
Please sync tor 0.2.1.26-6 (universe) from Debian testing (main)

Reported by Aron Xu on 2009-08-14
Affects: tor (Ubuntu); Importance: Wishlist; Assigned to: Unassigned

Bug Description

 tor (0.2.1.19-1) unstable; urgency=low

   * New upstream version.
     - Make accessing hidden services on 0.2.1.x work right (closes: #538960).
     [More items are in the upstream changelog.]

 -- Peter Palfrader <email address hidden> Wed, 29 Jul 2009 12:49:03 +0200

Artur Rona (ari-tczew) on 2009-08-14
description: updated
tags: added: needs-packaging upgrade
summary: - Please import tor from debian unstable
+ Please sync tor 0.2.1.19-1 (universe) from Debian unstable (main)
Brian Murray (brian-murray) wrote :

*** This is an automated message ***

This bug is tagged needs-packaging which identifies it as a request for a new package in Ubuntu. As a part of the managing needs-packaging bug reports specification, https://wiki.ubuntu.com/QATeam/Specs/NeedsPackagingBugs, all needs-packaging bug reports have Wishlist importance. Subsequently, I'm setting this bug's status to Wishlist.

summary: - Please sync tor 0.2.1.19-1 (universe) from Debian unstable (main)
+ [needs-packaging] Please sync tor 0.2.1.19-1 (universe) from Debian
+ unstable (main)
Changed in ubuntu:
importance: Undecided → Wishlist

I volunteer to maintain tor package in ubuntu, I hope it can appear in karmic's repository.

Aron Xu (happyaron) wrote :

I've chatted with some tor users in #tor on irc.oftc.net, and got something that we might have omitted before.
The leader of the tor project has built a trust chain and recommends to all users of tor that they only use packages that were signed with specified keys, and there is a trusted key list on its official site. Here is the entry I found: http://www.torproject.org/verifying-signatures.html.en
They raised the question that if the package in a distro cannot be signed with the keys listed above, it will not be trusted, even though everyone knows we can easily verify the changes that have been made by the maintainer of that package in distros like Ubuntu. They prefer making themselves confident in the first place when they get the package.
Debian might not be facing this problem because the maintainer of tor in Debian is in the trust list on upstream's site, so the users may be able to be confident by verifying the .dsc file signed by that person. It's not difficult to find out that packages in Tor's official repository for Ubuntu/Debian are mostly maintained by that person (here are the instructions they provided: http://www.torproject.org/docs/debian.html.en).
I've checked several other distros; they just leave the so-called trust chain there and just keep providing and updating the packages.

Another problem is about the support of the package, as was discussed in bug #328442, but you can see that tor is still provided in RHEL/CentOS; they ship mostly old versions of software as far as I know.

So I recommend three alternative solutions:
1. Simply sync it from Debian;
2. Have somebody keep it up-to-date in the repository of the latest release;
3. Add a virtual package just like flash-installer, that makes users install the packages provided by the upstream repository.

There is no doubt the first one is the simplest, but it may cause another upstream removal request; the second one can solve the problem of the package being unmaintained, as raised by upstream, but an exception to the repository policy about updating software versions may be needed because upstream may raise the version number from time to time if they would like to, and I can be the volunteer to maintain the package; the last solution can only be an expedient solution I think, tor isn't really a package that needs this solution like flash-player.

Discussions welcomed!

Morten Kjeldgaard (mok0) wrote :

Tor has been discussed in the ubuntu-ngo team as a desired component, so we are very much interested in this going forward.

Martin Pitt (pitti) wrote :

Aron,

are you a regular tor user and can you commit to spending the resources to test tor updates and new versions on stable Ubuntu releases for their lifetime?

Right now I'm very hesitant to reintroduce this package, since it seems people are generally better off with using the upstream provided and maintained packages.

If you can maintain and test updates for stable and development releases of Ubuntu, I'm okay with reintroducing this, though.

Aron Xu (happyaron) wrote :

Pitti,

I can maintain it for the current stable release and the development release of Ubuntu; that is not very difficult because I can catch up with the upstream release debs and make not too many modifications to fit our requirements and avoid problems. I am using tor and many people around me need it more or less; many of them just wish it were apt-getable directly rather than installing another third-party source by hand.
I haven't been a MOTU yet so I need someone to assist me to upload updates of the packages. I've made a package in my PPA, and if you can reintroduce it, I can check it again to polish the Debian stuff and make sure it can be used as well as the upstream one.

http://ppa.launchpad.net/happyaron/ppa/ubuntu/pool/main/t/tor/

Aron

Aron Xu [2009-08-24 13:28 -0000]:
> I can maintain it for current stable release

That's the problem -- we need to maintain it in *all* stable
releases. E. g. right now we'd need to keep it up to date in dapper,
hardy, intrepid, and jaunty. Otherwise the users of those releases
would again use the old insecure versions, and we're back to square
one.

> I am using tor and many people around me need it more or less, many
> of them just wish it apt-getable directly rather than installing
> another third-party source by hand.

While that's true, and the point of a distribution, it becomes a weak
point if those old releases stay around forever. If upstream does a
much better job of providing packages for stable releases, it might be
better to refer people there.

I'd like to get the opinion of other MOTUs, too.

If I manage to maintain all stable releases, could you give me a
number for how many releases I will need to maintain at most at the same
time?
If only from hardy to karmic, or rather say 4-5 releases, I can do it.

Aron

Aron Xu [2009-08-24 14:29 -0000]:
> If I manage to maintain all stable releases, could you give me a
> number that how many releases will I need to maintain at most at same
> time?
> If only for hardy to karmic, or rather say in 4-5 releases, I can do it.

We usually have 4 supported stable releases. Dapper (6.06 LTS) is
currently somewhat in between (desktop is not supported any more,
server is), so if we don't update tor there, it would be bearable.

It's acceptable to maintain 4 stable releases.
The next step is how to get it back into the repository, I think; use the REVU
way or any other way?

Aron

Aron Xu [2009-08-24 14:49 -0000]:
> It's acceptable to maintain 4 stable release.
> The next step is how to make it back to repository I think, use revu
> way or any other way?

No, we can just sync it from Debian. I'd like to get another MOTU's
consent as well, though.

Let's create a tor-packages-maintainers team to maintain tor related packages: test and provide new tor versions for every stable Ubuntu release for their entire lifetime by using the very good work of Peter Palfrader, and perhaps develop new features like deploying an AppArmor profile. Interest? Then send me a message...

Aron Xu (happyaron) wrote :

Seems interesting, but one of the reasons upstream requests deletion of an upstream-unsupported package might be that users ask questions upstream to find help and they don't want to bear it anymore.

If there's help needed on the steps to make this happen, let me know.

Scott Kitterman (kitterman) wrote :

It is too late for Karmic now. We'll need to do this for Lucid.

Aron Xu (happyaron) on 2009-10-25
summary: [needs-packaging] Please sync tor 0.2.1.19-1 (universe) from Debian
- unstable (main)
+ testing (main)
tags: removed: needs-packaging
summary: - [needs-packaging] Please sync tor 0.2.1.19-1 (universe) from Debian
- testing (main)
+ Please sync tor 0.2.1.19-1 (universe) from Debian testing (main)
Artur Rona (ari-tczew) on 2009-11-08
tags: added: sync

If I'm reading comment #4 correctly, we could only ever sync from Debian and not make our own changes in order to have a trusted signature. I don't think that would work out. At the very least we need to be able to have different package revision numbers for different releases when we do updates.

It seems to me like if we are going to do this, we would need some kind of plan like we use for clamav:

https://wiki.ubuntu.com/ClamavUpdates

If the signing key issue is important, we'll also need a MOTU whose key is trusted by TOR.

Changed in ubuntu:
status: New → Incomplete
Aron Xu (happyaron) wrote :

Well, it's nearly expired.

@pitti
Could you tell me what your opinion is on how to deal with tor in Lucid?

Benjamin Drung (bdrung) wrote :

removing ubuntu-universe-sponsors for now until there is a decision

I vote for syncing the tor package after we have found someone whose key is trusted by TOR. I see two solutions: we may ask the Debian maintainer to maintain the package in Ubuntu (he already provides packages for Ubuntu) and give him upload rights, or Aron Xu gets involved upstream and gets his key signed and trusted.

Martin Pitt (pitti) wrote :

> I see two solutions: We may ask the Debian maintainer to maintain the package in Ubuntu (he already provides packages for Ubuntu) and we give him upload rights

If Peter wants to do this, this sounds like the best solution. As a DD, giving him tor upload rights is just an easy formality.

> or Aron Xu gets involved upstream and his key signed and trusted.

That's fine as well. In the spirit of team maintenance, it wouldn't even hurt to do both, so that Aron and Peter could both oversee the tor package in Ubuntu?

Aron Xu (happyaron) wrote :

I am sending a mail to Peter, the following message is the mail which I CC'ed here.

Hi Peter,

Please don't mind my saying happy new year too late to you!

I want to ask you whether you can maintain tor package for Ubuntu,
because you are the maintainer of this package in Debian and your key
is trusted by the Tor project. As discussed with the archive admin of
Ubuntu, he told me it's a formality to give you tor's upload right. I
am an Ubuntu user and do some packaging as a Debian Maintainer. I would
like to see people around me find tor is just apt-getable from either
Debian or Ubuntu's repository. Some of them are not able to visit
tor's official site, nor access the packages hosted on it.

If you are interested in helping, please see this bug report, or just
reply to me if you need any information:
https://bugs.launchpad.net/ubuntu/+bug/413657

Regards,
Aron Xu

Up this one. Do we have Peter's feedback?

On Sat, Nov 20, 2010 at 21:25, Artur Rona <email address hidden> wrote:
> Up this one. Do we have Peter's feedback?

No reply. :-(

--
Regards,
Aron Xu

Gary M (garym) on 2010-11-20
affects: ubuntu → tor (Ubuntu)

I've talked with Peter on IRC. He is not interested in maintaining tor in Ubuntu, but he can help other involved people.

So, can we sync? Benjamin, Scott, what do we need to get?

Peter Palfrader (weasel) wrote :

[I'm not talking for the Tor folks here; this is my own opinion.]

I think the primary concern of upstream is that users get current Tor
versions when they ask for Tor. Historically that has been a problem in
Ubuntu, where users apt-get installed (or whatever the shiny equivalent
for that is nowadays) tor and were left with an old and not very well
working tor without ever knowing it.

If Ubuntu can manage to keep their Tor package reasonably current in
all supported releases then I guess that having tor packages in Ubuntu
would be just fine with the Tor people.

(I don't really buy the entire "signed by a trusted key"-argument. It
 might apply to random third party repositories, but I don't think it
 is all that strong for the OS's own repositories. If the OS wants to
 own me I already lose, regardless of whether I get Tor from the place
 with the special fairy-dust or not.)

It has been suggested that I maintain the tor package in Ubuntu, but I
don't think that's such a great idea. I know too little about Ubuntu's
internal workings and communication channels to be effective.

However, I'm quite willing to help any Ubuntu person who wants to bring
Tor back to Ubuntu should they have specific questions, etc.

Cheers,
weasel

Nicola Ferralis (feranick) wrote :

Hi, I don't mean to interject into the discussion here with "advertising". Anyway, I maintain a PPA where I port tor-experimental (and related software) to various Ubuntu releases... Just in case someone finds it useful.

https://launchpad.net/~ubun-tor

Cheers,
Nick

Micah Gersten (micahg) wrote :

I unsubscribed ubuntu-sponsors as there seems to be nothing to do at the moment. I would suggest someone who's interested in this make a proposal to the Tech Board about getting a Microrelease exception. This doesn't appear to be maintainable otherwise:
https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions

Do we have a developer who is willing to maintain tor in all releases?

Aron Xu, do you want to be a maintainer for tor in Ubuntu?

On Sun, Nov 28, 2010 at 17:02, Artur Rona <email address hidden> wrote:
> Aron Xu, do you want to be a maintainer for tor in Ubuntu?
>

It is okay for me, but I am not a MOTU nor universe-contributor.

--
Regards,
Aron Xu

As I've stated in Bug #689188, I'm willing to take over Tor work on Ubuntu.

Aron Xu (happyaron) wrote :

Sorry for my late reply, I'm okay to co-maintain this package if Jacob would like me to.

Benjamin Drung (bdrung) on 2010-12-15
summary: - Please sync tor 0.2.1.19-1 (universe) from Debian testing (main)
+ Please sync tor 0.2.1.26-4 (universe) from Debian testing (main)

sync request ACK'ed

Changed in tor (Ubuntu):
status: Incomplete → Confirmed
Micah Gersten (micahg) wrote :

0.2.1.26-6 builds fine on amd64, ACK on new version

summary: - Please sync tor 0.2.1.26-4 (universe) from Debian testing (main)
+ Please sync tor 0.2.1.26-6 (universe) from Debian testing (main)
Colin Watson (cjwatson) wrote :

[Updating] tor (None [Ubuntu] < 0.2.1.26-6 [Debian])
 * Trying to add tor...
2010-12-24 16:17:28 INFO - <tor_0.2.1.26.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
2010-12-24 16:17:29 INFO - <tor_0.2.1.26-6.dsc: downloading from http://ftp.debian.org/debian/>
2010-12-24 16:17:29 INFO - <tor_0.2.1.26-6.diff.gz: downloading from http://ftp.debian.org/debian/>

Changed in tor (Ubuntu):
status: Confirmed → Fix Released
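The `None [Ubuntu] < 0.2.1.26-6 [Debian]` line in the sync log above is a Debian version comparison, and the whole thread turns on whether a release's tor package has fallen behind. As an added example (not from the bug report, Launchpad or any Ubuntu sync tool), here is that comparison implemented from Debian Policy's version-ordering rules and applied to a constructed per-release table, flagging the releases that are missing tor or carry an older version than Debian.

```python
import re

_RUN = re.compile(r"([^0-9]*)([0-9]*)")  # leading non-digit run, then digit run
def _sign(n): return (n > 0) - (n < 0)

def _order(c):
    """Weight of a non-digit character (Debian Policy 5.6.12): '~' sorts
    before everything, even the end of the string; letters before others."""
    return -1 if c == "~" else (ord(c) if c.isalpha() else ord(c) + 256)

def _cmp_nondigit(a, b):
    for i in range(max(len(a), len(b))):
        wa = _order(a[i]) if i < len(a) else 0  # end of string weighs 0
        wb = _order(b[i]) if i < len(b) else 0
        if wa != wb:
            return _sign(wa - wb)
    return 0

def _verrevcmp(a, b):
    """Compare upstream or revision strings as alternating non-digit/digit runs."""
    while a or b:
        sa, da = _RUN.match(a).groups()
        sb, db = _RUN.match(b).groups()
        r = _cmp_nondigit(sa, sb) or _sign(int(da or 0) - int(db or 0))
        if r:
            return r
        a, b = a[len(sa) + len(da):], b[len(sb) + len(db):]
    return 0

def split_version(v):
    """Split 'epoch:upstream-revision' (epoch and revision are optional)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    """-1, 0 or 1 as Debian version a is older than, equal to or newer than b."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    return _sign(ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def stale_releases(debian_version, ubuntu_versions):
    """Releases whose tor is absent (None) or older than the Debian version."""
    return sorted(rel for rel, ver in ubuntu_versions.items()
                  if ver is None or compare_versions(ver, debian_version) < 0)

# Constructed sample table, not the real archive state of these releases.
SAMPLE = {"hardy": "0.2.1.19-1", "lucid": None,
          "maverick": "0.2.1.26-4", "natty": "0.2.1.26-6"}
```

`stale_releases("0.2.1.26-6", SAMPLE)` returns `['hardy', 'lucid', 'maverick']`; the same check, fed the real per-release versions, is what a maintainer committing to "all supported releases" would run after each Debian upload.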