The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-04-05T17:50:20Z

https://gitlab.torproject.org/tpo/web/support/-/issues/265
[Relay Operators] What's MetricsPort and how to enable it
2022-04-05T17:50:20Z
Gus

As MetricsPort is a new Tor feature, we should add a new entry explaining what it is, how operators can enable it, and what precautions they should take.
We should not copy and paste little-t-tor docs, but point to them as a reference.
MetricsPort [address:]port [format]
WARNING: Before enabling this, it is important to understand that exposing tor metrics publicly is dangerous to the Tor network users. Please take extra precaution and care when opening this port. Set a very strict access policy with MetricsPortPolicy and consider using your operating system's firewall features for defense in depth.
We recommend, for the prometheus format, that the only address that can access this port should be the Prometheus server itself. Remember that the connection is unencrypted (HTTP) hence consider using a tool like stunnel to secure the link from this port to the server.
If set, open this port to listen for an HTTP GET request to "/metrics". Upon a request, the collected metrics in the tor instance are formatted for the given format and then sent back. If this is set, MetricsPortPolicy must be defined else every request will be rejected.
Supported format is "prometheus" which is also the default if not set. The Prometheus data model can be found here: https://prometheus.io/docs/concepts/data_model/
The tor metrics are constantly collected and they solely consist of counters. Thus, asking for those metrics is very lightweight on the tor process. (Default: None)
As an example, here only 5.6.7.8 will be allowed to connect:
MetricsPort 1.2.3.4:9035
MetricsPortPolicy accept 5.6.7.8
MetricsPortPolicy policy,policy,...
Set an entrance policy for the MetricsPort, to limit who can access it. The policies have the same form as exit policies below, except that port specifiers are ignored. For multiple entries, this line can be used multiple times. It is a reject all by default policy. (Default: None)
Please, keep in mind here that if the server collecting metrics on the MetricsPort is behind a NAT, then everything behind it can access it. This is similar for the case of allowing localhost, every user on the server will be able to access it. Again, strongly consider using a tool like stunnel to secure the link or to strengthen access control.

Georg Koppen

https://gitlab.torproject.org/tpo/web/community/-/issues/151
[Onion Services] Add new ways to deploy your onion site
2021-03-25T15:07:32Z
Gus

@Hiro developed different ways to deploy onion sites with terraform, heroku. We should promote it in a special page or/and update our docs to include it.
- [ ] terraform
- [x] ansible
- [ ] heroku

Sponsor 84: Onion Guides
Gus

https://gitlab.torproject.org/tpo/web/manual/-/issues/69
Please document Tor Browser environment variables
2022-03-16T20:56:20Z
Matt Pagan

It's not uncommon for users to want Tor Browser to use their already running system Tor. Doing this requires familiarity with the TOR_SKIP_LAUNCH environment variable. Rather than only documenting one or some of the env variables, they should all be documented in one place. Users should be able to visit a single document, FAQ entry, or wiki page where they can read the functionality of
TOR_SKIP_LAUNCH
TOR_FORCE_NET_CONFIG
TOR_CONFIGURE_ONLY
TOR_CONTROL_HOST
TOR_CONTROL_PORT
TOR_CONTROL_PASSWD
TOR_CONTROL_COOKIE_AUTH_FILE
TOR_SOCKS_HOST
TOR_SOCKS_PORT
TOR_TRANSPROXY
and how to set each. (Did I miss any?)

https://gitlab.torproject.org/tpo/community/l10n/-/issues/40038
Document what are access keys and how to translate them
2023-01-23T09:14:43Z
emmapeel

We are having issues with the Access Keys for the [BridgeDB options page](https://bridges.torproject.org/options). Translators do not realise what they are and how they work. Plus, they repeat the same access key for different options.
Strings that use access keys at the moment are: '_Just give me bridges', 'Do you need a Pluggable _Transport?' and '_Yes'.
Once we have a proper explanation we can ask BridgeDB devs to add it or link it to the translator's comments.
Related BridgeDB issue: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/12957

emmapeel

https://gitlab.torproject.org/tpo/applications/tor-browser-spec/-/issues/21566
Document Tor Browser hardening in the Tor Browser design document
2021-06-25T15:44:23Z
Georg Koppen

We compile Tor Browser with different hardening flags for different platforms; we should document that in our design document.

https://gitlab.torproject.org/tpo/web/community/-/issues/130
[Onion Services][SSL][Vanity] FR: writeup about authentication for onion sites. SSL certs, vanity addresses, etc.
2021-03-25T15:07:32Z
Jim Newsome

