I've chatted with some tor users in #tor on irc.oftc.net, and got something
we might have omitted before.
The leader of the Tor project has built a trust chain, and it is recommended to
all users of Tor that they only use packages signed with specified keys; there
is a trusted key list on the official site. Here is the entry I found:
http://www.torproject.org/verifying-signatures.html.en
They raised the question that if the package in a distro cannot be signed with
the keys listed above, it will not be trusted, even though everyone knows we
can easily verify the changes made by the maintainer of that package in
distros like Ubuntu. They prefer to be confident in the first place when they
get the package.
Debian might not be facing this problem because the maintainer of tor in Debian
is on the trust list on upstream's site, so users may be able to be confident
by verifying the .dsc file signed by that person. It's not difficult to find
out that packages in Tor's official repository for Ubuntu/Debian are mostly
maintained by that person (here are the instructions they provided:
http://www.torproject.org/docs/debian.html.en).
I've checked several other distros; they just leave the so-called trust chain
there and keep providing and updating the packages.

Another problem is about the support of the package, as was discussed in
bug #328442, but you can see there is still tor provided in
RHEL/CentOS; they ship mostly old versions of software as far as I know.

So I recommend three alternative solutions:
1. Simply sync it from Debian;
2. Have somebody keep it up-to-date in the repository of the latest release;
3. Add a virtual package just like flash-installer, which makes users install
the packages provided by the upstream repository.

There is no doubt the first one is the simplest, but it may cause
another upstream removal request; the second one can solve the problem of
being unmaintained raised by upstream, but an exception to the repository
policy about updating software versions may be needed because
upstream may bump the version number from time to time if they would like
to, and I can be the volunteer to maintain the package; the last
solution is just an expedient solution, I think; tor isn't really a
package that needs this solution like flash-player.

Discussions welcomed!

-- 
[needs-packaging] Please sync tor 0.2.1.19-1 (universe) from Debian unstable 
(main)
https://bugs.launchpad.net/bugs/413657
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
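The "only trust packages signed by the listed keys" check the post describes, as an added example that is not part of the bug report, of Ubuntu, or of the Tor project's own tooling. It assumes you ran `gpg --status-fd 1 --verify <file>.asc <file>` (or `gpg --status-fd 1 --verify <package>.dsc`) and captured the machine-readable status lines; the fingerprints, key IDs, names and status transcripts below are constructed placeholders, not real Tor or Debian keys. The point it makes is the one the #tor users made: a signature that merely verifies against some key in your keyring (say, a distro rebuild signed by the distro's own key) is not the same as a signature from a key on the upstream list, so the decision has to be taken on the signing key's fingerprint, not on gpg's exit status alone.

```python
"""Decide whether a gpg-verified file was signed by a pinned upstream key.

Added example, not code from the bug report or the Tor project. Input is the
text gpg writes with --status-fd; the trusted fingerprints are placeholders.
"""
import re

# Hypothetical fingerprints standing in for the upstream key list. In real use,
# copy the fingerprints from the project's verification page into this set.
TRUSTED_FINGERPRINTS = {
    "1111222233334444555566667777888899990000",  # hypothetical: upstream release key
    "AAAABBBBCCCCDDDDEEEEFFFF0000111122223333",  # hypothetical: Debian maintainer key
}

STATUS_PREFIX = "[GNUPG:] "
# Any of these status words means the data cannot be trusted, whatever else gpg says.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize(fpr):
    """Strip spaces/colons so '1111 2222 ...' and '11112222...' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fpr.upper())


def check_signature(status_output, trusted=TRUSTED_FINGERPRINTS):
    """Return (accepted, reason) for one gpg --status-fd run.

    Accept only if no fatal status line appeared and at least one VALIDSIG
    line names a key, either the signing (sub)key or its primary key, that is
    in `trusted`. A good signature from any other key is rejected.
    """
    trusted = {normalize(f) for f in trusted}
    pinned_hits, unpinned_valid = [], []
    for line in status_output.splitlines():
        if not line.startswith(STATUS_PREFIX):
            continue  # gpg's human-readable chatter, not a status line
        fields = line[len(STATUS_PREFIX):].split()
        if not fields:
            continue
        keyword, args = fields[0], fields[1:]
        if keyword in FATAL_STATUS:
            return False, f"{keyword}: {' '.join(args)}"
        if keyword == "VALIDSIG" and args:
            signing_fpr = normalize(args[0])
            # Field 10 of VALIDSIG is the primary key fingerprint when gpg prints
            # it; a signature made with a subkey is attributed to that primary.
            primary_fpr = normalize(args[9]) if len(args) > 9 else signing_fpr
            if signing_fpr in trusted or primary_fpr in trusted:
                pinned_hits.append(primary_fpr)
            else:
                unpinned_valid.append(primary_fpr)
    if pinned_hits:
        return True, f"valid signature from pinned key {pinned_hits[0]}"
    if unpinned_valid:
        return False, f"valid signature but key {unpinned_valid[0]} is not on the trusted list"
    return False, "no signature found"


# Constructed status transcripts (placeholders, not captured from real gpg runs).
# Release tarball signed by the pinned upstream key.
GOOD_PINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7777888899990000 Upstream Release Key <release@example.org>
[GNUPG:] VALIDSIG 1111222233334444555566667777888899990000 2009-08-14 1250208000 0 4 0 1 2 00 1111222233334444555566667777888899990000
[GNUPG:] TRUST_UNDEFINED
"""
# Distro rebuild: a perfectly good signature, but from a key not on the upstream list.
GOOD_UNPINNED = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321001234567 Some Distro Builder <builder@example.net>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321001234567 2009-08-14 1250208000 0 4 0 1 2 00 FEDCBA9876543210FEDCBA987654321001234567
[GNUPG:] TRUST_UNDEFINED
"""
# .dsc signed with a signing subkey whose primary is the pinned maintainer key.
DSC_SUBKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1111222233334444 Debian Tor Maintainer <maint@example.org>
[GNUPG:] VALIDSIG 5555666677778888999900001111222233334444 2009-08-14 1250208000 0 4 0 1 2 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333
[GNUPG:] TRUST_FULLY
"""
# Tampered file: the signature does not verify.
TAMPERED = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 7777888899990000 Upstream Release Key <release@example.org>
"""
# Signature from a key that was never imported.
MISSING_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 7654321001234567 1 2 00 1250208000 9
[GNUPG:] NO_PUBKEY 7654321001234567
"""

if __name__ == "__main__":
    for name, out in [("release tarball", GOOD_PINNED), ("distro rebuild", GOOD_UNPINNED),
                      (".dsc via subkey", DSC_SUBKEY), ("tampered", TAMPERED),
                      ("unknown key", MISSING_KEY)]:
        ok, why = check_signature(out)
        print(f"{name:16} {'ACCEPT' if ok else 'REJECT'}: {why}")
```

The same function serves both cases in the post: a release tarball with its detached `.asc`, and a Debian `.dsc` whose inline signature comes from the maintainer on the upstream list. Keep the pinned set small and copy it from the upstream page by hand; importing a whole keyring and trusting "GOODSIG" is exactly what lets a differently-signed distro rebuild pass.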
