Torify apt-get traffic
It is recommended to torrify APT's traffic on the host for several reasons:
- Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
- System updates leak sensitive security information like package versions and the varying patch levels. This information aids targeted attacks.
Follow the instructions below to torify APT traffic in Debian. 
Other URL Configurations
Alternatively, the tor+http:// URL scheme is possible. apt-transport-tor can also be combined with apt-transport-https, leading to the tor+https:// URL scheme. 
Note that changing
http.debian.net picks a mirror near to whichever Tor exit node is being used. Throughput is surprisingly fast.  Also be aware that all public-facing debian.org FTP services were shut down on November 1, 2017. 
Debian URLs can also be pointed to the available onion services
http://sgvtcaew4bxjd7ln.onion. This is the most secure option, as no package metadata ever leaves Tor.    This URL scheme also protects from system compromise in the event APT has a critical security bug. The following entries should work in the sources list:
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main deb tor+http://vwakviie2ienjx6t.onion/debian stretch-updates main deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main #deb tor+http://vwakviie2ienjx6t.onion/debian stretch-backports main
- ftp://ftp.debian.org and ftp://security.debian.org