[tor-bugs] #20431 [Core Tor/DirAuth]: do not recommend vulnerable tor versions - update "recommended versions"

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Oct 24 08:06:48 UTC 2016


#20431: do not recommend vulnerable tor versions - update "recommended versions"
------------------------------+---------------------
 Reporter:  cypherpunks       |          Owner:
     Type:  defect            |         Status:  new
 Priority:  Medium            |      Milestone:
Component:  Core Tor/DirAuth  |        Version:
 Severity:  Normal            |     Resolution:
 Keywords:                    |  Actual Points:
Parent ID:                    |         Points:
 Reviewer:                    |        Sponsor:
------------------------------+---------------------

Comment (by Sebastian):

 Replying to [comment:7 teor]:
 > Let's take a step back here:
 >
 > The last time we removed recommended versions, it was because they
 > simply would not work: they did not believe enough current directory
 > authorities. This seems to me to be a sensible criterion: "will it
 > function?"
 >
 > What are our general guidelines for setting recommended versions?
 > I suggest that "is it a severe enough bug?" could be another.

 I think the latter is more along the lines of what we actually have been
 doing in the past.

 > Does #20384 rise to the level that we should stop recommending every
 > version that doesn't have it? It could be, because it affects many clients
 > in some way. But have we done this in the past for bugs of similar
 > severity? I'm not sure.

 It definitely has an anonymity impact due to crashing a significant
 portion of the network. I'm actually less concerned about clients, because
 most of those will use Tor Browser which is on a more recent version
 anyway.

 > And, finally, if we do decide we want to eliminate all non-patched
 > versions, should we then increment the minor release version, so we can
 > recommend versions that definitely have this fix? (It may be too late to
 > do this now.)

 I think we should definitely do that from now on, even if it may be too
 late to do it this time.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20431#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

