ChangeLog 199 KB
Newer Older
1
Changes in version 0.1.2.7-alpha - 2007-??-??
2
  o Major bugfixes (rate limiting):
3
4
5
    - Servers decline directory requests much more aggressively when
      they're low on bandwidth. Otherwise they end up queueing more and
      more directory responses, which can't be good for latency.
6
    - But never refuse directory requests from local addresses.
7
8
    - Be willing to read or write on local connections (e.g. controller
      connections) even when the global rate limiting buckets are empty.
9
10
11
    - If our system clock jumps back in time, don't publish a negative
      uptime in the descriptor. Also, don't let the global rate limiting
      buckets go absurdly negative.
12
13
14
15
16
17
18
19
20
21
    - Flush local controller connection buffers periodically as we're
      writing to them, so we avoid queueing 4+ megabytes of data before
      trying to flush.

  o Major bugfixes (other):
    - Fix a crash bug in the presence of DNS hijacking (reported by Andrew
      Del Vecchio).
    - Previously, we would cache up to 16 old networkstatus documents
      indefinitely, if they came from nontrusted authorities. Now we
      discard them if they are more than 10 days old.
22
23
    - Detect and reject malformed DNS responses containing circular
      pointer loops.
24
25
    - Fix a memory leak when sending a 503 response for a networkstatus
      request.
26
27
    - If we're not marking exits as guards, ignore exit bandwidth
      when we're deciding the required bandwidth to become a guard.
28

29
  o Minor bugfixes:
30
    - When computing clock skew from directory HTTP headers, consider what
31
32
      time it was when we finished asking for the directory, not what
      time it is now.
33
34
    - Add some defensive programming to eventdns.c in an attempt to catch
      possible memory-stomping bugs.
35
    - Fix crash with "tor --list-fingerprint" (reported by seeess).
36
37
38
    - Expire socks connections if they spend too long waiting for the
      handshake to finish. Previously we would let them sit around for
      days, if the connecting application didn't close them either.
39
40
    - And if the socks handshake hasn't started, don't send a
      "DNS resolve socks failed" handshake reply; just close it.
41
    - Stop using C functions that OpenBSD's linker doesn't like.
42
    - Detect and reject DNS replies containing IPv4 or IPv6 records with
43
44
45
      an incorrect number of bytes. (Previously, we would ignore the
      extra bytes.)
    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
46
      in the correct order, and doesn't crash.
47
48
    - Free memory held in recently-completed DNS lookup attempts on exit.
      This was not a memory leak, but may have been hiding memory leaks.
49
    - Don't launch requests for descriptors unless we have networkstatuses
50
51
52
53
54
      from at least half of the authorities.  This delays the first
      download slightly under pathological circumstances, but can prevent
      us from downloading a bunch of descriptors we don't need.
    - Do not log IPs with TLS failures for incoming TLS
      connections. (Fixes bug 382.)
55
56
57
58
59
60
    - When we're handling a directory connection tunneled over Tor,
      don't fill up internal memory buffers with all the data we want
      to tunnel; instead, only add it if the OR connection that will
      eventually receive it has some room for it. (This can lead to
      slowdowns in tunneled dir connections; a better solution will have
      to wait for 0.2.0.)
61
62
    - If the user asks to use invalid exit nodes, be willing to use the
      unstable ones.
63
    - Handle TTL values correctly on reverse DNS lookups.
64
    - Stop using the reserved ac_cv namespace in our configure script.
65
    - Call stat() slightly less often; use fstat() when possible.
66
    - Treat failure to parse resolv.conf as an error.
67

68
69
70
71
72
  o Major features:
    - Weight directory requests by advertised bandwidth. Now we can
      let servers enable write limiting but still allow most clients to
      succeed at their directory requests.

Roger Dingledine's avatar
Roger Dingledine committed
73
  o Minor features:
74
75
76
    - Create a new file ReleaseNotes which was the old ChangeLog. The
      new ChangeLog file now includes the summaries for even development
      versions.
77
78
79
    - Check for addresses with invalid characters at the exit as well
      as at the client, and warn less verbosely when they fail. You can
      override this by setting ServerDNSAllowNonRFC953Addresses to 1.
Roger Dingledine's avatar
Roger Dingledine committed
80
81
    - Adapt a patch from goodell to let the contrib/exitlist script
      take arguments rather than require direct editing.
82
83
84
    - Inform the server operator when we decide not to advertise a
      DirPort due to AccountingMax enabled or a low BandwidthRate. It
      was confusing Zax, so now we're hopefully more helpful.
85
86
87
88
    - Bring us one step closer to being able to establish an encrypted
      directory tunnel without knowing a descriptor first. Still not
      ready yet. As part of the change, now assume we can use a
      create_fast cell if we don't know anything about a router.
89
    - Allow exit nodes to use nameservers running on ports other than 53.
90
    - Servers now cache reverse DNS replies.
Roger Dingledine's avatar
Roger Dingledine committed
91
92

  o Minor features (controller):
93
94
95
96
    - Track reasons for OR connection failure; make these reasons
      available via the controller interface. (Patch from Mike Perry.)
    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
      can learn when clients are sending malformed hostnames to Tor.
Roger Dingledine's avatar
Roger Dingledine committed
97
98
    - Clean up documentation for controller status events.

