It would be helpful to be able to apt-pin system tor to a particular major version (i.e., 0.2.9.x) and receive security updates while testing compatibility with the next major version. At the moment, updates to 0.2.9.x must be built and distributed by a third party even though 0.2.9.x is an LTS release.
Trac: Username: entr0py
If you want the LTS Tor, use the one in Debian stable, and if you want security updates, be sure to have a security.debian.org line in your sources.list?
We are currently using oldstable (Jessie) which has 0.2.5 but we want to be on 0.2.9. At the moment, Jessie-backports and Stretch are on 0.2.9 but the issue is that they will eventually move to 0.3.0 whether we are ready or not. If we stay on 0.2.9 after they've moved to 0.3.0, then we will no longer receive updates. Ideally, we'd like to stay with the current latest stable version, but will spend some time at latest stable minus 0.0.1 to make sure there isn't any breakage.
If torproject repo has all the latest versions, we can pin to any arbitrary major version and stay there as long as needed.
Thanks for your attention to this ticket! Unfortunately, the versions that I mentioned were largely arbitrary and the versions we will need going forward won't always correspond to Stable / LTS releases. For example, when TPO blesses 0.3.2 stable, we are likely to be on 0.3.1. (we = Whonix). Our users won't want to be too far behind latest stable release but upgrading automatically to new major versions could cause breakage, which too often is followed by panic.
I understand this ticket would result in additional work for somebody so apologies for that!
Our Debian package maintainer has already indicated elsewhere that this is an unreasonable amount of work. You could build the packages yourself for your distribution if you need it, however.
I feel like we should have at least an LTS suite. The description of this ticket perhaps describes something that would be too much, but I'm not sure we can claim long-term support without also providing the releases in formats people use, especially if it's just a minor release and the packaging work is already done.
Looking at it, it seems we already have nightly builds for these.
(Saying this, if the maintainer does not have time, then the maintainer does not have time)
Right, but these don't appear on deb.torproject.org even though they've been built for Debian, which means waiting for clearing stable-proposed-updates or having the package migrate from unstable to testing and then backporting (not sure how that works when you have newer versions in unstable). Either way, the package exists but is not available to others to test in their derivatives until clearing the Debian procedures.