Context - I was reaching out to the owners of securityinabox.org about their onion address https://bpo4ybbs2apk4sk4.onion/, which presents a cert for a completely different domain. I looked for but couldn't find authoritative docs about best practices around SSL for onion sites.
It'd at least be nice to have a short writeup about the recent movement about not requiring EV certs (https://cabforum.org/pipermail/servercert-wg/2020-February/001637.html).
At the risk of scope creep it'd perhaps be even better to have a more comprehensive writeup about best practices around proving authenticity for onion addresses. e.g. perhaps also mention why vanity addresses aren't helpful, alternatives to certs you *can* do (link from something else already securely tied to your identity), etc.
FWIW here's what I sent to the securityinabox folks:
FYI the onion address (http://bpo4ybbs2apk4sk4.onion) linked from your 'about' page (https://securityinabox.org/en/about) appears to be broken. It presents a certificate for common-name "api-test.ttc.io", which results in browser warnings. Unfortunately even if the user clicks through the warnings, the server then just returns a 502 error.
I wanted to mention a few things about the cert in particular, but I should preface with: I'm a developer at the Tor Project; I'm somewhat familiar with this subject but to be clear I'm new and this is outside my primary area
The Tor protocol itself already provides encryption and authentication. Most of the potential value in a certificate would be to link the onion address to your clear-web domain name, but a cert for some other domain, as your server is presenting, doesn't do that either.
A cert for "securityinabox.org" might be a little better - it'd still cause a warning, but at least on inspection would prove that this onion address really belongs to the owner of that domain. OTOH simply having a link to your onion site from an SSL/TLS clear-web page you own, which you already do, already does that in a less obscure way.
A cert that includes the onion address itself would get rid of the warning. Until recently this required getting an expensive EV cert, but this is changing now (https://cabforum.org/pipermail/servercert-wg/2020-February/001637.html).
Assuming you don't have much resources to dedicate to this, the best short-term course of action might be to just drop the cert (and hence SSL/TLS) for now to get rid of the warnings (and thus not either scare people away or train them to click away the warnings).

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/issues/7
Add a short FAQ to snowflake.tp.o
2021-06-17T14:13:21Z
Arlo Breault

This should include explanations for the missing feature error messages. See comment:13:ticket:31391

https://gitlab.torproject.org/tpo/web/support/-/issues/212
Add a short FAQ to snowflake.tp.o
2024-01-10T23:43:36Z
Arlo Breault

This should include explanations for the missing feature error messages. See comment:13:ticket:31391

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/31
document gitlab user creation, project adhesion and permission policies
2020-10-20T15:42:39Z
Gaba gaba@torproject.org

We need
* clear criteria on adding a user to a project
* clear criteria on which role/permissions to give users added to a project

Gaba gaba@torproject.org

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/28
How we are going to use Gitlab for organizing projects and Tor's work
2020-11-13T17:50:19Z
Gaba gaba@torproject.org

