The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-02-08T16:05:24Z
https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/148
Wrong domain of GitLab's mail server certificate
2024-02-08T16:05:24Z
Mynacol
Wrong domain of GitLab's mail server certificate
I wanted to reply to a GitLab issue by mail, but my mail server refused to send it, as the TLS certificate could not be verified. My mail server is configured to strictly verify the respective certificates.
The mail was headed to `[...]@gitlab.torproject.org`. My mail server queried the MX record of gitlab.torproject.org, but only got a CNAME response, which leads to gitlab-02.torproject.org that points to the right IP addresses. Now my mail server expected a TLS certificate for gitlab.torproject.org, but your postfix provided a certificate for gitlab-02.torproject.org, which my mail server regarded as invalid.
The easiest way to fix this is to add an MX record to gitlab.torproject.org pointing at gitlab-02.torproject.org. That could even help with mail deliverability.
Alternatively, you can provide a certificate for gitlab.torproject.org from your mail server just like on the website.
Maybe the test page on [internet.nl](https://internet.nl/mail/gitlab.torproject.org/1127446/) helps you too.
improve mail services
Jérôme Charaoui
lavamind@torproject.org
Jérôme Charaoui
lavamind@torproject.org
https://gitlab.torproject.org/tpo/applications/rbm/-/issues/40069
Make stdout and stderr utf8
2024-02-08T06:46:40Z
boklm
Make stdout and stderr utf8
It seems stdout and stderr are not in utf8, so commands such as `rbm/rbm showconf browser build --target torbrowser-windows-x86_64 --target nightly --target testbuild` in tor-browser-build will not show the character `©` (used in `projects/browser/windows-installer.nsi`) correctly when the terminal is in utf8.
/cc @PieroV
boklm
boklm
https://gitlab.torproject.org/tpo/team/-/issues/257
Find a third party consultant for privacy assessment
2024-02-07T15:31:41Z
Gaba
gaba@torproject.org
Find a third party consultant for privacy assessment
For the project "Sponsor 112" we need to "Conduct a privacy impact assessment of monitoring tools with an external party.". This assessment needs to start in July 2024. The first step is to find a consultant to run the assessment.
`O1.4: Conduct a privacy impact assessment of monitoring tools with an external party. In this activity, we will engage a third party to conduct a privacy impact assessment of the tools developed in this Objective. The goal of this assessment is to investigate whether or not these tools impact the privacy of relay operators and to ensure that these tools are working in the most rights preserving ways possible. Should issues be discovered in this assessment, we will take recommended action to remedy them. This assessment will include both public- and internal-facing components of these tools. We will make a redacted, summarized, and/or plain language version of this report public.`
Gaba
gaba@torproject.org
Gaba
gaba@torproject.org
2024-05-13
https://gitlab.torproject.org/tpo/core/arti/-/issues/1192
Pick a name for the subcomponents of an ArtiPathComponent
2024-02-07T14:48:50Z
gabi-250
Pick a name for the subcomponents of an ArtiPathComponent
#### Context
We need a name for the individual subcomponents (substrings) of non-leaf `ArtiPathComponent`s. These subcomponents (let's call them "slugs" for the purposes of this ticket) have the following properties:
* slugs can be concatenated to build file names
* when concatenating slugs, they should be separated using `/`, `+`, or `.`. The first slug should not be empty
* slugs should not be concatenated without separators (for security reasons)
* their charset is: lowercase ASCII alphanumerics and underscore. We may extend this to allow additional characters in the future, but `/`, `+`, and `.` (the slug separators) will never be valid slug characters
* they may be empty, but most (all?) of our use cases don't allow empty slugs
`HsNickname`s, non-leaf `ArtiPathComponent`s are slugs, as are the non-leaf components that make up `KeySpecifier`. The leaf component of an `ArtiPath` consists of one or more slugs, concatenated using `+` (for example, some keys have a `TimePeriod` slug)
#### Some possible names
Here are some possible names for the slugs described here:
* Slug
* PathElement
* FnameElement
* NameElement
* IdElt
* PathSlug
* IdStr
* FsId
* FnameId
* PathBlob
* PathSlug
* PathChunk
* Name
* Nick
* ...something else?
