Re: tor removed from ubuntu jaunty

On Sun, Apr 19, 2009 at 4:28 PM, Roger Dingledine <arma@xxxxxxx> wrote:
> On Sun, Apr 19, 2009 at 11:24:01AM -0500, Matt LaPlante wrote:
>> A heads-up for fellow Ubuntu users: The tor package has been removed
>> from Ubuntu Jaunty due to lack of maintainership.
>> https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2009-April/007866.html
> Yep. You can read a lot more about it here:
> https://bugs.launchpad.net/ubuntu/+source/tor/+bug/328442
> and back from 2007 here:
> http://www.mailinglistarchive.com/ubuntu-devel@xxxxxxxxxxxxxxxx/msg24404.html
> Ubuntu hardy and intrepid are still shipping known-remote-vulnerable
> versions of Tor. The version they have in Intrepid is even
> known-remote-root-vulnerable. And they still haven't gotten around to
> fixing it.
> If you're going to include Tor in your distribution, you really have
> to maintain it. Since Ubuntu doesn't maintain packages in its Universe,
> it seemed like the smartest move to make sure we don't keep having this
> problem with every new Ubuntu version.
> You can find well-maintained Ubuntu packages here:
> https://wiki.torproject.org/noreply/TheOnionRouter/TorOnDebian
> I presume we'll put up jaunty packages when jaunty goes stable. In the
> meantime, I hear the intrepid packages work fine on jaunty. (Let me
> know if that's wrong, and I'll ask Peter to consider setting up a jaunty
> build environment sooner.)

I'm glad that we have someone(s) dedicated to building usable packages
for Ubuntu, but I admit I'm curious why we do it outside of the normal
Ubuntu universe.  Would it not be better to apply this same amount of
effort and skill within the Ubuntu (or Debian) repositories rather
than being off on an island?  I can't back this up with statistics,
but my gut feeling just tells me the less work a user has to do to
install a product like Tor the better for widespread distribution.

I don't think it's fair to say "they" haven't gotten around to fixing
these packages when it's our product they've been shipping.  The onus
should be on the Tor community to have someone managing such packages
rather than expecting the distro owners to do all the work for us.
Would you blame Microsoft or Apple for people running out of date
versions under Windows and Mac?  I'm not trying to belittle the
efforts made with the Ubuntu packages in any way, I just find it a bit
odd that the efforts aren't focused on being a more well integrated
product.  I can't imagine it would be significantly more work, yet it
seems there would be a definite benefit for end users.

> Thanks,
> --Roger