ubuntu and tor

Martin Meredith martin at sourceguru.net
Sat Aug 27 05:49:15 CDT 2005


Builds and installs fine on hoary + backports (needs newer version of
libevent), so I'm happy to add it to backports.

James, can you please add tor 0.1.0.14-1 to hoary-backports? Thanks!

CC: James Troup, ubuntu-backports

Matt Zimmerman wrote:
> (fixed CC to use security at ubuntu.com, which is the correct contact address)
> 
> On Wed, Aug 24, 2005 at 05:29:43AM -0400, Roger Dingledine wrote:
> 
>>On Tue, Aug 23, 2005 at 02:17:11PM -0700, Matt Zimmerman wrote:
>>
>>>You pointed out that there are security vulnerabilities in the version of
>>>tor included in the Ubuntu 5.04 universe component.  The preferred process
>>>for fixing security vulnerabilities in open source distributions is to
>>>backport the fix to the version which shipped in the release.
>>
>>Hi Matt, Giles, others,
>>
>>Thanks for getting back to us. Let me try to clear up a few confusions.
>>Tor 0.1.0.10 (the first stable release in the 0.1.0.x series) shipped
>>on 14 June 2005, and all further versions in the 0.1.0.x series are
>>bugfix releases -- that is, we backport only critical fixes from the
>>development tree (which is 0.1.1.x currently).
>>
>>So upgrading from 0.1.0.11 to 0.1.0.14 will get entirely and only the
>>stability and security fixes. We are doing exactly what you describe,
>>so just slapping in 0.1.0.14 should be the right fix for your Breezy.
> 
> 
> Done.
> 
> http://lists.ubuntu.com/archives/breezy-changes/2005-August/010247.html
> 
> 
>>>There are other options that we can pursue if for some reason this is not
>>>feasible (and I outlined them in my original reply to you), but there are
>>>good reasons why this is not standard practice, and I provided a specific
>>>example in the case of tor in Ubuntu 5.04.
>>
>>You said that Tor 0.1.0.11 is available for Ubuntu 5.04 from the
>>hoary-backports repository. Perhaps the best fix is to remove all trace
>>of 0.0.9.2, update Breezy to 0.1.0.14, and update the hoary-backports
>>package to 0.1.0.14?
> 
> 
> I've CCed Martin Meredith of the Ubuntu Backports team to bring your
> suggestion to his attention.
> 
> We don't generally remove software from the stable archive, but I'm happy
> for us to provide an update in the backports repository if that will satisfy
> your concerns (and the backports team agrees).
> 



More information about the ubuntu-backports mailing list