Debian Bug report logs - #751977
pu: package tor
Reported by: Peter Palfrader <weasel@debian.org>
Date: Wed, 18 Jun 2014 12:48:01 UTC
Severity: normal
Tags: confirmed, pending, wheezy
Fixed in version 7.6
Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#751977; Package release.debian.org.
(Wed, 18 Jun 2014 12:48:06 GMT)
Acknowledgement sent
to Peter Palfrader <weasel@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Wed, 18 Jun 2014 12:48:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: pu
Hi!
On Wed, 11 Jun 2014, Adam D. Barratt wrote:
> The next point release for "wheezy" (7.6) is scheduled for Saturday,
> July 12th. Stable NEW will be frozen during the preceding weekend.
I propose to update Tor in stable to the version that is now in jessie.
This would be a jump to the next major version of tor, not just a
patch release update.
The Tor version in stable is 0.2.3.25, the latest version of the
old 0.2.3.x tree of Tor releases. The current stable Tor tree is
0.2.4.x, released as stable in December, with the current update
being .22 from May.
There's, of course, a whole bunch of reasons why 0.2.4.x is
oh-so-much better than 0.2.3.x.
One key point is that about a quarter of the Tor network (just
considering the relays, not any clients) is on 0.2.3.25, presumably
because they run Debian stable. If they all upgraded to the 0.2.4.x
tree, the network as a whole would become a lot more secure as
0.2.4.x allows clients to use stronger crypto for connections built
through these nodes.
Also, Tor upstream is not entirely sure what they would want to
backport to 0.2.3.x in order to call it as DoS-resistant as 0.2.4.x.
That is to say, they are not aware of any arbitrary-code-execution
bugs that affect 0.2.3.x, but nobody knows which of the
DoS/resource-leak bugs that were fixed in the new tree could or
should be backported:
| And indeed, we're basically done backporting fixes to 0.2.3. For
| anything short of a remote overflow, we're probably not fixing
| it.
Obviously, since this is a major upstream version jump, reviewing the
diff is not feasible.
Even going over the upstream changelog took a good long while. That
resulted in a number of things we'd really like to have. Changes
include things like rejecting authority signing keys that might have
been exposed due to heartbleed, TLS ciphersuites now being chosen by
relays rather than clients (client lists have been chosen mainly for
anti-fingerprinting purposes), always clearing bignums before freeing
them, TLS 1.1 and 1.2 support, turning off client-side DNS cache by
default (that fixes a huge linkability issue for clients), and much
more. I can clean up and provide a full(er) list on request.
I don't expect the handful of reverse dependencies would have any
problems with the version jump, and from a relay-operator or end-user
point of view not much directly visible has changed.
The default contents of the /etc/tor/torrc conffile have changed
slightly. (In fact, the diff is so tiny - one date change and one
typo fix in comments - that we could consider reverting that change
to cut down on dpkg prompts if you prefer.) Existing configuration
files are expected to continue to work in all cases.
Is this update something we can do?
Thanks for your consideration,
weasel
--
                           |  .''`.       ** Debian **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/
Information stored:
Bug#751977; Package release.debian.org.
(Wed, 18 Jun 2014 12:54:16 GMT)
Message #8 received at 751977-quiet@bugs.debian.org:
Hi,
Peter Palfrader wrote (16 Jun 2014 18:53:13 GMT) :
> I propose to update Tor in stable to the version that is now in jessie.
We've been shipping Tor 0.2.4.x in Tails since last September, back
when it was still a release candidate. This means that this branch of
Tor has been started 6-11k times a day in this environment (i386,
Squeeze-based) for 9 months. No problem so far.
This experience, added to the reasons mentioned by weasel, and to the
fact that I've not seen regressions caused by Tor 0.2.4.x in the few
reverse-deps I'm maintaining in Debian, makes me positive that it's
the way to go for Wheezy.
Cheers,
--
intrigeri
Information stored:
Bug#751977; Package release.debian.org.
(Wed, 18 Jun 2014 12:54:19 GMT)
Message #11 received at 751977-quiet@bugs.debian.org:
Peter Palfrader <weasel@debian.org> wrote:
> Hi!
