Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#13237 closed defect (worksforme)

Development builds published to stable APT repositories

Reported by: johnwang
Owned by: weasel
Priority: Very High
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: apt repository
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Yesterday in the stable APT repository a couple of 2.5.x development builds for tor and tor-geoipdb appeared when I ran apt-get upgrade -s on my Ubuntu Trusty box:

* Inst tor-geoipdb [0.2.4.23-2~trusty+1] (0.2.5.8-rc-1~trusty+1 trusty [all]) []
* Inst tor [0.2.4.23-2~trusty+1] (0.2.5.8-rc-1~trusty+1 trusty [amd64])

Users relying on the stable repository expect only stable builds, so this risky, possibly dangerous update was probably pushed by mistake. The development builds were also pushed to the APT repositories for Ubuntu Lucid, Precise, and Saucy; Debian Squeeze, Wheezy, Jessie, and Sid; and possibly others I haven't checked.

Here are the contents of my /etc/apt/sources.list.d/tor-stable.list:

deb http://deb.torproject.org/torproject.org trusty main
deb-src http://deb.torproject.org/torproject.org trusty main
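
The check the reporter did by eye on the simulated upgrade can be scripted. The following is an added example, not part of the ticket or of any Tor Project tooling: it reads `apt-get upgrade -s` output and lists packages whose candidate version carries a pre-release tag that the installed version does not. The function name, the tag list (rc, alpha, beta) and the third sample line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: flag pending upgrades that would move a package from a
# released version to a pre-release one (rc/alpha/beta).

# Constructed sample input: the two Inst lines quoted in the ticket plus one
# made-up ordinary upgrade that must not be flagged.
SAMPLE='Inst tor-geoipdb [0.2.4.23-2~trusty+1] (0.2.5.8-rc-1~trusty+1 trusty [all]) []
Inst tor [0.2.4.23-2~trusty+1] (0.2.5.8-rc-1~trusty+1 trusty [amd64])
Inst examplepkg [1.0.1+src-1] (1.0.2+src-1 trusty [amd64])'

# find_prerelease (hypothetical helper): reads simulation output on stdin and
# prints "package installed candidate" for every upgrade whose candidate
# version has a pre-release tag while the installed version has none.
find_prerelease() {
    awk '
        BEGIN {
            # A tag only counts when it follows a version separator, so a
            # suffix such as "+src" is not mistaken for "rc".
            pre = "[-~.+](rc|alpha|beta)"
        }
        { sub(/^\* /, "") }   # tolerate list bullets as rendered on the ticket
        # Upgrades look like: Inst <pkg> [<installed>] (<candidate> <suite> ...)
        # New installs have no [<installed>] field and are skipped.
        $1 == "Inst" && $3 ~ /^\[/ && $4 ~ /^\(/ {
            inst = substr($3, 2, length($3) - 2)   # strip [ and ]
            cand = substr($4, 2)                   # strip leading (
            if (cand ~ pre && inst !~ pre)
                print $2, inst, cand
        }'
}

# Demonstration on the constructed sample. On a real host, use:
#   apt-get upgrade -s | find_prerelease
printf '%s\n' "$SAMPLE" | find_prerelease
```

Run from cron or a pre-upgrade wrapper, a non-empty result is the cue to hold the package before the real upgrade runs.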


Change History (4)

comment:1 Changed 5 years ago by johnwang

Owner: changed from erinn to weasel
Status: new → assigned

comment:2 Changed 5 years ago by arma

Resolution: worksforme
Status: assigned → closed

comment:3 in reply to:  2 Changed 5 years ago by johnwang

Replying to arma:

I'm okay with 2.5.x becoming the new stable series. But pushing a release candidate into the stable channel (especially when this is not prominently announced) is contrary to good security practice as well as the expectations of users for whom this move increases risk. Which repository can we subscribe to in order to avoid ever being a guinea pig?

comment:4 Changed 5 years ago by arma

I'm afraid there isn't such a repository. We have too few developers, and especially too few glue people to do this "prominently announced" part. Onward and upward! If you want to help, we talked about it on the #tor-dev channel before doing it, and we talk about other things there that users should hear about too. Thanks/sorry!