99

100
101
102
Changes in version 0.1.2.6-alpha - 2007-01-09
  o Major bugfixes:
    - Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS
103
104
105
106
107
      connection handles more than 4 gigs in either direction, we crash.
    - Fix an assert error introduced in 0.1.2.5-alpha: if we're an
      advertised exit node, somebody might try to exit from us when
      we're bootstrapping and before we've built your descriptor yet.
      Refuse the connection rather than crashing.
108
109
110
111
112
113
114
115
116
117
118

  o Minor bugfixes:
    - Warn if we (as a server) find that we've resolved an address that we
      weren't planning to resolve.
    - Warn that using select() on any libevent version before 1.1 will be
      unnecessarily slow (even for select()).
    - Flush ERR-level controller status events just like we currently
      flush ERR-level log events, so that a Tor shutdown doesn't prevent
      the controller from learning about current events.

  o Minor features (more controller status events):
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
    - Implement EXTERNAL_ADDRESS server status event so controllers can
      learn when our address changes.
    - Implement BAD_SERVER_DESCRIPTOR server status event so controllers
      can learn when directories reject our descriptor.
    - Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers
      can learn when a client application is speaking a non-socks protocol
      to our SocksPort.
    - Implement DANGEROUS_SOCKS client status event so controllers
      can learn when a client application is leaking DNS addresses.
    - Implement BUG general status event so controllers can learn when
      Tor is unhappy about its internal invariants.
    - Implement CLOCK_SKEW general status event so controllers can learn
      when Tor thinks the system clock is set incorrectly.
    - Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR
      server status events so controllers can learn when their descriptors
      are accepted by a directory.
    - Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED}
      server status events so controllers can learn about Tor's progress in
      deciding whether it's reachable from the outside.
138
139
140
    - Implement BAD_LIBEVENT general status event so controllers can learn
      when we have a version/method combination in libevent that needs to
      be changed.
141
142
143
    - Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED,
      and DNS_USELESS server status events so controllers can learn
      about changes to DNS server status.
144

145
  o Minor features (directory):
146
147
    - Authorities no longer recommend exits as guards if this would shift
      too much load to the exit nodes.
148

149

150
Changes in version 0.1.2.5-alpha - 2007-01-06
151
  o Major features:
152
153
154
    - Enable write limiting as well as read limiting. Now we sacrifice
      capacity if we're pushing out lots of directory traffic, rather
      than overrunning the user's intended bandwidth limits.
155
    - Include TLS overhead when counting bandwidth usage; previously, we
156
157
      would count only the bytes sent over TLS, but not the bytes used
      to send them.
158
159
160
161
162
163
164
165
166
167
168
    - Support running the Tor service with a torrc not in the same
      directory as tor.exe and default to using the torrc located in
      the %appdata%\Tor\ of the user who installed the service. Patch
      from Matt Edman.
    - Servers now check for the case when common DNS requests are going to
      wildcarded addresses (i.e. all getting the same answer), and change
      their exit policy to reject *:* if it's happening.
    - Implement BEGIN_DIR cells, so we can connect to the directory
      server via TLS to do encrypted directory requests rather than
      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
      config options if you like.
169

170
  o Minor features (config and docs):
171
    - Start using the state file to store bandwidth accounting data:
Roger Dingledine's avatar
Roger Dingledine committed
172
      the bw_accounting file is now obsolete. We'll keep generating it
173
      for a while for people who are still using 0.1.2.4-alpha.
Roger Dingledine's avatar
Roger Dingledine committed
174
175
176
    - Try to batch changes to the state file so that we do as few
      disk writes as possible while still storing important things in
      a timely fashion.
177
    - The state file and the bw_accounting file get saved less often when
178
      the AvoidDiskWrites config option is set.
179
    - Make PIDFile work on Windows (untested).
180
181
182
    - Add internal descriptions for a bunch of configuration options:
      accessible via controller interface and in comments in saved
      options files.
183
    - Reject *:563 (NNTPS) in the default exit policy. We already reject
184
      NNTP by default, so this seems like a sensible addition.
185
186
187
188
    - Clients now reject hostnames with invalid characters. This should
      avoid some inadvertent info leaks. Add an option
      AllowNonRFC953Hostnames to disable this behavior, in case somebody
      is running a private network with hosts called @, !, and #.
189
    - Add a maintainer script to tell us which options are missing
190
      documentation: "make check-docs".
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
    - Add a new address-spec.txt document to describe our special-case
      addresses: .exit, .onion, and .noconnnect.

  o Minor features (DNS):
    - Ongoing work on eventdns infrastructure: now it has dns server
      and ipv6 support. One day Tor will make use of it.
    - Add client-side caching for reverse DNS lookups.
    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
    - When we change nameservers or IP addresses, reset and re-launch
      our tests for DNS hijacking.

  o Minor features (directory):
    - Authorities now specify server versions in networkstatus. This adds
      about 2% to the side of compressed networkstatus docs, and allows
      clients to tell which servers support BEGIN_DIR and which don't.
      The implementation is forward-compatible with a proposed future
      protocol version scheme not tied to Tor versions.
    - DirServer configuration lines now have an orport= option so
209
210
211
      clients can open encrypted tunnels to the authorities without
      having downloaded their descriptors yet. Enabled for moria1,
      moria2, tor26, and lefkada now in the default configuration.
212
213
214
215
    - Directory servers are more willing to send a 503 "busy" if they
      are near their write limit, especially for v1 directory requests.
      Now they can use their limited bandwidth for actual Tor traffic.
    - Clients track responses with status 503 from dirservers. After a
216
217
      dirserver has given us a 503, we try not to use it until an hour has
      gone by, or until we have no dirservers that haven't given us a 503.
218
    - When we get a 503 from a directory, and we're not a server, we don't
219
220
221
      count the failure against the total number of failures allowed
      for the thing we're trying to download.
    - Report X-Your-Address-Is correctly from tunneled directory
222
      connections; don't report X-Your-Address-Is when it's an internal
223
224
      address; and never believe reported remote addresses when they're
      internal.
225
    - Protect against an unlikely DoS attack on directory servers.
226
    - Add a BadDirectory flag to network status docs so that authorities
227
228
      can (eventually) tell clients about caches they believe to be
      broken.
229

230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
  o Minor features (controller):
    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
    - Reimplement GETINFO so that info/names stays in sync with the
      actual keys.
    - Implement "GETINFO fingerprint".
    - Implement "SETEVENTS GUARD" so controllers can get updates on
      entry guard status as it changes.

  o Minor features (clean up obsolete pieces):
    - Remove some options that have been deprecated since at least
      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
      to set log options.
    - We no longer look for identity and onion keys in "identity.key" and
      "onion.key" -- these were replaced by secret_id_key and
      secret_onion_key in 0.0.8pre1.
    - We no longer require unrecognized directory entries to be
      preceded by "opt".

  o Major bugfixes (security):
250
251
252
253
254
255
256
257
258
259
260
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.
    - When generating bandwidth history, round down to the nearest
      1k. When storing accounting data, round up to the nearest 1k.
    - When we're running as a server, remember when we last rotated onion
      keys, so that we will rotate keys once they're a week old even if
      we never stay up for a week ourselves.

