From: Douglas Silva Subject: Re: Tor version in -stable is "not recommended" To: "ports@openbsd.org" Cc: "pascal@stumpf.co" Date: Fri, 27 Mar 2026 00:43:32 +0000 Version 0.4.8.23 was released with an important security fix. I'd appreciate if it could be upgraded on -stable. > Major bugfix (security, conflux): > - Fix a memory compare using the wrong length. This could lead to a remote crash when using the conflux subsystem. TROVE-2026-004. > Fixes bug 41232; bugfix on 0.4.8.1-alpha. https://gitlab.torproject.org/tpo/core/tor/-/raw/release-0.4.8/ReleaseNotes On Sunday, December 21st, 2025 at 11:57, Douglas Silva wrote: > Here are my testing results on OpenBSD 7.8-current (Tor v0.4.8.21), running on an amd64 laptop. > > There were a few warnings during build and configure, but no errors. I've built all the make targets described in the Port Testing guide [1], in the order they're listed. > > I've setup a Tor bridge using Lyrebird (from uncommitted port net/lyrebird) as the obfuscator, and it was able to complete its startup without issues. When attempting to use a privileged port (such as 80) for the obfuscator, it fails with a bind error, permission denied — not yet sure why — but then I haven't tried the same on -stable. Using a non-privileged port works, though. > > Based on the log messages and the reachability test provided by the Tor Project, it appeared to be reachable; but I didn't attempt to actually use the bridge on a Tor Browser. > > You'll see in the logs that the IPv6 address was not confirmed reachable, but that is because I didn't open the IPv6 ORPort for this simple test; only the IPv4. > > I'm attaching the collected log files for all the relevant make targets, plus the service startup log (tor-start.log). > > > [1] https://www.openbsd.org/faq/ports/testing.html#Testing > > > On Friday, December 19th, 2025 at 15:33, Douglas Silva wrote: > > > > > > > > > > > My Tor bridge running on -stable is flagged as "not recommended" by the directory authorities. This happens when the version you're running is obsolete, experimental or has known issues. > > > > I see that the port in -current is the latest version (0.4.8.21), but -stable is still on version 0.4.8.18. Can we upgrade it? > > > > If it's lack of testing, I can test it on -current. I would've done that already, but the ports testing guide only mentions that testing is useful to get a port committed to CVS faster — it doesn't say it helps getting a port from -current to -stable.