ubuntu and tor
martin at sourceguru.net
Sat Aug 27 05:49:15 CDT 2005
Builds and installs fine on hoary + backports (needs newer version of
libevent), so I'm happy to add it to backports.
James, can you please add tor 0.1.0.14-1 to hoary-backports? Thanks!
CC: James Troup, ubuntu-backports
Matt Zimmerman wrote:
> (fixed CC to use security at ubuntu.com, which is the correct contact address)
> On Wed, Aug 24, 2005 at 05:29:43AM -0400, Roger Dingledine wrote:
>>On Tue, Aug 23, 2005 at 02:17:11PM -0700, Matt Zimmerman wrote:
>>>You pointed out that there are security vulnerabilities in the version of
>>>tor included in the Ubuntu 5.04 universe component. The preferred process
>>>for fixing security vulnerabilities in open source distributions is to
>>>backport the fix to the version which shipped in the release.
>>Hi Matt, Giles, others,
>>Thanks for getting back to us. Let me try to clear up a few confusions.
>>Tor 0.1.0.10 (the first stable release in the 0.1.0.x series) shipped
>>on 14 June 2005, and all further versions in the 0.1.0.x series are
>>bugfix releases -- that is, we backport only critical fixes from the
>>development tree (which is 0.1.1.x currently).
>>So upgrading from 0.1.0.11 to 0.1.0.14 will get entirely and only the
>>stability and security fixes. We are doing exactly what you describe,
>>so just slapping in 0.1.0.14 should be the right fix for your Breezy.
>>>There are other options that we can pursue if for some reason this is not
>>>feasible (and I outlined them in my original reply to you), but there are
>>>good reasons why this is not standard practice, and I provided a specific
>>>example in the case of tor in Ubuntu 5.04.
>>You said that Tor 0.1.0.11 is available for Ubuntu 5.04 from the
>>hoary-backports repository. Perhaps the best fix is to remove all trace
>>of 0.0.9.2, update Breezy to 0.1.0.14, and update the hoary-backports
>>package to 0.1.0.14?
> I've CCed Martin Meredith of the Ubuntu Backports team to bring your
> suggestion to his attention.
> We don't generally remove software from the stable archive, but I'm happy
> for us to provide an update in the backports repository if that will satisfy
> your concerns (and the backports team agrees).