Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Conrad Rockenhaus:
>
>
>> On Sep 5, 2019, at 10:21 PM, grarpamp wrote:
>>
>>> never relied on the OS Package of Tor, mainly because OS’s OpenSSL versions
>>> are behind the current version of OpenSSL, so I normally compile Tor against
>>> the latest OpenSSL. Example, FreeBSD 12.0-RELEASE has OpenSSL
>>> 1.1.1a-freebsd, which generates a slight crypto error during the startup of
>>> Tor. If you download OpenSSL 1.1.1c and just compile against it, eh, problem
>>> fixed.
>>
>> As to realtime, hardly any behind...
>> ver openssl 12-stable ports-head
>> 1.1.1c 20190528 20190528 20190528
>> 1.1.1b 20190226 20190226 20180227
>> 1.1.1a 20181120 20181120 20181120
>> ... not including any 'responsible disclosure' bs
>> around any HW / SW that users may or may not
>> be affected by.
>>
>> As to release mechanics...
>> 12.0-release base had latest 1.1.1a at release,
>> release ports tags were one letter rev behind
>> at 1.0.2p and 1.1.0i, release ports head was
>> latest at 1.0.2q and 1.1.1a, quarterly was similar.
>>
>> tor follows same pattern, people can research
>> and post those datas if they want.
>>
>> Of course people's boxes will be behind if they never
>> update them beyond release, that's not fault of any OS.
>>
>> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading.html
>> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
>> https://download.freebsd.org/ftp/snapshots/
>>
>> Either update base per binary, snapshot, releng, or stable...
>> or track and install ports (packages) quarterly, latest / head...
>> and compile against that as needed.
>>
>> Or get the upstream sources and do by hand.
>>
>> If people aren't on FreeBSD or a well supported
>> Linux distro they should expect their OS to be
>> laggy in areas.
>>
>> Many FreeBSD tor users would be fine tracking
>> base stable and packages latest (ports head).
>> pkg.conf: url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest";,
>>
>> If their OS of choice is still a bit laggy for them, they
>> can join their OS community and start generating
>> update commits... :)
>>
>> https://freebsd.org/
>> https://openbsd.org/
>> etc
>> or whatever pump and dump linux distro is hot this year.
>
> Grampamp,
>
> You know I love you tons - but the problem with the FreeBSD release of Tor
> isn’t fixed by switching to “latest”, you’ll still get the error upon
> startup. It’s compiled against an older version of OpenSSL. Since it already
> has an active maintainer I can’t just go in and take it over. That would be
> rude.
>
> Yes, OpenSSL on mainline 12.0-RELEASE is fixed, but what they compiled the
> package against isn’t, so it’s either compile the port or don’t use pkgs. I
> for one believe in the philosophy of not mixing pkgs and ports so…. Ports it
> is.
Way late to the party on this, and I don't know if it's resolved on the
FreeBSD side yet, but you need to try https://bugs.freebsd.org/bugzilla/
for issues like this, especially if it's a sync issue between base and
the package.
I did not have any issues with FreeBSD 12-RELEASE with pkgs set to
"latest" with net/tor.
IMHO, issues like this are inevitable when you have THREE supported
"production" releases...
Oh, how I miss the FreeBSD 4.x era.
