The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-12-13T15:44:19Z

https://gitlab.torproject.org/tpo/network-health/tor-weather/-/issues/7
Do not track Valid flag
2023-12-13T15:44:19Z
Georg Koppen

The `Valid` flag is not much used nowadays. Let's just remove everything related to it in the codebase.

https://gitlab.torproject.org/tpo/core/arti/-/issues/211
Do we close connections at the right times?
2022-07-07T15:22:20Z
Nick Mathewson

Tor has a longstanding protocol issue where we don't support "half-open" connections: a stream isn't torn down unless it is actually closed, and shutdown(2) doesn't actually do anything.
But that aside, we may have issues in Arti where we don't close things at the right time. @trinity-1686a hit one of these in !90, and it seems that @eta might be hitting another while working on example code. I don't know whether the issues that they've hit are caused by the longstanding Tor protocol problem above, or whether they are a separate bug in Arti that we need to fix.
See also #190 for a possibly related issue.

https://gitlab.torproject.org/tpo/core/arti/-/issues/1158
Do we want an "enabled" option for onion services?
2023-12-12T20:08:05Z
Nick Mathewson

We had the idea of having an "enabled" option on each onion service so you could turn it off without having to remove it from the configuration.
I can add this without too much effort by making it another overlay item in the combined proxy configuration. But do we want to do this at all? We could just tell people to comment out onion services they don't want.

Ian Jackson iwj@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/docker-snowflake-proxy/-/issues/5
Docker build improvements (minor)
2021-12-14T03:55:03Z
guest42069

```docker
RUN git clone -b ${VERSION} --depth=1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git/
```
performing a shallow clone e.g. `git clone --depth=1 ...` reduces the amount of data downloaded from the git server, since we don't need all the git history and commits, just the last for the branch/tag.
```
$ git clone -b main https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git/ snowflake-git
$ git clone -b main --depth=1 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git/ snowflake-git-shallow
$ du -h -s snowflake-git snowflake-git-shallow
3.4M snowflake-git
1.1M snowflake-git-shallow
```
not a *huge* improvement in this case, but as the git history grows so will the overhead improvement.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40537
docker cannot start containers after reboots
2021-12-06T21:35:02Z
Jim Newsome

We occasionally see errors like this: https://gitlab.torproject.org/jnewsome/sponsor-61-sims/-/jobs/64984
According to @anarcat, a little while after rebooting these machines, the kernel enters lockdown and will no longer load new modules. If Docker hasn't been used before then, when the runner tries to use it, some kernel modules it needs can't be loaded.
Presumably the right solution here is to add something to the machines' startup scripts such that these modules are loaded eagerly at startup

Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/29
Docker installation stopped working 4 days ago (after reboot)
2024-03-11T17:42:37Z
zfgwsi7x