261
  o Major bugfixes (other):
262
    - Fix a longstanding bug in eventdns that prevented the count of
Roger Dingledine's avatar
Roger Dingledine committed
263
264
265
      timed-out resolves from ever being reset. This bug caused us to
      give up on a nameserver the third time it timed out, and try it
      10 seconds later... and to give up on it every time it timed out
266
      after that.
267
268
269
270
    - Take out the '5 second' timeout from the connection retry
      schedule. Now the first connect attempt will wait a full 10
      seconds before switching to a new circuit. Perhaps this will help
      a lot. Based on observations from Mike Perry.
Roger Dingledine's avatar
Roger Dingledine committed
271
    - Fix a bug on the Windows implementation of tor_mmap_file() that
272
273
      would prevent the cached-routers file from ever loading. Reported
      by John Kimble.
274
275

  o Minor bugfixes:
Roger Dingledine's avatar
Roger Dingledine committed
276
    - Fix an assert failure when a directory authority sets
277
      AuthDirRejectUnlisted and then receives a descriptor from an
278
279
280
281
      unlisted router. Reported by seeess.
    - Avoid a double-free when parsing malformed DirServer lines.
    - Fix a bug when a BSD-style PF socket is first used. Patch from
      Fabian Keil.
282
283
284
    - Fix a bug in 0.1.2.2-alpha that prevented clients from asking
      to resolve an address at a given exit node even when they ask for
      it by name.
285
286
287
    - Servers no longer ever list themselves in their "family" line,
      even if configured to do so. This makes it easier to configure
      family lists conveniently.
Roger Dingledine's avatar
Roger Dingledine committed
288
289
290
291
    - When running as a server, don't fall back to 127.0.0.1 when no
      nameservers are configured in /etc/resolv.conf; instead, make the
      user fix resolv.conf or specify nameservers explicitly. (Resolves
      bug 363.)
292
    - Stop accepting certain malformed ports in configured exit policies.
293
294
    - Don't re-write the fingerprint file every restart, unless it has
      changed.
295
    - Stop warning when a single nameserver fails: only warn when _all_ of
296
297
      our nameservers have failed. Also, when we only have one nameserver,
      raise the threshold for deciding that the nameserver is dead.
298
299
    - Directory authorities now only decide that routers are reachable
      if their identity keys are as expected.
300
301
    - When the user uses bad syntax in the Log config line, stop
      suggesting other bad syntax as a replacement.
302
    - Correctly detect ipv6 DNS capability on OpenBSD.
303

304
305
306
  o Minor bugfixes (controller):
    - Report the circuit number correctly in STREAM CLOSED events. Bug
      reported by Mike Perry.
307
    - Do not report bizarre values for results of accounting GETINFOs
308
      when the last second's write or read exceeds the allotted bandwidth.
309
310
    - Report "unrecognized key" rather than an empty string when the
      controller tries to fetch a networkstatus that doesn't exist.
311
312


313
314
315
316
317
318
319
320
321
322
323
324
325
326
Changes in version 0.1.1.26 - 2006-12-14
  o Security bugfixes:
    - Stop sending the HttpProxyAuthenticator string to directory
      servers when directory connections are tunnelled through Tor.
    - Clients no longer store bandwidth history in the state file.
    - Do not log introduction points for hidden services if SafeLogging
      is set.

  o Minor bugfixes:
    - Fix an assert failure when a directory authority sets
      AuthDirRejectUnlisted and then receives a descriptor from an
      unlisted router (reported by seeess).


327
Changes in version 0.1.2.4-alpha - 2006-12-03
328
329
330
331
  o Major features:
    - Add support for using natd; this allows FreeBSDs earlier than
      5.1.2 to have ipfw send connections through Tor without using
      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
332

333
334
335
336
337
338
339
340
341
  o Minor features:
    - Make all connections to addresses of the form ".noconnect"
      immediately get closed. This lets application/controller combos
      successfully test whether they're talking to the same Tor by
      watching for STREAM events.
    - Make cross.sh cross-compilation script work even when autogen.sh
      hasn't been run. (Patch from Michael Mohr.)
    - Statistics dumped by -USR2 now include a breakdown of public key
      operations, for profiling.
342

343
344
345
346
  o Major bugfixes:
    - Fix a major leak when directory authorities parse their
      approved-routers list, a minor memory leak when we fail to pick
      an exit node, and a few rare leaks on errors.
347
    - Handle TransPort connections even when the server sends data before
348
      the client sends data. Previously, the connection would just hang
349
350
      until the client sent data. (Patch from tup based on patch from
      Zajcev Evgeny.)
351
352
    - Avoid assert failure when our cached-routers file is empty on
      startup.
353

354
  o Minor bugfixes:
355
356
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
357
358
    - Have directory authorities allow larger amounts of drift in uptime
      without replacing the server descriptor: previously, a server that
359
360
      restarted every 30 minutes could have 48 "interesting" descriptors
      per day.
361
362
    - Start linking to the Tor specification and Tor reference manual
      correctly in the Windows installer.
363
364
365
366
367
368
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.
    - Resume building on Irix64, and fix a lot of warnings from its
      MIPSpro C compiler.
    - Don't corrupt last_guessed_ip in router_new_address_suggestion()
      when we're running as a client.
369

