Out-of-date Tors (was Re: 25 tbreg relays in directory)

Sebastian Hahn mail at sebastianhahn.net
Tue May 26 11:24:58 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On May 26, 2009, at 8:35 AM, Nils Vogels wrote:

> On Tue, May 26, 2009 at 4:04 AM,  <scream at nonvocalscream.com> wrote:
>>
>> On Mon, 25 May 2009 16:59:33 -0400, Roger Dingledine <arma at mit.edu> wrote:
>> <snip>
>>> But you're right, this is a real problem. Some of our users use Linux
>>> packaging systems that keep them mostly up to date. But some are on Ubuntu
>>> (...insert expletives here). And some are on BSD, which either provides
>>> no easy upgrades, or the users don't use them.
>> <snip>
>>
>> Has this been discussed with the Ubuntu packagers?  Is there a link to the
>> discussion I can read...  I'm a user of Ubuntu and would be very interested
>> in being able to update via apt (repository).
>
> Same here!
>
> I am using Ubuntu from apt (but only as a client), and if needed I
> could also provide updates. I used to be a package maintainer for
> FreeBSD, but have moved completely off to Linux these days.
>
> If the packagers need some help or are in time constraints, feel free
> to drop me a line.
>
> Grtz!

The problem with Ubuntu can be followed by reading
https://bugs.launchpad.net/ubuntu/intrepid/+source/tor/+bug/328442
In short: Tor provides working Ubuntu packages in the noreply
repositories, so users can simply use those to get working,
up-to-date, secure versions. Because Tor is in Ubuntu Universe, no
security updates are provided by Ubuntu itself, meaning that Ubuntu
used to ship remote-root vulnerable versions of Tor for a long time,
even though they were informed about the problem and could simply have
adopted the packages from noreply. As it stands, I personally deem any
package in Ubuntu universe as a great risk to anyone's computer
security, since updates are not provided in a timely manner. That
being said, I'm very happy with the current situation (Tor being
removed from Ubuntu, while users can install packages from noreply
without any trouble to get the latest version of Tor).
Please see https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian
if you want to learn more.

Sebastian

-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkob0YoACgkQCADWu989zuYTXgCgv81g1FMVpADa9CmHC7gDovLt
A2gAoJFG16H3clai4PCs5QMruKZX6d/x
=PjMT
-----END PGP SIGNATURE-----