g
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
> On 7. Sep 2019, at 12:20, teor wrote: > > Hi, > > On 6 Sep 2019, at 20:14, Roman Mamedov wrote: > >>> Where does the security weakpoint risk come from? Does >>> apt-transport-tor/onion service repository availability help in your >>> mind here? >> >> As with adding any third-party repository, it means trusting the repository >> provider to install and run any root-privilege code on the machine. In case >> the repository server (or actually the release process, including signing) is >> compromised, on the next update it can serve malicious or backdoored versions >> of the software. So naturally from the security standpoint it is beneficial >> to >> add (and trust) as few repositories as possible, just to reduce the "attack >> surface". > > So one thing Tor could do here is run easily and securely without root? > > T Not really I think. I kind of subscribe to the same argument (I think it is the same argument at least) for almost all software I install: - I want fast and low-risk updates in the case of a security update, so please give me a patch that fixes only the security issue - I want a low-hassle installation, so frequently updating (more frequently than every other year or so) is really annoying. Especially if there could be changes in the configuration that I have to adapt, and even more so if I cannot have confidence that all configuration changes I might need to make are given during the update. - I never want a software to update without my knowledge, so absolutely no phoning home for updates/automatically updating. Even without root. Being able to execute a binary on a system is not very far from being root on that system these days. I think I apply this to every software with the exception of Tor, and for Tor I only do it because of my project involvement and the big trust I put into the maintainers of our repository. For other stuff, I just stop running it if it doesn't work out of the box provided by my distribution. Cheers Sebastian ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
My relays track current stable, though I prefer going slow updating unless a major CVE/TROVE lands. LTS is beneficial for many reasons and, from the enthused developer perspective perhaps best viewed as "necessary evil." Rather than thinking about killing LTS, is better to think about ways to campaign for and facilitate rapid migration to a latest LTS release when very important features arrive. Possibly this translates to early retirement via blacklisting of the eldest version. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
On Sat, 7 Sep 2019 20:20:06 +1000 teor wrote: > > As with adding any third-party repository, it means trusting the repository > > provider to install and run any root-privilege code on the machine. In case > > the repository server (or actually the release process, including signing) > > is > > compromised, on the next update it can serve malicious or backdoored > > versions > > of the software. So naturally from the security standpoint it is beneficial > > to > > add (and trust) as few repositories as possible, just to reduce the "attack > > surface". > > So one thing Tor could do here is run easily and securely without root? This will not address the concern, because AFAIK in Debian the package management scripts (contained inside the .deb's DEBIAN dir: preinst, postinst, prerm and postrm) always run with root privileges on package addition or removal. -- With respect, Roman ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Hi Am Do., 5. Sept. 2019 um 04:12 Uhr schrieb Mike Perry < mikepe...@torproject.org>: > How can we fix that for you, or at least, how can we make it easier to > run the very latest stable series Tor on your relay? > When i started my first relay i had zero knowledge about Linux so i can describe my whole experience from a noob position. I wanted to start to learn about something new and someone told me a Raspberry Pi is good to start with Linux. Then i had that Pi with Raspbian and didnt knew what to do with it now. I found an instruction on google how to install a Tor relay to contribute to Tor. It took me more than two weeks with many angry moments followed by many facepalms but finally my first relay was working. Now about one year later i operate 25 relays and i love it. I constantly learn something new and i read everything i can about Tor because its fascinating and awesome. It took me months to realize that there is an instruction on your website how to install a relay. At the beginning i always used some guides which i found on google because they appear before the instruction site of the Torproject appears. If you could point out that the instructions for installing a relay on Debian are the same like for Raspbian it had safed me many hours because i thought it will not work if i use the Debian instructions and i thought its more like a "tweak" to make a relay running on a Pi because on your website i can find several OSs but nothing about Raspbian. After i finally understood how to install packages on my Raspberry Pi i was very happy that it worked and i was afraid to touch anything. It took me some more months to even realize that the package in the repositories is not the latest one. I thought its working like Windows Update where you will automatically get the latest stable one when you run apt-get upgrade. After that realization it took me some more months to understand what an additional repository is and how and why to add it. I think there is not much you can do against that. Maybe just support the versions "as short as necessary" because if someone really wants to understand what is going on then he will take his time to make it working. I dont know how big that fraction is but maybe there are several people outside who just dont know