The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-03-07T18:13:49Z

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40252
Standalone proxy probetest Wiki inconsistency and implementation details
2023-03-07T18:13:49Z
itchyonion

1. Our [Wiki](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/NAT-matching#determining-nat-behaviour) states that:
> We determine the NAT behaviour of clients by using the tricks in [RFC 5780](https://tools.ietf.org/html/rfc5780) ... For standalone proxies written in Go, we use the same method.
Which is not true since we switched to probetest https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/commit/00f8f85f412878c2066fcb5d3f4739e50912a925
Cecylia linked the issue for the change: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40013. I will update the Wiki.
2. Right now we are [logging the SDP offer](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/proxy/lib/snowflake.go#L676) used for probetest, which might be misleading because before looking into this in detail I always thought we were logging the SDP candidates used for WebRTC connection. Does this help the user in any way or is simply logging the resultant NAT type enough? Some options to consider:
- keep the same logging, but make it extra clear that this is only used for probetest, not peer connection
- log SDP candidates for WebRTC. I think this would be helpful for debugging, but could produce much more logs
- log both
- [x] Update Wiki with reason to use probetest
- [x] Research on whether we should respect proxy options in probetest
- [x] Decide what to log

itchyonion

https://gitlab.torproject.org/tpo/web/community/-/issues/305
Update relay docs to the new possible amount of relays per IP
2023-02-21T15:49:19Z
Gus

Relay operator docs should reflect the new limit of possible amount of relays per IP (2 -> 4):
```
Hello everyone!
You might recall that Tor is restricting the possible amount of Tor
relays per IP address to 2, mainly for Sybil prevention reasons.[1]
Given that Tor on the relay side at least is not multithreaded yet (and
will likely not be for the near and medium future) that's wasting a lot
of useful resources as many servers can easily handle more than 2
relays. Additionally, IPv4 addresses are scarce/expensive.
I have good news for you, though. Thanks to a push by our relay operator
community we raised that limit to 4 with the help of the directory
authorities (by having set `AuthDirMaxServersPerAddr 4` on a majority of
them) and, depending on how that experiment goes, consider raising it
even to 8.
Thus from now one should be able to run 4 relays per IP address. We are
looking very much forward to seeing a bunch of additional relays
entering the network and making it stronger. :)
For more details, information and discussion see: tor#40744.[2]
Thanks,
Georg
https://lists.torproject.org/pipermail/tor-relays/2023-February/020999.html
```

Gus

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/142
Ensure deployment instructions and install example include the steps for a non root user
2023-09-21T10:34:49Z
juga

After meskio has explained to me how things are deployed, we should facilitate the deployment for a non root user at https://gitlab.torproject.org/tpo/tpa/team/-/issues/41046.

juga

https://gitlab.torproject.org/tpo/web/support/-/issues/322
Update FAQ entry "Are there any paid versions of Tor Browser?"
2023-06-23T14:57:09Z
championquizzer (championquizzer@torproject.org)

A lot of users have been reporting to the donations@/giving@ queues for refunds towards fraudulent and fake Tor apps downloaded from the app stores.
As suggested in https://gitlab.torproject.org/tpo/community/support/-/issues/40108#note_2876211, let's add a line about this.

championquizzer (championquizzer@torproject.org)

https://gitlab.torproject.org/tpo/web/manual/-/issues/140
Add info about the WhatsApp support channel to the Manual
2023-02-09T14:34:45Z
championquizzer (championquizzer@torproject.org)

Add a section for WhatsApp to https://tb-manual.torproject.org/support/

championquizzer (championquizzer@torproject.org)

https://gitlab.torproject.org/tpo/web/manual/-/issues/139
Remove upload bug on Tor Browser for Android from Known issues
2023-02-23T12:25:34Z
championquizzer (championquizzer@torproject.org)

As https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40283 is now fixed, we should remove it from the 'Known issues' section in Mobile Tor: https://tb-manual.torproject.org/mobile-tor/#known-issues

championquizzer (championquizzer@torproject.org)

https://gitlab.torproject.org/tpo/network-health/team/-/issues/286
Create repository for our Grafana MetricsPort template
2024-03-27T09:40:08Z
Georg Koppen

We have a `MetricsPort`-related template for our Grafana dashboard.
It might benefit the community from having that template in a dashboards project in Gitlab so we can easily track changes in it. And maybe we want to add other dashboards as well making them available to the wider public.

