23/04/14 16:51, Nick Mathewson wrote:
On Wed, Apr 23, 2014 at 10:28 AM, anonym anonym@riseup.net wrote:
21/04/14 12:27, Nusenu wrote:
Hi,
the code to blacklist heartbleed affected tor directory authority keys has been merged about a week ago [1].
Do you have an ETA on when you are going to release it (tor and TBB packages)?
As the release manager for the Tails 1.0 release I'm also interested in an ETA for this. Ideally the Tails image intended for the 1.0 release will be built on 2014-04-27 (so this is when we'll truly freeze the version of Tor), and released two days later. We Tails developers would find it sad if its core piece of software becomes out-dated immediately or even just shortly after that.
Nick (or any one else in the loop), do you have any idea of timings for the next stable Tor release?
My goal is to get out a new alpha with the blacklist this week, and an 0.2.4 release by the end of the month.
This is a goal; I don't know if I'm going to be able to make it, and I can't make mpromises there.
Thanks for letting us know!
If you like, it could be entirely reasonable to backport the code in question; the relevant commits are:
50ad3939242885b1a1a11688abd0c9756631747f 46cf63bb42f2818201bc0c39036f2c17e210fcdb 2ce0750d21d04c39a5a948b3d96203d8f68ae7ad ef3d7f2f97caf961effd7935dd3231e6bba62ca5
Given the planned release date for Tails 1.0, this actually doesn't look too bad a compromise. I had a quick look at the other tickets tagged `024-backport` and nothing seemed very important. However, before deciding on this, I'd really appreciate a confirmation from any of you Tor devs that, as it looks now, the next 0.2.4 release will have no other important security fixes affecting *Linux* *clients*. So, will it?
Cheers!