Hi torservers,
since you haven't updated most of your relays to address [1] released on 2014-07-28 yet, I was wondering if everything is ok? collective vacation?
Since you are operating a significant chunk of the tor network's bw - timely patching is appreciated.
The tor network is currently at 64% of the bandwidth being served by relays running a recommended version according to torstatus.blutmagie.de. I updated a previous metrics feature request so we might see nice graphs about patching progress in the future [2].
[1] https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html
[2] https://trac.torproject.org/projects/tor/ticket/6856#comment:2
Hi Nusenu,
On 08/17/2014 01:08 AM, Nusenu wrote:
> since you haven't updated most of your relays to address [1] released on 2014-07-28 yet, I was wondering if everything is ok? collective vacation?
Indeed. This is terrible and we will add some more trusted people's ssh keys to the relays, but then again we really want to limit the number of keys that can access our relays for security reasons...
I am returning from vacation tomorrow and will update all relays. Sorry for the delay.
> On 08/17/2014 01:08 AM, Nusenu wrote:
>> since you haven't updated most of your relays to address [1] released on 2014-07-28 yet, I was wondering if everything is ok? collective vacation?
>
> Indeed. This is terrible and we will add some more trusted people's ssh keys to the relays, but then again we really want to limit the number of keys that can access our relays for security reasons...
Please consider unattended automated updates. Maybe start with a few relays first.
Even in your environment (I guess you do custom builds) I consider this to be the option that results in the fastest response times and safest network.
Worst case would be that the upgrade fails and all your relays go down. Depending on the actual vulnerability that is being fixed, an offline relay can be preferred over a vulnerable relay.
Most of the time it will probably work just fine and save you some time doing boring updates.
> I am returning from vacation tomorrow and will update all relays. Sorry for the delay.
Thanks.
On 08/17/2014 03:12 PM, Nusenu wrote:
> Please consider unattended automated updates. Maybe start with a few relays first.
I wanted to switch to unattended upgrades a long time ago, but the story of our relay "management" is more complicated than that... I really want some proper control, the ability to centrally update the MyFamily statement, etc etc. There have been some threads about it on the mailing list over time, but as we're all volunteers we can't magically fix everything immediately...
> I wanted to switch to unattended upgrades a long time ago, but the story of our relay "management" is more complicated than that...
What were the specific problems with unattended upgrades?
> There have been some threads about it on the mailing list
I was not aware of any threads regarding unattended torservers upgrades. Would you point us to them?
> over time, but as we're all volunteers we can't magically fix everything immediately...
Well I hope I didn't make the impression that you should "fix everything immediately".
There are some nice plugins for puppet, chef, ansible, etc.
Should save you a lot of time on software deployment!
Gr, Nils
On August 17, 2014 3:35:14 PM CEST, Moritz Bartl moritz@torservers.net wrote:
> On 08/17/2014 03:12 PM, Nusenu wrote:
>> Please consider unattended automated updates. Maybe start with a few relays first.
>
> I wanted to switch to unattended upgrades a long time ago, but the story of our relay "management" is more complicated than that... I really want some proper control, the ability to centrally update the MyFamily statement, etc etc. There have been some threads about it on the mailing list over time, but as we're all volunteers we can't magically fix everything immediately...
>
> -- Moritz Bartl https://www.torservers.net/
>
> tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Moritz Bartl (2014-08-17):
> I am returning from vacation tomorrow and will update all relays. Sorry for the delay.
Are these torservers' relays and is blutmagie showing their current version? (not updated yet):
On 09/01/2014 08:17 PM, Nusenu wrote:
> Are these torservers' relays and is blutmagie showing their current version? (not updated yet):
Thanks for being the necessary watchdog. Generally, better use atlas or globe. You can also query onionoo directly if you have specific questions. Blutmagie still runs the quite outdated old Torstatus that has not been maintained for years and sometimes shows strange things. In this case, it is right though: Two boxes weren't updated correctly. The rest of the relays aren't from us, even though they show our contact info (probably people who used our template torrc and didn't adjust the contact lines).
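The point made in the reply above, that a contact line copied from a template torrc does not establish who runs a relay, can be checked against Onionoo data by requiring a mutual family relationship as well. This is an added example, not part of the thread: it assumes the Onionoo details fields `contact`, `platform`, `recommended_version` and `effective_family`, and runs on a constructed sample in which the contact address, nicknames and fingerprints are made up.

```python
# Constructed sample shaped like an Onionoo "details" response; not real relay data.
FP = {c: c * 40 for c in "ABCDE"}   # made-up 40-character fingerprints
OPS = "ops@operator.example"        # hypothetical operator contact line
CUR = "Tor <recommended> on Linux"  # placeholder for a recommended release

def relay(nick, fp, contact, platform, recommended, family=""):
    return {"nickname": nick, "fingerprint": FP[fp], "contact": contact,
            "platform": platform, "recommended_version": recommended,
            "effective_family": ["$" + FP[f] for f in family]}

SAMPLE = {"relays": [
    relay("relayA", "A", OPS, CUR, True, family="BC"),
    relay("relayB", "B", OPS, "Tor 0.2.5.3-alpha on Linux", False, family="AC"),
    relay("relayC", "C", OPS, CUR, True, family="AB"),
    # Same contact line, but no mutual MyFamily declaration with the operator.
    relay("copycat", "D", OPS, "Tor 0.2.5.3-alpha on Linux", False),
    relay("unrelated", "E", "someone@else.example", CUR, True),
]}

def norm(fp):
    """Fingerprints may carry a leading '$'; compare them without it."""
    return fp.lstrip("$").upper()

def audit(doc, contact_substr, anchor_fp):
    """Classify relays advertising a contact string.

    anchor_fp is a relay the operator is known to run. Relays in its
    effective (mutual) family are treated as the operator's; relays that
    only share the self-asserted contact line are reported separately.
    """
    relays = {norm(r["fingerprint"]): r for r in doc["relays"]}
    anchor = relays[norm(anchor_fp)]
    family = {norm(anchor_fp)} | {norm(f) for f in anchor.get("effective_family", [])}
    report = {"outdated": [], "current": [], "contact_only": []}
    for fp, r in relays.items():
        if contact_substr.lower() not in r.get("contact", "").lower():
            continue
        if fp not in family:
            report["contact_only"].append(r["nickname"])
        elif r.get("recommended_version") is False:
            report["outdated"].append((r["nickname"], r["platform"]))
        else:
            report["current"].append(r["nickname"])
    return report

if __name__ == "__main__":
    print(audit(SAMPLE, OPS, FP["A"]))
```
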
>> Are these torservers' relays and is blutmagie showing their current version? (not updated yet):
>
> Two boxes weren't updated correctly. The rest of the relays aren't from us, even though they show our contact info
Hi Moritz, your answer was not very specific.
Is anonymizer1.torservers.net (81.20.139.145) - still running a vulnerable version (0.2.5.3-alpha) - not one of your relays?
https://atlas.torproject.org/#details/9B41B9B3D4661566C660096B715BC647FBD72A...
On 09/18/2014 10:08 PM, Nusenu wrote:
> Is anonymizer1.torservers.net (81.20.139.145) - still running a vulnerable version (0.2.5.3-alpha) - not one of your relays?
> https://atlas.torproject.org/#details/9B41B9B3D4661566C660096B715BC647FBD72A...
It has since been upgraded.