Charlie Harvey

Using Tor for apt package management on Debian

Recently, the Debian project announced that they intend to make more of their services available as Tor hidden services. They have added a new package to the repositories making it easy to use Tor hidden services when using apt to upgrade packages.

Tor is software that allows better anonymity when using the internet than is usually experienced, by wrapping connections in layers of encryptions and sending them through volunteer-run proxy servers. There is a lot more on the Tor project website if you are not familiar with the project.

Hidden services such as those that Debian intends to adopt have a number of useful features. Often they are used to keep the network location of the send server as confidential as possible. But the Debian project's interest stems from the fact that they provide confidentiality and integrity, without relying on a central certificate authority.

when users connect to [our] onion service […] they can be certain that their connection […] cannot be read or modified […] and that the website that they are visiting is indeed the Debian website. In a sense, this is similar to what using HTTPS provides. However, crucially, onion services do not rely on third-party certification authorities (CAs). Instead, the onion service name cryptographically authenticates its cryptographic key.

In a world where states are increasingly likely to try and MITM their own citizens, and corporations have business models that rely on various degrees of spying, we need such robust mechanisms for ensuring that the software we rely on has not been subverted. The announcement explicitly notes the connection to software freedom, saying:

The freedom to use open source software may be compromised when access to that software is monitored, logged, limited, prevented, or prohibited. As a community, we acknowledge that users should not feel that their every action is trackable or observable by others.

By sending more data to hidden services, Debian also supports the principle of anonymous communication. Were the Tor network only to contain speech by political dissidents, drug dealers and other unsavoury sorts, as authoritarian propagandists are desperate to claim, then it would be far easier politically to ban Tor, or treat all users as criminals. Sending diverse traffic over Tor means that the network functions as infrastructure, making it too useful to simply legislate out of existence.


In order to start using hidden service versions of the repositories you first have to install apt-transport-tor thus

$ sudo aptitude install apt-transport-tor

Then you modify /etc/apt/sources-list using the new onion addresses and tor+http instead of just http

deb tor+http://vwakviie2ienjx6t.onion/debian jessie main deb tor+http://vwakviie2ienjx6t.onion/debian jessie-updates main deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security jessie/updates main

Now when you aptitude update, the package data will be pulled from the onion services.

I’ve found the performance to be acceptable in my early tests. Most servers I run are using unattended upgrades; slow connections are unlikely to be a major problem for that use case.


  • Be respectful. You may want to read the comment guidelines before posting.
  • You can use Markdown syntax to format your comments. You can only use level 5 and 6 headings.
  • You can add class="your language" to code blocks to help highlight.js highlight them correctly.

Privacy note: This form will forward your IP address, user agent and referrer to the Akismet, StopForumSpam and Botscout spam filtering services. I don’t log these details. Those services will. I do log everything you type into the form. Full privacy statement.