Onion site down for maintenance

unman · November 9, 2024, 2:00pm

I'm back online to find that the server hosting the Onion site is down
for maintenance.

Apologies for the lack of notice - I had notification but did not see it
until today.

fdhhjigf · November 10, 2024, 5:27pm

Right now, I can’t update any template. I use sys-whonix as update vm and onion repositories.
Issue is happening from at least 4-5 days.

tanky0u · November 10, 2024, 7:46pm

Updating templates is not relevant to the onion service of qubes-os.org webpage.

unman · November 11, 2024, 2:55am

It is as the onion repositories are in the same cluster as the onion web
site.
If you have enabled the onion repositories then updates over Tor will
fail, as stated.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

fdhhjigf · November 11, 2024, 3:07am

When it likely to be resolved?

unman · November 11, 2024, 3:20am

I believe later today.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

tanky0u · November 11, 2024, 6:20am

I wasn’t aware of the QubesOS update repository URL’s that use .onion hidden services. How do I enable those?

apparatus · November 11, 2024, 7:30am

You need to edit the repository config files, uncomment onion repos and comment out the clearnet repos.
For dom0 in /etc/yum.repos.d/qubes-* files.
For Fedora template in /etc/yum.repos.d/qubes-r4.repo file.
For Debian template in /etc/apt/sources.list.d/qubes-r4.list file.

fdhhjigf · November 11, 2024, 9:53am

There is no value of doing that right now, as I am only offline with my qubes laptop right now to avoid any attack surface due to no updates.

tanky0u · November 11, 2024, 10:51am

It’s still down. Looking forward to having it back online.

fdhhjigf · November 11, 2024, 6:48pm

Issue resolved.

tanky0u · November 13, 2024, 7:13pm

Are the onion URL links for checking if there is an update? Are they also used for downloading the update files?
This is confusing: on dom0, there is both /etc/yum.repos.d/qubes-dom0.repo file AND, /etc/qubes/repo-templates/qubes-templates.repo file. DO I comment/uncomment the clearnet/onion ones in BOTH these files in dom0?
What about the debian and whonix ones? Do I operate only on the /etc/apt/sources.list.d/qubes-r4.list file?
Is there an official documentation page on this, laying out the exact file names and the template names, or dom0, and perhaps giving the changed versions of these files for clearnet and onion configs?

ephile · November 13, 2024, 7:48pm

Onion links are to the full repos, so include downloads.
see (4) below
Onion repos are also available for Debian and Whonix. For Debian, visit onion.debian.org (onion site).
The Whonix wiki has some details on onionizing the Qubes repos (onion site).

tanky0u · November 13, 2024, 7:56pm

@ephile , regarding 3, I am confused. It seems like on dom0 there is /etc/qubes/repo-templates/qubes-templates.repo file. Is this also controlling the onion/clearnet update connection preference for the debian/fedora templates? If so, why am I also having to make changes on debian/fedora templates themselves?

ephile · November 13, 2024, 8:01pm

No, this file has repo information for community templates and the invisible things lab templates relevant to dom0. For individual debian and fedora templates you’ll have to edit the relevant files in each of those templates.

tanky0u · November 13, 2024, 8:03pm

Alright, I am reading the whonix wiki link you shared. It is quite helpful.

fdhhjigf · March 17, 2025, 4:27am

Onion mirrors are down for almost a week I think. Please give some updates @unman. When you are expecting them functional?

alimirjamali · March 17, 2025, 7:06am

Just a note that there are other Qubes OS .onion update mirrors available (in additional to the official Qubes OS mirror). The address for them could be found here:

Most of the .onion mirrors in the above list could be also used for updating. Not just downloading installation ISOs.

Updating via any of them should be technically safe as the packages are cryptographically signed and verified by the Distro package manager.

fdhhjigf · March 17, 2025, 7:15am

How to use these mirrors to update, can you elaborate?

alimirjamali · March 17, 2025, 7:32am

For yum/dnf based templates and dom0, you can edit /etc/yum.repos.d/qubes-r4.repo, then copy the lines with baseurl = http://yum.qubesosfasa4....onion ... in it and comment the old lines to have them (so you can revert back to them if you want). Then in the new lines, change the yum.....onion address to one of the .onion addresses in the official mirror list.

For apt/dpkg based templates (all but Whonix), the repo file is /etc/apt/sources.list.d/qubes-r4.list and the line are like:

deb [arch=amd64 signed-by=....gpg] tor+http://deb.qubesosfasa4...onion ....

And again, deb.qubesos...onion part should be replaced with one of the mirrors.

Similarly for Archlinux template, there is another one.

Disclaimer: Before doing that, wait a little for @unman to advise on security benefits/threats of updating over other .onion mirrors compared to waiting for a long time for official .onion mirror to be fixed (if it ever happens now or in future).