#### Platform-specific restrictions
On Windows, the following slugs are forbidden:
* con
* prn
* aux
* nul
* com1, com2, com3, com4, com5, com6, com7, com8, com9, com0
* lpt1, lpt2, lpt3, lpt4, lpt5, lpt6, lpt7, lpt8, lpt9, lpt0
Arti: Onion service support
https://gitlab.torproject.org/tpo/anti-censorship/bridge-port-scan/-/issues/7
Build process needs updating
2024-02-07T13:11:37Z
Kez
Build process needs updating
The web team's lektor site build process has changed a bit since this repo was last updated, and the repo no longer builds with the instructions provided (the build instructions seem a bit incomplete even without these build changes). So the build process needs to be updated, and more thoroughly documented.
https://gitlab.torproject.org/tpo/core/arti/-/issues/964
keymgr: Think about remove semantics
2024-02-06T13:12:04Z
gabi-250
keymgr: Think about remove semantics
How should `KeyMgr::remove` work? Does it remove the specified key a) from _all_ key stores, b) from the default keystore, c) from a _specific_ keystore? Prompted by https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1421#note_2923757
Arti: Onion service support
gabi-250
gabi-250
https://gitlab.torproject.org/tpo/community/relays/-/issues/66
2024-02-06T12:36:56Z
Georg Koppen
Get an overview of how we dealt with past suggestions for network-health/community improvements
It would be good to dig a bit into past suggestions for improvement made by relay operators and community members on how to improve the health of the operator community and the overall health of the Tor network and how we dealt with them. We could then come up with recommendations for improvement on that process which could guide our current work on establishing a (new and better) process.
Georg Koppen
Georg Koppen
https://gitlab.torproject.org/tpo/community/relays/-/issues/57
Document relay community governance processes
2024-02-06T12:34:59Z
Gaba
gaba@torproject.org
Document relay community governance processes
This is activity O2.4 for [sponsor 112](https://gitlab.torproject.org/groups/tpo/-/milestones/44#tab-issues):
Document relay community governance processes. In this activity, we will publish public-facing documentation on what enforcement mechanisms were considered, why the ones that were selected were chosen, and why the ones that were not implemented but were considered as possible candidates, were eventually rejected. The audience for these documents will be future technology projects that utilize the similar volunteer-run infrastructure and may be able to benefit from the insights Tor obtained during this process.
Georg Koppen
Georg Koppen
2024-03-04
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41010
Create a project to ship tor binaries in an Android-developer friendly way
2024-02-05T18:15:26Z
richard
Create a project to ship tor binaries in an Android-developer friendly way
`tor-onion-proxy-library` is going away, we need to set up the torrc and populate tor+PTs using the `tor-expert-bundle` project
Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40184
Create new Debian backports release 1.9.0
2024-02-05T09:03:05Z
juga
Create new Debian backports release 1.9.0
sbws: 1.9.x-final
juga
juga
https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40191
Debian package: solve systemd unit permissions when enabling apparmor
2024-02-05T08:25:05Z
juga
Debian package: solve systemd unit permissions when enabling apparmor
sbws: 1.9.x-final
juga
juga
https://gitlab.torproject.org/tpo/core/onionmasq/-/issues/81
Make the CI build the Docker images used for other CI tasks
2024-02-02T00:04:30Z
eta
Make the CI build the Docker images used for other CI tasks
https://gitlab.torproject.org/tpo/core/onionmasq/-/commit/4f410442a8baf3c0898ffe31520e7c8ee6708b4c switched the image used in CI to one I built locally on my machine. We should get the image to be built in CI instead, and run that regularly (for example, when the Renovate bot bumps the versions used).
https://gitlab.torproject.org/tpo/core/arti/-/issues/1262
Rethink descriptor publisher rate-limiting
2024-02-01T18:10:55Z
gabi-250
Rethink descriptor publisher rate-limiting
The following discussion from !1951 should be addressed:
- [ ] @Diziet started a [discussion](https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1951#note_2991914): (+1 comment)
> So, suppose it's 50s since we last uploaded. We reach this point and see that `duration_since_upload` is 50s, which is less than `UPLOAD_RATE_LIM_THRESHOLD` (60s).
>
> Then we call `start_rate_limit(60s)`. `start_rate_limit` calls `runtime.now()` and adds its argument, so scheduling a wakeup 60s from now.
>
> We will upload again 110s after the last upload. I think though, that we should do it 60s after.
>
> I think the root cause of this bug is the *storage* of a separate "we are rate limited" state in the reactor state, and using it to control the upload logic. Whether "we are rate limited" is really just "is the last upload more than `UPLOAD_RATE_LIM_THRESHOLD` ago" - ie, we could recalculate that on each loop iteration.
>
> In terms of `PublishStatus` (the status reporting output) I'm not sure "we are rate limited" is a particularly useful status to advertise. I think it's an entirely normal condition.