Georg Koppen

https://gitlab.torproject.org/tpo/web/support/-/issues/320
Add an FAQ like "anybody can run a relay, including NSA/governments/big data companies/etc. Isn't this bad?"
2023-11-07T13:31:21Z
Pier Angelo Vendrame

We often receive that question in several places, like #tor-project, but also on Reddit and other places.
We should add an official FAQ to definitely answer that question, so that we can just link it whenever we are asked again.
The old site had https://2019.www.torproject.org/docs/faq#CanExitNodesEavesdrop.

ebanam (ebanam@torproject.org)

https://gitlab.torproject.org/tpo/network-health/tor-weather/-/issues/19
Explain requirements for variables in settings.py
2023-02-02T04:39:52Z
Georg Koppen

We have some variables needed in src/settings.py that are pretty straightforward to deal with (like `SMTP_PORT`) but others need some comment/explanation so folks know what they are supposed to do. Two examples that come to mind right now:
1. We should mention that the onionoo job interval specified is in *minutes*.
2. We should give some hint as to whether there are some needs for the `JWT_SECRET`. Could it just be "test1234" or some other text or does it need to be formatted particularly or...?
Apart from those two we might want to think whether other variables would benefit from a comment having in mind someone needing to set this app up who might not know all of the nitty-gritty details involved in it.

https://gitlab.torproject.org/tpo/network-health/tor-weather/-/issues/16
Update README with section for dependency update procedure
2023-12-13T16:00:24Z
Georg Koppen

In case we need to update some of our dependencies e.g. due to a security fix it would be nice to have a section in our README detailing how to do that so that our prod deployment is affected as little as possible and someone who has to do that job has a step-by-step recipe.

https://gitlab.torproject.org/tpo/network-health/onbasca/-/issues/134
Add documentation on how to build documentation, run tests and add example configurations
2023-12-11T09:55:56Z
juga

https://gitlab.torproject.org/tpo/web/manual/-/issues/138
Update GetTor instructions
2023-01-12T21:01:16Z
championquizzer (championquizzer@torproject.org)

Since Tor Browser 12 we have single multi-locale builds and users, while downloading from the GetTor service either via email or Telegram distributors, don't need to specify the locale.
The instructions on https://tb-manual.torproject.org/downloading/ should reflect this update.

championquizzer (championquizzer@torproject.org)

https://gitlab.torproject.org/tpo/web/community/-/issues/303
Add NAT/firewall setup instructions for Snowflake
2023-05-11T18:26:19Z
WofWca (wofwca@protonmail.com)

https://gitlab.torproject.org/tpo/web/community/-/tree/main/content/relay/setup/snowflake
Need to add instructions for how to set up the machine for it to have an "unrestricted NAT".
Typical firewall settings appear to result in a ["restricted NAT"](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/7db2568448fed6d883b33db11e3a497c69f1748f/broker/broker.go#L125), even if the machine has a dedicated IP (no NAT) (see [this forum post](https://forum.torproject.net/t/firewall-needs-settings-for-running-standalone-snowflake-proxy/4314/2?u=wofwca), for example), while an unrestricted one is more desirable. (Although I might be wrong, since [the metrics](https://snowflake-broker.torproject.net/metrics) say that there are ~2000 unrestricted proxies?) We [already have instructions](https://gitlab.torproject.org/tpo/web/community/-/blob/abea7a2c54a959136dc573489bfd3b24dd399703/content/relay/setup/post-install/contents.lr#L9) for regular Tor relays, but WebRTC (ICE) is a different kind of beast.
Need to consider both the NATed (say, behind a router), and the dedicated IP cases.
In case there's no NAT, simply allowing all incoming connections to the entire [allowed port range](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/7db2568448fed6d883b33db11e3a497c69f1748f/proxy/main.go#L35) should solve the problem, allowing the use of [`host` ICE candidates](https://webrtcforthecurious.com/docs/03-connecting/#host), but it compromises security, because another app may get assigned an ephemeral port from that range. So I thought maybe there is a way to disable [filtering](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/NAT-matching#nat-filtering-behaviour) for the Snowflake process specifically. Or maybe use a non-ephemeral port range so that other apps can't randomly get a port from that range (but this may affect censorship-resistance). Or maybe there is a way to have one dedicated port for Snowflake (is [`SetICEUDPMux`](https://pkg.go.dev/github.com/pion/webrtc/v3#SettingEngine.SetICEUDPMux) it?) which can be opened up, with fallback to ephemeral ports in case the client's censor blocks that one.
There may be better mechanisms that I'm just not aware of since I'm not that good at networking (in both meanings of the word XD).
Related:
* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40092
* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/57
* https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40235

https://gitlab.torproject.org/tpo/community/l10n/-/issues/40107
Broken link in the Wiki
2023-02-02T15:31:30Z
David Figuera (dfb@mm.st)

