     On Tue, 28 Apr 2009 09:59:05 -0400 andrew@xxxxxxxxxxxxxx wrote:
>On Mon, Apr 27, 2009 at 11:57:17PM -0500, bennett@xxxxxxxxxx wrote 5.4K bytes in 107 lines about:
>:      That brings up something that has bothered me for a long time.  When
>: tor discovers that its version doesn't match any in either client-versions
>: or server-versions, it currently writes complaints about it to the log(s),
>: but seems to do nothing further about it.  I'd like to see either of the
>: following.
>Recently, we've started emailing the node operators (at least those with
>valid contact info) suggesting they upgrade to at least
>This method seems to have a better success ratio in getting nodes
>upgraded from very old versions.  At least, better than the log messages
>that state your tor version is not recommended anymore.
>We're also working on Tor Weather to enable automatic notifications, such
>as "your server is out of date, please upgrade".
     Those methods are all very nice, but do not address the clients' security
problems.  Warm and fuzzy feelings that tor node operators, who often do *not*
put contact information into their torrc files, will oblige do nothing to
enable clients to avoid nodes running versions that are known to be unsafe.
     Either of the options that I proposed here *would* address this issue,
and the issue is one that calls for a solution.  The first of the two options
I suggested would also make it possible to distinguish between old relays that
have security vulnerabilities for exit service but not for use as entry or
middle nodes and old relays that are insecure for any use.
     If other options to deal with the problem are on people's minds, please
speak up!

