Tor version 0.4.7.16 in Whonix 17 is now considered obsolete. Any action required?
Start unchanged Whonix-Gateway-17, open Nyx. Read “Tor 0.4.7.16 (obsolete)”.
I understand that this is likely to be caused by Debian, but I am not sure if it’s safe to use.
This is out-of-scope as per Support Request Policy.
Tor Project recommends using their repository for Debian/Ubuntu users. (Asked in IRC)
Debian package maintainer did not respond. (Asked via email)
Installing from backports is a thing.
The tor package being obsolete seems to affect mainly relays, as it’s barely mentioned on the web in other contexts. Hopefully it’s not insecure for use as a client.
To reiterate: It is up to date in Debian, but directory authorities report the version as obsolete (should no longer be used). All packages must stay up-to-date for security purposes - is my cause for concern.
(Whonix is based on Debian.)
I am not sure if it is correct, but it worked for me.
After checking available versions by typing in terminal:
apt list -a tor
Listing… Done
tor/stable-backports,now 0.4.8.10-1~bpo12+1 amd64
tor/stable,stable-security 0.4.7.16-1 amd64 [installed]
then I installed the other one by typing:
sudo apt install tor=0.4.8.10-1~bpo12+1 tor-geoipdb=0.4.8.10-1~bpo12+1
Reboot and we are done.
If that’s wrong please correct me, but it’s not obsolete anymore.
Installation from backports for users could be as simple as:
sudo apt -t bookworm-backports install tor
No need for the extra complication of specification of the most recent available version number on the command line,
which has been documented just now here:
Install Tor from Backports
It’s part of Installing Newer Tor Versions wiki page, and marked “Testers only”.
It’s not done at the distribution level because of this:
Due to bugs - not caused by Whonix (upstream bug reports are linked here) - the choice for Whonix development boils down to the following two options.
- A) staying on Debian stable version and keeping Vanguards - Tor Anonymity Improvement, or
- B) disabling Vanguards and using a newer Tor version.
So far I’ve decided for A) as disabling Vanguards would be a major downgrade.
That is currently broken which is why things are as is. See:
- Tor integration in Whonix - #47 by Patrick
- Connections drop on Tor 0.4.8.9
- Tor integration in Whonix Development Notes
Probably not realistic. Not sure. Look into salaries for Linux distribution developers. Maybe OpenSUSE can be used as an example. Dunno how good this data is:
https://www.glassdoor.co.uk/Salary/SUSE-Software-Engineer-Salaries-E466462_D_KO5,22.htm
(Other considerations on top of it, small vs large company, job security, etc.)
This isn’t just a one-off task. It needs constant monitoring, testing newer versions, analyzing bugs and perhaps derivative-specific bug fixes should the need arise. Continuous brain cycles being spent.
At some point during Debian release cycle of a stable version.
Answered here just now:
Another issue is some onions being unreachable due to POW (proof of work). Reference: Whonix : tor connection issue (PoW) / vpn
So it seems vanguards needs to be dropped in favor of the newer Tor version.
Whonix 17, Tor 0.4.8.15 (obsolete)
Hello Patrick,
This time it seems to be a delay by the tor package’s maintainer in providing updates in time, as there are two as yet undisclosed “medium” level security issues which appear to be fixed in 0.4.8.20 (/tpo/core/team/-/wikis/NetworkTeam/TROVE):
TROVE-2025-014
TROVE-2025-015
Maybe it should be repackaged from Tor Project’s repository into Kicksecure’s repo earlier?
I see this approach as a must; as vanguards is no longer a concern, packaging Tor from source code into the Whonix/KS repo or using TPO will resolve it.
If you ask about vanguards, I can tell you these do work in Whonix when the conflux feature is disabled (I do not have a GitHub account at the moment to post about it there). While the built-in vanguards-lite provides decent protection for client connections of most Tor users, “vanguards-full” is still useful protection from more sophisticated, long-term Guard Discovery attacks against Onion Services. For mikeperry-tor/vanguards to work, a user can simply add “ConfluxEnabled 0” to torrc. Vanguards errors began when conflux was introduced; both Mike Perry and Tor Project still ignore this issue. It might be worth noting on the Whonix wiki for advanced users.
It’s not entirely accurate to assume that the Tor Project is ignoring the issue. It’s just that the C implementation of Tor is gradually giving way to Arti (a Tor client written in Rust). Announcing Vanguards Support in Arti | The Tor Project
Arti is still experimental and has no ETA on a stable, production-ready version. I don’t see the development of a new implementation as a logical justification for leaving most publicly accessible Onion Services using ctor with default conflux settings at risk.