At https://gitlab.torproject.org/tpo/community/l10n/-/wikis/Localization-for-reviewers there's a link to https://tpo.pages.torproject.net/community/l10n/ which results in NXDOMAIN in DNS.

emmapeel

https://gitlab.torproject.org/tpo/community/relays/-/issues/59
Add instructions for relay tuning
2023-02-01T20:34:50Z
Georg Koppen

We have a bunch of instructions about what to do in case of [overload](https://support.torproject.org/relay-operators/#relay-operators_relay-bridge-overloaded) but we lack a somewhat related set of tips and tricks to tune relays (e.g. conntrack table adjustments), in particular as that might help with fending off attacks in the future.
There got tweaks collected [previously](https://torservers.net/exit-relay-setup/#high-bandwidth-tweaks-100-mbps) and some might still be buried on random Trac tickets...
/cc @micah

https://gitlab.torproject.org/tpo/web/manual/-/issues/137
Add section about crypto warning popup
2022-12-17T15:19:26Z
donuts

See https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41363 for the most recent work happening on this component, and https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40899#note_2863965 for discussion about the support URL.
tl;dr we have a `Learn more` link in the wingpanel that currently points to support-dot, which presumably was a temporary measure until dedicated content could be created.

https://gitlab.torproject.org/tpo/core/arti/-/issues/706
Missing documentation concerning Bridge and PT configuration.
2023-07-03T21:56:53Z
Nick Mathewson

`hackerencoder` on IRC spotted these issues:
* The `transports()` method in `BridgesConfig` does not appear in our documentation: https://tpo.pages.torproject.net/core/doc/rust/arti_client/config/struct.BridgesConfig.html
* `BridgeConfigBuilder`'s documentation doesn't explain itself very well if you don't already know the terminology (What is a direct connection? What is "k"? What is "v"? What is a setting?)
We fix these issues, then we should read over our generated documentation to make sure that it's clear to somebody who doesn't already know how to configure bridges and PTs.

Arti 1.1.0: Anticensorship ready
Nick Mathewson

https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40077
Document how to reproduce the "Total consensus weights across bandwidth authorities"-graph
2022-12-14T13:57:05Z
Georg Koppen

On https://metrics.torproject.org/totalcw.html we link to https://metrics.torproject.org/reproducible-metrics.html#servers for steps on how to reproduce the graph. However, https://metrics.torproject.org/reproducible-metrics.html#servers is missing a section documenting the respective steps.

https://gitlab.torproject.org/tpo/onion-services/onion-launchpad/-/issues/72
Documentation
2024-02-26T17:25:15Z
Silvio Rhatto

* [x] Setup documentation with [onion-mkdocs]() and GitLab pages within a subfolder (like `docs/`), since the GitLab pages space is already allocated by the main code.
* [x] Move some [README.md](README.md) content into multiple files inside a `docs/` folder.

Silvio Rhatto

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40711
Review and expand the stakeholders we communicate major changes to
2022-12-19T18:48:16Z
donuts

@richard has created this checklist as part of the release process (which is awesome):
```
### notify stakeholders
* [ ] Email tor-qa mailing list: [tor-qa@lists.torproject.org](mailto:tor-qa@lists.torproject.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
* [ ] Call out any new functionality which needs testing
* [ ] Link to any known issues
* [ ] Email Tails dev mailing list: [tails-dev@boum.org](mailto:tails-dev@boum.org)
* [ ] Provide links to unsigned builds on `$(BUILD_SERVER)`
```
And also:
```
### tor-announce mailing list
* [ ] Send an email to [tor-announce@lists.torproject.org](mailto:tor-announce@lists.torproject.org), using the same content as the blog post and subject "Tor Browser $version is released".
```
However it looks like we caught torbrowser-launcher unawares with the 12.0 release: https://github.com/micahflee/torbrowser-launcher/issues/659
We should take the opportunity to review how we notify external stakeholders during development, and expand this list to include Micah Lee & The Guardian Project at minimum (who don't necessarily have the time to read every tor-qa or tor-announce email).

richard