>
> Also we should perhaps randomise this?
>
> OTOH I don't think either of these questions are blockers for this MR. The code here is a lot nicer, so thanks :-).
Arti: Onion service support
gabi-250
gabi-250
https://gitlab.torproject.org/tpo/core/arti/-/issues/1222
Add central documentation for our filesystem layout
2024-02-01T15:43:34Z
Nick Mathewson
Add central documentation for our filesystem layout
Somewhere in doc/dev, we should document all the files that we create or look at.
This will include:
* `tor-keymgr` stuff, possibly by reference
* All state files
* All onion-service-related files
* All cache files
* All locks
* All configuration files
This should replace `crates/tor-hsservice/src/state_dir.md` (cc @diziet)
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42347
Add a banner warning users about the upcoming EOL for Win ≤8.1 and macOS ≤10.14
2024-02-01T14:39:44Z
Pier Angelo Vendrame
Add a banner warning users about the upcoming EOL for Win ≤8.1 and macOS ≤10.14
13.5 will be the last Windows version, Mozilla bumped the requirement to Windows 10.
We could add a warning to Windows 7 users somewhere, e.g., in about:tor.
We can check the version of the OS with `Services.sysinfo.getProperty("version")`. It's `10.0` in my Windows 10 VM, and `6.1` in my Windows 7 VM.
Maybe the first versions of Windows 10 also use 6.1, but if that's the case, they're unsupported too.
https://gitlab.torproject.org/tpo/core/arti/-/issues/1216
Improve descriptor publisher documentation
2024-02-01T13:08:27Z
gabi-250
Improve descriptor publisher documentation
Arti: Onion service support
gabi-250
gabi-250
https://gitlab.torproject.org/tpo/core/onionmasq/-/issues/21
Integrate IPtProxy for PT support
2024-02-01T12:07:48Z
micah
micah@torproject.org
Integrate IPtProxy for PT support
We expect that part of TorVPN need will be onionmasq being able to call IPtProxy for PT support, ideally onionmasq would start and stop IPtProxy as necessary and probably the communication would happen over SOCKS. This integration work in onionmasq will need to be done at the Rust level and use the FFI to interface.
Sponsor 101 - Tor VPN Client for Android
https://gitlab.torproject.org/tpo/core/tor/-/issues/40802
2024-01-31T23:49:46Z
Roger Dingledine
Dir auths say "Failed to find node for hop #2 of our path. Discarding this circuit." every second after boot until new consensus
Starting somewhere in Tor 0.4.7, every directory authority now prints thousands of lines of
```
Jun 01 14:51:33.790 [notice] Failed to find node for hop #2 of our path. Discarding this circuit.
```
on startup. It continues until the top of the hour when
```
Jun 01 14:59:59.942 [notice] Failed to find node for hop #2 of our path. Discarding this circuit.
Jun 01 15:00:00.017 [notice] Time to publish the consensus and discard old votes
Jun 01 15:00:00.162 [notice] Published ns consensus
Jun 01 15:00:00.315 [notice] Published microdesc consensus
```
https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/202
Update Updater UX to support System Installs on Windows
2024-01-31T18:36:03Z
richard
Update Updater UX to support System Installs on Windows
Mullvad Browser installed to `%PROGRAMFILES%` would need elevation to perform incremental updates. We have a few options here:
- Update the UX to notify users of when an update is available :disappointed:
  - this pathway *is* kind of needed for various Linux packages (flatpak, deb, rbm, etc)
- Enable the update pathway the default Firefox uses to get around this problem
  - Probably involves running some system service which can run with elevated privileges; Mullvad Browser doesn't care about disk leaks like Tor Browser does, so maybe this is fine
- Somehow *hand waving* enable the browser to self-elevate and update
/cc @pierov @ma1 @ruihildt @donuts
## Design estimate:
* Complexity:
* Uncertainty level:
* Total:
https://gitlab.torproject.org/tpo/community/l10n/-/issues/40119
Update torlauncher translation setup
2024-01-31T14:43:58Z
emmapeel
Update torlauncher translation setup
Torlauncher's setup needs to be updated. The repository is now https://gitlab.torproject.org/tpo/applications/torbrowser-launcher and we need to add it to weblate.
We also need to know if we still need these other tor-launcher branches: https://gitlab.torproject.org/tpo/translation/-/branches?state=all&sort=updated_asc&search=launcher and if not, move them to the attic.
emmapeel
emmapeel