[tor-dev] Proposed changes to Tor long-term-support (LTS) policy

Nick Mathewson nickm at torproject.org
Thu Feb 4 15:10:45 UTC 2021


Hi, all!

I've been working on a proposed change to Tor's LTS policies. I've run
it by a few people already, and now I'm posting it here for wider
comment.

(summary: If we decide to do this, we will still be able to do LTS
releases, but we will backport fewer things to them, and we will make
fewer promises about how well they will work on the network.)


=====================
# Background and summary:

I'm proposing a change to Tor's long-term support (LTS) policies.

For reference, our current policy is described at
https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/CoreTorReleases

We've been struggling with our LTS policies for a while.  In brief: we
backport too many fixes, and we promise too much support for LTS
releases.

The developers don't like it, because the amount of things that we keep
trying to fix in our LTS releases keeps us working on old crufty code
for a long time.

Many packagers don't like it, because they have a policy of auditing
security backports, and we backport too much to our LTS releases for
them to audit carefully.

And our network maintenance group doesn't like it, because our
commitment to supporting very old protocol versions keeps us from
implementing performance and security improvements on a rapid schedule,
unless we backport those changes to the LTS releases.

Therefore, we're going to propose these changes:
   - That once a release becomes LTS-only, its code no longer gets
     anything but security patches (narrowly defined), and minimal
     patches to keep it working on the network.

   - We will no longer guarantee that an LTS-only release will work (or
     work well) on the mainline Tor network for its entire LTS
     lifetime.  We'll try to deliver this if we can, but it won't
     be a definite guarantee.

# In more detail

We propose the following release statuses:

   - Development.  (Every series starts out in this state as an alpha.)

   - Stable.  (Once a series is officially 'ready', we call it stable.)

   - Old-stable.  (Every supported stable release, except the most
     recent one, is in this state.)

   - Long-term support only. (Any LTS release, once a newer release
     has become old-stable.  Only certain releases will get LTS support.)

Every series starts out in "development".  Once it's officially
ready, we call it "stable".  All stable releases besides the most
recent one are "old-stable".

Allowed in all releases:
   - Updates to authorities list
   - Updates to fallbackdirs list
   - Updates to geoip database

LTS-only (any LTS release, once a newer release is old-stable):
   - Only two kinds of changes are allowed:
       - Security fixes, narrowly defined. (See below for a definition.)
       - _Simple_ patches that keep the release functional on the
         network.
   - Relays are not guaranteed to be supported on the network,
     although we'll try not to remove them gratuitously.
   - Clients and onion services are not guaranteed to work on the
     network, although we'll try not to break them gratuitously.

In other words, with an LTS release there will be no guarantee that the
software works on the network.  The promise is that we will keep it
working on the network when we can do so with simple low-risk patches,
and that _if_ it works, we will fix security problems in it.

Oldstable (All stable releases besides the most recent stable release):
  - Stability fixes are also allowed.
  - Relays will be supported on the network.
  - Clients and onion services will be supported on the network.
  - Dirauths may be supported.

Stable (The single most recent stable release):
  - All fixes are allowed.
  - Relays will be supported on the network.
  - Clients and onion services will be supported on the network.
  - Dirauths will be supported.

Development:
  - All fixes are allowed.
  - Relays will be supported on the network.
  - Clients and onion services will be supported on the network.
  - Dirauths will be supported.

==============================

What is a security fix?
  - It is a _bugfix_ that resolves a vulnerability.  _Features_ that
    make Tor more private, anonymous, or more secure won't count.

==============================

The LTS policy above will apply to 0.3.5 _starting with 0.3.5.14_, since
we've already made backports that will appear in 0.3.5.13.

We have already committed to making 0.3.5 an LTS release until Feb 1,
2022.

We also now commit to making 0.4.5 an LTS release until _at least_ Feb
15, 2023. Whether we continue to do this LTS for longer will depend on
our experiences with this new policy.

==============================

So, any proposed amendments to this?

best wishes,
-- 
Nick

