-------- Original Message --------
 On February 15, 2018 1:28 AM, KatolaZ <kato...@freaknet.org> wrote:

>On Wed, Feb 14, 2018 at 05:24:27PM -0500, Fungal-net wrote:
>>devuanfwojg73k6r.onion  and pkgmaster.devuan.org are they and have they ever 
>>been the same?
> They are the same machine and always have been (since late September
> or early October 2017, more or less). The rewrites on pkgmaster are to
> the corresponding Debian mirrors. The rewrites on the onion address
> are on the corresponding Debian onion address. We don't have control
> on them.

Ohh.... so it has been "that" long that onion repository users have been beta 
testing amprolla3?  And when has the announcement been placed for users to be 

> You won't believe it, but you are not the only one using tor here, but
> apparently the only one reporting problems on tor. Have you considered
> the possibility that there might be a problem either in your config or
> in the way you access the repos via tor?

Apparently you didn't read the whole message or reviewed the archive, but I 
believe you, yourself, was involved in this early december list discussion 
about someone testifying to what I am saying.  Packages available through "the 
other repositories" were not available throug the onion address.  It seems as 
you are aware of the problem that I am reporting as it was reported in the 
forum, before this message appeared on the list.  How long has this been?  Why 
didn't you get involved in the forum when the problem was reported?
If there was a problem on "our" side why didn't it ever appear as a problem in 
any of the mutlitude of debian based installations.  I'd like to think that if 
it is a consequence of a bad practice it would appear in Debian as well.  Not 
once, I assure you.

> You should use tor:// or tor+http:// with the onion address, and
> http:// or https:// with pkgmaster. The reason is that the whole thing
> is based on FQDNs http rewrites., and if you mix them up you might
> experience problems.

Are you saying now, and this is a new take on explaining the unexplainable, and 
please readers feel free to intervene here and point out the obvious to me, 
what is the problem of reaching pkgmaster via tor://pkgmaster.devuan.org?  All 
you would know, being the gate keeper on the repository side, is that someone 
through https:// is reaching pkgmaster from the exit node.  Nothing else!  If 
you can see something, other than "graylisting" tor exit nodes, I am sure the 
torpoject people would like to know.  The difference with an onion address is 
that the connection doesn't go out to clearnet to reach the destination, but 
the target is one and the same.  Right?

I don't know what is going on with the internals of the repository and I don't 
know whether the "users" would care to know.  The questions was simple, are 
they or are they not the same.  What is your response?  Beating around the bush?

How do your internals separate a hit on an onion address from one from clearnet 
so amprolla3 and is forwarding those to the debian.onion address?  This brings 
a new twist into the equation.  You are forwarding one connection out of tor 
and back into tor and onto debian.   I am not sure this is a good idea as far 
as anonymity is concerned.  

****   As has been reported by torproject, not yet explained, somehow if you 
make "one connection" through tor, out in clearnet and back through tor your 
identity is revealed.  *****

Are you saying this is what amprolla3 has been doing since 9-10/2017?

But where has this practice been documented before this "official" 
announcement?  Here you are admitting the onion address is NOT the same with 
packagemaster because the forwarding is done to two separate debian addresses.  
Yoy can only be responsible with your addressing scheme, there is no way for 
you to certify that the debian.org and its onion address are the same, just the 
same way we are trying to establish whether they are in fact the same here.

It is pretty clear on our side that "occassionaly" they have not been as when 
you do an update on pkgmaster and it says no upgrades, and consecutively you do 
the same on the onion address and shows both pkgs to be  upgraded and pkgs to 
be removed (apt-get dist-upgrade), or when in the same time frame openrc and 
eudev were available with dependencies on ascii but dependencies were missing 
through the onion address (no other changes to repository structure, just the 

> Again: nothing has changed since October in the way we redirect the
> onion address. Nothing at all. Also, even if not relevant,
>pkgmaster.devuan.org and auto.mirror.devuan.org have the very same set
> of packages (pkgmaster gets its package lists from the same source
> auto.mirror gets its package lists), so other speculations about
> inconsistent repos are not supported by any logic.

No, it is not relevant.  What is relevant is whether the onion address points 
to pkgmaster at this point.  You are bringing a non-issue of the differences 
between pkgmaster and auto.mirror in to dilute the issue.

It is obviously a logic problem when you say that they are the same when you 
describe that they aren't.  Am I crazy here or did you just admit that an onion 
connection is forwarded differently than a clearnet connection?

And it is obvious that even though I make a clear reference that on this list 
the problem was brought up in early December just as I described it, it was 
cared for and addressed then, it was reported "as fixed" for that particular 
occasion.  Did you forget it, do you selectively pretend it is an isolated 
issue that only occurs "here" and you are clueless to how many people witnessed 
the problem, or is with "your logic" the issue a non-problem if only one person 
reports on it?  I am glad, as you describe, that it is many of us using onion 
addresses and tor, two separate things mind you, otherwise what would be the 
point of being the sole onion repository user?  But you can not ever know that, 
can you?  I may have 1000 installations of all possible varieties and keep 
changing circuits and updating all day long, how would you know?  Can you?   
That would be even more interesting.

> KatolaZ

Obviously the way you are handling the response to me is evidence that there is 
something to the story.

PLEASE do not forget to point us to the reference on when was there a public 
announcement that onion address users were shoved over to a beta testing 
system.  I simply have missed it.

What I am trying to establish here is trust in devuan's officially announced 
means of accessing the repositories.  How important this may be is an other 
issue I do not care to discuss here.  We are all mature kids we can think for 
Dng mailing list

Reply via email to