My docker setup stopped working and I can no longer connect to the webtunnel:
Debian 12 6.1.0-13-cloud-amd64
Firewall (also opened on the cloud provider's firewall)
```sh
$ sudo ufw status
80/tcp ALLOW Anywhere
443 ALLOW Anywhere
<SSH> ALLOW Anywhere
80/tcp (v6) ALLOW Anywhere (v6)
443 (v6) ALLOW Anywhere (v6)
<SSH> (v6) ALLOW Anywhere (v6)
```
Docker processes
```sh
$ sudo docker ps
ID IMAGE COMMAND CREATED STATUS PORTS NAMES
<ID> containrrr/watchtower:latest "/watchtower" 4 weeks ago Up 20 hours (healthy) 8080/tcp debian-watchtower-1
<ID> thetorproject/webtunnel-bridge:latest "/usr/local/bin/star…" 3 months ago Up 20 hours 127.0.0.1:15000->15000/tcp, 0.0.0.0:<ORPORT>-><ORPORT>/tcp, :::<ORPORT>-><ORPORT>/tcp webtunnelBridge
[debian@jep
```
Logs (these lines keep repeating thousands of times)
```sh
$ sudo docker logs webtunnelBridge
Dec 11 17:27:22.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <IP>:<ORPORT>. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Dec 11 17:27:22.000 [notice] Unable to find IPv6 address for ORPort <ORPORT>. You might want to specify IPv4Only to it or set an explicit address or set Address. [59 similar message(s) suppressed in last 3540 seconds]
Dec 11 17:47:22.000 [warn] Your server has not managed to confirm reachability for its ORPort(s) at <IP>:<ORPORT>. Relays do not publish descriptors until their ORPort and DirPort are reachable. Please check your firewalls, ports, address, /etc/hosts file, etc.
Dec 11 18:27:22.000 [notice] Unable to find IPv6 address for ORPort <ORPORT>. You might want to specify IPv4Only to it or set an explicit address or set Address. [60 similar message(s) suppressed in last 3540 seconds]
Dec 11 18:43:24.000 [notice] No circuits are opened. Relaxed timeout for circuit 738 (a Testing circuit 3-hop circuit in state doing handshakes with channel state open) to 60000ms. However, it appears the circuit has timed out anyway. [19 similar message(s) suppressed in last 8520 seconds]
```
My setup steps:
1. Secure Debian server as usual
2. Follow the docs: https://community.torproject.org/relay/setup/webtunnel/ (choose docker installation)
3. Get bridge address and connect with tor-browser alpha (`sudo docker compose exec webtunnel-bridge get-bridge-line.sh`)
Tor Browser Alpha logs
```sh
2023-12-11 20:00:59.141 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
2023-12-11 20:00:59.156 [NOTICE] Opening Socks listener on 127.0.0.1:9150
2023-12-11 20:00:59.156 [NOTICE] Opened Socks listener connection (ready) on 127.0.0.1:9150
2023-12-11 20:01:00.140 [NOTICE] Bootstrapped 1% (conn_pt): Connecting to pluggable transport
2023-12-11 20:01:00.141 [NOTICE] Bootstrapped 2% (conn_done_pt): Connected to pluggable transport
2023-12-11 20:01:00.226 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID>
2023-12-11 20:01:00.229 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID> ("general SOCKS server failure")
2023-12-11 20:01:06.262 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID> ("general SOCKS server failure")
2023-12-11 20:01:06.271 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID> ("general SOCKS server failure")
2023-12-11 20:01:06.776 [NOTICE] Application request when we haven't used client functionality lately. Optimistically trying known bridges again.
2023-12-11 20:01:30.981 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID> ("general SOCKS server failure")
2023-12-11 20:01:31.000 [WARN] Proxy Client: unable to connect OR connection (handshaking (proxy)) with <IPV6>:443 ID=<none> RSA_ID=<RSA_ID> ("general SOCKS server failure")
```

shelikhoo

https://gitlab.torproject.org/tpo/network-health/metrics/onionoo/-/issues/40020
Document current data models for onionoo data
2022-02-11T18:23:01Z
Hiro

Currently we have some issues related to our underlying data model in onionoo (Ex: https://gitlab.torproject.org/tpo/network-health/metrics/onionoo/-/issues/40018). We should document the dependencies between the raw descriptors data, our processing pipeline, and our current data models as expressed in onionoo APIs.

Metrics OKR Q1 - Q2 2022

https://gitlab.torproject.org/tpo/network-health/metrics/onionoo/-/issues/40021
Document current model for tor nodes history and status and define future implementation for the metrics pipeline
2022-03-28T14:59:06Z
Hiro

We want to be able to track tor nodes behavior beyond their current status to understand some patterns of their life on the Tor network.

Metrics OKR Q1 - Q2 2022

https://gitlab.torproject.org/tpo/core/tor/-/issues/40901
Document for the Relay Operator community how to debug relays that are slower than what the operator expects
2023-12-19T07:53:56Z
Alexander Færøy ahf@torproject.org

This idea originates from a conversation between @beth, @gk and I on #tor-dev today.
We often release new features of C Tor to the relay operators that cause discussions/conversations around whether Tor has gotten faster/slower/uses (more|less) memory/crashes (more|less) often/etc. Many of these items are hard to give a definitive "yes, the cause of this is X" and it's very time consuming for the Network Team to debug each item individually with the operator.
It would be very useful to have a document in place that informs relay operators about the different situations that may impact performance and how they can get some performance measurements they can then compare to and see if our performance has truly regressed. This can also be used to push MetricsPort to more operators.
We can expand upon the document over time as we discover new ways to do this analysis and/or from feedback from the relay operator community.
This is related to:
- https://lists.torproject.org/pipermail/tor-relays/2023-December/021409.html
- https://lists.torproject.org/pipermail/tor-relays/2023-December/021407.html
This may be relevant to Arti Relay too.
CC @mikeperry for awareness.

