This version of Tor (0.3.2.10) is not recommended

Bug #1837793 reported by themusicgod1
Affects: tor (Ubuntu) | Status: Invalid | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

Ubuntu 18.04 bionic LTS

tor:
  Installed: 0.3.2.10-1
  Candidate: 0.3.2.10-1

in syslog:

Jul 5 10:54:01 eva Tor[31372]: Please upgrade! This version of Tor (0.3.2.10) is not recommended, according to the directory authorities. Recommended versions are: 0.2.9.15,0.2.9.16,0.2.9.17,0.3.5.8,0.4.0.5,0.4.0.6,0.4.1.2-alpha,0.4.1.3-alpha

Not sure how bad that is, or how radical of a change 0.3.5.8 is
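The syslog line quoted above is the only technical signal in this report, so a triage step worth having is to pick that warning out of the logs, check whether the running version is still in the directory authorities' recommended set, and work out the smallest stable version that would clear the warning. The following is an added example written for this page, not code from the bug report, Tor or Ubuntu; the log text is constructed from the line quoted above plus one unrelated line, and the warning's wording and the `series = first three version components` convention are assumptions based only on what the report shows.

```python
import re
from typing import Optional

# Constructed sample: the syslog line quoted in the bug report, preceded by an
# unrelated Tor line to show that the filter ignores it.
SAMPLE_SYSLOG = """\
Jul 5 10:54:00 eva Tor[31372]: Bootstrapped 100%: Done
Jul 5 10:54:01 eva Tor[31372]: Please upgrade! This version of Tor (0.3.2.10) is not recommended, according to the directory authorities. Recommended versions are: 0.2.9.15,0.2.9.16,0.2.9.17,0.3.5.8,0.4.0.5,0.4.0.6,0.4.1.2-alpha,0.4.1.3-alpha
"""

# Assumed shape of the warning, taken from the single line quoted in the report.
WARNING_RE = re.compile(
    r"This version of Tor \((?P<running>[^)]+)\) is not recommended.*?"
    r"Recommended versions are: (?P<recommended>[0-9A-Za-z.,-]+)"
)


def parse_version(v: str) -> tuple:
    """Turn a Tor version string into a sortable tuple.

    Numeric components come first; a trailing flag makes a plain release
    ('0.4.1.2') sort after its pre-release tags ('0.4.1.2-alpha').
    """
    core, _, tag = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return nums + ((1, "") if not tag else (0, tag))


def parse_warning(line: str) -> Optional[dict]:
    """Return {'running': str, 'recommended': [str, ...]} for a matching line."""
    m = WARNING_RE.search(line)
    if not m:
        return None
    return {
        "running": m.group("running"),
        "recommended": m.group("recommended").split(","),
    }


def assess(log_text: str) -> list:
    """Scan syslog text and summarise each 'not recommended' warning found."""
    findings = []
    for line in log_text.splitlines():
        w = parse_warning(line)
        if w is None:
            continue
        running = parse_version(w["running"])
        # Only stable releases are candidates for a distribution package.
        stable = [v for v in w["recommended"] if "-" not in v]
        # Assumed convention: same release series means the first three
        # components match (0.3.2.x); a fix there would be a cherry-pick target.
        same_series = [v for v in stable if parse_version(v)[:3] == running[:3]]
        newer_stable = sorted(
            (v for v in stable if parse_version(v) > running), key=parse_version
        )
        findings.append({
            "running": w["running"],
            "still_recommended": w["running"] in w["recommended"],
            "same_series_fix": same_series[0] if same_series else None,
            "smallest_stable_upgrade": newer_stable[0] if newer_stable else None,
        })
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_SYSLOG):
        print(f)
```

For the quoted line this reports that 0.3.2.10 is no longer recommended, that no 0.3.2.x release is in the recommended set (so there is no same-series cherry-pick target to aim for), and that 0.3.5.8 is the smallest stable version that would satisfy the authorities, which is the version the reporter asks about.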

Tags: bionic
Changed in tor (Ubuntu):
status: New → Confirmed
Luís Infante da Câmara (luis220413) wrote :

I am working on an upgrade to 0.4.7.8 for Ubuntu 18.04, 20.04 and 22.04 in bug #1982224.

Changed in tor (Ubuntu):
status: Confirmed → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Robie Basak (racb) wrote (last edit ):

As discussed on IRC (#ubuntu-motu yesterday), "not recommended by upstream" is not an appropriate justification for a valid bug in a package in Ubuntu in itself, because distributions like Ubuntu make a stable release and support the released package version with cherry-picks as needed to ensure stability for users. We should carefully consider upstream recommendations prior to release and our development process is open to all to try and make that easier. But a distribution release comes with a promise to our users to try and keep the release stable (in the "not changing" sense), so at that stage an upstream recommendation that goes against that isn't an automatic free pass to make a change.

Case 1: if there is a specific technical reason that a package in an Ubuntu release is bad for users, then we should have a bug tracking that specific reason. For example, we could have bugs tracking the progress of cherry-picks of specific CVEs or high impact bugs in the tor package in our stable releases. To fix these issues, a contributor would need to provide a debdiff that includes appropriate cherry-picks, referencing the appropriate bugs in the changelog. If this is not practical then we can consider doing a major version bump instead, but you would be expected to justify it on this basis, rather than simply implying that you can't be bothered or merely because you disagree with our long standing quality policies.

Case 2: if the Tor network moves on or has a schedule to move on such that the tor package in Ubuntu will no longer work, then Ubuntu makes an exception. We will accept a major version bump in this case, and we can have a bug tracking it. However, the reason given in this bug at the moment doesn't seem to justify that.

Case 3: if the Tor network routinely invalidates clients from older versions, focusing on version numbers rather than functionality changes that we could cherry-pick instead, and this schedule means that tor packages in Ubuntu releases are expected to become invalidated like this before Ubuntu releases reach their own EOL dates, then I question whether it's appropriate for Ubuntu to keep shipping tor in its stable releases at all. We should look into alternative means for making tor available to Ubuntu users. If you want to make this case then please make it, but I would expect to discuss how we're going to handle this properly in the future first. This case can wait until that discussion concludes. If instead there's an urgent need then you will, by definition, be able to make cherry-picks or a major version bump using cases 1 or 2 above instead.

Case 3b: maybe the tor package in Ubuntu should be additionally exceptional in that we always update it to the latest upstream stable release regardless of whether there is an API break scheduled, or even if they are so routinely scheduled that updates are routinely going to be required before Ubuntu releases EOL. However, again that's a discussion to have that's not urgent because like case 3 it is by definition not urgent as cases 1 and 2 exist.

I'm marking this bug as Incomplete because as described currently there is no action in Ubuntu to be taken. If you want to provide...


Changed in tor (Ubuntu):
status: In Progress → Incomplete
themusicgod1 (themusicgod1) wrote :

For what it's worth, I agree with Robie Basak on the above: just because tor itself is warning that it's "not recommended" by upstream does *not* justify it being a bug in that release of ubuntu per se - though, some thought should have, and did go towards upgrading in future versions (i.e. post bionic). Since this did in fact happen, and that was the extent to which I, in 2019, was interested in this warning message.

This particular "bug" specified neither provable breakage nor a CVE.

Personally I'm in favour of a global fork of tor away from the tor project (which was not necessary in 2019) so I would express caution at "Case 3b" - in projects that have gotten rotten at the upstream, making them 'exceptional' in this way gives a form of political power over users that is actively dangerous - the ubuntu upgrade cycle works fine as a political compromise for now.

Luís Infante da Câmara (luis220413) wrote :

This bug does not justify an upgrade. Comments should be made on bug #1982224.

Changed in tor (Ubuntu):
status: Incomplete → Invalid
Changed in tor (Ubuntu):
assignee: Luís Infante da Câmara (luis220413) → nobody