Using Debian Apt-get over Freenet

Although its reputation suggests the contrary, Freenet does have many mirroring uses.

Freenet has generated a lot of hype for being the “son of Napster” or some equally degrading report. For Freenet to survive, it needs to get away from being just another way to get illegal MP3s. In legal terms, Freenet needs “massive non-infringing use”. Sorry, but getting the latest copy of Quake doesn't count as non-infringing.

This article describes a use for Freenet that few will find a problem with (unless you use an RPM-based distro, to which I say “Get a real package manager!”). It also once again illustrates the power of small, flexible tools that do one thing and do it well.

I Want My .debs!

As a Debian user who often uses my distribution of choice in production environments, I am confronted with problems in choosing mirror FTP sites from which to download new packages. Sometimes a mirror site is already overloaded with users, sometimes it isn't holding the packages I need and still other times it fails completely. I could resort to using the official, but that's not very polite. It would be nice if I didn't have to think about any of this.

Fortunately, the creators of Freenet have given me an answer and didn't even realize it at first. While Freenet has much to do with anonymity, it also provides a highly efficient mirroring system that no centralized system could hope to achieve.

The system described in this article requires no new code for either Freenet or Apt-get. It employs a standard user interface add-in for Freenet called FProxy, which originally was intended for the user to access Freenet through a web browser. Since it communicates with the browser via HTTP, and Apt-get already understands how to talk HTTP, this process only requires running a few simple commands and modifying the /etc/apt/sources.list.

Before proceeding, be sure to download the latest version of Freenet ( as of this writing, although it will probably change by the time you read this) from Set up a node on your local machine and use some test files to insert and request. Open your favorite browser and point it to http://localhost:8081. If it brings up a page for requesting and inserting files, everything should be set up correctly. Be warned that it may take a while for FProxy to come up, depending on the speed of your machine and which Java Virtual Machine you're running.

On a side note, you can get a Debian package that installs Freenet for you. It is available either at the web site above or in Debian unstable. Unfortunately, due to a buggy implementation of the big number classes, Freenet cannot work on the current version of Kaffe (1.0.6), and thus it can only run on a non-Free virtual machine; you'll find it in “contrib”. If you have a problem with this, you can use a patched version of Kaffe, use the latest CVS version of Kaffe or wait until the next stable version arrives. Current plans are to make future releases of Freenet compilable with GCJ, which compiles Java code into native machine code, bypassing the problem of a non-Free VM completely.

In case you were wondering, Freenet makes rather heavy use of strong cryptography, so you'll find it in the non-US area, too. Edit your sources.list as needed.

What to Do

FProxy was meant to be the default user interface for Freenet. Although it is not a full proxy server, it communicates with the browser through HTTP (this is what was shown earlier when you opened up your browser to http://localhost:8081). Because Apt-get already understands HTTP, getting packages from Freenet turns out to be quite simple.

Before going any further, make a backup of your current /etc/apt/sources.list. I didn't do this the first time, and it took a few annoying hours to get that system to download packages correctly again.

Now, add this line to the real sources.list:

deb http://localhost:8081/debian-test/dists stable

For more information, see the sources.list(5) man page. You'll need to modify http://localhost:8081 to reflect the port on which FProxy is running. This port is set in the configuration file .freenetrc, located in the top-level directory in which the Freenet tarball was decompressed. If you used the Debian package, it will be in /etc/freenet/freenetrc.

You also need to add application/x-debian-package to FProxy's passthroughMimeTypes. This will be in fproxyrc (prior to or you can find it in freenetrc under services.fproxy.passthroughMimeTypes.

Next, go to a Debian mirror and download (from the directory /debian/dists/stable/main/binary-<your-arch>/, replacing <your-arch> as necessary) Packages, Packages.gz and Release. Insert all of these (see below). Now download the “hello” package from the devel directory on the Debian mirror and insert that too, being sure to place it under exactly the same name. Now you should be able to run apt-get update (which will download the Packages file off your node) and then apt-get install hello, which will download and install the GNU Hello program. If it worked, congratulations! You can now get packages off Freenet.

To insert these packages, first you will need to create an SVK key pair. This allows you to insert into a subspace that only someone with the private key can insert into. To do this, enter

freenet_insert -makeKeypair &> keypair.svk

Now, open up keypair.svk in your favorite text editor and delete everything except the value of the private key, and save the result into prv.svk. You now can insert with:

freenet_insert -serverAddress<port> SSK@`cat prv.svk`/<dir>/<filename>

replacing <port> with the port number your Freenet node is running on, <dir> with the “directory” (Freenet doesn't really have directories, but we can pretend it does) that you want to insert under and <filename> with the name of the file. You can retrieve the document by going back into keypair.svk, deleting everything except the value of the public key and saving it under pub.svk. Then type

freenet_request -serverAddress<port> SSK@`cat pub.svk`/<dir>/<filename> <filename>

replacing things as described above. You can allow others to access these files by sending them the public key.

This method avoids a problem that arises with a simpler, guessable key type called KSK, which is actually a subspace where the private key is publicly known. The problem is, there is no way of knowing if a KSK actually has the data it's supposed to. Thus, it can be replaced by an attacker inserting a different document at a hops-to-live value of 1 and cutting the link before the transmission to the next node is done. Doing this enough times will replace the document completely for the majority of Freenet. This means that it would be easy to replace, say, the libc6 package with a virus. Think about how packages generally have to be installed as root, and you see what kind of damage this could do. Even with a subspace, it is strongly suggested that you check the MD5 sums of the packages you're downloading.
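
The checksum check recommended above, as an added example (not code from the original article): it parses a Debian Packages index and compares a downloaded .deb against its Size and MD5sum fields, and SHA256 where the index carries one. The sample package bytes and index stanza are constructed, and the function names are hypothetical; take the index from a source you trust independently of the Freenet key, since an index fetched under a replaced key would vouch for a replaced package.

```python
import hashlib
import re

def parse_packages(text):
    """Parse a Debian Packages index into {package name: {field: value}}."""
    index = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:   # continuation of the previous field
                fields[key] += "\n" + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        if "Package" in fields:
            index[fields["Package"]] = fields
    return index

def verify_deb(data, entry):
    """Return the index fields that the downloaded bytes fail to match ([] = match)."""
    problems = []
    if not entry.get("Size", "").isdigit() or len(data) != int(entry["Size"]):
        problems.append("Size")
    checked = 0
    for field, algo in (("MD5sum", "md5"), ("SHA256", "sha256")):
        if field in entry:
            checked += 1
            if hashlib.new(algo, data).hexdigest() != entry[field].lower():
                problems.append(field)
    if checked == 0:   # an entry without any digest proves nothing
        problems.append("no checksum in index")
    return problems

# Constructed sample: stand-in bytes for a fetched package and its index stanza.
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for the hello package\n"
SAMPLE_INDEX = (
    "Package: hello\n"
    "Version: 0.0-constructed\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"MD5sum: {hashlib.md5(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed entry\n"
    " second line of the description\n"
)

if __name__ == "__main__":
    entry = parse_packages(SAMPLE_INDEX)["hello"]
    print("intact:  ", verify_deb(SAMPLE_DEB, entry) or "ok")
    print("tampered:", verify_deb(SAMPLE_DEB[:-1] + b"X", entry))
```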

The Everything Over Freenet (EOF) Project keeps a list of currently maintained distributions that are under subspaces, which cannot be taken over without knowing the private key associated. Subspaces are slightly more complicated to use but infinitely safer. Please see for instructions on this.