370

371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
Changes in version 0.1.1.25 - 2006-11-04
  o Major bugfixes:
    - When a client asks us to resolve (rather than connect to)
      an address, and we have a cached answer, give them the cached
      answer. Previously, we would give them no answer at all.
    - We were building exactly the wrong circuits when we predict
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
    - If none of our live entry guards have a high uptime, but we
      require a guard with a high uptime, try adding a new guard before
      we give up on the requirement. This patch should make long-lived
      connections more stable on average.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

  o Minor bugfixes:
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid possibility of controller-triggered crash when misusing
      certain commands from a v0 controller on platforms that do not
      handle printf("%s",NULL) gracefully.
    - Avoid infinite loop on unexpected controller input.
    - Don't log spurious warnings when we see a circuit close reason we
      don't recognize; it's probably just from a newer version of Tor.
    - Add Vidalia to the OS X uninstaller script, so when we uninstall
      Tor/Privoxy we also uninstall Vidalia.


404
Changes in version 0.1.2.3-alpha - 2006-10-29
405
  o Minor features:
406
    - Prepare for servers to publish descriptors less often: never
407
      discard a descriptor simply for being too old until either it is
408
409
      recommended by no authorities, or until we get a better one for
      the same router. Make caches consider retaining old recommended
410
      routers for even longer.
411
412
413
    - If most authorities set a BadExit flag for a server, clients
      don't think of it as a general-purpose exit. Clients only consider
      authorities that advertise themselves as listing bad exits.
414
415
416
    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
      headers for content, so that we can work better in the presence of
      caching HTTP proxies.
417
418
    - Allow authorities to list nodes as bad exits by fingerprint or by
      address.
419

420
  o Minor features, controller:
421
422
    - Add a REASON field to CIRC events; for backward compatibility, this
      field is sent only to controllers that have enabled the extended
423
424
425
      event format.  Also, add additional reason codes to explain why
      a given circuit has been destroyed or truncated. (Patches from
      Mike Perry)
426
427
    - Add a REMOTE_REASON field to extended CIRC events to tell the
      controller about why a remote OR told us to close a circuit.
428
429
    - Stream events also now have REASON and REMOTE_REASON fields,
      working much like those for circuit events.
430
    - There's now a GETINFO ns/... field so that controllers can ask Tor
431
432
433
      about the current status of a router.
    - A new event type "NS" to inform a controller when our opinion of
      a router's status has changed.
434
435
    - Add a GETINFO events/names and GETINFO features/names so controllers
      can tell which events and features are supported.
436
437
    - A new CLEARDNSCACHE signal to allow controllers to clear the
      client-side DNS cache without expiring circuits.
438

Roger Dingledine's avatar
Roger Dingledine committed
439
440
441
442
  o Security bugfixes:
    - When the user sends a NEWNYM signal, clear the client-side DNS
      cache too. Otherwise we continue to act on previous information.

443
  o Minor bugfixes:
444
445
446
447
448
449
450
451
    - Avoid sending junk to controllers or segfaulting when a controller
      uses EVENT_NEW_DESC with verbose nicknames.
    - Stop triggering asserts if the controller tries to extend hidden
      service circuits (reported by mwenge).
    - Avoid infinite loop on unexpected controller input.
    - When the controller does a "GETINFO network-status", tell it
      about even those routers whose descriptors are very old, and use
      long nicknames where appropriate.
452
    - Change NT service functions to be loaded on demand.  This lets us
453
      build with MinGW without breaking Tor for Windows 98 users.
454
455
456
457
    - Do DirPort reachability tests less often, since a single test
      chews through many circuits before giving up.
    - In the hidden service example in torrc.sample, stop recommending
      esoteric and discouraged hidden service options.
458
459
    - When stopping an NT service, wait up to 10 sec for it to actually
      stop.  (Patch from Matt Edman; resolves bug 295.)
460
461
462
    - Fix handling of verbose nicknames with ORCONN controller events:
      make them show up exactly when requested, rather than exactly when
      not requested.
463
    - When reporting verbose nicknames in entry_guards_getinfo(), avoid
464
465
466
467
468
469
470
471
472
473
474
      printing a duplicate "$" in the keys we send (reported by mwenge).
    - Correctly set maximum connection limit on Cygwin. (This time
      for sure!)
    - Try to detect Windows correctly when cross-compiling.
    - Detect the size of the routers file correctly even if it is
      corrupted (on systems without mmap) or not page-aligned (on systems
      with mmap). This bug was harmless.
    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
      to open a stream fails; now we do in more cases. This should
      make clients able to find a good exit faster in some cases, since
      unhandleable requests will now get an error rather than timing out.
475
476
    - Resolve two memory leaks when rebuilding the on-disk router cache
      (reported by fookoowa).
477
478
    - Clean up minor code warnings suggested by the MIPSpro C compiler,
      and reported by some Centos users.
479
480
    - Controller signals now work on non-Unix platforms that don't define
      SIGUSR1 and SIGUSR2 the way we expect.
481
482
    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
      values before failing, and always enables eventdns.
483
484
485
486
    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
      Try to fix this in configure.in by checking for most functions
      before we check for libevent.