>
> On Wed, 11 Jun 2014, Adam D. Barratt wrote:
>
>> The next point release for "wheezy" (7.6) is scheduled for Saturday,
>> July 12th. Stable NEW will be frozen during the preceding weekend.
>
> I propose to update Tor in stable to the version that is now in jessie.
One additional note: We already moved to a new upstream release in a
previous DSA (DSA-2363-1, from 0.2.1.31-1 to 0.2.2.35-1) and it worked
out well.
Cheers,
Moritz
Added tag(s) wheezy.
Request was from Adam D. Barratt <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Thu, 19 Jun 2014 12:03:18 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#751977; Package release.debian.org.
(Sat, 21 Jun 2014 15:54:04 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sat, 21 Jun 2014 15:54:04 GMT)
Message #18 received at 751977@bugs.debian.org:
Control: tags -1 + confirmed
On Wed, 2014-06-18 at 14:45 +0200, Peter Palfrader wrote:
> I propose to update Tor in stable to the version that is now in jessie.
>
> This would be a jump to the next major version of tor, not just a
> patch release update.
[...]
> | And indeed, we're basically done backporting fixes to 0.2.3. For
> | anything short of a remote overflow, we're probably not fixing
> | it.
[...]
> I don't expect the handful of reverse dependencies would have any
> problems with the version jump, and from a relay-operator or end-user
> point of view not much directly visible has changed.
>
> The default contents of the /etc/tor/torrc conffile have changed
> slightly. (In fact, the diff is so tiny - one date change and one
> typo fix in comments - that we could consider reverting that change
> to cut down on dpkg prompts if you prefer.) Existing configuration
> files are expected to continue to work in all cases.
If it's common for users to modify torrc, that would be good.
> Is this update something we can do?
Given your comments and the others expressed in the thread, I think we
{c,sh}ould. I'm assuming that the backports build means the new codebase
has had at least some testing in wheezy environments.
Please go ahead, presumably as 0.2.4.22-1~deb7u1.
Regards,
Adam
Added tag(s) confirmed.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 751977-submit@bugs.debian.org.
(Sat, 21 Jun 2014 15:54:04 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#751977; Package release.debian.org.
(Sun, 22 Jun 2014 21:42:05 GMT)
Acknowledgement sent
to Roger Dingledine <arma@mit.edu>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Sun, 22 Jun 2014 21:42:05 GMT)
Message #25 received at 751977@bugs.debian.org:
Upstream here. This sounds like a great idea!
I'm also a fan of weasel's idea of reverting the tiny changes in
src/config/torrc.sample.in, since making users re-consider their existing
torrc changes will make them sad for no benefit.
Let us/me know if we can do anything more to be helpful here.
Thanks,
--Roger
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#751977; Package release.debian.org.
(Tue, 24 Jun 2014 07:12:08 GMT)
Acknowledgement sent
to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>.
(Tue, 24 Jun 2014 07:12:08 GMT)
Message #30 received at 751977@bugs.debian.org:
Control: tags -1 + pending
On 2014-06-21 16:50, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2014-06-18 at 14:45 +0200, Peter Palfrader wrote:
>> I propose to update Tor in stable to the version that is now in
>> jessie.
>>
>> This would be a jump to the next major version of tor, not just a
>> patch release update.
[...]
> Please go ahead, presumably as 0.2.4.22-1~deb7u1.
For the record, this was uploaded and I've flagged it for acceptance.
Regards,
Adam
Added tag(s) pending.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to 751977-submit@bugs.debian.org.
(Tue, 24 Jun 2014 07:12:08 GMT)
Marked as fixed in versions 7.6.
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sat, 12 Jul 2014 11:58:15 GMT)
Marked Bug as done
Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk>
to control@bugs.debian.org.
(Sat, 12 Jul 2014 11:58:16 GMT)
Notification sent
to Peter Palfrader <weasel@debian.org>:
Bug acknowledged by developer.
(Sat, 12 Jul 2014 11:58:18 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 10 Aug 2014 07:38:04 GMT)
Last modified: Tue Nov 2 19:41:37 2021