ubuntu and tor

Martin Meredith martin at sourceguru.net
Sat Aug 27 05:49:15 CDT 2005

Builds and installs fine on hoary + backports (needs newer version of
libevent), so I'm happy to add it to backports.

James, can you please add tor to hoary-backports? Thanks!

CC: James Troup, ubuntu-backports

Matt Zimmerman wrote:
> (fixed CC to use security at ubuntu.com, which is the correct contact address)
> On Wed, Aug 24, 2005 at 05:29:43AM -0400, Roger Dingledine wrote:
>>On Tue, Aug 23, 2005 at 02:17:11PM -0700, Matt Zimmerman wrote:
>>>You pointed out that there are security vulnerabilities in the version of
>>>tor included in the Ubuntu 5.04 universe component.  The preferred process
>>>for fixing security vulnerabilities in open source distributions is to
>>>backport the fix to the version which shipped in the release.
>>Hi Matt, Giles, others,
>>Thanks for getting back to us. Let me try to clear up a few confusions.
>>Tor (the first stable release in the 0.1.0.x series) shipped
>>on 14 June 2005, and all further versions in the 0.1.0.x series are
>>bugfix releases -- that is, we backport only critical fixes from the
>>development tree (which is 0.1.1.x currently).
>>So upgrading from to will get entirely and only the
>>stability and security fixes. We are doing exactly what you describe,
>>so just slapping in should be the right fix for your Breezy.
> Done.
> http://lists.ubuntu.com/archives/breezy-changes/2005-August/010247.html
>>>There are other options that we can pursue if for some reason this is not
>>>feasible (and I outlined them in my original reply to you), but there are
>>>good reasons why this is not standard practice, and I provided a specific
>>>example in the case of tor in Ubuntu 5.04.
>>You said that Tor is available for Ubuntu 5.04 from the
>>hoary-backports repository. Perhaps the best fix is to remove all trace
>>of, update Breezy to, and update the hoary-backports
>>package to
> I've CCed Martin Meredith of the Ubuntu Backports team to bring your
> suggestion to his attention.
> We don't generally remove software from the stable archive, but I'm happy
> for us to provide an update in the backports repository if that will satisfy
> your concerns (and the backports team agrees).
