Announcement: Qubes Tor onion services are available again!


Andrew David Wong

Apr 17, 2019, 11:06:03 PM
to qubes...@googlegroups.com, qubes...@googlegroups.com, Unman
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Qubes Community,

We previously announced that the Qubes Tor onion services were no
longer being maintained due to lack of resources. [1] However, Unman
generously agreed to bring them back, and they're now available once
again!

Here are the new onion service URLs:

Website: www.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Yum repo: yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
Deb repo: deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion
ISOs: iso.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion

Soon, you will be able to get the new, correct repo definitions just by
updating dom0 and your TemplateVMs. However, if you can't wait, you can
edit your repository definitions by following the instructions below.


Instructions
============

Follow these instructions *only if* you wish to update dom0 and your
TemplateVMs over Tor (via `sys-whonix`). This is an opt-in feature. If,
instead, you wish to update over your regular network connection (aka
"clearnet"), *or if you are not sure*, then *do not* follow these
instructions.

In order to use the new onion services, you must ensure that *every*
line that contains an onion address uses the appropriate *new* address
above. We'll go through this for dom0, Fedora templates, and Debian
templates. Whonix templates do not require any action; their onion
addresses are still the same as before. For additional information, see
"Onionizing Repositories" on the Whonix wiki. [2]


dom0
====

1. In dom0, open `/etc/yum.repos.d/qubes-dom0.repo` in a text editor.

2. Comment out all the `baseurl = https://yum.qubes-os.org/[...]` and
`metalink` lines.

3. Uncomment all the `baseurl = [...].onion` lines.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink

5. Open `/etc/yum.repos.d/qubes-templates.repo` in a text editor and
repeat steps 2-4.

6. In *Qubes Global Settings*, set *Dom0 UpdateVM* to `sys-whonix`.


Fedora TemplateVMs
==================

1. In the TemplateVM, open `/etc/yum.repos.d/qubes-r4.repo` in a text
editor.

2. Comment out every line that contains `yum.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

#baseurl = https://yum.qubes-os.org/r4.0/current/vm/fc$releasever
baseurl = http://yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/current/vm/fc$releasever

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM $default allow,target=sys-whonix


Debian TemplateVMs
==================

1. In the TemplateVM, open `/etc/apt/sources.list.d/qubes-r4.list` in a
text editor.

2. Comment out every line that contains `deb.qubes-os.org`.

3. Uncomment every line that contains `.onion`.

4. Update every `.onion` address to
`deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion`.
The affected lines should look like this:

# Main qubes updates repository
#deb [arch=amd64] https://deb.qubes-os.org/r4.0/vm stretch main
#deb-src https://deb.qubes-os.org/r4.0/vm stretch main


# Qubes Tor updates repositories
# Main qubes updates repository
deb [arch=amd64] http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main
#deb-src http://deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion/r4.0/vm stretch main

5. In dom0, ensure that the first non-comment line in
`/etc/qubes-rpc/policy/qubes.UpdatesProxy` is:

$type:TemplateVM $default allow,target=sys-whonix


[1] https://www.qubes-os.org/news/2018/01/23/qubes-whonix-next-gen-tor-onion-services/
[2] https://www.whonix.org/wiki/Onionizing_Repositories

This announcement is also available on the Qubes website:
https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/

- --
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
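
A way to check the result of the steps above before switching updates to `sys-whonix`. This is an added example, not part of the announcement or of Qubes' own tooling; the function names and the old onion host in the sample are made up for illustration.

```python
import re

# Hosts and policy rule copied from the announcement; kind is "yum" or "deb".
NEW_ONION = {
    "yum": "yum.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion",
    "deb": "deb.qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion",
}
CLEARNET = {"yum": "yum.qubes-os.org", "deb": "deb.qubes-os.org"}
WANTED_RULE = ["$type:TemplateVM", "$default", "allow,target=sys-whonix"]
HOST_RE = re.compile(r"https?://([^/\s]+)")

def audit_repo(text, kind):
    """Return (line_no, problem) pairs for a yum .repo or apt .list file."""
    findings, active_onion = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        match = HOST_RE.search(line)
        if not match:
            continue  # section headers, plain comments, local gpgkey paths
        host, active = match.group(1).lower(), not line.startswith("#")
        if host.endswith(".onion") and host != NEW_ONION[kind]:
            # Every onion line must carry the new address, commented or not.
            findings.append((no, "unexpected onion host"))
        elif host == NEW_ONION[kind] and active:
            active_onion += 1
        elif host == CLEARNET[kind] and active:
            findings.append((no, "clearnet line still active"))
    if active_onion == 0:
        findings.append((0, "no active line uses the new onion host"))
    return findings

def policy_ok(text):
    """True if the first non-comment line of qubes.UpdatesProxy is the wanted rule."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            return line.split() == WANTED_RULE
    return False

# Constructed sample: a half-edited dom0 repo file with a made-up old onion host.
HALF_EDITED = """\
[qubes-dom0-current]
baseurl = https://yum.qubes-os.org/r$releasever/current/dom0/fc25
#baseurl = http://yum.constructed-old-host.onion/r$releasever/current/dom0/fc25
#metalink = https://yum.qubes-os.org/r$releasever/current/dom0/fc25/repodata/repomd.xml.metalink
"""

if __name__ == "__main__":
    print(audit_repo(HALF_EDITED, "yum"))
```

An empty list from `audit_repo` means the file matches the "affected lines should look like this" form; line number 0 marks a finding about the file as a whole.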


22...@tutamail.com

Apr 18, 2019, 3:32:43 PM
to qubes-users
Nice one Unman...thanks for this and your ongoing help! You rock...

(Kudos to Andrew and the Qubes team as well!)

Jon deps

Apr 19, 2019, 2:38:45 PM
to qubes...@googlegroups.com
I could be wrong but personally I believe my Dom0 & Templates are
updated via sys-whonix-14 but just *do not* use the .onion
addresses ...

anything "wrong" with doing it this way ?


------------

/etc/qubes-rpc/policy/qubes.UpdatesProxy


target=sys-whonix-14 as the top most

then

target=sys-net

but

$anyvm $anyvm deny is at the bottom



it's not broke as they say

unman

Apr 19, 2019, 8:42:25 PM
to qubes...@googlegroups.com
Nothing wrong - doing it this way you are connecting to the normal
servers using Tor. That means you are routing through the Tor network
and leaving it from the exit node to get to the update server.

Using the onion servers you stay within the Tor network all the time.
You can be sure that your connection to the onion site is secure and
encrypted, and you can also be sure that it *is* the site you are trying
to access.
Some of this is provided by TLS, but that depends on a third party
certificate authority, and there are a number of examples where CAs have
been hacked or rogue certificates have been handed out. An onion service
provides its own authentication.

Of course, the fact that the connection is in Tor does *not* validate
the site or the packages served. They must be signed with the relevant
key, which you have chosen to trust. That's part of the general "distrust
of the infrastructure" - see
https://www.qubes-os.org/faq/#what-does-it-mean-to-distrust-the-infrastructure.
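
An added example, not part of unman's reply, showing why an onion address authenticates itself: a v3 onion hostname is the base32 encoding of the service's 32-byte ed25519 public key, a 2-byte checksum and a version byte, so the name and the key are the same thing. The function names are made up for illustration, and the check covers only the checksum and version, not whether the key is a valid curve point.

```python
import base64
import hashlib

# The four hostnames from the announcement.
ONION = "qubesosfasa4zl44o4tws22di6kepyzfeqv3tg4e3ztknltfxqrymdad.onion"
PAGE_HOSTS = [p + "." + ONION for p in ("www", "yum", "deb", "iso")]

def decode_onion_v3(hostname):
    """Return (pubkey, checksum, version) for a v3 onion name; ValueError if malformed."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not an .onion name")
    label = labels[-2]  # subdomains such as "yum." are not part of the key
    if len(label) != 56:
        raise ValueError("not a 56-character v3 address")
    raw = base64.b32decode(label.upper())  # bad characters raise a ValueError subclass
    return raw[:32], raw[32:34], raw[34]

def expected_checksum(pubkey, version):
    """First two bytes of SHA3-256(".onion checksum" | pubkey | version)."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + bytes([version])).digest()[:2]

def is_valid_onion_v3(hostname):
    """True if the name is version 3 and its embedded checksum matches its key."""
    try:
        pubkey, checksum, version = decode_onion_v3(hostname)
    except ValueError:
        return False
    return version == 3 and checksum == expected_checksum(pubkey, version)

def encode_onion_v3(pubkey):
    """Build the onion hostname for a 32-byte public key (used here for test input)."""
    raw = pubkey + expected_checksum(pubkey, 3) + b"\x03"
    return base64.b32encode(raw).decode().lower() + ".onion"

if __name__ == "__main__":
    for host in PAGE_HOSTS:
        pubkey, _, version = decode_onion_v3(host)
        print(host.split(".")[0], version, pubkey.hex()[:16], is_valid_onion_v3(host))
```

A matching checksum only catches typos and truncation; whether the key is the right one still depends on where the hostname came from, which here is the signed announcement.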

Stumpy

Apr 20, 2019, 8:40:00 AM
to qubes...@googlegroups.com
Thank you unman!!!!

lama...@gmail.com

Apr 20, 2019, 2:18:12 PM
to qubes-users
Great news! Thanks Unman!

> Soon, you will be able to get the new, correct repo definitions just by
> updating dom0 and your TemplateVMs. However, if you can't wait, you can
> edit your repository definitions by following the instructions below.

Do you know when that is? And what package will contain the new repo definitions?

unman

Apr 20, 2019, 8:05:01 PM
to qubes-users
It's qubes-core-agent, and the updated package is already in testing, so won't be long.