[tor-relays] Why are you using torproject's RPMs?

Fri Jun 17 11:11:20 UTC 2016

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 16/06/16 23:08, nusenu wrote:
> (forwarding a question from tor-dev since here are probably more
> ops that might want to answer the question bellow) 
> https://lists.torproject.org/pipermail/tor-dev/2016-June/011073.html
>
>  Dear tor-relay operators,
> 
> are you using torproject's RPMs (instead of those provided by your
>  distro maintainer)?
> 
> If so:
> 
> Nick Mathewson asked:
>> People who download our RPMs: in what way are they beneficial?
> 

Because my OS vendor has no Tor packages.

If they did, I'd be on a stable release cadence from the OS, with
automatic updates.

I don't care about being on the bleeding edge until the bleeding edge
fixes the broken ipv6-implementation. Until then, I can be a few
versions behind without mental stress.

As a rule, I refuse to install software manually, as I don't want the
maintenance burden of following more -announce lists and recompiling
from source every time.

If there's no repository, and it isn't packaged upstream,  it's a
economical tradeoff.

My time to build and maintain software packages, tracking every
release and spending the time making sure it works, vs. the value of
the project.

Tor brings no value to me as someone who's hosting an exit relay, so
that equation would end with "don't run a relay, it's not worth it".

If there was a system package as well as an tor upstream package, I'd
generally prefer the system package. They have a proven track record
for handling updates smoothly, making sure signing and QA happens on
packages.

Vendor repositories are generally of worse quality, runs arbitary
commands as root on my machines, and may or may not inflict other harm
on my system.

Even if I run tor, I don't want to give tor devs persistent root
access to my computers.

//D.S.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXY9rUAAoJEPzDdnREnjz8SQoQAKap5FcAWV6DljXwemD9eqID
vNQ+A5qgh/jCCep7yP51ig9uhSRlvcxpw/AYW5m81ZYSc0B6O1KqJ8na+98e6tTS
Zdd/QeR0i8YRQ9lz/NSTF5s+DUje7J4Fm1ZPWH7dhjPio8rtXqW/B+7yblI5OBD+
rpKh4Du7+by/m/WM2HJxJB4mwL+dHaBH3GH2V6OQCEqQE9TTnxLxoNYC10ZAM8Sd
G1oRQ+iL3jK17v41T4d+ZO8G/Ah3CZkyWucFcUXjVy8YiQBOMXTBh9MbCw5J8SVk
78nPyFRt7Pc9q8mDpYy8bPHYFC3cGsjA/9xYynJardsvnMlsG3FnqiqTiMlcx/hE
JLZqowLDywnlkTb+wpVBbmDe14Jlmv+0i5KlmjHMt0GADixFveZxeIzH19ewPg8k
otoNMqqo59JQlk6LoWTdTiPkmxKF0w30SjtUPLMruG1NEOr7jgqA9pueSQidDgwq
IjrMpyoLR2ZAXq4sAqyNfWZuvcq+jPScJeHQ3NPAZXKUVM/iVQ/YShyP9kh/fZuK
/i3maRVGPTGdSOQQLHoH83Ye5byziTTWVafA1/kvPGqFuZSEo+C7YA5exfFNLpSC
/FaRb+sNpJGDWKWmgX8o8LyhlrHr2I4d2UgFfzZCN4Wx0EVZ6SzqNxMp1F4Ua1v/
utR2oJyIN+2HQjvmhenp
=0ThJ
-----END PGP SIGNATURE-----