The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-01-17T20:23:21Z

https://gitlab.torproject.org/tpo/core/arti/-/issues/1139
Create fs-mistrust wrapper for WalkDir
2024-01-17T20:23:21Z
gabi-250

We need an `fs-mistrust`-based alternative to [`WalkDir`](https://crates.io/crates/walkdir).
This is a follow-up from !1769 (see [discussion](https://gitlab.torproject.org/tpo/core/arti/-/merge_requests/1769#note_2970121))

Nick Mathewson

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42307
Consider adjusting Nightly app icon color for a11y
2024-01-29T19:18:54Z
Thorin

I used https://www.color-blindness.com/coblis-color-blindness-simulator/ cc @donuts to triage
![colors](/uploads/9a40f550015248dda2a429d6ad58843e/colors.png)

nicob

https://gitlab.torproject.org/tpo/core/arti/-/issues/1138
Shall we start setting the Host header in our HTTP requests?
2023-11-27T14:46:20Z
Nick Mathewson

We only claim to be speaking HTTP 1.0, so we aren't strictly required to set the Host header. (The Host header became mandatory in HTTP 1.1.) Nonetheless, C tor sets the Host header unconditionally; it may be that we want to do so as well.
See #1024 for a little discussion.

https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser/-/issues/62
Add `dirauth_nickname` as label in Victoria Metrics
2024-01-16T13:49:10Z
juga

to be able to filter by bwauth, in a similar way we can filter by `fingeprint` and `node`. This needs #61

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42300
Do not store logs inside TorProvider
2023-12-21T09:04:03Z
Pier Angelo Vendrame

Dropping the entire `TorProvider` in case of failure has some advantages, but also a big disadvantage: logs are stored in the `TorProvider` object.
When we drop it we also drop logs.
If Tor died for an actual bug/problem, we remove the way of knowing that.
So, we shouldn't store the logs in the provider, but store them elsewhere.
/related #41921

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41412
fail2ban ineffective on submit-01
2023-11-22T18:01:51Z
anarcat

We're seeing repeated failed authentication attempts in the postfix logs and they do not seem to get picked up by fail2ban, investigate.

https://gitlab.torproject.org/tpo/core/torspec/-/issues/242
Followups from cert-spec revision
2023-11-22T17:32:35Z
Nick Mathewson

While reviewing !221, @Diziet made a bunch of good suggestions. I should implement them _after_ !226 (which is based on !221) also goes in, to avoid conflicts.

Nick Mathewson

https://gitlab.torproject.org/tpo/core/onionmasq/-/issues/81
Make the CI build the Docker images used for other CI tasks
2024-02-02T00:04:30Z
eta

https://gitlab.torproject.org/tpo/core/onionmasq/-/commit/4f410442a8baf3c0898ffe31520e7c8ee6708b4c switched the image used in CI to one I built locally on my machine. We should get the image to be built in CI instead, and run that regularly (for example, when the Renovate bot bumps the versions used).

https://gitlab.torproject.org/tpo/ux/design/-/issues/63
Develop a workflow to use Firefox's libraries
2023-12-08T21:18:55Z
donuts

Mozilla have generously provided us with guest access to their Figma libraries for Firefox. Since they're on a separate team from us, it doesn't look like we can "add" these libraries to our files in the same manner we can with internal libraries.
We can export each library as a .fig, and re-import it into our Figma team, however I think Figma will drop the associations between each file in the process (e.g. color styles from the Styles file that get reused in design files). Alternatively, we can copy/paste individual components across where needed.
With both approaches, we'd lose updates from the canonical libraries on Mozilla's end in the process too.

https://gitlab.torproject.org/tpo/ux/design/-/issues/61
Draw new illustration set
2024-03-27T14:34:40Z
donuts

During the hackweek, @nicob worked on a prototype for a new illustration style:
![new-illustration-style](/uploads/5e7358be99ff09fcd647a6389eacbf25/new-illustration-style.png)
And it looks great!
The next steps are to:
0. Maybe document the basic rules for the style? I attempted to describe it here: [Figma / design-dot / Pages](https://www.figma.com/file/nIpahk0b9VMaeEnubiO33g/design-dot?type=design&node-id=291%3A10068&mode=design&t=fHze76LK0jCQsL6Y-1)
1. Create and agree on a list of themes to illustrate for the base set
2. Draw the illustrations!

design-dot MVP
nicob
2024-03-28

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41410
monitor GitLab's incoming email processing
2023-11-21T21:39:07Z
anarcat

In #41409, incoming email stopped being processed by GitLab. No alarm was raised, and only because @boklm noticed did we even know we need to do something.
We should monitor the number of mails in /srv/mail/git@gitlab.torproject.org/Maildir/. If it's above zero for, say, two minutes, a flag should be raised. We should also check the age of that mailbox so that it's not older than, say, a week or so, to confirm that email is coming in as well, although this is a poor replacement for end-to-end testing...