487

488
Changes in version 0.1.2.2-alpha - 2006-10-07
489
  o Major features:
490
    - Make our async eventdns library on-by-default for Tor servers,
491
      and plan to deprecate the separate dnsworker threads.
492
    - Add server-side support for "reverse" DNS lookups (using PTR
Roger Dingledine's avatar
Roger Dingledine committed
493
      records so clients can determine the canonical hostname for a given
494
495
      IPv4 address). Only supported by servers using eventdns; servers
      now announce in their descriptors whether they support eventdns.
496
    - Specify and implement client-side SOCKS5 interface for reverse DNS
497
      lookups (see doc/socks-extensions.txt).
498
    - Add a BEGIN_DIR relay cell type for an easier in-protocol way to
499
500
501
502
503
504
505
      connect to directory servers through Tor. Previously, clients needed
      to find Tor exits to make private connections to directory servers.
    - Avoid choosing Exit nodes for entry or middle hops when the
      total bandwidth available from non-Exit nodes is much higher than
      the total bandwidth available from Exit nodes.
    - Workaround for name servers (like Earthlink's) that hijack failing
      DNS requests and replace the no-such-server answer with a "helpful"
506
507
508
509
      redirect to an advertising-driven search portal. Also work around
      DNS hijackers who "helpfully" decline to hijack known-invalid
      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
      lets you turn it off.
510
511
512
    - Send out a burst of long-range padding cells once we've established
      that we're reachable. Spread them over 4 circuits, so hopefully
      a few will be fast. This exercises our bandwidth and bootstraps
513
      us into the directory more quickly.
514
515
516

  o New/improved config options:
    - Add new config option "ResolvConf" to let the server operator
517
      choose an alternate resolve.conf file when using eventdns.
518
    - Add an "EnforceDistinctSubnets" option to control our "exclude
519
      servers on the same /16" behavior. It's still on by default; this
520
521
      is mostly for people who want to operate private test networks with
      all the machines on the same subnet.
522
    - If one of our entry guards is on the ExcludeNodes list, or the
Roger Dingledine's avatar
Roger Dingledine committed
523
524
525
526
527
528
      directory authorities don't think it's a good guard, treat it as
      if it were unlisted: stop using it as a guard, and throw it off
      the guards list if it stays that way for a long time.
    - Allow directory authorities to be marked separately as authorities
      for the v1 directory protocol, the v2 directory protocol, and
      as hidden service directories, to make it easier to retire old
529
      authorities. V1 authorities should set "HSAuthoritativeDir 1"
Roger Dingledine's avatar
Roger Dingledine committed
530
      to continue being hidden service authorities too.
531
532
533
534
535
    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).

  o Minor features, controller:
    - Fix CIRC controller events so that controllers can learn the
      identity digests of non-Named servers used in circuit paths.
536
537
538
539
540
    - Let controllers ask for more useful identifiers for servers. Instead
      of learning identity digests for un-Named servers and nicknames
      for Named servers, the new identifiers include digest, nickname,
      and indication of Named status. Off by default; see control-spec.txt
      for more information.
541
542
    - Add a "getinfo address" controller command so it can display Tor's
      best guess to the user.
543
544
545
    - New controller event to alert the controller when our server
      descriptor has changed.
    - Give more meaningful errors on controller authentication failure.
546
547
548
549
550
551

  o Minor features, other:
    - When asked to resolve a hostname, don't use non-exit servers unless
      requested to do so. This allows servers with broken DNS to be
      useful to the network.
    - Divide eventdns log messages into warn and info messages.
Roger Dingledine's avatar
Roger Dingledine committed
552
    - Reserve the nickname "Unnamed" for routers that can't pick
553
      a hostname: any router can call itself Unnamed; directory
Roger Dingledine's avatar
Roger Dingledine committed
554
555
      authorities will never allocate Unnamed to any particular router;
      clients won't believe that any router is the canonical Unnamed.
Roger Dingledine's avatar
Roger Dingledine committed
556
557
    - Only include function names in log messages for info/debug messages.
      For notice/warn/err, the content of the message should be clear on
558
      its own, and printing the function name only confuses users.
Roger Dingledine's avatar
Roger Dingledine committed
559
560
    - Avoid some false positives during reachability testing: don't try
      to test via a server that's on the same /24 as us.
561
562
    - If we fail to build a circuit to an intended enclave, and it's
      not mandatory that we use that enclave, stop wanting it.
563
564
    - When eventdns is enabled, allow multithreaded builds on NetBSD and
      OpenBSD. (We had previously disabled threads on these platforms
565
      because they didn't have working thread-safe resolver functions.)
566

567
  o Major bugfixes, anonymity/security:
Roger Dingledine's avatar
Roger Dingledine committed
568
569
    - If a client asked for a server by name, and there's a named server
      in our network-status but we don't have its descriptor yet, we
570
      could return an unnamed server instead.
571
572
573
    - Fix NetBSD bug that could allow someone to force uninitialized RAM
      to be sent to a server's DNS resolver. This only affects NetBSD
      and other platforms that do not bounds-check tolower().
Roger Dingledine's avatar
Roger Dingledine committed
574
575
576
    - Reject (most) attempts to use Tor circuits with length one. (If
      many people start using Tor as a one-hop proxy, exit nodes become
      a more attractive target for compromise.)
577
578
579
    - Just because your DirPort is open doesn't mean people should be
      able to remotely teach you about hidden service descriptors. Now
      only accept rendezvous posts if you've got HSAuthoritativeDir set.
580

581
  o Major bugfixes, other:
582
    - Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
583
584
585
    - When a client asks the server to resolve (not connect to)
      an address, and it has a cached answer, give them the cached answer.
      Previously, the server would give them no answer at all.
586
587
    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
Roger Dingledine's avatar
Roger Dingledine committed
588
589
590
    - We were building exactly the wrong circuits when we anticipated
      hidden service requirements, meaning Tor would have to build all
      its circuits on demand.
591
592
593
594
595
596
597
598
599
600
601
602
603
604
    - Avoid crashing when we mmap a router cache file of size 0.
    - When testing reachability of our DirPort, don't launch new
      tests when there's already one in progress -- unreachable
      servers were stacking up dozens of testing streams.

