[tor-dev] [tor-talk] heartbleed: ETA for tor release(s) that blacklist affected directory authority keys? (#11464)

[anonym]

23/04/14 16:51, Nick Mathewson wrote:
> On Wed, Apr 23, 2014 at 10:28 AM, anonym <anonym at riseup.net> wrote:
>> 21/04/14 12:27, Nusenu wrote:
>>> Hi,
>>>
>>> the code to blacklist heartbleed affected tor directory authority keys
>>> has been merged about a week ago [1].
>>>
>>> Do you have an ETA on when you are going to release it (tor and TBB
>>> packages)?
>>
>> As the release manager for the Tails 1.0 release I'm also interested in
>> an ETA for this. Ideally the Tails image intended for the 1.0 release
>> will be built on 2014-04-27 (so this is when we'll truly freeze the
>> version of Tor), and released two days later. We Tails developers would
>> find it sad if its core piece of software becomes out-dated immediately
>> or even just shortly after that.
>>
>> Nick (or any one else in the loop), do you have any idea of timings for
>> the next stable Tor release?
> 
> My goal is to get out a new alpha with the blacklist this week, and an
> 0.2.4 release by the end of the month.
> 
> This is a goal; I don't know if I'm going to be able to make it, and I
> can't make mpromises there.

Thanks for letting us know!

> If you like, it could be entirely reasonable to backport the code in
> question; the relevant commits are:
> 
> 50ad3939242885b1a1a11688abd0c9756631747f
> 46cf63bb42f2818201bc0c39036f2c17e210fcdb
> 2ce0750d21d04c39a5a948b3d96203d8f68ae7ad
> ef3d7f2f97caf961effd7935dd3231e6bba62ca5

Given the planned release date for Tails 1.0, this actually doesn't look
too bad a compromise. I had a quick look at the other tickets tagged
`024-backport` and nothing seemed very important. However, before
deciding on this, I'd really appreciate a confirmation from any of you
Tor devs that, as it looks now, the next 0.2.4 release will have no
other important security fixes affecting *Linux* *clients*. So, will it?

Cheers!