Automated disclaimer: This post was written more than 16 years ago and I may not have looked at it since.
Older posts may not align with who I am today and how I would think or write, and may have been written in reaction to a cultural context that no longer applies. Some of my high school or college posts are just embarrassing. However, I have left them public because I believe in keeping old web pages alive—and it's interesting to see how I've changed.
The Tor packages in the Debian (and Ubuntu) respositories are not up-to-date. This is dangerous, since people do rely on them for strong anonymity, even though the package warns them not to do so (it's still the best out there.) To get the latest stable version, you'll have to add another repository to your
sources.list file and set your system to trust it.
- I discovered that I didn't have the latest stable version of Tor when I tried to install Vidalia from source (there are no Debian/Ubuntu packages for it at this time.) Irresponsibly, the Debian Tor packages are out of date (I don't know who is being irresponsible, but clearly someone is.)
To get the latest version of Tor, you'll need to 1) add the noreply.org repository, 2) trust the signer (weasel), and 3) update the tor package.
Add the noreply.org repository
- Open the sources list: sudo gedit /etc/apt/sources.list
- Add the following lines to your sources.list file:
## Just for Tor deb http://mirror.noreply.org/pub/tor dapper main deb-src http://mirror.noreply.org/pub/tor dapper main
- Save & exit
This step allows the package manager to be sure that packages were not altered in transit by a malicious third party. I had a bit of a dilemma with this step. I was viewing the page from which I got weasel's key and fingerprint over an insecure connection, so I could have been subject to a man-in-the-middle attack. But the keyservers I retrieved from only had one Peter Palfrader (a.k.a. weasel), so I suspect I'm okay. Better to provisionally trust the key than to not authenticate the package at all.
- Retrieve weasel's keys, as specified by noreply.org: gpg --keyserver subkeys.pgp.net --recv 94C09C7F
- Verify that the key fingerprint matches the one at noreply: gpg --fingerprint 94C09C7F
- Set your trust level to ultimate, because the signed code will be running on your machine: gpg --edit-key 94C09C7F. Enter trust, 5, y, quit.
- Let the package manager know that you trust weasel's code: gpg --export 94C09C7F | sudo apt-key add - (Thanks Kees!)
Update the tor package
You're ready to update now. Two easy steps:
- Update your package list: sudo apt-get update
- Upgrade any packages you can: sudo apt-get upgrade
- Original instructions on the noreply wiki.