[Whonix-devel] Should Whonix ship Tor 0.2.3 or 0.2.4?

adrelanos adrelanos at riseup.net
Wed Sep 11 03:01:50 CEST 2013


Hi,

I hope this is the right place to ask questions from a Tor-centric
Linux distribution packager perspective. Asking as a maintainer of Whonix.

Next version of Whonix will be based on Debian testing (jessie).
[Pretty much ready for release. This is one of the last questions to
be sorted out.]

Torproject's jessie [1] repository still contains Tor 0.2.3.25-1,
while experimental-wheezy [2] already contains Tor 0.2.4.17-rc-1.

Due to the botnet issue, 0.2.4 provides a much better user experience
than 0.2.3. Now I am wondering which apt repository should be enabled
by default in next Whonix version.

I could temporarily add experimental-jessie during the build process
and after installing Tor, reset it to jessie. That doesn't seem like a
good idea, because when experimental-jessie gets a security update,
chances are bad that this security update also comes through the
jessie repository. As long as the Tor version in the jessie repository
wouldn't be higher than the installed one.

Tails will use 0.2.4 and I have no objections against 0.2.4 in its
current state either. But Whonix can't be compared with Tails in that
way. Tails is a Live DVD and has a planned and working release cycle,
while Whonix is conceptually an installed operating system and
releases are less frequent, Whonix can be updated using apt-get [and
time is rare, and no one else willing to regularly create builds].

So when next Whonix version comes with the experimental-jessie
repository enabled by default, it would later be difficult to
downgrade that version to the jessie repository.

Another option I would like to avoid is uploading Tor to Whonix's own
apt repository. I am hesitant to do this, because Whonix doesn't have
any packages containing binary code yet [they are fetched from Debian]
and, because that could look fishy and because it adds maintenance
burden, since I would have to keep up with torproject's releases.

None of these options looks good. Any recommendations?

Cheers,
adrelanos

[1]
http://deb.torproject.org/torproject.org/dists/jessie/main/binary-i386/Packages
[2]
http://deb.torproject.org/torproject.org/dists/experimental-jessie/main/binary-i386/Package