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/31
document gitlab user creation, project adhesion and permission policies
2020-10-20T15:42:39Z
Gaba gaba@torproject.org

We need
* clear criteria on adding a user to a project
* clear criteria on which role/permissions to give users added to a project

Gaba gaba@torproject.org

https://gitlab.torproject.org/tpo/community/l10n-for-markdown/-/issues/1
Document how to integrate with the translation repository
2024-01-24T21:11:33Z
Silvio Rhatto

Document how this project can be used in an integrated workflow with the [translations repository](https://gitlab.torproject.org/tpo/translation), in accordance with the [Localization for developers](https://gitlab.torproject.org/tpo/community/l10n/-/wikis/Localization-for-developers) document.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40979
document our fastly/CDN setup
2022-11-30T19:55:45Z
anarcat

so we have a CDN we use here, and it's not really documented. we have fairly good docs on the ~"static-component" system, but nothing on ~Fastly. we didn't even have a tag for it until #40978 was filed (and i made it).
so we should document:
* [ ] what we use fastly for
* [ ] how it's configured (e.g. `cdn-config-fastly.git`, `./tor-puppet/modules/roles/files/puppetmaster/update-fastly-ips`, static-component yaml file, probably more)
* [ ] what talks to it and why not everything is on there
* [ ] what our limits are
* [ ] contact information
* [ ] password management
basically make a full service audit.

anarcat

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/40002
Document publishing updated PGP Signing Key process
2022-03-25T09:05:16Z
Matthew Finkel

Begin documenting.

https://gitlab.torproject.org/tpo/community/relays/-/issues/57
Document relay community governance processes
2024-02-06T12:34:59Z
Gaba gaba@torproject.org

This is activity O2.4 for [sponsor 112](https://gitlab.torproject.org/groups/tpo/-/milestones/44#tab-issues):
Document relay community governance processes. In this activity, we will publish public-facing documentation on what enforcement mechanisms were considered, why the ones that were selected were chosen, and why the ones that were not implemented but were considered as possible candidates, were eventually rejected. The audience for these documents will be future technology projects that utilize the similar volunteer-run infrastructure and may be able to benefit from the insights Tor obtained during this process.

Georg Koppen
2024-03-04

https://gitlab.torproject.org/tpo/web/team/-/issues/6
Document the process to edit and test the CSS in lektor websites
2021-09-08T19:50:35Z
emmapeel

We need a clear set of instructions for contributors to be able to help with CSS problems.
Maybe we should add them to the wiki at https://gitlab.torproject.org/tpo/web/wiki
```
22:18 < rotationmatrix> If I recall correctly, you'll need the sass compiler installed and then you should be able to
compile with:
22:18 < rotationmatrix> $ sass lego/assets/scss:lego/assets/static/css
22:18 < rotationmatrix> from the root of the project
22:19 < rotationmatrix> https://sass-lang.com/install
```

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/webtunnel/-/issues/20
Documentation about server file
2023-10-25T15:46:06Z
Jacobo Nájera

I am trying to install a webtunnel server. I do not understand the following instruction in the documentation:
### Get Environment Ready
```
#copy server file to server
scp server root@$SERVER_ADDRESS:/var/lib/torwebtunnel/webtunnel
```
Where is the server file? When I tried it:
ssh: connect to host ip port 22: Connection timed out
lost connection
Thanks, Jacobo

shelikhoo

https://gitlab.torproject.org/tpo/core/arti/-/issues/1017
Documentation for `BridgesConfigBuilder` (and likely other autogenerated builder accessors) is confusing in the presence of #[cfg]
2023-08-28T12:46:43Z
eta

The `bridges()` (and friends) accessors on `BridgesConfigBuilder` are only compiled in [when feature `bridge-client` is enabled](https://gitlab.torproject.org/eta/arti/-/blob/exit-selection-draft/crates/arti-client/src/config.rs#L431).
But, because they're autogenerated using a macro, docs.rs [does not display any conditional compilation/features warning](https://docs.rs/arti-client/0.10.0/arti_client/config/struct.BridgesConfigBuilder.html), and trying to use the feature just results in the minorly infuriating error message
```
error[E0599]: no method named `bridges` found for mutable reference `&mut BridgesConfigBuilder` in the current scope
--> crates/onionmasq-mobile/src/lib.rs:200:38
|
200 | config.bridges().bridges().push(bcb);
| ^^^^^^^ private field, not a method
For more information about this error, try `rustc --explain E0599`.
```
This seems like an oversight.

