Tor version 0.4.7.16 in Whonix 17 is now considered obsolete. Any action required?

wuu · January 30, 2024, 3:30pm

wuu · January 31, 2024, 6:05pm

Start unchanged Whonix-Gateway-17, open Nyx. Read “Tor 0.4.7.16 (obsolete)”.

I understand that this is likely to be caused by Debian, but I am not sure if it’s safe to use.

Patrick · February 1, 2024, 10:52am

This is out-of-scope as per Support Request Policy.

wuu · February 2, 2024, 3:21pm

Tor Project recommends using their repository for Debian/Ubuntu users. (Asked in IRC)

Debian package maintainer did not respond. (Asked via email)

Installing from backports is a thing.

The tor package being obsolete seems to affect mainly relays, as it’s barely mentioned on the web in other contexts. Hopefully it’s not unsecure for use as a client.

To reiterate: It is up to date in Debian, but directory authorities report the version as obsolete (should no longer be used). All packages must stay up-to-date for security purposes - is my cause for concern.

Patrick · February 2, 2024, 4:22pm

(Whonix is based on Debian.)

efg3rhjc5c · February 3, 2024, 1:40pm

I am not sure if it is correct, but it worked for me
After checking available versions by typing in terminal:

apt list-tor -a
Listing… Done
tor/stable-backports,now 0.4.8.10-1~bpo12+1 amd64
tor/stable,stable-security 0.4.7.16-1 amd64 [installed]

then I installed the other one by typing:
sudo apt install tor=0.4.8.10-1~bpo12+1 tor-geoipdb=0.4.8.10-1~bpo12+1

reboot and we are done.

If thats wrong please correct me, but its not obsolete anymore

Patrick · February 3, 2024, 2:17pm

Installation from backports for users could be as simple as:

sudo apt -t bookworm-backports install tor

No need for the extra complication of specification of the most recent available version number on the command line,

which has been documented just now here:
Install Tor from Backports

It’s part of Installing Newer Tor Versions wiki page, and marked “Testers only”.

It’s not done at the distribution level because of this:

Patrick · February 11, 2024, 12:16pm

Due to bugs - not caused by Whonix (upstream bug reports are linked here) - the choice for Whonix development boils down to the following two options.

A) staying on Debian stable version and keeping Vanguards - Tor Anonymity Improvement, or
B) disabling Vanguards and using a newer Tor version.

So far I’ve decided for A) as disabling Vanguards would be a major downgrade.

That is currently broken which is why things are as is. See:

Probably not realistic. Not sure. Look into salaries for Linux distribution developers. Maybe OpenSUSE can be used as an example. Dunno how good this data is:
https://www.glassdoor.co.uk/Salary/SUSE-Software-Engineer-Salaries-E466462_D_KO5,22.htm
(Other considerations on top of it, small vs large company, job security, etc.)

This isn’t just a one-off task. It needs constant monitoring, testing newer versions, analyzing bugs and perhaps derivative-specific bug fixes should need arise. Continuous brain cycles being spent.

At some point during Debian release cycle of a stable version.

Patrick · February 12, 2024, 8:15am

Answered here just now:

Patrick · February 16, 2024, 5:32am

4 posts were split to a new topic: general feedback

Patrick · February 16, 2024, 5:54am

Another issue is some onions being unreachable due to POW (proof of work). Reference: Whonix : tor connection issue (PoW) / vpn

So it seems vanguards needs to be dropped in favor of the newer Tor version.

Patrick · February 17, 2024, 1:45pm