Hi there,
On 19. Nov 2025, at 10:50, Matt Connor via tor-relays <tor-relays@lists.torproject.org> wrote:
I've noticed the same. The challenge I have is that the Fedora packages are updated several days after the official release. So that makes it difficult to stay current with security updates, unless I want to venture out and start compiling them (which I'd prefer not to).
For example, tor-0.4.8.20 was announced on November 11, yet the rpm didn't get uploaded until November 15.
Announcement: https://forum.torproject.org/t/stable-release-0-4-8-20/20781
Fedora repo: https://rpm.torproject.org/fedora/43/x86_64/
On Wed, Nov 19, 2025 at 1:39 AM Chris Enkidu-6 via tor-relays <tor-relays@lists.torproject.org> wrote:
Understood. I guess my point is that servers shouldn't be flagged when the new version is one day old. If it's a serious security issue, then I expect to see some sort of an announcement on this mailing list because I may go for weeks and never look at my flags on the web. The original email in this thread was the only reason I realized it. If I see the average network traffic that I expect, I simply move on and update my servers once a month.
I'm one of the people responsible for flagging old versions as a dirauth operator. Please do not treat this flagging as anything more than a friendly nudge to update. If there are more serious issues or the version is so outdated that it isn't maintained anymore at all, we can exclude the relays from the consensus as a more drastic measure. Ideally, your distribution updates quickly, you notice that automatically, and then apply the update soon.
Cheers
Sebastian