Tor 0.1.2.x abandoned by upstream, update to 0.2.0.34
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tor (Ubuntu) | Fix Released | Undecided | Unassigned |
Hardy | Fix Released | Undecided | Unassigned |
Intrepid | Fix Released | Undecided | Unassigned |
Jaunty | Invalid | Undecided | Unassigned |
Bug Description
Binary package hint: tor
I am the Tor project leader (aka the upstream).
In Sept-Oct 2007 there was a thread on ubuntu-devel and ubuntu-motu with
the subject "Tor Packages", wherein mako suggested that Ubuntu drop the
Tor package from gutsy and hardy, because Tor doesn't provide multiple years
of support. See e.g.
http://<email address hidden>
The conclusion was that there should be an exception for Tor,
such that when we abandoned a major release, Ubuntu would switch up to
the next stable Tor release.
This time has come. Earlier this week we officially dropped support for
the Tor 0.1.2.x branch. Since there are many known security problems
(including some potential remote exploits that can turn into remote
roots in the right circumstances), we recommend that nobody use it.
In particular, gutsy is shipping 0.1.2.17: http://
and hardy is shipping 0.1.2.19: http://
The Tor 0.2.0.x branch came out (starting at 0.2.0.30) in July 2008,
and has stabilized very well by now. You can read its release notes
and updates:
http://
http://
http://
http://
http://
I notice that Intrepid and Jaunty are also shipping old Tor versions, but
they're already within the 0.2.0.x branch so should be easier to upgrade.
We have up-to-date debs, made by the Debian maintainer, here:
https:/
So: what's the process for making this happen?
Changed in tor:
status: New → Confirmed
tags: added: verification-done removed: verification-needed
Intrepid and Jaunty already have 0.2, thus the "0.1.2.x abandoned" does not apply there. If there are important fixes in later upstream 0.2.x microreleases, they should get a separate bug report.