More privacy when installing and upgrading packes from repo

I was taking a look into the sources list file and I found this:

  GNU nano 5.4                                                                                     sources.list                                                                                               
deb byzantium main

deb byzantium-updates main

deb byzantium-security main

Why not setup the repo’s server with onion address, then we install apt-transport-tor and use the repo with much more proivacy like what debian gives us:
In particular, once you have the apt-transport-tor package installed, the following entries should work in your sources list for a Debian system:

deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian buster main deb tor+http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion/debian buster-updates main deb tor+http://5ajw6aqf3ep7sijnscdzw77t7xq4xjpsy335yb2wiwgouo7yfxtjlmid.onion/debian-security buster/updates main

1 Like

It is my understanding that tor should not be used for large data transfers.

well define large, if it’s a few GB yes, a few MB it’s ok. Have been using on Debian with no problems, where there’s some big updates with 200-300MB, you just wait 5 minutes instead of 20seconds.
But the idea is adding this option for those who want it, like on Debian, having the to options then each user decides what to use.

1 Like

It’s because Tor network had long time not enough servers to run a lot of traffic. 2011 Tor had a capacity of 12.8Gbit/s, while 8Gbit/s where used in average (that means bad internet on prime time). This changed dramatically in last few years. 2019 it had a capacity of 184,64Gbit/s … 2.5 years later it had a capacity of 775Gbit/s and a usage of 275Gbit/s. I don’t think that updating PureOS via Tor is a problem for Tor. It just takes some time longer. My source is the German Wikipedia (the English one had not the information).

I’m just not sure if that makes so much sense for privacy at all. But that’s not to me to rate that.


Interesting stats, thanks

Why don’t you think it is better that government / ISP / hackers would know you’re downloading some packets for your mobile OS (don’t even know which are exact) than the fact you’re using Tor?

(e. g. in Russia, you would go to jail for Tor, it is violation of law.)

Tor can be used for transferring large amounts of data, but it will be slow; this is an option when downloading template updates with Qubes OS.

Just to be clear, I was not writing about the feasibility of large data transfers over tor, but whether that constituted abuse. I was unaware that tor capacity is now multiples of average use. The principle remains and there should be more consideration given than whether it will be fast enough.

I concede that OS updates short of installing all of gnome are probably OK.

1 Like

It does not constitute abuse: see here for an Abuse FAQ.

If you want a broad overview of how much traffic the Tor network can concurrently sustain, here is another link.

If you or anyone else have any more Tor-related questions, I can answer them in this thread, a separate thread, or on the Tor Project Forum.

1 Like

The OP makes clear …

adding this option for those who want it, like on Debian; having the two options then each user decides what to use

It’s a choice. Granted that in your country one choice might be wiser than the other.

1 Like

For those looking to circumvent censorship in Russia using Tor, here is a detailed guide in Russian and English.


Quoted from this link, which I will assume is blocked in Russia until following the steps mentioned above.

For those in an uncensored country looking to assist in Tor censorship circumvention in Russia, the easiest method is to install the Snowflake web extension to deploy a Snowflake proxy within your browser, which I have already done using Firefox ESR for my Librem 5 USA and Librem 14.


Another approach to hide which packets are downloaded could be to run an apt mirror on a server in the local network which can download all packets in advance. Now upgrading your packets on PureOS devices will be done inside your local network and not via internet. This could also speed up the upgrade process.

Also the connection to PureOS’s repos are protected by TLS. An attacker sees that you connect to those repos and can deduce that you are using PureOS. But the attacker does not see plainly which packets are being transferred. Also it might be possible to do some clever analysis to gain more detailed information.

1 Like

One can also setup a relay to help the network. A non-exit would not be a problem, by the way if you have a an android or degoogled android, you can run a non exit relay with orbot app.

Yes, I was going to install it on one of my VPSs. Unfortunately, at the time, the software version was not compatible.

I have only static IP addresses though so not ideal for the purpose anyway, since an authoritarian country can easily block that small number of IP addresses permanently. That’s why Snowflake service is best offered by vast numbers of individuals with dynamic IP addresses - hence the metaphorical name.

We all know that you can always circumvent censorship in any country that is connected to the internet, using TOR or other technology. The problem is that you can’t necessarily circumvent a bullet in the back of the head, or such other more exotic or more subtle means as the Russian authorities might choose.

One solution would be to just install mobian on my L5.

1 Like