that their relay is outdated. I am subscribed on this mailing-list after i had half of my relays already running so maybe there are some people who just dont realize that their relays version is outdated because they still can see traffic on it. So i think kicking out relays with outdated versions "as fast as useful" is a good way to show the operator that he is not very helpful anymore. When they dont see any traffic anymore they either will try to find out why and upgrade or they will close the relay but i think if they decide to close the relay they are anyway not very reliable. To sum it up: - Make it as easy as possible to find the setup instructions - Point out that Raspbian is supported too - Make it more obvious that an operator could be much more useful if he would take a few minutes to upgrade I remembered that someone here asked a few months ago how to set up a relay on Windows. Out of boredom a few days ago i grabbed a one-month-description VPS with Windows Server 2012 R2 on it and tried to set up a relay there. I felt familiar immediatelly even if i had never worked with Windows Server before and the relay was running after 15 minutes. F9C203B9FB710FC9C7C45F2CCDF8B626F2320253 There were only three small points where i struggled a little bit because Tor crashed without telling me why but setting it up on Windows seems to be as easy as on Linux. If it helps i can describe the crashes i had or write a ticket about it. An instruction about setting it up on Windows might be not worth the work but pointing out that if someone is more familiar with Windows that he should just try his luck because it will likely work could be helpful too. ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Hi, On 6 Sep 2019, at 20:14, Roman Mamedov wrote: >> Where does the security weakpoint risk come from? Does >> apt-transport-tor/onion service repository availability help in your >> mind here? > > As with adding any third-party repository, it means trusting the repository > provider to install and run any root-privilege code on the machine. In case > the repository server (or actually the release process, including signing) is > compromised, on the next update it can serve malicious or backdoored versions > of the software. So naturally from the security standpoint it is beneficial to > add (and trust) as few repositories as possible, just to reduce the "attack > surface". So one thing Tor could do here is run easily and securely without root? T ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
On Fri, 06 Sep 2019 02:20:00 + Mike Perry wrote: > >> 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" > > > > I was using them in the past, but then decided not to, as it's adding some > > management overhead and also one more potential security weakpoint. > > These two strike me as being likely to be very high on the list of > common reasons, when the choice is deliberately made. > > What can we do to reduce management overhead? Nothing, perhaps. It's just a matter of dealing with an external repo itself: adding it, ensuring it is added on all new machines, ensuring the distro specifier is update on distro upgrades, and likely working on integrating all of that that into a centralized deployment system (not ansible): e.g. do I add that into sources.list directly, or put a file into sources.list.d, if a file, then will it be a file directly, or symlinked from the location into which all other configs are rsync'ed to the machine, etc. Considering the previously perceived low benefit of running the very latest version in the first place, or the benefit of running that over backports (the Tor repo might have only a marginally newer version than backports), it should be easy to see why the desire to skip all of the above. (For backports it is the same "overhead", but I am likely adding backports anyway, due to wanting something else from it, not just Tor). > Someone else mentioned ansible. Would an ansible playbook that add our > repositories and their gpg keys make this easier? Or is it better just > to keep the steps all on a single page? Personally I do not use ansible and would not prefer that to be made the only way to do something. > Where does the security weakpoint risk come from? Does > apt-transport-tor/onion service repository availability help in your > mind here? As with adding any third-party repository, it means trusting the repository provider to install and run any root-privilege code on the machine. In case the repository server (or actually the release process, including signing) is compromised, on the next update it can serve malicious or backdoored versions of the software. So naturally from the security standpoint it is beneficial to add (and trust) as few repositories as possible, just to reduce the "attack surface". -- With respect, Roman ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
> On Sep 5, 2019, at 10:21 PM, grarpamp wrote:
>
>> never relied on the OS Package of Tor, mainly because OS’s OpenSSL versions
>> are behind the current version of OpenSSL, so I normally compile Tor against
>> the latest OpenSSL. Example, FreeBSD 12.0-RELEASE has OpenSSL
>> 1.1.1a-freebsd, which generates a slight crypto error during the startup of
>> Tor. If you download OpenSSL 1.1.1c and just compile against it, eh, problem
>> fixed.
>
> As to realtime, hardly any behind...
> ver openssl 12-stable ports-head
> 1.1.1c 20190528 20190528 20190528
> 1.1.1b 20190226 20190226 20180227
> 1.1.1a 20181120 20181120 20181120
> ... not including any 'responsible disclosure' bs
> around any HW / SW that users may or may not
> be affected by.
>
> As to release mechanics...
> 12.0-release base had latest 1.1.1a at release,
> release ports tags were one letter rev behind
> at 1.0.2p and 1.1.0i, release ports head was
> latest at 1.0.2q and 1.1.1a, quarterly was similar.
>
> tor follows same pattern, people can research
> and post those datas if they want.
>
> Of course people's boxes will be behind if they never
> update them beyond release, that's not fault of any OS.
>
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading.html
> https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
> https://download.freebsd.org/ftp/snapshots/
>
> Either update base per binary, snapshot, releng, or stable...
> or track and install ports (packages) quarterly, latest / head...
> and compile against that as needed.
>
> Or get the upstream sources and do by hand.
>
> If people aren't on FreeBSD or a well supported
> Linux distro they should expect their OS to be
> laggy in areas.
>
> Many FreeBSD tor users would be fine tracking
> base stable and packages latest (ports head).
> pkg.conf: url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest";,
>
> If their OS of choice is still a bit laggy for them, they
> can join their OS community and start generating
> update commits... :)
>
> https://freebsd.org/
> https://openbsd.org/
> etc
> or whatever pump and dump linux distro is hot this year.
Grampamp,
You know I love you tons - but the problem with the FreeBSD release of Tor
isn’t fixed by switching to “latest”, you’ll still get the error upon startup.
It’s compiled against an older version of OpenSSL. Since it already has an
active maintainer I can’t just go in and take it over. That would be rude.
Yes, OpenSSL on mainline 12.0-RELEASE is fixed, but what they compiled the
package against isn’t, so it’s either compile the port or don’t use pkgs. I for
one believe in the philosophy of not mixing pkgs and ports so…. Ports it is.
Thanks,
Conrad
signature.asc
Description: Message signed with OpenPGP
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Hi all, > On 6 Sep 2019, at 12:20, Mike Perry wrote: > > Roman Mamedov: >> >> On Thu, 05 Sep 2019 02:11:00 + >> Mike Perry wrote: >> >>> 1. "I didn't know that Debian's backports repo has latest-stable Tor!" >> >> I only looked to backports when I get a warning on the metrics website that >> my >> versions are not recommended. Aside from that, I thought that running LTS on >> relays is actually beneficial, to prevent any newly introduced bugs in the >> current latest versions from having an impact on the network infrastructure. > > We are moving towards relying on CI for finding functional bugs, and > code review and static analysis for security issues. > > I don't believe that current LTS periods of time will necessarily > provide better results for either of these classes of risk than > investing in better CI and in other forms of diversity than just release > version. > > However, I could see a middle ground where we shorten LTS timescales for > the relay side, but don't eliminate them, as we work towards where we > want to be with CI and security issue risk reduction (or other forms of > diversity). We also have long-term support so that popular software distributions can have a supported version of Tor. (Debian, Ubuntu, and ideally some non-Linux distributions, if they become popular in future.) So it's not just risk that determines our current LTS timeframes. T signature.asc Description: Message signed with OpenPGP ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
> never relied on the OS Package of Tor, mainly because OS’s OpenSSL versions
> are behind the current version of OpenSSL, so I normally compile Tor against
> the latest OpenSSL. Example, FreeBSD 12.0-RELEASE has OpenSSL
> 1.1.1a-freebsd, which generates a slight crypto error during the startup of
> Tor. If you download OpenSSL 1.1.1c and just compile against it, eh, problem
> fixed.
As to realtime, hardly any behind...
ver openssl 12-stable ports-head
1.1.1c 20190528 20190528 20190528
1.1.1b 20190226 20190226 20180227
1.1.1a 20181120 20181120 20181120
... not including any 'responsible disclosure' bs
around any HW / SW that users may or may not
be affected by.
As to release mechanics...
12.0-release base had latest 1.1.1a at release,
release ports tags were one letter rev behind
at 1.0.2p and 1.1.0i, release ports head was
latest at 1.0.2q and 1.1.1a, quarterly was similar.
tor follows same pattern, people can research
and post those datas if they want.
Of course people's boxes will be behind if they never
update them beyond release, that's not fault of any OS.
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/updating-upgrading.html
https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ports.html
https://download.freebsd.org/ftp/snapshots/
Either update base per binary, snapshot, releng, or stable...
or track and install ports (packages) quarterly, latest / head...
and compile against that as needed.
Or get the upstream sources and do by hand.
If people aren't on FreeBSD or a well supported
Linux distro they should expect their OS to be
laggy in areas.
Many FreeBSD tor users would be fine tracking
base stable and packages latest (ports head).
pkg.conf: url: "pkg+https://pkg.FreeBSD.org/${ABI}/latest";,
If their OS of choice is still a bit laggy for them, they
can join their OS community and start generating
update commits... :)
https://freebsd.org/
https://openbsd.org/
etc
or whatever pump and dump linux distro is hot this year.
___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Roman Mamedov: > > On Thu, 05 Sep 2019 02:11:00 + > Mike Perry wrote: > >> 1. "I didn't know that Debian's backports repo has latest-stable Tor!" > > I only looked to backports when I get a warning on the metrics website that my > versions are not recommended. Aside from that, I thought that running LTS on > relays is actually beneficial, to prevent any newly introduced bugs in the > current latest versions from having an impact on the network infrastructure. We are moving towards relying on CI for finding functional bugs, and code review and static analysis for security issues. I don't believe that current LTS periods of time will necessarily provide better results for either of these classes of risk than investing in better CI and in other forms of diversity than just release version. However, I could see a middle ground where we shorten LTS timescales for the relay side, but don't eliminate them, as we work towards where we want to be with CI and security issue risk reduction (or other forms of diversity). >> 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" > > I was using them in the past, but then decided not to, as it's adding some > management overhead and also one more potential security weakpoint. These two strike me as being likely to be very high on the list of common reasons, when the choice is deliberately made. What can we do to reduce management overhead? Right now, there are quite a lot of separate pages pointing to different pieces of the steps of adding our repo. Is that the problematic piece? Are there additional things make it more of a hassle than it should be? Someone else mentioned ansible. Would an ansible playbook that add our repositories and their gpg keys make this easier? Or is it better just to keep the steps all on a single page? Where does the security weakpoint risk come from? Does apt-transport-tor/onion service repository availability help in your mind here? -- Mike Perry signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
> On Sep 5, 2019, at 11:44 AM, Matt Traudt wrote: > > On 9/4/19 22:43, teor wrote: >> Hi Mike, >> >> Here's some other reasons that might affect a few operators: >> >>> On 5 Sep 2019, at 12:11, Mike Perry wrote: >>> >>> Unfortunately, we still have something like 2500 relays on either Tor >>> 0.2.9-LTS or Tor 0.3.5-LTS. >>> >>> What are the reasons for this? My guess is the top 5 most common >>> responses are: >>> >>> 1. "I didn't know that Debian's backports repo has latest-stable Tor!" >>> 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" >>> 3. "I'm running a distribution that Tor Project doesn't have repos for." >>> 4. "I rolled my own custom Tor from git and forgot about it." >>> 5. "My relay machine was not getting any updates at all. Oops." >>> >>> Does anyone have a reason that they think many other relay operators >>> also share? >> >> 6. When I tried to update, it didn't work with my old config >> 7. I need features that only exist in older Tors >> - I can think of Tor2web, there may be others >> 8. I am maintaining research or other patches against tor, and rebases >> are difficult >> > > Regarding my relays, which currently are [0] > > - Two were stuck on 0.3.4.11 because I had to install Tor from source on > that machine and am bad about updating it (just updated) > - Two are stuck on 0.3.5.7 because research and rebasing to new versions > is liable to create inconsistencies and general doubt about results > > [0]: https://metrics.torproject.org/rs.html#search/contact:pastly > >>> How can we fix that for you, or at least, how can we make it easier to >>> run the very latest stable series Tor on your relay? > > This is a huge ask and I don't expect anything to come of this > suggestion, but: > > Auto updates from within Tor itself (not relying on distro package > managers). Put it behind a torrc option, allow the authorities to tell > relays with the option enabled to download a new tor binary from $PLACE, > create a bunch of infrastructure that builds Tor for all supported > platforms reliably and efficiently, use a bunch of signatures everywhere > so nothing bad can happen, done. So easy a caveman could do it, nothing > bad could ever happen, absolutely no downsides, it's $CURRENT_YEAR so > why don't we have this, etc. etc. > > -- > Matt This may not matter for LTS versions, but I just wanted to mention it it in reference it to the possible idea that Tor possibly updating itself. I’ve never relied on the OS Package of Tor, mainly because OS’s OpenSSL versions are behind the current version of OpenSSL, so I normally compile Tor against the latest OpenSSL. Example, FreeBSD 12.0-RELEASE has OpenSSL 1.1.1a-freebsd, which generates a slight crypto error during the startup of Tor. If you download OpenSSL 1.1.1c and just compile against it, eh, problem fixed. Sorry, maybe I just don’t like seeing errors :). Anyway, why don’r we try to simplify the update process even further and just ship Tor with some ansible scripts that will replace the binary, check the config file and comment out any settings that will break the new version, then restart? It’s pretty simple to write an sensible script to do this function. --- Conrad Rockenhaus con...@rockenhaus.com https://www.rockenhaus.com/ (254) 292-3350 signature.asc Description: Message signed with OpenPGP ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
On 9/4/19 22:43, teor wrote: > Hi Mike, > > Here's some other reasons that might affect a few operators: > >> On 5 Sep 2019, at 12:11, Mike Perry wrote: >> >> Unfortunately, we still have something like 2500 relays on either Tor >> 0.2.9-LTS or Tor 0.3.5-LTS. >> >> What are the reasons for this? My guess is the top 5 most common >> responses are: >> >> 1. "I didn't know that Debian's backports repo has latest-stable Tor!" >> 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" >> 3. "I'm running a distribution that Tor Project doesn't have repos for." >> 4. "I rolled my own custom Tor from git and forgot about it." >> 5. "My relay machine was not getting any updates at all. Oops." >> >> Does anyone have a reason that they think many other relay operators >> also share? > > 6. When I tried to update, it didn't work with my old config > 7. I need features that only exist in older Tors > - I can think of Tor2web, there may be others > 8. I am maintaining research or other patches against tor, and rebases >are difficult > Regarding my relays, which currently are [0] - Two were stuck on 0.3.4.11 because I had to install Tor from source on that machine and am bad about updating it (just updated) - Two are stuck on 0.3.5.7 because research and rebasing to new versions is liable to create inconsistencies and general doubt about results [0]: https://metrics.torproject.org/rs.html#search/contact:pastly >> How can we fix that for you, or at least, how can we make it easier to >> run the very latest stable series Tor on your relay? This is a huge ask and I don't expect anything to come of this suggestion, but: Auto updates from within Tor itself (not relying on distro package managers). Put it behind a torrc option, allow the authorities to tell relays with the option enabled to download a new tor binary from $PLACE, create a bunch of infrastructure that builds Tor for all supported platforms reliably and efficiently, use a bunch of signatures everywhere so nothing bad can happen, done. So easy a caveman could do it, nothing bad could ever happen, absolutely no downsides, it's $CURRENT_YEAR so why don't we have this, etc. etc. -- Matt ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
On Thu, 05 Sep 2019 02:11:00 + Mike Perry wrote: > 1. "I didn't know that Debian's backports repo has latest-stable Tor!" I only looked to backports when I get a warning on the metrics website that my versions are not recommended. Aside from that, I thought that running LTS on relays is actually beneficial, to prevent any newly introduced bugs in the current latest versions from having an impact on the network infrastructure. > 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" I was using them in the past, but then decided not to, as it's adding some management overhead and also one more potential security weakpoint. -- With respect, Roman ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Hi, On 5 Sep 2019, at 13:01, Mike Perry wrote: >> 8. I am maintaining research or other patches against tor, and rebases >> are difficult > > Again, common? I'm going to guess not common (or self-supporting), but > this does feel like something we could measure by checking for git > versions that don't make sense to us in the full descriptor archives. That could be hard: some distros add their own patches using git. >>> How can we fix that for you, or at least, how can we make it easier to >>> run the very latest stable series Tor on your relay? >> >> The answers are probably something like: >> 6. Provide better relay operator support, and direct me to those support >> channels in the log messages, when my relay fails to launch > > Show Quoted Content >>> How can we fix that for you, or at least, how can we make it easier to >>> run the very latest stable series Tor on your relay? >> >> The answers are probably something like: >> 6. Provide better relay operator support, and direct me to those support >> channels in the log messages, when my relay fails to launch > > > +1 100%. I think this will go light years towards getting rid of non-LTS > Tors and LTS tor's alike, regardless of reason. Then we can ask the > remainder. > >> 7. Support old features for longer> 8. Stop refactoring so much code > > Nah. I'm not interested in these, even if populism demands them. Some > shit needs to go away because it is not safe to keep around, and some > stuff needs to be better organized to make it easier to improve. I agree. But you asked for answers, so I gave them. T___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
teor: >> On 5 Sep 2019, at 12:11, Mike Perry wrote: >> >> Unfortunately, we still have something like 2500 relays on either Tor >> 0.2.9-LTS or Tor 0.3.5-LTS. >> >> What are the reasons for this? My guess is the top 5 most common >> responses are: >> >> 1. "I didn't know that Debian's backports repo has latest-stable Tor!" >> 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" >> 3. "I'm running a distribution that Tor Project doesn't have repos for." >> 4. "I rolled my own custom Tor from git and forgot about it." >> 5. "My relay machine was not getting any updates at all. Oops." >> >> Does anyone have a reason that they think many other relay operators >> also share? > > 6. When I tried to update, it didn't work with my old config> 7. I need > features that only exist in older Tors > - I can think of Tor2web, there may be others Are these common? I feel like this is long-tail. I'm looking for most common reasons first. After we address the most common reasons, we can pick our favorite long-tail use cases and decide if those are worth forward-porting or back-porting individual features for. But not before the common cases are dealt with. That way lies madness, and no progress, ever. > 8. I am maintaining research or other patches against tor, and rebases >are difficult Again, common? I'm going to guess not common (or self-supporting), but this does feel like something we could measure by checking for git versions that don't make sense to us in the full descriptor archives. >> How can we fix that for you, or at least, how can we make it easier to >> run the very latest stable series Tor on your relay? > > The answers are probably something like: > 6. Provide better relay operator support, and direct me to those support >channels in the log messages, when my relay fails to launch +1 100%. I think this will go light years towards getting rid of non-LTS Tors and LTS tor's alike, regardless of reason. Then we can ask the remainder. > 7. Support old features for longer> 8. Stop refactoring so much code Nah. I'm not interested in these, even if populism demands them. Some shit needs to go away because it is not safe to keep around, and some stuff needs to be better organized to make it easier to improve. -- Mike Perry signature.asc Description: OpenPGP digital signature ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Re: [tor-relays] Operator straw poll: Reasons why you use Tor LTS versions?
Hi Mike, Here's some other reasons that might affect a few operators: > On 5 Sep 2019, at 12:11, Mike Perry wrote: > > Unfortunately, we still have something like 2500 relays on either Tor > 0.2.9-LTS or Tor 0.3.5-LTS. > > What are the reasons for this? My guess is the top 5 most common > responses are: > > 1. "I didn't know that Debian's backports repo has latest-stable Tor!" > 2. "I didn't see the Tor Project repos mentioned in Tor's Relay docs!" > 3. "I'm running a distribution that Tor Project doesn't have repos for." > 4. "I rolled my own custom Tor from git and forgot about it." > 5. "My relay machine was not getting any updates at all. Oops." > > Does anyone have a reason that they think many other relay operators > also share? 6. When I tried to update, it didn't work with my old config 7. I need features that only exist in older Tors - I can think of Tor2web, there may be others 8. I am maintaining research or other patches against tor, and rebases are difficult > How can we fix that for you, or at least, how can we make it easier to > run the very latest stable series Tor on your relay? The answers are probably something like: 6. Provide better relay operator support, and direct me to those support channels in the log messages, when my relay fails to launch 7. Support old features for longer 8. Stop refactoring so much code T ___ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
