Element-web: Debian/Ubuntu repository appears to block Tor users sometimes

Description

Running apt over Tor sometimes results in 403 Forbidden or other errors. I think this is caused by CloudFlare getting suspicious and wanting to confirm that apt is a human, which is not the case. However I have been unable to confirm that this error results from CloudFlare, but this is the only repository I see this behaviour with.

Steps to reproduce

Install tor, apt-transport-tor and add tor+ in front of the repository address in the sources.list entry, e.g.:

% cat /etc/apt/sources.list.d/matrix-riot-im.list 
deb tor+https://riot.im/packages/debian/ bionic main

Sometimes this will result in mysterious errors during apt update such as:

...
Err:10 tor+https://riot.im/packages/debian bionic InRelease                     
  403  Forbidden [IP: 127.0.0.1 9050]     
...
Reading package lists... Done
E: Failed to fetch tor+https://riot.im/packages/debian/dists/bionic/InRelease  403  Forbidden [IP: 127.0.0.1 9050]
E: The repository 'tor+https://riot.im/packages/debian bionic InRelease' is no longer signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

OS: Ubuntu 18.04.1 LTS

Possible solutions:

• I think the best solution would be running Tor hidden service for Riot.im including this repository (like Debian does).
  
  
  
  • https://github.com/vector-im/riot-web/issues/6463#issuecomment-379265446
  
  
  • https://github.com/vector-im/riot-web/issues/6346#issuecomment-374072095 .
  
  
• Whitelist the T1/Tor country in CloudFlare Firewall access rules, see Does CloudFlare block Tor?
  
  
  
  • My understanding is that (D)DoS is not possible via Tor network as it would affect the network itself and there is already captcha even for clearnet users at points where it makes sense?