[Tor-BSD] OpenBSD testers needed Fw: fix security issue in -stable for net/tor

teor teor2345 at gmail.com
Sun Dec 17 16:33:54 EST 2017


Hi Vinícius,

Thanks for the feedback, I've cc'd the Relay Search maintainer and the UX
person who is helping redesign our icons.

> On 18 Dec 2017, at 03:29, Vinícius Zavam <egypcio at googlemail.com> wrote:
> 
> 2017-12-14 20:39 GMT+00:00 Daniel Jakots <vigdis+tor at chown.me>:
> >
> > On Wed, 13 Dec 2017 23:39:00 +0000, George Rosamond
> > <george at ceetonetechnology.com> wrote:
> >
> > > teor:
> > > >
> > > > On 14 Dec 2017, at 08:22, Daniel Jakots <vigdis+tor at chown.me> wrote:
> > > >> So what does the "not recommended" mark? Just a hint that you
> > > >> should update?
> > > >
> > > > Yes, just a hint to update.
> 
> hi! global south (relays/bridges operator) speaking here.
> 
> > > > We also declare major version series unsupported.
> > > > (Like 0.2.7 earlier this year, or 0.2.8 and 0.3.0 in January.)
> > > > Then they stop receiving security patches.
> >
> > Thanks, I sent a heads-up to ports at openbsd about it.
> 
> would also say thank you for all the time and effort/concern on making the network a better place :3
> 
> > > AFAIK, it was just a "Tor out of date" type message out of syslog.
> > >
> > > I manually updated the port to 0.3.1.9 for two nodes on OpenBSD
> > > -stable, and was going to do a diff.
> 
> isn't a big red exclamation point and a legend of "not recommended" too scary for people/newcomers visiting Atlas (Relay Search)? I mean; there are some cases where one can look at this "warning" as something pretty evil. no? can easily lead to misinterpretation for non-English speakers too.
> 
> we can picture this situation quite fast: after a talk or a meetup about Tor some people from the audience would have a look at Atlas and might see this flag like "avoid this node" or "do not use such a relay".
> 
> for people that are kind of in touch with Tor like we are, it sounds silly but some people do not read or understand it quite well. it can be confusing. or... how can we say "oh! that *not recommended* flag doesn't matter, just use it" ? (creepy? how to build trust based on such arguments/comments?)


You're right. It is a bit scary.
I imagine some users would be disturbed if their guard has this flag.

And if we don't think people should use a particular tor version,
we stop advertising it on the network.

Maybe we could change the text to "Old Version".

We use colour to distinguish good flags (black) from bad flags (red).
Do you think we should use another colour?

We also have the BadExit and NoEdConsensus flags.
I wonder if they should be red as well?

I think Unmeasured and Hibernating are good as black, because they
are normal in some circumstances.

T