Opened 13 months ago

Closed 13 months ago

Last modified 13 months ago

#24482 closed enhancement (wontfix)

Upload all stable binaries to torproject debian repository

Reported by: entr0py
Owned by:
Priority: Medium
Milestone:
Component: Core Tor/Tor
Version: Tor: unspecified
Severity: Normal
Keywords: tor repository deb.torproject.org
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Currently only the latest stable version is included in torproject repo.

Example: https://deb.torproject.org/torproject.org/dists/jessie/main/binary-amd64/Packages has the latest 0.3.1.x series.

It would be helpful to be able to apt-pin system tor to a particular major version (i.e. 0.2.9.x) and receive security updates while testing compatibility with the next major version. At the moment, updates to 0.2.9.x must be built and distributed by a third party even though 0.2.9.x is an LTS release.

Change History (11)

comment:1 Changed 13 months ago by arma

What are you trying to do?

If you want the LTS Tor, use the one in Debian stable, and if you want security updates, be sure to have a security.debian.org line in your sources.list?

comment:2 Changed 13 months ago by entr0py

We are currently using oldstable (Jessie) which has 0.2.5 but we want to be on 0.2.9. At the moment, Jessie-backports and Stretch are on 0.2.9 but the issue is that they will eventually move to 0.3.0 whether we are ready or not. If we stay on 0.2.9 after they've moved to 0.3.0, then we will no longer receive updates. Ideally, we'd like to stay with the current latest stable version, but will spend some time at latest stable minus 0.0.1 to make sure there isn't any breakage.

If torproject repo has all the latest versions, we can pin to any arbitrary major version and stay there as long as needed.

comment:3 Changed 13 months ago by arma

You're in luck! I think stretch isn't going to move to 0.3.0. That's because 0.2.9 is the LTS, and it's the one we're going to maintain until 2020:
https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases#Listofreleases

That is, the Debian stables are aiming to do the sort of thing you're talking about, so in most cases you should be able to just use them directly.

comment:4 Changed 13 months ago by entr0py

Thanks for your attention to this ticket! Unfortunately, the versions that I mentioned were largely arbitrary and the versions we will need going forward won't always correspond to Stable / LTS releases. For example, when TPO blesses 0.3.2 stable, we are likely to be on 0.3.1. (we = Whonix). Our users won't want to be too far behind latest stable release but upgrading automatically to new major versions could cause breakage, which too often is followed by panic.

I understand this ticket would result in additional work for *somebody* so apologies for that!

comment:5 Changed 13 months ago by Sebastian

Our debian package maintainer has already indicated elsewhere that this is an unreasonable amount of work. You could build the packages yourself for your distribution if you need it, however.

comment:6 Changed 13 months ago by entr0py

Resolution: wontfix
Status: new → closed

Understood. Thanks for considering!

comment:7 in reply to: 5 Changed 13 months ago by adrelanos

Replying to Sebastian:

Our debian package maintainer has already indicated elsewhere that this is an unreasonable amount of work. You could build the packages yourself for your distribution if you need it, however.

deb.torproject.org is dead?

comment:8 Changed 13 months ago by Sebastian

what?

comment:9 Changed 13 months ago by irl

I feel like we should have at least an LTS suite. The description of this ticket perhaps describes something that would be too much, but I'm not sure we can claim long-term support without also providing the releases in formats people use, especially if it's just a minor release and the packaging work is already done.

Looking at it, it seems we already have nightly builds for these.

(Saying this, if the maintainer does not have time, then the maintainer does not have time)

comment:10 Changed 13 months ago by nickm

There are LTS releases of Tor -- they're the ones that go into Debian stable.

We have a policy for how long we (the Tor team) support each release: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases

comment:11 Changed 13 months ago by irl

Right, but these don't appear on deb.torproject.org even though they've been built for Debian, which means waiting for clearing stable-proposed-updates or having the package migrate from unstable to testing and then backporting (not sure how that works when you have newer versions in unstable). Either way, the package exists but is not available to others to test in their derivatives until clearing the Debian procedures.
