[Bug 1710753] Re: Please upgrade Xenial/Zesty to use the latest LTS point release of Tor (0.2.9)

David Goulet 1710753 at bugs.launchpad.net
Mon Aug 21 14:50:13 UTC 2017


Greetings!

(Tor developer here)

As stated above, the 0.2.7.x series is now EOL since August 1st, 2017,
meaning that we will NOT fix any bugs nor do any new releases even in
the event of a catastrophic security issue.

Unfortunately, Tor does see security issues from time to time and the
rate could increase now that our Bug Bounty program has gone public[1].
We've started to document each of them thoroughly on our wiki[2] so
keeping anything EOL in Ubuntu for something as sensitive as Tor is
really not ideal and potentially puts our users and network at risk.

So we (Tor upstream) strongly recommend that any unmaintained version
should be dropped from Ubuntu, at the very least for security purposes,
and the Tor LTS[3] series should be used for Ubuntu's LTS. The 0.2.9.x
series is the latest LTS which is also the one in Debian Stretch for
which we'll be supporting until Jan 1st, 2020.

I believe sdeziel also has volunteered to properly maintain the health
of the "tor" package in Ubuntu and our Debian packager (weasel) has been
doing a fantastic job at keeping tor packages stable, up to date and
released in time for any security issues we've had.

Please, feel free to reach out if you have any questions or concerns.
Thanks!

[1] https://hackerone.com/torproject
[2] https://trac.torproject.org/projects/tor/wiki/TROVE
[3] https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1710753

Title:
  Please upgrade Xenial/Zesty to use the latest LTS point release of Tor
  (0.2.9)

Status in tor package in Ubuntu:
  New

Bug description:
  Currently, Zesty ships with Tor 0.2.9.10 but the latest point release
  is 0.2.9.11 [1]. Xenial is shipping 0.2.7.6 while the 0.2.7 branch
  reached its end of life on August 1st 2017 [2].

  Since Tor is a security-sensitive package, tracking upstream point
  releases for that LTS branch would keep Ubuntu users safe.

  1: https://gitweb.torproject.org/tor.git/plain/ReleaseNotes?id=tor-0.2.9.11
  2: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases
