[Whonix-devel] Should Whonix ship Tor 0.2.3 or 0.2.4?
adrelanos at riseup.net
Wed Sep 11 03:01:50 CEST 2013
-----BEGIN PGP SIGNED MESSAGE-----
I hope this is the right place to ask questions from a Tor centric
linux distribution packager perspective. Asking as a maintainer of Whonix.
Next version of Whonix will be based on Debian testing (jessie).
[Pretty much ready for release. This is one of the last questions to
be sorted out.]
Torproject's jessie  repository still contains Tor 0.2.3.25-1,
while experimental-wheezy  already contains Tor 0.2.4.17-rc-1.
Due to the botnet issue, 0.2.4 provides a much better user experience
than 0.2.3. Now I am wondering which apt repository should be enabled
by default in next Whonix version.
I could temporarily add experimental-jessie during the build process
and after installing Tor, reset it to jessie. That doesn't seem like a
good idea, because when experimental-jessie gets a security update,
chances are bad, that this security update also comes through the
jessie repository. As long as the Tor version in the jessi repository
wouldn't be higher than the installed on.
Tails will use 0.2.4 and I have no objections against 0.2.4 in its
current state either. But Whonix can't be compared with Tails in that
way. Tails is a Live DVD and has a planed and working release cycle,
while Whonix is conceptually an installed operating system and
releases are less frequent, Whonix can be updated using apt-get [and
time is rare, and no else willing to regularly create builds].
So when next Whonix version comes with the experimental-jessie
repository enabled by default, it would later be difficult to
downgrade that version to the jessie repository.
Another option I would like to avoid is uploading Tor to Whonix's own
apt repository. I am hesitant doing this, because Whonix doesn't have
any packages containing binary code yet [they are fetched from Debian]
and, because that could look fishy and because it add maintenance
burden, since I would have to keep up with torproject's releases.
None of these options looks good. Any recommendations?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
More information about the Whonix-devel