On 04/24/2011 01:14 AM, Runa A. Sandvik wrote:
On Sun, Apr 24, 2011 at 3:55 AM, Jacob Appelbaum jacob@appelbaum.net wrote:
On 04/23/2011 04:32 PM, Erinn Clark wrote:
- Jacob Appelbaum jacob@appelbaum.net [2011:04:21 11:54 -0700]:
It's a question for what we as a project can handle supporting - when a new Tor is released, we'll need to build it unless we rely on upstream builds. Runa and I suggest that we (Tor) may want our own OpenWRT repository - that by default seems to fall directly on our main build person, I think.
Jake and I discussed this on IRC and the basic summary is that for now we'll wait and see -- probably longer term we can support maintaining a repository, if that turns out to be the right route, but my role is going to be mainly infrastructure related so I can help make sure people are able to do what they need without blocking on me.
One other important point made in that discussion is that no one seems to have time for supporting an entirely new platform for every Tor release. So while The Tor Project may support it - we have no one willing to bell the cat today.
What this means practically is that as we've seen with Android, we're going to seriously lag releases as it won't be the responsibility of any single person or group of people. This won't work if we ship our own OS (such as a custom OpenWRT image) and it will simply be difficult if we're just shipping Tor (with or without supporting libraries).
We already know that we can't rely on upstream builds. If we want to our users to have the latest version of Tor, we need to set up an okpg repository ourselves.
I'm of a mixed feeling here - we can easily rely on upstream packaging work but we need to have a commitment inside of Tor to actually support a repository, if we need to run our own. It's probably the case that for rapid development, we'll need to do so. Stuff like x-wrt are a hybrid example where we may be able to have regular builds of Tor. I haven't really understood the process by which a package is actually ever compiled by OpenWRT or x-wrt and then shipped to users; the exception is when OpenWRT cuts a release...
Jake; it was my impression that you wanted to do this. Is that not the case anymore?
I want a lot of things. After talking with Erinn, I'm a little more enlightened on build issues. No one will take our work and cut a new Tor release as part of their work flow unless we somehow allocate resources or indicate that this is a priority.
With that said - I'm happy to handle packaging of Tor on OpenWRT as I've been working on already. However, that is not enough - we have to actually have a task that is going to be done regularly - no matter what OS or hardware choice we make. Android is a good example, we have repeatedly dropped the ball for a number of (good and bad) reasons. We should not repeat those mistakes - one of the biggest was simply that we did lacked a clear support plan - when a security release for Tor is tagged, Orbot needs to have at least a new Tor binary in a reasonable amount of time. We have utterly failed at this in a few cases - we should avoid re-creating this problem with Torouter.
We're adding a new "product" to The Tor Project - one of the things we need to do is actually plan for the software maintenance phase of that product. As it stands, I don't believe we have a build machine (see bug #2969) that either you (Runa) or I have access to. That makes it hard to build an OpenWRT image or even have a system where we can co-work on packages together but also where we trust the compiler for cutting a release. Speaking of which, we also lack a plan for actually cutting releases - for a real beta test, I believe we'll really need to solve this issue. It's not reasonable to ship the Torouter project without having a good way forward and that includes a solid commitment from someone or someones that will ensure Tor builds kick off for each major or security important release.
All the best, JAke