arma at mit.edu
Sat Sep 29 07:18:58 BST 2007
On Thu, Sep 27, 2007 at 12:42:50PM -0400, Scott Kitterman wrote:
> On Thursday 27 September 2007 11:18, Benj. Mako Hill wrote:
> > I've been asked by Tor developers if it would be possible to remove the
> > tor package (which is in universe) from future Ubuntu releases. The
> > software can (and should?) stay in the repository and in development
> > versions but should be released.
> > Tor is anonymity software and routinely fixes bugs and implements new
> > features that work around problems that compromise users' anonymity.
> > The software's developers believe that is better to have no package at
> > all in a release than to have packages that are up to 18 months old and
> > which will, in all likelihood, provide users with a false sense of
> > anonymity.
> The SRU process for Universe is very easy. If there are patches that need to
> be gotten out for older versions they can be quickly and automatically
> distributed if the packages are in the distribution. The problem isn't that
> the packages are in Ubuntu, but that they aren' t maintained. If the Tor
> devs are willing to work with us and provide patches, it isn't very hard to
> get them automatically delivered to all users.
Hi Scott, others,
The problem is that Tor still has a long way to go before it settles
down -- it's under active development, and we provide pretty much the
sort of security/stability patches you want, but alas we only have the
resources to support our stable branches for about 12 months. Gutsy is
about to freeze with a Tor stable (0.1.2.x) that came out in April, and
in another 6-8 months we may well have abandoned it. The next Tor stable,
0.2.0.x, is aiming to be out in a month or two, which is particularly
bad timing for gutsy.
Tor's security is particularly tricky, since it comes not only from having
users run secure software, but also from having users behave like other
users. If most users are on Windows or OS X using a recent version, and
there's some poor Ubuntu user who runs feisty, he'll be on a branch of
Tor (0.1.1.x) that came out 16 months ago and has since become obsolete.
So if we keep heading in this direction with gutsy, we'll end up in the
same situation we're already in with feisy, and were before with edgy
and dapper. (Some of you may recall having this same discussion in the
summer of 2005 about the dapper/edgy Tor transition.)
We've heard from hundreds of users at this point who show up to our
IRC channel running an obsolete or insecure Tor version and have no
idea there's a newer one ("I installed the one from Ubuntu, surely they
would have taken care of that.") So far we've stayed out of the Debian
stable releases for this same reason, though for lenny they are pondering
putting us in their new "volatile" category.
Anyway, hopefully this helps to explain. If you need a commitment of 18
months after your release for security/stability patches, then we can't
provide that at this time, and it looks like it makes the most sense to
take us out of your Universe.
--Roger (Tor project leader)
More information about the Ubuntu-motu