apt-get update over Tor

[zodac11]

As I am getting into a more privacy-minded distro I loved the idea of Tor and availability of updating packages over tor. However after following the manuals, some repos are checked twice though the only thing I did for non-official repos was to change http: with tor+http. I googled and got the idea that "ign" seems to be fine and does not mention an error, yet I wonder why the very same repo is checked twice in after sudo apt-get update:

Ign:1 tor+http://download.opensuse.org/repositori ... Debian_9.0 InRelease
Ign:2 tor+http://download.opensuse.org/repositori ... Debian_9.0 InRelease
Hit:3 tor+http://download.opensuse.org/repositori ... Debian_9.0 Release
Hit:5 tor+http://download.opensuse.org/repositori ... Debian_9.0 Release
Ign:7 tor+http://vwakviie2ienjx6t.onion/debian stretch InRelease
Hit:8 tor+http://vwakviie2ienjx6t.onion/debian stretch-updates InRelease
Hit:9 tor+http://vwakviie2ienjx6t.onion/debian stretch-backports InRelease
Hit:10 tor+http://vwakviie2ienjx6t.onion/debian stretch Release
Hit:11 tor+http://sgvtcaew4bxjd7ln.onion stretch/updates InRelease
Hit:13 tor+http://ppa.launchpad.net/dlech/keepass2-plugins/ubuntu artful InRelease
Hit:14 tor+http://ppa.launchpad.net/micahflee/ppa/ubuntu artful InRelease

[Bulkley]

DontBreakDebian

[steve_v]

I loved the idea of Tor and availability of updating packages over tor.

Um, why?
Unless running Debian is illegal where you live, pulling package updates over TOR just wastes node bandwidth. Updates are slower for you, and TOR is slower for everyone else.

TOR obfuscates who is communicating with who (note: but not the packet contents) - since all you're doing is pulling uninteresting software packages from a public server, what's the point of doing it over TOR?
Is some agency actually trying to find out what software you use (anyone who cares already knows), or is this pure "using TOR because it's there"?

[zodac11]

I loved the idea of Tor and availability of updating packages over tor.

Unless running Debian is illegal where you live,

Is some agency actually trying to find out what software you use (anyone who cares already knows)

I have dual citizenship and moving regularly between both of these countries. Regretfully, both of them are quite notorious in sense of internet monitoring/surveillance and in one of them using Tor and VPN are even forbidden. Without Tor, it is not possible to open dozens of websites.

[Lysander]

The only way to truly ensure your privacy is to self-monitor what you do on the internet. What are these sites and why is it so important you visit them [this can be taken as a rhetorical question if you like]? Be mindful of inadvertantly encouraging the Streisand Effect.

[steve_v]

Without Tor, it is not possible to open dozens of websites.

Presumably that doesn't include all the debian mirrors though?

I use TOR from time to time, and I run a node all the time. But I still don't see the point of system updates over TOR...

[zodac11]

The only way to truly ensure your privacy is to self-monitor what you do on the internet. What are these sites and why is it so important you visit them [this can be taken as a rhetorical question if you like]? Be mindful of inadvertantly encouraging the Streisand Effect.

Imagine a country where wikipedia is banned and google, yahoo, imgur (is still banned I think) and many important pillars of internet are censored.

[zodac11]

Without Tor, it is not possible to open dozens of websites.

Presumably that doesn't include all the debian mirrors though?

I use TOR from time to time, and I run a node all the time. But I still don't see the point of system updates over TOR...

In one country that I have citizenship using Debian or other open source OS is enough proof to put yourself on the list of "potential criminal". Yes, weird, but true.

In the other country that I have citizenship wikipedia, imgur and many other sites are down due to censore and twitter, yahoo, google gets banned from time to time. It is hard to check the unbanned sites everyday so I simply use tor.

[Lysander]

The only way to truly ensure your privacy is to self-monitor what you do on the internet. What are these sites and why is it so important you visit them [this can be taken as a rhetorical question if you like]? Be mindful of inadvertantly encouraging the Streisand Effect.

Imagine a country where wikipedia is banned and google, yahoo, imgur (is still banned I think) and many important pillars of internet are censored.

I can imagine it very easily - my wife's home country [where I visit often] is one such place where Wikipedia, Youtube, Twitter and Facebook have all been banned at one time or another. Circumventing the rules would definitely raise the chances of putting the Streisand Effect into place. I am all for free speech and transparency, but I would also not put myself at risk. It's a terrible situation indeed.

[Bulkley]

Imagine a country where wikipedia is banned and google, yahoo, imgur (is still banned I think) and many important pillars of internet are censored.

zodac11, in your situation, I would have a USB thumb drive loaded with Tails. When you do a shutdown with Tails it even wipes the memory. After shutdown you can hide the thumb drive and no one is the wiser. The computer can actually be loaded with Windows and only be used for safe stuff.

Another option is Liberté Linux. It's getting a bit old but it is designed "with the primary purpose of enabling anyone to communicate safely and covertly in hostile environments."

Keep safe.

[Lysander]

Again I would argue - and I'm very open to refutes - that just by using Tails one is opening channels of suspicion and that nothing is a replacement for self-monitoring and taking responsibility for sites visited and content posted. As much as we would like to think that the internet is the liberal free-speech realm that it was in the early 2000s, alas, it is no longer.

I recall something that someone said to me many years ago on the internet and which is of particular import here - "always assume that everything you say and do is being recorded somewhere and can be used against you to your detriment". By all means take risks if you choose to, but take risks knowingly.

[dasein]

I loved the idea of Tor and availability of updating packages over tor.

Pulling package updates over TOR just wastes node bandwidth. Updates are slower for you, and TOR is slower for everyone else.

Exactly! +100

@OP -> Regardless of how much you "love the idea," this is a pure waste of time and resources, both yours and everyone else's. It's totally pointless, utterly futile, and frankly, it's stupid.

[Bulkley]

Again I would argue - and I'm very open to refutes - that just by using Tails one is opening channels of suspicion and that nothing is a replacement for self-monitoring and taking responsibility for sites visited and content posted. As much as we would like to think that the internet is the liberal free-speech realm that it was in the early 2000s, alas, it is no longer.

I recall something that someone said to me many years ago on the internet and which is of particular import here - "always assume that everything you say and do is being recorded somewhere and can be used against you to your detriment". By all means take risks if you choose to, but take risks knowingly.

I certainly have no argument there. Adding to that I would warn against any phone or handheld device that has a locator or tracks the user in any way. There is no point in worrying about computer security while carrying an iphone.

[gnulux]

I loved the idea of Tor and availability of updating packages over tor.

Pulling package updates over TOR just wastes node bandwidth. Updates are slower for you, and TOR is slower for everyone else.

Exactly! +100

@OP -> Regardless of how much you "love the idea," this is a pure waste of time and resources, both yours and everyone else's. It's totally pointless, utterly futile, and frankly, it's stupid.

Allright, but why has the Debian project published this page : onion.debian.org including the ONION sources.list? There’s no warning at all on that page.