  o Minor bugfixes, correctness:
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.
    - Avoid a memory corruption bug when creating a hash table for
      the first time.
    - Avoid controller-triggered crash when misusing certain commands
      from a v0 controller on platforms that do not handle
      printf("%s",NULL) gracefully.
605
    - Don't crash when a controller sends a third argument to an
606
607
608
609
610
      "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Avoid crash when telling controller stream-status and a stream
      is detached.
611
    - Patch from Adam Langley to fix assert() in eventdns.c.
612
613
    - Fix a debug log message in eventdns to say "X resolved to Y"
      instead of "X resolved to X".
614
615
616
617
618
619
    - Make eventdns give strings for DNS errors, not just error numbers.
    - Track unreachable entry guards correctly: don't conflate
      'unreachable by us right now' with 'listed as down by the directory
      authorities'. With the old code, if a guard was unreachable by
      us but listed as running, it would clog our guard list forever.
    - Behave correctly in case we ever have a network with more than
620
      2GB/s total advertised capacity.
621
622
623
624
625
626
    - Make TrackExitHosts case-insensitive, and fix the behavior of
      ".suffix" TrackExitHosts items to avoid matching in the middle of
      an address.
    - Finally fix the openssl warnings from newer gccs that believe that
      ignoring a return value is okay, but casting a return value and
      then ignoring it is a sign of madness.
627
628
    - Prevent the contrib/exitlist script from printing the same
      result more than once.
629
630
    - Patch from Steve Hildrey: Generate network status correctly on
      non-versioning dirservers.
631
632
    - Don't listen to the X-Your-Address-Is hint if you did the lookup
      via Tor; otherwise you'll think you're the exit node's IP address.
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652

  o Minor bugfixes, performance:
    - Two small performance improvements on parsing descriptors.
    - Major performance improvement on inserting descriptors: change
      algorithm from O(n^2) to O(n).
    - Make the common memory allocation path faster on machines where
      malloc(0) returns a pointer.
    - Start remembering X-Your-Address-Is directory hints even if you're
      a client, so you can become a server more smoothly.
    - Avoid duplicate entries on MyFamily line in server descriptor.

  o Packaging, features:
    - Remove architecture from OS X builds. The official builds are
      now universal binaries.
    - The Debian package now uses --verify-config when (re)starting,
      to distinguish configuration errors from other errors.
    - Update RPMs to require libevent 1.1b.

  o Packaging, bugfixes:
    - Patches so Tor builds with MinGW on Windows.
653
    - Patches so Tor might run on Cygwin again.
654
655
656
    - Resume building on non-gcc compilers and ancient gcc. Resume
      building with the -O0 compile flag. Resume building cleanly on
      Debian woody.
657
    - Run correctly on OS X platforms with case-sensitive filesystems.
658
    - Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
659
    - Add autoconf checks so Tor can build on Solaris x86 again.
660

661
662
663
  o Documentation
    - Documented (and renamed) ServerDNSSearchDomains and
      ServerDNSResolvConfFile options.
664
665
    - Be clearer that the *ListenAddress directives can be repeated
      multiple times.
666

667

668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
Changes in version 0.1.1.24 - 2006-09-29
  o Major bugfixes:
    - Allow really slow clients to not hang up five minutes into their
      directory downloads (suggested by Adam J. Richter).
    - Fix major performance regression from 0.1.0.x: instead of checking
      whether we have enough directory information every time we want to
      do something, only check when the directory information has changed.
      This should improve client CPU usage by 25-50%.
    - Don't crash if, after a server has been running for a while,
      it can't resolve its hostname.
    - When a client asks us to resolve (not connect to) an address,
      and we have a cached answer, give them the cached answer.
      Previously, we would give them no answer at all.

  o Minor bugfixes:
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - Don't crash when the controller receives a third argument to an
      "extendcircuit" request.
    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
      response; fix error code when "getinfo dir/status/" fails.
    - Fix configure.in to not produce broken configure files with
      more recent versions of autoconf. Thanks to Clint for his auto*
      voodoo.
    - Fix security bug on NetBSD that could allow someone to force
      uninitialized RAM to be sent to a server's DNS resolver. This
      only affects NetBSD and other platforms that do not bounds-check
      tolower().
    - Warn user when using libevent 1.1a or earlier with win32 or kqueue
      methods: these are known to be buggy.
    - If we're a directory mirror and we ask for "all" network status
      documents, we would discard status documents from authorities
      we don't recognize.


702
703
704
Changes in version 0.1.2.1-alpha - 2006-08-27
  o Major features:
    - Add "eventdns" async dns library from Adam Langley, tweaked to
705
706
      build on OSX and Windows. Only enabled if you pass the
      --enable-eventdns argument to configure.
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
    - Allow servers with no hostname or IP address to learn their
      IP address by asking the directory authorities. This code only
      kicks in when you would normally have exited with a "no address"
      error. Nothing's authenticated, so use with care.
    - Rather than waiting a fixed amount of time between retrying
      application connections, we wait only 5 seconds for the first,
      10 seconds for the second, and 15 seconds for each retry after
      that. Hopefully this will improve the expected user experience.
    - Patch from Tup to add support for transparent AP connections:
      this basically bundles the functionality of trans-proxy-tor
      into the Tor mainline. Now hosts with compliant pf/netfilter
      implementations can redirect TCP connections straight to Tor
      without diverting through SOCKS. Needs docs.
    - Busy directory servers save lots of memory by spooling server
      descriptors, v1 directories, and v2 networkstatus docs to buffers
      as needed rather than en masse. Also mmap the cached-routers
      files, so we don't need to keep the whole thing in memory too.
    - Automatically avoid picking more than one node from the same
      /16 network when constructing a circuit.
    - Revise and clean up the torrc.sample that we ship with; add
      a section for BandwidthRate and BandwidthBurst.

