Securedrop-admin setup attempting to download old tor-experimental packages


#1

Hello SecureDrop folks. I am building out a new installation of SecureDrop. Everything was going great until I reached https://docs.securedrop.org/en/release-0.9/install.html, and ran securedrop-admin setup from the admin workstation. I can see repeated connection attempts to a few different .onion addresses to download tor-experimental-0.3.4.x-stretch packages. I thought maybe it was some sort of network issue, but if I navigate to any of those URLs (for example, http://sdscoq7snqtznauu.onion/torproject.org), there are no tor-experimental-0.3.4.x files. It appears they’ve been replaced with tor-experimental-0.3.5.x files. Examining the securedrop-admin file, I don’t see any references to 0.3.4.x. Has anyone run across this issue?


#2

Hi arc,

I’m trying to reproduce this error now - what version of Tails are you running on the admin workstation?


#3

Thanks kog. 3.9

I actually just figured this out. This file /etc/apt/sources.list.d/torproject.list had a reference to tor-experimental-0.3.4.x-stretch in it (tor-experimental-0.3.4.x-stretch doesn’t exist anymore at any of the .onion endpoints). I edited the file (sudo nano), changing the 0.3.4.x to 0.3.5.x and re-ran securedrop-admin setup. Perfect.


#4

Yup, this is apparently a Tails 3.9 problem. Gonna test a bit more but chances are the final fix will be to move to 0.3.4 stable rather than 0.3.5-experimental.


#5

Thanks for pointing out we should probably avoid 0.3.5-experimental for now. I re-created the admin workstation USB stick, and then when editing torproject.list, I simply commented out the line referencing tor-experimental-0.3.4.x-stretch. The preceding line referenced the stretch folder which contains the stable version. The two lines seem to be redundant. I commented out the second line:

deb tor+http://sdscoq7snqtznauu.onion/torproject.org/ stretch main
# deb tor+http://sdscoq7snqtznauu.onion/torproject.org/ tor-experimental-0.3.4.x-stretch main

securedrop-admin setup ran without a hitch.


#6

Thanks for the report back here @arc, glad to hear it’s working.

We’re tracking here for any other users that are experiencing this issue: https://github.com/freedomofpress/securedrop/issues/3827


#7

For anyone interested/affected, there’s now a blog post covering this issue and the recommended workaround here: https://securedrop.org/news/advisory-installationworkstation-update-failure-tails-39/ .