[tor-bugs] #26848 [Core Tor/sbws]: Create Debian package for sbws

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jul 19 17:50:24 UTC 2018


#26848: Create Debian package for sbws
---------------------------+-------------------------------------
 Reporter:  juga           |          Owner:  juga
     Type:  defect         |         Status:  assigned
 Priority:  Medium         |      Milestone:  sbws 1.0 (MVP must)
Component:  Core Tor/sbws  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:  #25925         |         Points:
 Reviewer:                 |        Sponsor:
---------------------------+-------------------------------------

Comment (by irl):

 Replying to [comment:6 dkg]:
 > irl, i can't tell if you're "really not convinced it's a good idea" or
 > if you're "really convinced it's not a good idea". :)

 I'm not sure yet.

 > having a debian package can help for identifying problems, for system
 > integration, and for ease of updates.

 Not all are Debian though. We should be identifying problems with good
 test suites.

 > If there's a real concern about people measuring the network who
 > shouldn't be, then i'm not sure that the presence of software in the
 > debian repository or not is going to stop any even mildly interested
 > actor.  If you want to ensure that only "the right" people run sbws, you
 > could have the dedicated debian system service do some sort of
 > verification that it is on a host that is "acceptable", and then decline
 > to run unless the administrator overrides it, but that seems like a lot of
 > work to put in to an antifeature in free software.

 I'm thinking of people installing it by accident. Relay operators that are
 looking for nyx may see "Tor Bandwidth Scanner" and think that is what
 they're looking for.

 > as for the cadence of uploads to stable-backports -- packages with a
 > passing [DEP-8 autopkgtest testsuite](https://dep-team.pages.debian.net/deps/dep8/)
 > and no outstanding RC bugs can
 > [migrate from unstable to testing in less time](https://lists.debian.org/debian-devel-announce/2018/05/msg00001.html),
 > which allows for an upload to stretch-backports faster.  It also means
 > that we can rely on debian's testing infrastructure to verify basic
 > package functionality on minimal systems.  taking advantage of that
 > continuous integration infrastructure seems like a good idea regardless
 > of the package migration times.

 Ah ok, that's a new thing I did not know about. (: I'll withdraw that
 objection.

 Replying to [comment:7 juga]:
 > >  Creating the structure of a Debian package and building a
 > >  policy-compliant package is a great idea and would make deployment
 > >  easier, as long as the dirauths are running Debian which at least
 > >  dannenberg and maatuska are not.
 >
 > the majority are running Debian.

 Do we plan to mandate that dirauths run Debian if they are to have
 bandwidth scanners?

 > i share this concern seems months when i first thought to do this. But:
 > 1. in theory anyone could have been running torflow (just a bit harder
 > to install) for 6 years

 I'm not thinking so much about people running it maliciously, but
 accidentally and then forgetting about it. This could become a cumulative
 problem over time.

 > >  You could just do this anyway, and have the dirauths fetch the code
 > >  from here? This would work for all platforms then.
 >
 > agree, the ticket is created. Still upstream releases would miss
 > important system configuration/dependencies.

 I don't understand this.

 > New packages need to close an ITP. AFAICT that discussion is important
 > to actually decide whether it makes sense to have the package in
 > Debian.

 This only requires that the ITP is filed. This is done.

 > security updates for backports happen faster?

 I'm not sure about that. See dkg's point above though.

 > Note there's also:
 >
 > [ ] (optional) upload the package to deb.tpo
 >
 > Alternatively we could upload it only there, but arma mentioned that
 > only packages that are also in Debian archive go there, cause otherwise
 > would end up unmaintained.

 We can even just create a simple APT repository in any web server. As an
 example I do this [[https://people.debian.org/~irl/|here]].

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26848#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

