[tor-bugs] #19496 [Internal Services/Service - deb.tpo]: Remove deb.tpo obfs4proxy Debian packages (was: Provide backports for obfs4proxy Debian packages)

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri May 10 20:11:02 UTC 2019 

#19496: Remove deb.tpo obfs4proxy Debian packages
-------------------------------------------------+-------------------------
 Reporter:  irl                                  |          Owner:  irl
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Service - deb.tpo  |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  debian,packaging,obfs4proxy          |  Actual Points:
Parent ID:  #30471                               |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by arma):

 * owner:  (none) => irl
 * status:  new => assigned
 * component:  Circumvention/Obfs4 => Internal Services/Service - deb.tpo


Comment:

 I'm hijacking this ticket to be about removing our separate, unmaintained,
 obfs4proxy packages.

 We're shipping obfs4proxy 0.0.7-1 on deb.tpo.

 weasel points out that since go statically compiles stuff, that old
 package is shipping with a go that now has security bugs. That's no good.

 In the mean time, Debian stable now has 0.0.7-1+b2, which presumably is
 where the underlying go libs got rebuilt.

 Everything else we care about has at least that version of obfs4proxy too,
 except Ubuntu 16.04, which still ships with 0.0.6-2.

 So the most straightforward thing to do is to get rid of our obfs4proxy
 component in deb.tpo -- nobody should be using it. And to fix the
 documentation that tells people to add that repo to their apt sources,
 e.g.
 https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy

 And then if folks want to make debs for newer versions of obfs4proxy, we
 should get those into debian testing, and reevaluate once that's done.

 Sound plausible?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19496#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list