On Wed, Aug 08, 2007 at 11:47:56AM -0400, Peter Thoenen wrote:
>I hate to call Rui out in public but he is the maintainer here and very
>non-responsive to private emails about this.
>
>Tor 1.1.x has BEEN DEPRECATED from before the time 4.1 STABLE was
>released (you were notified of this also Rui) and all versions earlier
>than 1.2.15 suffer a remote code exploitation which has been proven in
>the wild already with technical details to be released to the public in
>two weeks per the developers. The developers announced all users should
>update immediately yet still not seeing this port updated in stable when
>I csup. Can you (Rui) update this port finally as it would count as a
>security update or are you just going to hang out and continue to be a
>subpar maintainer? If you don't want to maintain your own port then let
>me know and I or somebody else can do it but this is ridiculous. You
>missed the last couple stable releases and when informed of it you were
>like "what the f*ck do I care ... OBSD isn't about the latest and
>greatest. Compile it yourself". Well now we have a serious remote code
>issue and a deprecated non-supported (in the current tor directory
>services) package in OBSD ... is this a big enough issue to get you to care?
>NOTE: I am pretty indifferent if it is fixed in CURRENT. This is a
>remote code exploit and I am pretty sure security patches are merged
>into stable's port tree considering I see updates to it at least weekly.

I agree with you on this -current/-stable thingy. This ports tree soft locking shit *how we care about -stable users* is bullshit, when outdated/security vulnerable stuff is even in -current and it takes ages to backport and make packages of needed security updates... I see no logic there, since developers are on -current anyway and they don't care about stable users really...

>Sorry to be an ass Rui but with maintenance comes responsibility.

Can't agree on this, since Rui has been very responsive when I sent him a Secunia link about the flaw. He is not an ignorant one ;] And the tor update has been committed in the 4.1 branch too. However, there are other ports which aren't updated.

>
>-Peter
>
