Hi!  I stumbled across this bug, and it looked like there were a
couple of issues with the previous version of the patch:

- mentioned "sockproxy" instead of "torsocks" in one place
- disabling SMTP relied on USETOR=yes, but the torify function assumed
"always/auto/no"

So I've updated the patch against the latest git, and changed it to use
the "yes/maybe/no" convention.  For completeness, I've added a FAQ
entry mentioning version 1.65, and attached /var/log/popularity-contest
after (hopefully) submitting it through tor (there was no gpg
extension, because it got moved to POPCONOLD).

Technically I've not done further testing on this beyond running it a
few times, and I haven't checked for DNS leaks etc. via wireshark, so
"caveat emp-tor", so to speak?

Kind regards,

-- 
Tim Retout <dioc...@debian.org>
diff --git a/FAQ b/FAQ
index bc76ffa..021717d 100644
--- a/FAQ
+++ b/FAQ
@@ -25,6 +25,14 @@ A) Yes, however if the package gnupg is installed and ENCRYPT is set to 'maybe'
    public key cryptography, so the eavesdropper should not be able to decrypt
    them. The default is 'maybe' with popularity-contest 1.60.
 
+   Encrypting popcon submissions still reveals that a particular host
+   is running Debian or a derivative; and the administrators of the
+   popcon server can associate submissions with a source IP address.
+   To prevent this, if USETOR is set to 'maybe' or 'yes', and if the
+   'tor' and 'torsocks' packages are installed, the submission will be
+   made over Tor.  The default is 'maybe' with popularity-contest
+   1.65, so Tor will be used if available.
+
 Q) What are the privacy considerations for popularity-contest ?
 
 A) Each popularity-contest host is identified by a random 128bit uuid
diff --git a/debian/control b/debian/control
index a300056..c30eb23 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Architecture: all
 Pre-Depends: debconf (>= 1.5.34) | cdebconf (>= 0.106)
 Depends: ${misc:Depends}, ${perl:Depends}, dpkg (>= 1.10)
 Recommends: gnupg, cron | cron-daemon, exim4 | mail-transport-agent
-Suggests: anacron
+Suggests: anacron, tor, torsocks
 Provides: popcon
 Description: Vote for your favourite packages automatically
  The popularity-contest package sets up a cron job that will
diff --git a/debian/cron.daily b/debian/cron.daily
index a3a92ef..4e19240 100644
--- a/debian/cron.daily
+++ b/debian/cron.daily
@@ -14,8 +14,39 @@ unset MY_HOSTID
 unset PARTICIPATE
 unset SUBMITURLS
 unset USEHTTP
+unset USETOR
 unset MTAOPS
 
+TORIFY_PATH=/usr/bin/torify
+
+torify_enabled() {
+    # Return 1 to enable torify for HTTP submission, otherwise 0; exit on error
+    TORSOCKS_PATH=/usr/bin/torsocks
+    [ -f "$TORIFY_PATH" ] && [ -f "$TORSOCKS_PATH" ] && TOR_AVAILABLE=1
+
+    case "$USETOR" in
+        "yes")
+            if [ -z $TOR_AVAILABLE ]; then
+                echo "popularity-contest: USETOR is set but torify is not available." 2>&1
+                echo "popularity-contest: Please install the tor and torsocks packages." 2>&1
+                exit 1
+            fi
+            if [ "yes" != "$USEHTTP" ]; then
+                echo "popularity-contest: when USETOR is set USEHTTP must be set as well" 2>&1
+                exit 1
+            fi
+            return 0
+        ;;
+        "maybe")
+            [ "yes" = "$USEHTTP" ] && [ ! -z $TOR_AVAILABLE ] && return 0
+            return 1
+        ;;
+        "no")
+            return 1
+        ;;
+    esac
+}
+
 # get configuration information
 . /usr/share/popularity-contest/default.conf
 . /etc/popularity-contest.conf
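Review bot: The `case` in `torify_enabled` has no `*)` branch, so a USETOR value other than yes/maybe/no (a typo, or the older "always/auto" spelling) matches nothing and the function returns the `case` status, which is 0. Tor is then treated as enabled without the availability or USEHTTP checks, and if torify is missing the upload fails and the script can fall back to mail outside Tor. I would fail closed with `*) echo "popularity-contest: unsupported USETOR value '$USETOR'" >&2; exit 1 ;;`. The header comment is also inverted relative to the code and should read `# Return 0 to enable torify for HTTP submission, otherwise 1; exit on error`. The three `echo ... 2>&1` lines leave the messages on stdout and should use `>&2`, and `TOR_AVAILABLE` is tested unquoted and never cleared, so it should be reset with `TOR_AVAILABLE=` before the `-f` tests.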
@@ -33,6 +64,14 @@ if [ -z "$MAILTO" ] && [ "yes" != "$USEHTTP" ]; then exit 0; fi
 # don't run if PARTICIPATE is "no" or unset!
 if [ "$PARTICIPATE" = "no" ] || [ -z "$PARTICIPATE" ]; then exit 0; fi
 
+# enable torify
+if torify_enabled; then
+    TORIFY=$TORIFY_PATH
+else
+    TORIFY=''
+fi
+
+
 if [ -n "$HTTP_PROXY" ]; then
   export http_proxy="$HTTP_PROXY";
 fi
@@ -106,7 +145,7 @@ SUBMITTED=no
 # try to post the report through http POST
 if [ "$SUBMITURLS" ] && [ "yes" = "$USEHTTP" ]; then
     for URL in $SUBMITURLS ; do
-	if setsid /usr/share/popularity-contest/popcon-upload \
+	if setsid $TORIFY /usr/share/popularity-contest/popcon-upload \
 	    -u $URL -f $POPCON 2>/dev/null ; then
 		SUBMITTED=yes
 	else
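Review bot: Failures of the torified upload are invisible at this call, because `2>/dev/null` now also discards torify/torsocks errors, and `torify_enabled` only checks that the two binaries exist, not that the tor daemon is running. With USETOR=yes the report is then silently never submitted, and with USETOR=maybe the script carries on to the mail fallback. I would add a comment above the call such as `# $TORIFY is empty or /usr/bin/torify; left unquoted so an empty value vanishes`, and print a message on stderr when USETOR is yes and the upload fails. Since the author notes that DNS leaks were not checked, that should be verified before `maybe` becomes the default. The `if`/`else` continues outside this hunk, so what the else branch reports is not visible here.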
@@ -116,8 +155,9 @@ if [ "$SUBMITURLS" ] && [ "yes" = "$USEHTTP" ]; then
 fi
 
 # try to email the popularity contest data
+# skip emailing if USETOR is set
 
-if [ "$MODE" = "--crond" ] && [ yes != "$SUBMITTED" ] && [ "$MAILTO" ]; then
+if [ "$MODE" = "--crond" ] && [ yes != "$SUBMITTED" ] && [ yes != "$USETOR" ] && [ "$MAILTO" ]; then
     if [ -x "`which sendmail 2>/dev/null`" ]; then
 	(
 	    if [ -n "$MAILFROM" ]; then
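Review bot: The added comment says mail is skipped "if USETOR is set", but the condition skips it only when USETOR is exactly `yes`. With the new default `maybe`, a failed HTTP submission still falls through to sendmail, which is not sent over Tor and so exposes the originating host that the FAQ entry says Tor hides. If that fallback is intended, the comment should say so: `# skip emailing only when USETOR is "yes"; with "maybe" a failed upload still falls back to mail, which is not sent over Tor`. If it is not intended, testing `[ -z "$TORIFY" ]` in place of `[ yes != "$USETOR" ]` would skip mail whenever Tor was actually selected. The `if` block continues past the end of the hunk.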
diff --git a/default.conf b/default.conf
index 773913d..ce87699 100644
--- a/default.conf
+++ b/default.conf
@@ -51,6 +51,16 @@ SUBMITURLS="http://popcon.debian.org/cgi-bin/popcon.cgi";
 # USEHTTP enables http reporting.   Set this to 'yes' to enable it.
 USEHTTP="yes"
 
+# USETOR enables using Tor to perform http reporting.
+# In order to use Tor also set USEHTTP to "yes" and ensure that the
+# "tor" and "torsocks" packages are installed and the tor daemon
+# is running. More information: https://www.torproject.org/
+# Supported values:
+#   yes: use Tor; exit with error if not available.
+#   maybe: use Tor if available.
+#   no: do not use Tor.
+USETOR="maybe"
+
 # HTTP_PROXY allows to specify an HTTP proxy server, the syntax is
 # HTTP_PROXY="http://proxy:port";. This overrides the environment
 # variable http_proxy.

Attachment: popularity-contest
Description: Binary data
