DNF: increase anonymity for users in totalitarian countries

Hi all!

DNF should make mirror list management easier.


> sudo dnf install torbrowser-launcher

DNF by default finds the nearest repository mirror and tries to download the necessary software.

Response in my situation

Downloading Packages:
[MIRROR] python3-pyqt5-sip-12.11.1-1.fc38.x86_64.rpm: Status code: 404 for http://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/p/python3-pyqt5-sip-12.11.1-1.fc38.x86_64.rpm (IP:
[MIRROR] torsocks-2.4.0-4.fc38.x86_64.rpm: Status code: 404 for http://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/t/torsocks-2.4.0-4.fc38.x86_64.rpm (IP:
[MIRROR] torbrowser-launcher-0.3.6-3.fc38.noarch.rpm: Status code: 404 for http://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/t/torbrowser-launcher-0.3.6-3.fc38.noarch.rpm (IP:
[MIRROR] python3-pyqt5-sip-12.11.1-1.fc38.x86_64.rpm: Status code: 404 for https://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/p/python3-pyqt5-sip-12.11.1-1.fc38.x86_64.rpm (IP:
[MIRROR] torsocks-2.4.0-4.fc38.x86_64.rpm: Status code: 404 for https://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/t/torsocks-2.4.0-4.fc38.x86_64.rpm (IP:
[MIRROR] torbrowser-launcher-0.3.6-3.fc38.noarch.rpm: Status code: 404 for https://mirror.yandex.ru/fedora/linux/releases/38/Everything/x86_64/os/Packages/t/torbrowser-launcher-0.3.6-3.fc38.noarch.rpm (IP:

As you can see 404 actually means Tor browser is banned in Russia, and you now blacklisted
All IT giants in Russia are under the complete control of the Kremlin. Now (yandex==kremlin) knows about my search in the repository.

I suggest:

Make it easier to include/exclude some mirrors from DNF searches, for example:
> sudo dnf --repolocation=europe install some_package
The --repolocation flag is simple and convenient for all options.
Yes, we do not have fast response and loading speed, but we increase anonymity for users.

Thank you!

You can file a ticket against the problematic mirror for content filtering:

The issue should be resolved when the mirror is removed from the public mirror list.

1 Like

I’m sorry!

I didn’t describe the situation well and what exactly the problem was. There is no need to remove a convenient and nearby repository from the list of mirrors.Because other packages and programs that are not prohibited in Russia are installed quickly from the same Yandex.

My point was that there are situations in which it is vital to temporarily exclude some repositories from searching and installing applications using DNF.

I suggest using a flag for this, for example --repolocation, which will allow you to exclude some repositories from the list of used mirrors at a time, for user safety purposes.

>sudo dnf --repolocation=usa install some_package

--repolocation=usa means that installation (search) will occur according to the list of repositories located in the USA. This will guarantee the user that the local totalitarian authorities will not be able to see what the user is searching for and what packages he is installing! If this flag is not present, then the installation (search) will take place on the usual list of mirror repositories.

I appeal to the DNF developers, please make changes to the way DNF works! Add a flag to make it easier to filter the list of repositories while using DNF.

1 Like


It would make sense to eventually build an option into the DNF client to automatically leverage the TOR network, as well as something on the repo end. The only issue is that it would get Fedora into some serious legal hot water if they shipped it. It would have to be a package added later from like rpmfusion, or some 3rd party distro based on Fedora.

I could be wrong, but instead of the lack of those packages, it seems that the mirror is somewhat broken?


There is only Fedora 26. And this is the http site.

While in the https site, I can find tor stuff

Indeed it would sound strange that Fedora allow a mirror to arbitrarily remove packages.

The mirror does not host the packages because doing so might be illegal in Russia. The user’s issue is that he’s worried that simply attempting to download them might be flagged and considered suspicious activity. Hence the proposal to have an option to fake your location so you get non-Russian mirrors, which presumably would be less likely to be compelled to log “suspicious activity” on behalf of the Russian government (and more likely to have the packages).

I get the idea, I’m not sure how practical it would be to implement.

1 Like

But such mirror actually hosts such packages.



I doubt that would be sufficient.
While that would allow you to install it without getting flagged, as
soon as there will be an update in the metadata, dnf will try to
download the update, and then you will get flagged.

I can see some options:
Teach dnf to download some packages only from certain mirrors, which
will be quite some work, and might be tricky to set up for all users.

The other option would be to simply select a specific mirror for all
your queries, rather then querying the mirror manager.

A slight upgrade would be to teach mirror manager to accept a location
argument. This could be used, to implement option 1 in dnf.

Generally, I would recommend to not use mirrors in a totalitarian
country, if you have the option. Any package you may install may be now
or in the future seen as unacceptable. And that may well just be a
dependency you did not notice while installing.


You could achieve something quite close to this with today’s dnf using excludepkgs and includepkgs. Add a line in the definition of the fedora repository in /etc/yum.repos.d/fedora.repo saying excludepkgs=tor … (list all sensitive packages). Then create a new configuration file in /etc/yum.repos.d where you define a repository called, say, fedora-freeworld where you point to a safe mirror using a baseurl rather than the metalink in the regular repository’s definition. In this new repository you use includepkgs pointing to an identical list you used for excludepkgs above.

Repeat for the updates repository, and any testing, source, or debuginfo repositories you want to use.

See man dnf.conf for details.


Thank you for spending your time and finding the best solution for me and many people in the world!