Index | Thread | Search

From:
Douglas Silva <doug.hs@proton.me>
Subject:
Re: Tor version in -stable is "not recommended"
To:
"ports@openbsd.org" <ports@openbsd.org>
Cc:
"pascal@stumpf.co" <pascal@stumpf.co>
Date:
Fri, 27 Mar 2026 00:43:32 +0000

Download raw body.

Thread

  • Douglas Silva:

    Tor version in -stable is "not recommended"

Version 0.4.8.23 was released with an important security fix. I'd appreciate if it could be upgraded on -stable.

>   Major bugfix (security, conflux):
>   - Fix a memory compare using the wrong length. This could lead to a remote crash when using the conflux subsystem. TROVE-2026-004.
>     Fixes bug 41232; bugfix on 0.4.8.1-alpha.

https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes




On Sunday, December 21st, 2025 at 11:57, Douglas Silva <doug.hs@proton.me> wrote:

> Here are my testing results on OpenBSD 7.8-current (Tor v0.4.8.21), running on an amd64 laptop.
> 
> There were a few warnings during build and configure, but no errors. I've built all the make targets described in the Port Testing guide [1], in the order they're listed.
> 
> I've setup a Tor bridge using Lyrebird (from uncommitted port net/lyrebird) as the obfuscator, and it was able to complete its startup without issues. When attempting to use a privileged port (such as 80) for the obfuscator, it fails with a bind error, permission denied — not yet sure why — but then I haven't tried the same on -stable. Using a non-privileged port works, though.
> 
> Based on the log messages and the reachability test provided by the Tor Project, it appeared to be reachable; but I didn't attempt to actually use the bridge on a Tor Browser.
> 
> You'll see in the logs that the IPv6 address was not confirmed reachable, but that is because I didn't open the IPv6 ORPort for this simple test; only the IPv4.
> 
> I'm attaching the collected log files for all the relevant make targets, plus the service startup log (tor-start.log).
> 
> 
> [1] https://www.openbsd.org/faq/ports/testing.html#Testing
> 
> 
> On Friday, December 19th, 2025 at 15:33, Douglas Silva <doug.hs@proton.me> wrote:
> 
> >
> >
> >
> >
> > My Tor bridge running on -stable is flagged as "not recommended" by the directory authorities. This happens when the version you're running is obsolete, experimental or has known issues.
> >
> > I see that the port in -current is the latest version (0.4.8.21), but -stable is still on version 0.4.8.18. Can we upgrade it?
> >
> > If it's lack of testing, I can test it on -current. I would've done that already, but the ports testing guide only mentions that testing is useful to get a port committed to CVS faster — it doesn't say it helps getting a port from -current to -stable.