Upgrade Tor to TRUE latest version (in Ubuntu)

Very out of date by now. Just use these instructions.

The Tor packages in the Debian (and Ubuntu) respositories are not up-to-date. This is dangerous, since people do rely on them for strong anonymity, even though the package warns them not to do so (it's still the best out there.) To get the latest stable version, you'll have to add another repository to your sources.list file and set your system to trust it.

Problem
I discovered that I didn't have the latest stable version of Tor when I tried to install Vidalia from source (there are no Debian/Ubuntu packages for it at this time.) Irresponsibly, the Debian Tor packages are out of date (I don't know who is being irresponsible, but clearly someone is.)
Solution

To get the latest version of Tor, you'll need to 1) add the noreply.org repository, 2) trust the signer (weasel), and 3) update the tor package.

Add the noreply.org repository

  1. Open the sources list: sudo gedit /etc/apt/sources.list
  2. Add the following lines to your sources.list file:
    ## Just for Tor
    deb http://mirror.noreply.org/pub/tor dapper main
    deb-src http://mirror.noreply.org/pub/tor dapper main
  3. Save & exit

Trust weasel

This step allows the package manager to be sure that packages were not altered in transit by a malicious third party. I had a bit of a dilemma with this step. I was viewing the page from which I got weasel's key and fingerprint over an insecure connection, so I could have been subject to a man-in-the-middle attack. But the keyservers I retrieved from only had one Peter Palfrader (a.k.a. weasel), so I suspect I'm okay. Better to provisionally trust the key than to not authenticate the package at all.

  1. Retrieve weasel's keys, as specified by noreply.org: gpg --keyserver subkeys.pgp.net --recv 94C09C7F
  2. Verify that the key fingerprint matches the one at noreply: gpg --fingerprint 94C09C7F
  3. Set your trust level to ultimate, because the signed code will be running on your machine: gpg --edit-key 94C09C7F. Enter trust, 5, y, quit.
  4. Let the package manager know that you trust weasel's code: gpg --export 94C09C7F | sudo apt-key add - (Thanks Kees!)

Update the tor package

You're ready to update now. Two easy steps:

  1. Update your package list: sudo apt-get update
  2. Upgrade any packages you can: sudo apt-get upgrade
Resources

Responses: 10 so far

  1. rlruby says:

    Can you make an auto installer of these steps please. and email me a link or a copy of it. thanks.

  2. Tim McCormack says:

    Sorry, but I will not write an automated installer for this. You should not be installing anonymity/privacy/security software without knowing exactly where it is coming from. If you install Tor and use it improperly, you are less secure against attacks. Read more < href="http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ExitEavesdroppers">here.

  3. rlruby says:

    in the auto installer, you can add tor and privoxy. I just want to make sure everything is installed securely. and tor sometimes works for me but often it will shutdown. it is probably cause i dont have this version that you are teaching. but alright thanks,

    anyone who reads this that knows how, please make a installer for all of these things. Thanks :)

  4. Tim McCormack says:

    If you don't care about validating the package, go ahead and skip the second step (acquiring and trusting weasel's key). The package manager will simply warn you that the package could not be authenticated.

  5. reEz says:

    hey there..i'm having problem here with my university system which only allows us(students) to download less than 2MB..it is really crazy...i heard that tor can set a privacy which even can make me out of this problem..is anybody there that can help me..i really appreciate if somebody teach me how to set it because i can even download any linux software from repositories as most of software are bigger than 2MB..hope that can email me to do so,my email=[removed by admin for privacy]

    ~AlexanDer ReEz~

  6. Tim McCormack says:

    @ reEz: That's a heck of a problem. 2MB is a large picture, a small Flash object, or a small program update. I'm not even sure a virus scanner could update itself with that limit. I'm not sure that Tor would be able to help, since you would still be downloading the same size of file. If Tor breaks large files into smaller chunks, it just might work, though -- I hadn't considered that use for Tor before.

    There are other possibilities, though. Are you familiar with the Download Manager in Firefox? Try downloading a 4MB file with that, and use the Pause and Resume features at the 1MB, 2MB, and 3MB marks. That might be a temporary solution for bypassing the limit.

    If you have a friend who is not on campus, you may be able to rig up a system that will remove the restriction on file sizes. (Be aware that any attempt at circumventing the file size policy may be viewed as a violation of your school's computer use policy.)

    Here's the idea: Different protocols handle data in different ways, but you can generally manage to transport the data for one protocol over another. (For example, an SSH session can be transported over HTTPS.) This is what I call protocol tunneling -- I don't think that's the actual name. If you set up a tunnel between your computer and an off-campus friend's computer, using a protocol that only transmits data in small chunks. I don't know enough about the various protocols and tools to know how one would construct this system, but it is definitely within the range of possibility.

  7. reEz says:

    i have heard about firefox download manager before this but i never try it..hm..i think i will try it after this but surely cant do that now right,i cant download anything bigger than 2mb..most of my friends use to have DSL connection which using broadband connection and some setting..i can do that but i affaid it would be my last choice because if i want to do so i must pay around us30 just to get that connection every month while if i can get internet for free as a normal user...about LAN connection,we have already figure out how to share any file between student and we can pass that rule.right now that way that i have mentioned is the only one way do get free in internet..using broadband connection...i very hope u can see this webpages and please do not publish this web address in your blog and i hope you can give feedback personally to my email
    [URL removed by request]

    ~alexander reEz~

  8. Tim McCormack says:

    Well, if a friend has broadband and you can connect to their machine, just have them set up a proxy on their machine that you can use. I've heard good things about the SwitchProxy extension for Firefox.

  9. Kees says:

    You seem to have forgotten to add the following line in the "trust weasel" section, got this of the original instructions link:

    gpg --export 94C09C7F | sudo apt-key add -

  10. Tim McCormack says:

    Oh, you're right! Thank you very much. I'll edit the post now.