

The template setup, as in creating the whonix-secure-proxy 'service'
should not be patched.

> [0]: https://github.com/Whonix/qubes-whonix/blob/master/etc/uwt.d/40_qubes.conf#L5

Cheers,
Patrick

[1] https://www.whonix.org/wiki/Dev/Qubes#Torified_Updates_Proxy
[2] https://forums.whonix.org/t/templates-incorrectly-think-theyre-not-connected-to-a-whonix-gateway
[3] https://github.com/QubesOS/qubes-issues/issues/1880
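
The detection discussed in this thread, sketched as an added example (not part of any post, and not the qubes-whonix startup script): the flag file is created only when the updates proxy response contains a marker, so an unreachable or non-torified proxy leaves apt tunneled through Tor instead of falling back to clearnet. The marker string, the function names and passing the service directory as an argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration; not the qubes-whonix startup script.
# MARKER is a constructed placeholder, not the string Whonix actually uses.
MARKER='EXAMPLE-TORIFIED-PROXY-MARKER'

# proxy_is_torified RESPONSE_BODY
# Succeeds only if the body contains the marker. An empty body (proxy
# unreachable, no network at boot) fails, so the check is fail-closed.
proxy_is_torified() {
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | grep -qF -- "$MARKER"
}

# update_service_flag RESPONSE_BODY SERVICE_DIR
# Creates SERVICE_DIR/whonix-secure-proxy on a positive detection and
# removes it otherwise (an assumption of this sketch), then prints the result.
update_service_flag() {
    body=$1
    dir=$2
    flag="$dir/whonix-secure-proxy"
    if proxy_is_torified "$body"; then
        : > "$flag"
        echo enabled
    else
        rm -f -- "$flag"
        echo disabled
    fi
}

# Constructed sample responses (no network access is needed to run this).
TORIFIED_RESPONSE="<html><head><meta name=\"x\" content=\"$MARKER\"/></head></html>"
PLAIN_RESPONSE='<html><head><title>proxy error</title></head></html>'

demo() {
    d=$(mktemp -d)
    update_service_flag "$TORIFIED_RESPONSE" "$d"   # marker present
    update_service_flag "$PLAIN_RESPONSE" "$d"      # ordinary proxy
    update_service_flag "" "$d"                     # no response at all
    rm -rf -- "$d"
}

demo
```

The third case is the one reported at the start of the thread: with no response from the proxy at boot, the flag stays absent and apt keeps trying to reach the proxy via Tor.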

HW42

Jul 13, 2016, 5:50:14 PM
to Patrick Schleizer, qubes...@googlegroups.com

Patrick Schleizer:
> Hi HW42!
>
> HW42:
>> in Whonix tunneling apt directly through Tor is only disabled (so that
>> the update proxy can be reached) when the whonix-secure-proxy 'service'
>> is enabled [0]. What is the purpose of this? Why isn't the "standard"
>> updates-proxy-setup used?
>
> The whonix-secure-proxy 'service' is automatically enabled, if connected
> to a torified updates proxy. The full mechanism is described here. [1]

Ah, ok. I did not expect an internally generated file in the
qubes-service directory.

> There was a Whonix 12 bug. "Templates incorrectly think they're not
> connected to a Whonix gateway." [2] Which also showed a warning popup.
> Did you see such a popup or hit that bug?

Ok, that's probably this bug. I think I did not see the popup the first
time (since this was only a test install I did not pay that much
attention, so my memory might be wrong). But it did not have an internet
connection when booting the template. I have now removed the manually added
whonix-secure-proxy service and now I see the popup. So I'm pretty
sure this is this bug. Will try to update the Whonix template.

> "standard" updates-proxy-setup isn't used to prevent accidental
> non-torified, clearnet updates. (design decision [3])
>
>> Context: On a fresh R3.2-rc1 install updating the Whonix templates
>> doesn't work since apt tries to reach the proxy via Tor. So the question
>> is whether the Whonix package or the template setup should be patched.
>
> The template setup, as in creating the whonix-secure-proxy 'service'
> should not be patched.

This is now clear.