Opened 3 years ago

Closed 4 months ago

#19496 closed task (fixed)

Remove deb.tpo obfs4proxy Debian packages

Reported by: irl Owned by: irl
Priority: Medium Milestone:
Component: Internal Services/Service - deb.tpo Version:
Severity: Normal Keywords: debian, packaging, obfs4proxy
Cc: infinity0, lunar Actual Points:
Parent ID: #30471 Points:
Reviewer: Sponsor:

Description

obfs4proxy was package in Debian in #12910, but is currently only available in Debian testing and unstable.

Producing backports for Debian jessie and currently supported Ubuntu suites would improve availability to relay operators, and make it easier for relay operators to run useful bridges.

I'm happy to do this work, but it should be coordinated with infinity0/lunar who currently maintain the package in Debian. I'm also happy for them to do the backporting work.

For the Ubuntu backports, we should host these on deb.tpo (and if we choose to do so we should host Debian packages (sid, stretch, jessie) there too for completeness.

Child Tickets

Change History (9)

comment:1 Changed 3 years ago by lunar

We actually do provide backports:
https://deb.torproject.org/torproject.org/dists/obfs4proxy/main/binary-amd64/Packages

(They haven't been updated for the recent releases though.)

The rationale for using a custom suite is 1. it's too complicated to backport all the Go dependencies; 2. we don't need to do it because the resulting binary is statically linked.

So I believe this is more a problem of documentation and ownership on updates. :)

comment:2 Changed 8 months ago by teor

Owner: asn deleted
Status: newassigned

asn does not need to own any obfuscation tickets any more. Default owners are trouble.

comment:3 Changed 7 months ago by cohosh

Status: assignednew

tickets are unassigned, reverting to 'new'

comment:4 Changed 4 months ago by phw

Component: Archived/ObfsproxyCircumvention/Obfs4

comment:5 Changed 4 months ago by phw

Parent ID: #30471

comment:6 Changed 4 months ago by phw

It's been a few years and obfs4proxy is now in Debian stable and all currently-supported Ubuntu flavours.

The question is: are these packages recent enough? Debian's oldest package is 0.0.7, in stable, and Ubuntu's oldest package is 0.0.6, in xenial (16.04 LTS).

comment:7 Changed 4 months ago by arma

Component: Circumvention/Obfs4Internal Services/Service - deb.tpo
Owner: set to irl
Status: newassigned
Summary: Provide backports for obfs4proxy Debian packagesRemove deb.tpo obfs4proxy Debian packages

I'm hijacking this ticket to be about removing our separate, unmaintained, obfs4proxy packages.

We're shipping obfs4proxy 0.0.7-1 on deb.tpo.

weasel points out that since go statically compiles stuff, that old package is shipping with a go that now has security bugs. That's no good.

In the mean time, Debian stable now has 0.0.7-1+b2, which presumably is where the underlying go libs got rebuilt.

Everything else we care about has at least that version of obfs4proxy too, except Ubuntu 16.04, which still ships with 0.0.6-2.

So the most straightforward thing to do is to get rid of our obfs4proxy component in deb.tpo -- nobody should be using it. And to fix the documentation that tells people to add that repo to their apt sources, e.g.
https://trac.torproject.org/projects/tor/wiki/doc/PluggableTransports/obfs4proxy

And then if folks want to make debs for newer versions of obfs4proxy, we should get those into debian testing, and reevaluate once that's done.

Sound plausible?

comment:8 Changed 4 months ago by arma

If we proceed with deleting them, we can also close #18796, and update/simplify the output of #20643.

There are some more recent versions of obfs4proxy:
https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/ChangeLog
but none of them seem critical to get from the obfs4 server side.

comment:9 Changed 4 months ago by irl

Resolution: fixed
Status: assignedclosed

woo

Additionally, removed the obfs4proxy suite from deb.tpo.

Note: See TracTickets for help on using tickets.