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42290
"DuckDuckGoOnion" is a weird naming format for onion search engines
2024-03-01T23:19:31Z
donuts

At some point, we seem to have adopted this naming convention for default search engine options provided over onions in Tor Browser.
For example, on desktop we have:
- DuckDuckGoOnion
- BlockchairOnion
and on Android:
- DuckDuckGoOnion
Our naming conventions for onion sites can be inconsistent at best, but I think "DuckDuckGo onion" would be an improvement, and "DuckDuckGo onion site" seems like the most official way to describe an onion search engine (see [Glossary / onion site](https://support.torproject.org/glossary/#onion-site)).

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42289
13.5 FP list [part 1: the easy stuff]
2024-02-27T15:03:37Z
Thorin

details to follow
cc: @pierov @richard @cypherpunks1

https://gitlab.torproject.org/tpo/core/arti/-/issues/1133
Clean up references to DOS_PARAMS to match spec.
2023-11-16T16:49:06Z
Nick Mathewson

See discussion at arti!1740.
Once the torspec cleanups in torspec!229 are merged, and all the relevant parts of the `DOS_PARAMS` description have nice anchors and clean text, we should change our documentation to quote the spec rather than paraphrase it (as appropriate).

Arti: Onion service support
Nick Mathewson

https://gitlab.torproject.org/tpo/core/arti/-/issues/1120
Increase descriptor publisher test coverage
2024-01-09T17:29:43Z
gabi-250

Arti: Onion service support
gabi-250

https://gitlab.torproject.org/tpo/core/arti/-/issues/1118
Warn about unrecognized keys
2024-01-09T17:29:21Z
gabi-250

`ArtiNativeKeystore::list()` currently silently ignores any unrecognized keys. We might want to warn about them instead.

Arti: Onion service support
gabi-250

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41019
Sign dmg files
2024-01-09T14:56:01Z
boklm

We are currently signing the content of dmg files, but not the dmg file
itself.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42279
Investigate UX impact of removing window titles
2024-02-27T19:07:30Z
Jag Talon

Investigate UX issue of removing window titles in Tor for GNOME and KDE and possibly Windows.
Background: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41988
## Design estimate:
* Complexity: medium (3 days)
* Create an option in `about:preferences#privacy` that toggles the titles from being shown on the window.
* Decide if the option should be enabled by default. [Preliminary findings show that it will have minimal impact to usability](https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41988#note_2971226), but perhaps more research and discussion is warranted.
* Create copy for help pages.
* Uncertainty level: moderate (1.5)
* This is a small, but far reaching change especially when releasing to multiple platforms. I imagine there's some uncertainty in this task.
* Total: 3-4.5 days

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42278
The browser is playing media notification has Firefox branding
2024-01-09T13:50:46Z
Pier Angelo Vendrame

Spotted on my Ubuntu Mate VM, Tor Browser alpha 13.5a1:
![Screenshot_from_2023-11-15_08-44-31](/uploads/9af3c15cb22e9ac71d2bb2c7c6546f01/Screenshot_from_2023-11-15_08-44-31.png)
I haven't checked other OS, they might have the same problem.

https://gitlab.torproject.org/tpo/web/support/-/issues/355
Please add a FAQ to explain users that disabling RFP is very bad
2023-11-23T15:32:50Z
Pier Angelo Vendrame

Starting with Tor Browser 13.0, we decided to lock `privacy.resistFingerprinting`.
RFP is a very important setting.
Disabling RFP makes you easily fingerprintable in a lot of ways, including hardware!
Generally speaking, Mozilla is well aware of these fingerprinting vectors and continuously add even more.
At the moment, the protection isn't granular, it's all or nothing (and I'm not saying it's bad - quite the opposite - it's the same philosophy of Tor Browser: normalize everything).
Also, when we send patches to Mozilla, we often gate them behind RFP.
Setting RFP to false is like telling that you don't want a bunch of our patches.
RFP has usability issues (e.g., it constantly resets the zoom level, which can be a big accessibility problem).
We're aware of that and it's in our roadmap.
We've received some feedback against our decision after the release, and we still get from time to time.
I think we could have a FAQ about this.

ebanam (ebanam@torproject.org)