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/170
Does Mullvad Browser actually need a custom $HOME on Linux?
2024-03-05T17:02:13Z
Pier Angelo Vendrame

Our `start-$name-browser` script customizes the home directory path.
I think it might not be very good from a UX point of view for MB users (maybe we could stop that for TB, too).
Also, it could be something to fix for the system-wide install.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/40012
Domain fronting requests don't work on some older Android versions
2024-03-12T00:09:26Z
Pier Angelo Vendrame

Tor Browser for Android supports old versions of Android (API21, i.e., Android Lollipop).
While 13.5a3 doesn't work there because I used some NIO API that requires API26+, I've opened a MR to fix this (tpo/applications/tor-browser!894).
While checking if things worked, I noticed that domain fronting requests don't (I don't get the special countries list).
As written in that MR, I tried to enable logging (I added `"-enableLogging", "-logLevel", "DEBUG", "-unsafeLogging"` as arguments), but I could get only these messages:
```
2024/01/22 10:20:23 [NOTICE]: obfs4proxy-0.0.14 - launched
2024/01/22 10:20:23 [INFO]: libObfs4proxy.so - initializing client transport listeners
2024/01/22 10:20:23 [INFO]: meek_lite - registered listener: 127.0.0.1:55852
2024/01/22 10:20:23 [INFO]: libObfs4proxy.so - accepting connections
2024/01/22 10:20:23 [WARN]: meek_lite(bridges.torproject.org:443) - closed connection: readfrom tcp 127.0.0.1:55852->127.0.0.1:48836: io: read/write on closed pipe
```
I think there might be some problems with some HTTPS certificate (at least letsencrypt had this problem a few years ago, indeed cohosh mentioned snowflake#40087. Fastly isn't using letsencrypt, but maybe they have a similar problem).
I can open bridges.torproject.org both in TBA and in the system browser, but I can't open https://moat.torproject.org.global.prod.fastly.net/ because it has a wrong certificate.
I don't think I'm using the latest version of Lyrebird, because in the last one the log file should be called lyrebird.log (I submitted a patch for that, unless I missed the log filename), but I can try to build one from a nightly build.

Cecylia Bocovich

https://gitlab.torproject.org/tpo/web/donate-static/-/issues/74
don't advertise a single bitcoin address
2022-07-19T15:18:21Z
anarcat

Right now we advertise a single Bitcoin address on the [donate page](https://donate.torproject.org/cryptocurrency/):
![image](/uploads/8c830a5f4a6ce5c9126229162f182523/image.png)
(well, technically, there's many: one per altcoin, but it's always the same, per alt coin.)
Because of this, we can tell how much money was paid to that address. For example, looking at that page:
https://www.blockchain.com/btc/address/bc1qtt04zfgjxg7lpqhk9vk8hnmnwf88ucwww5arsd
... we can tell that account received 10.87363514BTC ($457,737.41), and has a current balance of 0.00025257 BTC ($10.64).
I don't think we want those numbers to be *that* public. Maybe we don't care, because those end up in our annual reports anyways. But I think there are other, more serious issues at play here. Take the last transaction for example:
https://www.blockchain.com/btc/tx/e99d13972e0ee51575222e09f86aceeb2cd868951cc676e60ef683cffc765b56
"At the time of this transaction, 0.00653778 BTC was sent with a value of $278.10. The current value of this transaction is now $275.38."
So someone sent us $300, great! (You should also appreciate how the actual value of that transfer fluctuated in the *one* hour since it was made, but that's not the point.)
That was paid from this wallet:
https://www.blockchain.com/btc/address/bc1q8zrxl2lk66llzrhduqjg7qkpwlxjcyhr9em7yn
That is an ... interesting wallet:
> This address has transacted 12,052 times on the Bitcoin blockchain. It has received a total of 92,529.64257253 BTC ($3,898,153,553.05) and has sent a total of 91,069.01833338 BTC ($3,836,619,352.66). The current value of this address is 1,460.62423915 BTC ($61,534,200.38).
You read that right: that wallet currently holds more than a THOUSAND bitcoin, for a value of more than sixty million dollars!
If I was that person, the last thing I'd want is someone being able to tell who I'm transferring money to and why.
And this is just scratching the surface. There's much more things we can do from here: people have been able to deanonymize transactions and wallets like this pretty effectively by doing all sorts of tricks, which I'm less familiar with.
The blockchain is public, that's the whole thing here. I understand that. But we don't *have* to deanonymize people that way: we can (and should) generate bitcoin addresses on the fly. This is what BTCpayserver does, and I don't quite get why we have those addresses there.
It seems like a huge honeypot to me.