[Qgis-psc] Accessing qGIS APT repositories using Tor

[Pata Gioenas]

Greetings,We did originally write on the qgis-user mailing list to request for enabling Tor access of the APT repository and we just got aware of the interesting discussion that followed here, sadly we can not reply to the original thread as we just joined this mailing list.Before going into any technical detail (your Debian guru friend is totally right), we would like to motivate our-self and if you are happy to do something we can discuss later how it can be done in detail (we can also join #qgis to discuss it, alternatively folks in #tor at OFTC are well aware of the issue as they had to get in touch recently with the Jitsi team for exact same problem).We are not affiliated in any way with ctemplar.com, that is simply our email provider. We are a decentralized non-governmental project (https://pipio.gitlab.io/) working on a privacy-preserving communication system which aim is to defeat global surveillance and censorship. QGIS very useful for us, we currently use it to design and visualize simulations and we are aiming to contribute back a data provider.Some of our members lives in countries that do not look positively on the development of such communication system and they have to rely exclusively on Tor to do their work without the fear of being tracked.In general, many people would prefer not to share information about their location or internet connection with anyone when they are downloading software. This is further exacerbated by the fact that to keep up with security updates, users of software must request updates from the repository with some frequency.Sharing network connectivity information while downloading software exposes information about the users of that software and the versions that they are using, which in turn can be used to attack the systems on which vulnerable software is running.Finally, we would like to answer on the argument that keeping things as they are today "makes it hard to block hosts that are acting badly on our servers".This is not necessarily true, as if bad actors are a serious threat for you it is possible to expose the repositiory as an onion hidden service without any change to the Cloudfare rule, which means no impact on the website itself. It is more work and if bad actors are not a serious threat we recommend instead to simply change the Cloudfare rules.Thanks for considering our request, we are happy to answer any question.p9s - https://patagioenas.gitlab.io/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-psc/attachments/20200428/9f007da3/attachment.html>