Onion services v2 are retiring.
It's time to migrate to onion services v3.
Here is the planned deprecation timeline:
https://blog.torproject.org/v2-deprecation-timeline
@resist1984
If you're still running oldstable, you can remedy that in a number of ways:
1) upgrade to stable (the Hard-Freeze for the *next* stable release is in <1 week)
2) install tor from oldstable-backports (3.5.10) or -backports-sloppy (4.4.5)
While I (always) appreciate coordination, @torproject shouldn't restrict their own directions/actions based on what another project does.
It's also not the first time that Debian supports software which is unsupported upstream (f.e. Qt4 in Stable)
@FreePietje @torproject It's a reckless schedule largely because it lacks coordination with the highest quality most disciplined distro of all mainstream distros. Onion v2 & v3 can coexist just fine, but because of some people's unreasonable paranoia everyone is being hastily forced into upgrades and migrations.
@torproject @FreePietje Migrations are not just the flip of a switch. I've seen dist-upgrade totally hose a simple stock installation beyond repair. In my case I have some packages on life support which interact with other pkgs, a hack-job that becomes more labor intensive & fragile with every migration. It's reckless for Tor project to put unjustified urgency on v2 obsolescence when v3 can coexist.
@resist1984
> the highest quality most disciplined distro of all mainstream distros
Ofc I can only agree to that 😄
@torproject will remove support for onion v2 in *their* (ie upstream) git repo in version 4.6.
The Tor version in #Debian #Bullseye will be 4.5.6 which supports both v2 and v3 onions.
I don't recommend it, but that means you can use v2 for some 5+ years to come?
I don't think you can compare a whole OS upgrade with the upgrade of 1 package, unless I'm misunderstanding you.
@FreePietje @torproject I guess I didn't understand the consequences of v2 obsolescence. I thought the network and directory would break onion v2, so that a v2 supporting client couldn't talk to a v2 server. If the network will still allow v2, i'd say that's fair enough.
@resist1984 @torproject
It can be that I'm not fully understanding it (too), because I don't know/understand all the aspects of how the tor network works.
My initial/primary reaction was that *I* think your argument was unfair.
If you're running oldstable, which soon (tm) will be oldoldstable, that's your choice but you also have to accept the consequences. But solutions exist.
Also note that the link in OP points to a post from July 2nd, 2020, so OP is a reminder not an initial announcement.
@FreePietje @torproject i know it's not an initial announcement. When I 1st heard the announcement stretch was /stable/. I found it so proposterous at the time that I was certain they wouldn't get away with that nutty schedule. The schedule has already slipped & rightfully so. If they break the network this year, it would be reckless. If this move doesn't break the network, then it's not an issue.
I just logged in to the GUI & noticed your avatar. Normally I just use a terminal. I appreciate the heads up on Debian getting a new release in the next week.
I only migrate from scratch anymore (no dist-upgrade), so perhaps I'll skip buster.
@resist1984
Friday (2021-03-12) will be the start of the Hard Freeze (https://release.debian.org/testing/freeze_policy.html). It may take weeks/months for the actual release of Bullseye.
There's nothing wrong with dist-upgrade afaic and it's (much) safer to first upgrade Stretch -> Buster and then Buster -> Bullseye. You could do them in close succession.
Upgrades to the next Stable release are tested; skipping one, not, and is much more likely to break things.
I personally prefer aptitude (better resolver) to apt/apt-get.
@torproject
Can you clarify this?
Recently I learned through an issue with v3 onions, that there was a central coordination part of the Tor network.
So the primary question is:
will onion v2 sites cease to function (at all) on October 15th, 2021 (onward)?
@FreePietje @torproject @resist1984 yup, v2 onion will be disabled from the Tor network on October 15th.
@ggus
Holy crap!
The impact of that is FAR bigger then I thought.
Deprecation in my understanding is a 'nudge' to use a better way.
Not "it ceases to work at all".
@resist1984 I still recommend to upgrade from oldstable, but other then that, it looks like you were (far) more correct then I was.
@torproject
Assuming gus is right, you really need to work on your messaging.
If you're intimately familiar with Tor internals, 'retiring' may have been clear enough.
For normal users, not so much.
@FreePietje @resist1984 a great and positive impact to the Tor network health. Please read why we’re removing v2 onions: https://lists.torproject.org/pipermail/tor-dev/2020-June/014365.html
@ggus @FreePietje I think everyone agrees that v3 is more secure. The problem is two-fold. It's a reckless schedule. Demanding everyone migrate in 15 months grossly miscalculates many different situations. Not everyone is a gamer who can simply hit an upgrade button without side-effects.. without important tools failing. 15 months would be reasonable *iff* the network were not impacted.
@FreePietje @ggus The 2nd problem is that people know their own threat models better than you do, and they know better than you if their adversary is going to have the capability of cracking RSA1024. Users should be in control of their own security, not have a vendor impose on them.
@resist1984 @FreePietje the problem is not only your threat model, but the whole Tor network.
@ggus @resist1984
It was likely through that ML post that I learned v2 uses RSA1024 and my reaction to that was "holy crap!" as well.
I'm thoroughly convinced of the superiority and need for v3 onions.
My complaint is about the non-clear messaging to normal users.
And also the lack of messaging. Possibly through my 'nagging' they tooted about it recently. The previous one was ~9 months ago.
@torproject RSA/DH-1024/SHA-1 are finally gone for good, a new onion for a new decade 🎉
Server run by the main developers of the project 
It is not focused on any particular niche interest - everyone is welcome as long as you follow our code of conduct!
@torproject that's too soon. Debian still officially supports versions that can't do v3.