It happened: Now that I am an uploading DD for a few months I finally made my first upload of a package – mind you, not of apt, but of a package I declared my intend to "steal" from another person a few weeks ago on deity@ and later also in a bugreport (#835128).
The result is that apt-transport-tor which used to be maintained by Tim Retout as a modified copy of apt code is now maintained by the APT team (with him and me as uploaders) using the apt code directly via a few symlinks.
That brings along a bunch of changes which I mentioned in the list/bug as well, but for completeness:
- tor+https options consistently fall back to tor -> https -> http
- tor+http options consistently fall back to tor -> http
- socks5h isn't forced. It is just the default (and the only one which will work with (tor+)http at the moment; any with tor+https)
- a tor-proxy having apt-transport-tor as username & no password (default) will automatically pick a password based on the target host to get you in a new circuit for each host.
- the User-Agent isn't forced to an all-tor-users-have-the-same value. Especially with tor+http being our normal http I think its better to "hide" between other http users than saying straight that you are a tor user (even if the IP gives it away that you are).
- tor+https doesn't allow redirection to tor+http. We have this for a while for https -> http already (-tor "broke" it). I think if a user went as far as configuring a https source it should stay an https source or fail.
- http/https can be disabled to avoid accidentally adding such sources
- http will not try to connect to .onion domains (RFC7687) and the error hints at using tor+http
- the methods run as
root(like the rest of the apt methods)
I had tried a few times to get people to provide feedback, but there wasn't much. I guess this is good as it means nobody has any complains about it. We will see if that will change now that it is on its way to archive, buildds, mirrors and users: Brace for impact in any case!