Bug 579612 - new overlay asking for inclusion: youbroketheinternet-overlay
Summary: new overlay asking for inclusion: youbroketheinternet-overlay
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Infrastructure
Classification: Unclassified
Component: Gentoo Overlays
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Overlays Project
Reported: 2016-04-11 12:38 UTC by ng0
Modified: 2016-07-19 12:43 UTC

Description ng0 2016-04-11 12:38:23 UTC
We are a group of people who started working on our overlay in July 2015.

The git url can be seen on http://www.psyced.org/download.html, we are using a hidden-service for authentication and not "location hidden service".

The git url is git://cheettyiapsyciew.onion/youbroketheinternet-overlay
however we have not tested to torify layman, but manually added it to the /etc/portage/repos.conf/layman file.

[youbroketheinternet]
priority = 50
location = /var/lib/layman/youbroketheinternet-overlay
layman-type = git
#sync-uri = git://cheettyiapsyciew.onion/youbroketheinternet-overlay
#auto-sync = No

If this works, or if a small instruction (like: git torify 'url', then add this and that to the file) can be included in the layman list, it would be great.

Currently we include the following software, some are only necessary forks to get along with our working guile-2, and I also started to try and get some of the ebuilds into portage:

├── dev-libs
│   └── openssl
├── dev-scheme
│   └── guile
├── maintainer-notes.org
├── media-libs
│   └── vid-stab
├── media-video
│   └── miro
├── metadata
│   └── layout.conf
├── net-im
│   ├── qtox
│   ├── ricochet
│   └── utox
├── net-libs
│   └── gnutls
├── net-misc
│   ├── gnunet
│   ├── gnunet-gtk
│   └── gnurl
├── net-p2p
│   ├── pybitmessage
│   └── retroshare
├── profiles
│   ├── package.mask
│   ├── repo_name
│   └── use.desc
├── README
├── sys-apps
│   ├── guix
│   └── guix-binary
├── www-client
│   ├── torbrowser
│   └── torbrowser-launcher
├── www-servers
│   └── onionshare


From our readme file (recently we also started integrating unique, own ebuilds):

youbroketheinternet-overlay
===========================

Overlay that borrows and adapts ebuilds from various sources and
republishes them via a secure authentication medium. Since all of
git, rsync and https protocols can be man in the middled, using
a self-authenticating onion is the way to go. Makes you nervous?
Why.. this is not about anonymity. All the known problems related
to onion services are about de-anonymization. There are no known
cases of authenticity failure, which is what we expect from this.

Please drop by 
    irc://loupsycedyglgamf.onion:67/youbroketheinternet
 or http://loupsycedyglgamf.onion/PSYC/?room=youbroketheinternet
 or torify telnet loupsycedyglgamf.onion + /c youbroketheinternet
for feedback and 'git pull' offers.

Git was intended for everyone to run their own little git server
and pull from each other. Git was NOT invented for centralized
commercial social networking clouds such as github! If you want
to submit a patch to this overlay, pass it in form of a textual
patch or make your copy of this git available on your own onion.
Github is not a safe infrastructure for a GNU Internet.
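
The README's claim that an onion name is self-authenticating can be checked mechanically. The sketch below is an added example, not code from the overlay, layman or Tor: it derives a version 2 (16-character) onion name from an RSA public key and rejects a substituted key. The key integers are constructed sample values rather than real RSA moduli, and all function names are hypothetical.

```python
import base64
import hashlib

def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(value):
    """DER INTEGER; the length always leaves room for a zero sign bit."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(body)) + body

def rsa_public_key_der(n, e=65537):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus, publicExponent }."""
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body

def onion_v2_address(pubkey_der):
    """v2 onion label: base32 of the first 80 bits of SHA-1 over the DER key."""
    digest = hashlib.sha1(pubkey_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()

def key_matches_onion(hostname, pubkey_der):
    """True only if the presented key hashes to the name the user asked for."""
    label = hostname.lower()
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    return label == onion_v2_address(pubkey_der)

def _sample_modulus(seed):
    # Constructed 1024-bit integer standing in for a modulus (not a real RSA key).
    raw = hashlib.sha256(seed).digest() * 4
    return int.from_bytes(raw, "big") | (1 << 1023) | 1

SERVICE_DER = rsa_public_key_der(_sample_modulus(b"constructed service key"))
SUBSTITUTE_DER = rsa_public_key_der(_sample_modulus(b"constructed substitute key"))
SERVICE_ONION = onion_v2_address(SERVICE_DER) + ".onion"

if __name__ == "__main__":
    print(SERVICE_ONION)
    print("service key accepted:", key_matches_onion(SERVICE_ONION, SERVICE_DER))
    print("substituted key accepted:", key_matches_onion(SERVICE_ONION, SUBSTITUTE_DER))
```

Version 2 names like the ones on this page truncate SHA-1 to 80 bits; current Tor releases only support version 3 names, which encode an ed25519 public key directly.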
Comment 1 ng0 2016-04-11 12:46:25 UTC
lynX says: it's also mentioned on http://youbroketheinternet.org/#overlay
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-04-11 15:49:18 UTC
@layman maintainers, do we support Tor-hosted overlays? I think not but want to confirm this.
Comment 3 ng0 2016-04-11 16:42:33 UTC
(In reply to Michał Górny from comment #2)
> @layman maintainers, do we support Tor-hosted overlays? I think not but want
> to confirm this.

In case you don't support it, could layman be extended to support adding tor hosted overlays? I have never looked at the source of layman, but maybe this is something which could be easily done.
Comment 4 Brian Dolbec (RETIRED) gentoo-dev 2016-04-11 17:50:21 UTC
I don't know enough about using tor to know one way or another whether layman supports it.  But as far as I know there has never been a tor overlay before.

Layman is very modular, so it is relatively easy to create a new overlay type, module and add it to the management system.
Comment 5 ng0 2016-04-11 18:49:56 UTC
Okay, thanks for the input again. I'll schedule this for myself starting in about a month to write a 'git-tor' module.
Comment 6 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-04-11 21:03:41 UTC
Another question is whether we really want Tor-hosted repositories on the official list. So far we've been working on making repositories more easily available. In particular, we were ensuring that repositories have https:// access so that people behind firewalls can reach them. Adding repositories that are normally inaccessible unless Tor is running kinda defeats the purpose of that.
Comment 7 ng0 2016-04-12 09:09:04 UTC
(In reply to Michał Górny from comment #6)
> Another question is whether we really want Tor-hosted repositories on the
> official list. So far we've been working on making repositories more easily
> available. In particular, we were ensuring that repositories have https://
> access so that people behind firewalls can reach them. Adding repositories
> that are normally inaccessible unless Tor is running kinda defeats the
> purpose of that.

Isn't this also the exact purpose of tor, enabling people who are behind restrictive firewalls to access services by bypassing these firewalls through (for example) routing tor traffic through ports 53, 80 or 443?

(if-not scenario I just thought of)
If an official list inclusion should not be possible, it would help when I will try and write the git-tor module for layman and be able to point layman to an additional overlay list, where ours could be included. If this could be endorsed as an unofficial list on overlay.g.o, it could appear in its own section.

I can understand if the reason for not considering to include is to think that .onion can change or go away all of a sudden, but there are some old .onion addresses. I have no idea about the age of ours as I was not the person who created it, but the domains run by lynX are reasonably old enough to trust that they don't disappear overnight.

I will relay messages from lynX later on to add to this.
Comment 8 ng0 2016-04-12 09:22:17 UTC
lynX   Michael: the problem with https is that it is only a little guarantee that you will receive the correct data that you are supposed to receive since it has become so easy to man in the middle X.509. Onions provide for better security. Also no specific change to layman is necessary. Users just call it with "torify" or configure their systems to support onions transparently. When they have no tor installed, the onion produces a harmless error. It is good that you are fading out plaintext git repositories since those are really trivial to hijack and inject malware.
Comment 9 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-05-23 13:20:22 UTC
I'm going to mark this CANTFIX. Please reopen when you either provide open access to the repository, or proper technical means for syncing it cleanly. If you go for the latter, I'd prefer if you did at least Portage and pkgcore sync modules (we need the latter since pkgcore is used to run repo-mirror-ci).
Comment 10 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-19 04:40:03 UTC
Reopening per https://github.com/gentoo/api-gentoo-org/pull/3
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2016-07-19 12:43:30 UTC
commit b4904a34e4ffec0a2aab2bb77d4237a634bd0943
Author: ng0 <ng0@we.make.ritual.n0.is>
Date:   Tue Jul 19 00:34:19 2016

    repositories: add youbroketheinternet, #579612