  o Minor features:
730
731
732
    - Split circuit_t into origin_circuit_t and or_circuit_t, and
      split connection_t into edge, or, dir, control, and base structs.
      These will save quite a bit of memory on busy servers, and they'll
733
734
735
736
737
738
739
740
      also help us track down bugs in the code and bugs in the spec.
    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
      or later. Log when we are doing this, so we can diagnose it when
      it fails. (Also, recommend libevent 1.1b for kqueue and
      win32 methods; deprecate libevent 1.0b harder; make libevent
      recommendation system saner.)
    - Start being able to build universal binaries on OS X (thanks
      to Phobos).
741
742
    - Export the default exit policy via the control port, so controllers
      don't need to guess what it is / will be later.
743
744
745
746
747
748
749
750
751
752
753
    - Add a man page entry for ProtocolWarnings.
    - Add TestVia config option to the man page.
    - Remove even more protocol-related warnings from Tor server logs,
      such as bad TLS handshakes and malformed begin cells.
    - Stop fetching descriptors if you're not a dir mirror and you
      haven't tried to establish any circuits lately. [This currently
      causes some dangerous behavior, because when you start up again
      you'll use your ancient server descriptors.]
    - New DirPort behavior: if you have your dirport set, you download
      descriptors aggressively like a directory mirror, whether or not
      your ORPort is set.
754
755
756
757
758
759
760
    - Get rid of the router_retry_connections notion. Now routers
      no longer try to rebuild long-term connections to directory
      authorities, and directory authorities no longer try to rebuild
      long-term connections to all servers. We still don't hang up
      connections in these two cases though -- we need to look at it
      more carefully to avoid flapping, and we likely need to wait til
      0.1.1.x is obsolete.
761
762
763
764
765
766
    - Drop compatibility with obsolete Tors that permit create cells
      to have the wrong circ_id_type.
    - Re-enable per-connection rate limiting. Get rid of the "OP
      bandwidth" concept. Lay groundwork for "bandwidth classes" --
      separate global buckets that apply depending on what sort of conn
      it is.
767
768
769
770
    - Start publishing one minute or so after we find our ORPort
      to be reachable. This will help reduce the number of descriptors
      we have for ourselves floating around, since it's quite likely
      other things (e.g. DirPort) will change during that minute too.
771
    - Fork the v1 directory protocol into its own spec document,
772
773
      and mark dir-spec.txt as the currently correct (v2) spec.

774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
  o Major bugfixes:
    - When we find our DirPort to be reachable, publish a new descriptor
      so we'll tell the world (reported by pnx).
    - Publish a new descriptor after we hup/reload. This is important
      if our config has changed such that we'll want to start advertising
      our DirPort now, etc.
    - Allow Tor to start when RunAsDaemon is set but no logs are set.
    - When we have a state file we cannot parse, tell the user and
      move it aside. Now we avoid situations where the user starts
      Tor in 1904, Tor writes a state file with that timestamp in it,
      the user fixes her clock, and Tor refuses to start.
    - Fix configure.in to not produce broken configure files with
      more recent versions of autoconf. Thanks to Clint for his auto*
      voodoo.
    - "tor --verify-config" now exits with -1(255) or 0 depending on
      whether the config options are bad or good.
    - Resolve bug 321 when using dnsworkers: append a period to every
      address we resolve at the exit node, so that we do not accidentally
      pick up local addresses, and so that failing searches are retried
      in the resolver search domains. (This is already solved for
      eventdns.) (This breaks Blossom servers for now.)
    - If we are using an exit enclave and we can't connect, e.g. because
      its webserver is misconfigured to not listen on localhost, then
      back off and try connecting from somewhere else before we fail.

  o Minor bugfixes:
    - Start compiling on MinGW on Windows (patches from Mike Chiussi).
    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
      when the IP address is mapped through MapAddress to a hostname.
    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
      useless IPv6 DNS resolves.
    - Patch suggested by Karsten Loesing: respond to SIGNAL command
      before we execute the signal, in case the signal shuts us down.
    - Clean up AllowInvalidNodes man page entry.
    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
    - Add more asserts to track down an assert error on a windows Tor
      server with connection_add being called with socket == -1.
    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
813
814
815
816
817
    - Fix misleading log messages: an entry guard that is "unlisted",
      as well as not known to be "down" (because we've never heard
      of it), is not therefore "up".
    - Remove code to special-case "-cvs" ending, since it has not
      actually mattered since 0.0.9.
818
819
820
821
    - Make our socks5 handling more robust to broken socks clients:
      throw out everything waiting on the buffer in between socks
      handshake phases, since they can't possibly (so the theory
      goes) have predicted what we plan to respond to them.
822

823

824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
Changes in version 0.1.1.23 - 2006-07-30
  o Major bugfixes:
    - Fast Tor servers, especially exit nodes, were triggering asserts
      due to a bug in handling the list of pending DNS resolves. Some
      bugs still remain here; we're hunting them.
    - Entry guards could crash clients by sending unexpected input.
    - More fixes on reachability testing: if you find yourself reachable,
      then don't ever make any client requests (so you stop predicting
      circuits), then hup or have your clock jump, then later your IP
      changes, you won't think circuits are working, so you won't try to
      test reachability, so you won't publish.

  o Minor bugfixes:
    - Avoid a crash if the controller does a resetconf firewallports
      and then a setconf fascistfirewall=1.
    - Avoid an integer underflow when the dir authority decides whether
      a router is stable: we might wrongly label it stable, and compute
      a slightly wrong median stability, when a descriptor is published
      later than now.
    - Fix a place where we might trigger an assert if we can't build our
      own server descriptor yet.


847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
Changes in version 0.1.1.22 - 2006-07-05
  o Major bugfixes:
    - Fix a big bug that was causing servers to not find themselves
      reachable if they changed IP addresses. Since only 0.1.1.22+
      servers can do reachability testing correctly, now we automatically
      make sure to test via one of these.
    - Fix to allow clients and mirrors to learn directory info from
      descriptor downloads that get cut off partway through.
    - Directory authorities had a bug in deciding if a newly published
      descriptor was novel enough to make everybody want a copy -- a few
      servers seem to be publishing new descriptors many times a minute.
  o Minor bugfixes:
    - Fix a rare bug that was causing some servers to complain about
      "closing wedged cpuworkers" and skip some circuit create requests.
    - Make the Exit flag in directory status documents actually work.


