#26848: Create Debian package for sbws
---------------------------+-------------------------------------
 Reporter:  juga           |          Owner:  juga
     Type:  defect         |         Status:  assigned
 Priority:  Medium         |      Milestone:  sbws 1.0 (MVP must)
Component:  Core Tor/sbws  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:  #25925         |         Points:
 Reviewer:                 |        Sponsor:
---------------------------+-------------------------------------

Comment (by irl):

Replying to [comment:6 dkg]:
> irl, i can't tell if you're "really not convinced it's a good idea" or if you're "really convinced it's not a good idea". :)

I'm not sure yet.

> having a debian package can help for identifying problems, for system integration, and for ease of updates.

Not all are Debian though. We should be identifying problems with good test suites.

> If there's a real concern about people measuring the network who shouldn't be, then i'm not sure that the presence of software in the debian repository or not is going to stop any even mildly interested actor. If you want to ensure that only "the right" people run sbws, you could have the dedicated debian system service do some sort of verification that it is on a host that is "acceptable", and then decline to run unless the administrator overrides it, but that seems like a lot of work to put in to an antifeature in free software.

I'm thinking of people installing it by accident. Relay operators that are looking for nyx may see "Tor Bandwidth Scanner" and think that is what they're looking for.

> as for the cadence of uploads to stable-backports -- packages with a passing [DEP-8 autopkgtest testsuite](https://dep-team.pages.debian.net/deps/dep8/) and no outstanding RC bugs can [migrate from unstable to testing in less time](https://lists.debian.org/debian-devel-announce/2018/05/msg00001.html), which allows for an upload to stretch-backports faster. It also means that we can rely on debian's testing infrastructure to verify basic package functionality on minimal systems. taking advantage of that continuous integration infrastructure seems like a good idea regardless of the package migration times.

Ah ok, that's a new thing I did not know about. (: I'll withdraw that objection.

Replying to [comment:7 juga]:
> > Creating the structure of a Debian package and building a policy-compliant
> > package is a great idea and would make deployment easier, as long as the
> > dirauths are running Debian which at least dannenberg and maatuska are
> > not.
>
> the majority are running Debian.

Do we plan to mandate that dirauths run Debian if they are to have bandwidth scanners?

> i share this concern seems months when i first thought to do this. But:
> 1. in theory anyone could have been running torflow (just a bit harder
> to install) for 6 years

I'm not thinking so much about people running it maliciously, but accidentally and then forgetting about it. This could become a cumulative problem over time.

> > You could just do this anyway, and have the dirauths fetch the code from
> > here? This would work for all platforms then.
>
> agree, the ticket is created. Still upstream releases would miss
> important system configuration/dependencies.

I don't understand this.

> New packages need to close an ITP. AFAICT that discussion is important
> to actually decide whether it makes sense to have the package in Debian.

This only requires that the ITP is filed. This is done.

> security updates for backports happen faster?

I'm not sure about that. See dkg's point above though.

> Note there's also:
>
> [ ] (optional) upload the package to deb.tpo
>
> Alternatively we could upload it only there, but arma mentioned that only packages that are also in Debian archive go there, cause otherwise would end up unmaintained.

We can even just create a simple APT repository in any web server. As an example I do this [[https://people.debian.org/~irl/|here]].

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26848#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs