I2p not available in bookworm

Problem Description
plinth/apps/i2p Installation: i2p page says, “This application is not available in your distribution.”

Are we missing i2p-router package in bookworm? If so, is there a workaround to this while still having the application controlled by FreedomBox (maybe an out-of-process install of i2p-router)?
Instructions for this are at geti2p.net

Steps to Reproduce

  1. Start with frequent-feature update/advanced apps and features enabled Bookworm FreedomBox having i2p installed via plinth (since buster)
  2. do sudo apt install -t bookworm-backports freedombox to correct automatic updates to freedombox
  3. do rerun setup on i2p from plinth
  4. do Uninstall on i2p from plinth
  5. intending to install i2p anew I now see the, “This application is not currently available in your distribution.” message. Surprise! :disappointed:

Expected Results
I expected the application to be available for installation after uninstalling the application. Sadly, it is not.

Actual results
The plinth/apps/i2p page tells me:

This application is currently not available in your distribution.

Screenshot

Information

  • FreedomBox version: You are running Debian GNU/Linux 12 (bookworm) and FreedomBox version 23.16. FreedomBox is up to date.
  • Hardware: intel Atom PC uname -a: Linux fbhostname 6.1.0-11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4 (2023-08-08) x86_64 GNU/Linux
  • How did you install FreedomBox?:
    • netinst debian buster
    • DEBIAN_FRONTEND=noninteractive apt install freedombox -y
    • unattended upgrade to bullseye
    • upgrade to bookworm

Additional Troubleshooting
The installation issue for i2pd does not appear to be an unresolved dependency. i2p-router package doesn’t seem to be in bookworm, however.

apt search i2p-router gives:

Sorting… Done
Full Text Search… Done

apt search i2p gives:

i2pd/stable 2.45.1-1 amd64
Full-featured C++ implementation of I2P client

aptitude shows dependency issues with i2pd installation. Bookworm distribution packages for libboost-filesystem, libboost-program-options, and libminiupnpc all appear to satisfy the install dependencies for i2pd.

There’s an open Debian bug on i2p for a security issue: “Attackers can de-anonymize i2p hidden services with a message replay attack” that probably led to removal from testing before testing became bookworm.

2 Likes

Thanks for checking bugs. It looks like a FreedomBox users hosting eepsites are at risk. It is not clear to me from reading these whether http/https proxies or i2psnark are at risk. http(s) and i2psnark are not eepsites.

CVE-2023-36325: Attackers can de-anonymize i2p hidden services with a message replay attack synopsis:

If you host eepsites with Java i2p and are running older than i2p 2.3.0, update it as soon as possible.

Users of i2pd are not affected.

Debian Security Tracker for i2p synopsis:

Attackers can de-anonymize i2p hidden services with a message replay attack