864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
Changes in version 0.1.1.21 - 2006-06-10
  o Crash and assert fixes from 0.1.1.20:
    - Fix a rare crash on Tor servers that have enabled hibernation.
    - Fix a seg fault on startup for Tor networks that use only one
      directory authority.
    - Fix an assert from a race condition that occurs on Tor servers
      while exiting, where various threads are trying to log that they're
      exiting, and delete the logs, at the same time.
    - Make our unit tests pass again on certain obscure platforms.

  o Other fixes:
    - Add support for building SUSE RPM packages.
    - Speed up initial bootstrapping for clients: if we are making our
      first ever connection to any entry guard, then don't mark it down
      right after that.
    - When only one Tor server in the network is labelled as a guard,
      and we've already picked him, we would cycle endlessly picking him
      again, being unhappy about it, etc. Now we specifically exclude
      current guards when picking a new guard.
    - Servers send create cells more reliably after the TLS connection
      is established: we were sometimes forgetting to send half of them
      when we had more than one pending.
    - If we get a create cell that asks us to extend somewhere, but the
      Tor server there doesn't match the expected digest, we now send
      a destroy cell back, rather than silently doing nothing.
    - Make options->RedirectExit work again.
    - Make cookie authentication for the controller work again.
    - Stop being picky about unusual characters in the arguments to
      mapaddress. It's none of our business.
    - Add a new config option "TestVia" that lets you specify preferred
      middle hops to use for test circuits. Perhaps this will let me
      debug the reachability problems better.

  o Log / documentation fixes:
    - If we're a server and some peer has a broken TLS certificate, don't
      log about it unless ProtocolWarnings is set, i.e., we want to hear
      about protocol violations by others.
    - Fix spelling of VirtualAddrNetwork in man page.
    - Add a better explanation at the top of the autogenerated torrc file
      about what happened to our old torrc.


906
Changes in version 0.1.1.20 - 2006-05-23
907
908
909
910
911
912
913
  o Bugfixes:
    - Downgrade a log severity where servers complain that they're
      invalid.
    - Avoid a compile warning on FreeBSD.
    - Remove string size limit on NEWDESC messages; solve bug 291.
    - Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon
      more thoroughly when we're running on windows.
914
915


916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
Changes in version 0.1.1.19-rc - 2006-05-03
  o Minor bugs:
    - Regenerate our local descriptor if it's dirty and we try to use
      it locally (e.g. if it changes during reachability detection).
    - If we setconf our ORPort to 0, we continued to listen on the
      old ORPort and receive connections.
    - Avoid a second warning about machine/limits.h on Debian
      GNU/kFreeBSD.
    - Be willing to add our own routerinfo into the routerlist.
      Now authorities will include themselves in their directories
      and network-statuses.
    - Stop trying to upload rendezvous descriptors to every
      directory authority: only try the v1 authorities.
    - Servers no longer complain when they think they're not
      registered with the directory authorities. There were too many
      false positives.
    - Backport dist-rpm changes so rpms can be built without errors.
933

934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
  o Features:
    - Implement an option, VirtualAddrMask, to set which addresses
      get handed out in response to mapaddress requests. This works
      around a bug in tsocks where 127.0.0.0/8 is never socksified.


Changes in version 0.1.1.18-rc - 2006-04-10
  o Major fixes:
    - Work harder to download live network-statuses from all the
      directory authorities we know about. Improve the threshold
      decision logic so we're more robust to edge cases.
    - When fetching rendezvous descriptors, we were willing to ask
      v2 authorities too, which would always return 404.

  o Minor fixes:
    - Stop listing down or invalid nodes in the v1 directory. This will
      reduce its bulk by about 1/3, and reduce load on directory
      mirrors.
    - When deciding whether a router is Fast or Guard-worthy, consider
      his advertised BandwidthRate and not just the BandwidthCapacity.
    - No longer ship INSTALL and README files -- they are useless now.
    - Force rpmbuild to behave and honor target_cpu.
956
    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
    - Start to include translated versions of the tor-doc-*.html
      files, along with the screenshots. Still needs more work.
    - Start sending back 512 and 451 errors if mapaddress fails,
      rather than not sending anything back at all.
    - When we fail to bind or listen on an incoming or outgoing
      socket, we should close it before failing. otherwise we just
      leak it. (thanks to weasel for finding.)
    - Allow "getinfo dir/status/foo" to work, as long as your DirPort
      is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
    - Make NoPublish (even though deprecated) work again.
    - Fix a minor security flaw where a versioning auth dirserver
      could list a recommended version many times in a row to make
      clients more convinced that it's recommended.
    - Fix crash bug if there are two unregistered servers running
      with the same nickname, one of them is down, and you ask for
      them by nickname in your EntryNodes or ExitNodes. Also, try
      to pick the one that's running rather than an arbitrary one.
    - Fix an infinite loop we could hit if we go offline for too long.
    - Complain when we hit WSAENOBUFS on recv() or write() too.
      Perhaps this will help us hunt the bug.
    - If you're not a versioning dirserver, don't put the string
      "client-versions \nserver-versions \n" in your network-status.
    - Lower the minimum required number of file descriptors to 1000,
      so we can have some overhead for Valgrind on Linux, where the
      default ulimit -n is 1024.
982

983
984
985
986
987
  o New features:
    - Add tor.dizum.com as the fifth authoritative directory server.
    - Add a new config option FetchUselessDescriptors, off by default,
      for when you plan to run "exitlist" on your client and you want
      to know about even the non-running descriptors.
988

989
990
991
992
993
994
995
996
997
998
999
1000

Changes in version 0.1.1.17-rc - 2006-03-28
  o Major fixes:
    - Clients and servers since 0.1.1.10-alpha have been expiring
      connections whenever they are idle for 5 minutes and they *do*
      have circuits on them. Oops. With this new version, clients will
      discard their previous entry guard choices and avoid choosing
      entry guards running these flawed versions.
    - Fix memory leak when uncompressing concatenated zlib streams. This
      was causing substantial leaks over time on Tor servers.
    - The v1 directory was including servers as much as 48 hours old,
      because that's how the new routerlist->routers works. Now only