If we are talking about the technical problem (which did exist) let's talk 
about the technical problem.
If we are talking of the political/security problem let's talk about that.  But 
don't try to make soup out of what we are talking about, and it is to your 
interest to try to understand criticism, despite the form it is coming from.

Today, and after a lengthy discussion on the onion repository malfunction, 
based on the "new" evidence Katolaz has provided us, there is a speculation of 
the source of the technical problem.  Again and again and in several machines 
and users the problem appeared as "pieces" of the repository being missing.  
Stuff that was in there the day before would be missing but the rest would be 
there from both devuan and debian, and there would be no "error" in updating 
repositories.

A    It seems obvious now that when amprolla3 tries to merge from 
debian.onion, debian has some amprolla-like merging system of its 
subrepositories (not all in a single server).  Some of them may be timing out, 
and amprolla3 is not forwarding those errors as partial hits.  

B    Using tor://pkgmaster. ...    amprolla3 is hitting the deb.debian.org (or 
some other clearnet address) and it never runs into timing out issues, so 
tor://pkgmaster is always intact and consistent.  It seems that in the past 2 
weeks someone must have realized what is going on and went in and adjusted the 
timeout threshold, which explains the current consistent results.  Or else, 
there is a limit to how much I can speculate, but something seems to have 
gotten fixed.

C    The political/security issue is that we (users) have been in the blind.  
   1   When someone chose to shift the onion repository address to pkgmaster (a 
beta system) someone should have made an adequate announcement and such was 
never made, not in the webpage, not in the "officially official forum" that no 
developer has ever visited.  
   2    If the admin of the pkgmaster.devuan.org can distinguish whether a 
connection is using onion or clearnet (apart from tor, they are not the same 
you know, you can use tor to access any clearnet address that has not 
blacklisted all exit nodes, but you can not use http/https to reach an onion 
address) either the server on the onion address is a different server (as 
allowed to conclude by differential parallel results) or it is forwarding those 
connections to "other" servers.  That ability to distinguish the two and act 
based on that distinction is problematic!
   3    If a tor connection is made through the tor network and out in the 
clear, and back into tor again (as described by Katolaz) then according to 
torproject the identity of the user can be revealed.  They don't know how it 
happens, they can't yet explain it, but they have warned and reported this for 
a long time.  People abused the abilities of tor and it creates vulnerabilities 
that can't be controlled.  Imagine  a server running tor and feeding an IP to 
another machine and that other machine is running tor a second time.  The 
identity can be revealed, and I don't need to explain to whom or why.


So, thank you, I (we) have been convinced here that "unfortunately" we have 
been right all along, we did our best to report and alert of the problem, 
partially the problem seems to have been silently fixed, but "admins" chose to 
try to shove things under the carpet and maintain a code of silence about it 
till things become explosive.  Because when someone is telling you, hey buddy 
you have a problem.  Hey buddy, this is the problem you have, and the only 
response is "there is no problem, you are crazy", then morally one is obliged 
to make noise and alert victims of the problem denied by authority!

Good bye, and try to be more social when you receive constructive criticism.  
Something that seems to have been long gone in the Linux environment.

PS  To those asking MORE technical evidence, go to the officially official 
devuan forum and you will find all the specifics.  Ask fsmithred to point it to 
you as he was the only one that paid attention and tried some things out to 
figure it out for himself.  Unfortunately by the time he did the problem was 
cured.  When half the dependencies were missing for installing eudev and openrc 
in ascii he couldn't tell why it was happening.

PS2  alessandro ...  I am surprised with this attitude you got so far 
(linux.com) ...  but talking with that tone should be reserved for up close 
conversations you spineless piece of shit hiding behind a terminal.  I'll see 
you at some conference and we can continue.


-------- Original Message --------
 On February 15, 2018 9:49 AM, KatolaZ <kato...@freaknet.org> wrote:

>On Wed, Feb 14, 2018 at 08:21:03PM -0500, Fungal-net wrote:
>>Your response is every proof I needed that there is something fishy going on. 
>> It may be legal to be deceiving people but the question is whether it is 
>>ethical and whether once you discover a rat are you responsible to make the 
>>discovery public.  That is the dilemma.   There is nothing technical about it!
>>
>
> Dear Fungal-net,
>
> If the rat you have discovered is that we ensure that users accessing
> our repos through the onion address are redirected to debian's own
> onion address (for packages that come from debian), rather than to a
> clearnet address, then you have discovered a dove, not a rat, and a
> lively one. This is a feature, not a bug.
>
> Concerning trust: that will never be an automatic thing, rather a very
> personal one. The ultimate person who decides if you should or should
> not trust something or somebody is just yourself.
>
> The way amprolla works (by rewriting packages not in Devuan) is
> publicly known. The source code of amprolla is available at:
>
>https://git.devuan.org/devuan-infrastructure/amprolla3
>
> Our repos are signed with GPG keys, published on different locations
> and accessible by different means. All our isos are signed with the
> GPG key of the developers responsible for them.
>
> I am very sorry you somehow lost trust in Devuan, but given the amount
> of anger you evidently have accumulated, I don't see how else we can
> help you. I hope you might decide to come back onboard, but if this is
> not the case, I really wish you to find the distro of your choice, the
> one that you can trust.
>
> HND
>
> KatolaZ
>
>
>[ ~.,_  Enzo Nicosia aka KatolaZ - Devuan -- Freaknet Medialab  ]
> [     "+.  katolaz [at] freaknet.org --- katolaz [at] yahoo.it ]
> [       @) http://kalos.mine.nu ---  Devuan GNU + Linux User  ]
> [     @@) http://maths.qmul.ac.uk/~vnicosia --  GPG: 0B5F062F  ]
> [ (@@@)  Twitter: @KatolaZ - skype: katolaz -- github: KatolaZ  ]
>
>Dng mailing list
>Dng@lists.dyne.org
>https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
>
