I have seen multiple persons saying that the obfs4proxy package in the debian official repository isn’t the latest version available. Should I delete the package that I installed from the debian repository ? Do you have a step-by-step tutorial how to build it from source ?
Actual version of the package Im using :
obfs4proxy/stable,now 0.0.8-1+b6 amd64 [installed]
pluggable transport proxy for Tor, implementing obfs4
I don’t know what are the risks about using an old version of this package from the official repository of debian on my bridges. If I need to build it from source, I will do it. Like I did with the tor package.
You can also tell me if I need to build other packages from source instead of using apt to install them. It would be nice to improve the security of my bridges.
Thanks for the details how to get the newest package
I am surprised that this package is still considered to be in the test phase after several months and several versions released. And more for knowledge, what is more secure and recommended between choosing the official OS package or the last package released by the developer directly ?
It could refer to the package of tor which must be built from source, but for other packages the best is those of the OS. Each one has a different situation and I never know which method to use that is best.
If the developer releases a package as stable, then one may trust him so far that it can be used also without large risk.
You can be divided on that.
I have been an enthusiast of the “debian way” for decades. But this package is different from the rest of the Tor project.
I install tor via the official debian repository from the tor project. This is also part of the “debian-way”. But I only do this because it is officially recommended. If this recommendation was not, I would use the packages from the debian repository that are packaged and provided by debian itself.
If I now have the choice to compile a current package myself or to use it from the debian repo of debian, then I choose the repo.
It saves a lot of work to keep it up to date and I get support from both torproject and debian project.
So concretely: obfs4proxy I will get from debian repository until torproject provides a package in their own repository.
Everything seems clear to me with your explanations. I just noticed that I bother too much to build from source the tor package when I can simply install it with apt from the beginning … well, a beginner’s mistake happens.
Is there an open way to propose to add the obfs4proxy package in the official tor repo? Do you think it would be useful to have them officially support the package ? so that we can benefit from a possible better compatibility and more frequent updates. Maybe I’m talking too fast, I’m new in the project
if they decide to leave it like that, I’ll just rely on what Debian offers for this package, that’s good enough.
Since the obfs4 upstream is independent of the torproject, I don’t think it is necessary or even wanted.
This is where the development takes place: Yawning Angel / obfs4 · GitLab Cooperation with the various distributions also seems to be excellent, so there will be no need to change the current state.
The new version of obfs4proxy is in its way to get into debian backports, so in few days we expect to be possible to install it from there without needing to use testing. Actually it includes some security fixes, so it will be great if people updates by then. The related issue:
