
Re: Out-of-date Tors (was Re: 25 tbreg relays in directory)

On Tue, May 26, 2009 at 1:24 PM, Sebastian Hahn <mail@xxxxxxxxxxxxxxxxx> wrote:
> In short: Tor provides working Ubuntu packages in the noreply repositories,
> so users can simply use those to get working, up-to-date, secure versions.
> Because Tor is in Ubuntu Universe, no security updates are provided by
> Ubuntu itself, meaning that Ubuntu used to ship remote-root vulnerable
> versions of Tor for a long time, even though they were informed about the
> problem and could simply have adopted the packages from noreply. As it
> stands, I personally deem any package in Ubuntu universe as a great risk to
> anyone's computer security, since updates are not provided in a timely
> manner. That being said, I'm very happy with the current situation (Tor
> being removed from Ubuntu, while users can install packages from noreply
> without any trouble to get the latest version of Tor).

The packages were outdated simply because no one wanted to maintain
the packages in ubuntu. You do not have to be an ubuntu developer to
do this (you can have a developer sponsor the upload of your package),
but you need to know how to package software for ubuntu.

The problem seems to be that people are interested _now_. That isn't
good enough if we want tor in ubuntu to be maintained and well taken care
of. If you start working on a project like this, you have to keep
doing so. Or at least find someone else who can take over for you.

I am going to look into the process of becoming an ubuntu developer
(better than having all of my uploads sponsored) and then try to get
tor back in ubuntu. When that time comes, I'll send an email to the
list so that other people can help out too.

Runa Sandvik