[Pkg-privacy-maintainers] Bug#845989: marked as done (browser can't be downloaded because of invalid SSL certificate)

[u]

Hi,

intrigeri:
> u:
>> As you might know, the version in Jessie is 1.9.x - very outdated and
>> one should always use the version from jessie-backports.
> 
> I (mistakenly) thought that the plan was to fix the package in Jessie
> at some point, so thanks for the update!

This was my plan until today.

> Now, this makes me wonder:
> 
> If there's any specific reason why we can't fix the package in Jessie
> (time? technical reasons?), perhaps we should remove the package from
> stable to avoid new users installing something we don't
> support anymore?

The problem is certainly the design of this software which encounters
problems regularly as soon as TorBrowser gets signed using a different
signing key for example, or in this case an invalid SSL certificate.
This has been causing most bug reports since the package was in the
archive IMO.

> And if indeed the package is not maintainable in current stable with
> the resources we have, then I would like to question its inclusion in
> the next stable release: why will we be able to support the package
> for 3-5 years in Stretch, while we apparently are not in a position to
> so for Jessie? (This is *not* a rhetorical question, I surely
> missed something.)

I suppose you're totally right, and we should remove it from the next
stable release. I'll take care of it. I don't see myself maintaining
this for the next 3-5 years of life in Stretch without help from other
team mates. As this has failed in the past, I doubt it will work in the
future.

For Buster, we can issue a call for help if people want to have this
package in stable.

In the meantime, users will still be able to install it from backports
or unstable which does not make a big difference with the current
situation in which the stable release is constantly broken.

Cheers!
u.