- [ ] ***CONVERT THIS THREAD INTO DOCUMENTATION* (Tails example https://tails.boum.org/contribute/working_together/GitLab/)**
Attention @tpo/core @tpo/ux @tpo/metrics @tpo/anti-censorship @tpo/community @tpo/applications @tpo/tpa
We have [user stories](#26) for how we need to use Gitlab. I'm writing down here a proposal on how to use Gitlab, open up for discussion.
**SPONSOR/PROJECT PLANNING AND WORK**
- To track a sponsor's project, including how much time there is for the project and what is still not assigned (pm user stories #26):
Create a milestone per objective of the project OR for the whole project, depending on size. The milestone should be in the group that includes all groups working on this project. Examples:
* For OnionPerf https://gitlab.torproject.org/groups/tpo/metrics/-/milestones/1
* For objectives in the Sponsor 30: https://gitlab.torproject.org/groups/tpo/-/milestones/4
Each milestone will have:
* dates when the project/objective starts or ends
* information about the project or objective
* all the tickets that need to be completed with this milestone
To mark that a ticket could be in a specific sponsor/project:
* Mark that ticket with the label for the sponsor. For example label 'Sponsor 55'. The tickets with this label may not go into the sponsor but are a possible fit for it.
To divide objectives/tickets into smaller tasks (dev stories for sponsor planning):
* Create an issue for that objective with the label 'project'
* In that issue write down a list of "children" that are the tasks that need to be completed. Each child is a new issue. Example: https://gitlab.torproject.org/tpo/anti-censorship/bridgedb/-/issues/31274
**RELEASE PLANNING**
To decide which open bugs must be finished before we can put out the next release.
* Create a milestone for each release. The milestone will be at the level of the team's group or project. For example:
  * Tor 0.4.4 https://gitlab.torproject.org/groups/tpo/-/milestones/tor-044x-final?title=Tor%3A+0.4.4.x-final
  * Tor unspecified https://gitlab.torproject.org/groups/tpo/-/milestones/tor-unspecified?title=Tor%3A+unspecified
**TEAM WORK**
To organize work per team or per project (TBB, tor, onionperf, etc):
* Create a kanban board where we can set stacks with:
  * backlog: indicates all the work that we have planned to do
  * next: indicates all the work that we are doing in the next sprint. (decide with your lovely PM and your team how long your sprint should be)
  * doing: indicates all the tickets that people are working on right now
  * needs review: some teams need this label to indicate the tickets/issues that need somebody to review them.
* Each "stack" in the board will be a label. The labels that we are all using for this are: backlog, next, doing, needs review.
* The issues at the top of the stack are the ones with the most priority in that stack.
For example:
1. OnionPerf https://gitlab.torproject.org/tpo/metrics/onionperf/-/boards
1. SysadminXs https://gitlab.torproject.org/groups/tpo/tpa/-/boards
1. Network https://gitlab.torproject.org/groups/tpo/core/-/boards
**To decide on what to work next**
* There is this neat place where you can see all the issues assigned to you, issues that you were mentioned in, merge requests. https://gitlab.torproject.org/dashboard/todos
**To assign reviews**
* Issues in Gitlab do not have a review but merge requests do have them. To work around this (as we still need to mark down issues for review) we will have labels at the project or group level (not TPO level) to mark who is reviewing which issue. The labels will be "review-by-X" with X the name of the person.
**COMMUNICATION BETWEEN TEAMS**
In an issue you can mention a group (for example @core) and that issue gets into the dashboard of all the people in that group. Use this power with responsibility.
**REPORTING BUGS**
We still do not have signups in Gitlab so for now people have to send a mail to gitlab-admin@torproject.org to be able to get an account in Gitlab. Once they have an account they can easily report a bug in https://gitlab.torproject.org/groups/tpo/-/boards or https://gitlab.torproject.org/groups/tpo/-/issues
I'm not totally sure if that board in TPO is the best one so we need to think a little more about how to show all the work happening as well as all the work to be done in the whole organization. https://gitlab.torproject.org/groups/tpo/-/boards
I would like to add issue templates to all projects so people can easily follow the template to post the information that we need from the issue. Example: https://gitlab.torproject.org/ahf/lobby/-/issues/new?issue%5Bassignee_id%5D=&issue%5Bmilestone_id%5D=
**Templates** to report a bug should contain:
* summary
* steps to reproduce
* expected results
* actual results
* version that the bug was found in
For people to search between all the issues in TPO (if they for example want to check all the issues they authored) they can do it in https://gitlab.torproject.org/groups/tpo/-/issues
**VOLUNTEERING WORK**
To help volunteers I think we could have labels that help people find something they can collaborate to:
* Documentation
* 1st contribution
**We are discussing email interaction with Gitlab on #29**
**We are discussing labels in #4**
Please, make comments, things that may not work, something that I maybe forgot.

Gaba gaba@torproject.org

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/29
document how to use GitLab through email
2021-01-30T22:56:52Z
Gaba gaba@torproject.org

(Note: this is just for issues right now as I've not been dealing with merge requests lately. But a bunch of the notes below should apply to them, too)
@gk started writing this and I'm moving it into an issue.
**Creating a new issue**
Clicking on the per project issues gives a link at the bottom of the page, say "Email a new issue to this project".
That link should go into the From of your email. The subject is the title of the issue and the body the description. You can start right away using shortcuts in the body, like /assign @foo, /estimate 1d etc. (see: https://docs.gitlab.com/ee/user/project/issues/managing_issues.html#new-issue-via-email for more details)
**Adding a comment to an existing issue**
Replying to an existing comment
You need to have notifications enabled for this part and then just reply to the particular comment as you would reply to an email in a thread (see: https://docs.gitlab.com/ee/administration/reply_by_email.html for more details)
Creating a new comment
This is not easily doable right now (see: https://gitlab.com/gitlab-org/gitlab/-/issues/18816). However, it works if you have notifications enabled and then reply to any notification email for the issue of interest by replacing everything that would get quoted with the comment you want to add. This works as well with shortcuts like /estimate 1d or /spend -1h (note: for those you won't get notification emails back, though, while for others like /assign @foo you would).
**Using quick actions to update an issue**
There are a bunch of quick actions available which are handy to update an issue (see: https://gitlab.torproject.org/help/user/project/quick_actions.md). As mentioned above they can be sent by email as well, both within a comment (be it as a reply to a previous one or in a new one) or just instead of it. So, if you for example want to update the amount of time spent on ticket $foo by one hour, find any notification email for that issue and reply to it by replacing any quoted text with "/spend 1h".

anarcat

https://gitlab.torproject.org/tpo/web/community/-/issues/213
Come up with a better terminology for bridges
2021-10-27T13:31:53Z
Philipp Winter phw@torproject.org

Our terminology for bridges is confusing:
* *Private* bridges are bridges that BridgeDB doesn't know about. Users may mistakenly conclude that if a bridge isn't private, it must be public, which is incorrect. Suggestions for other terms: unshared, exclusive, unlisted, unknown.
* *Default* bridges are part of Tor Browser. Conceptually, default bridges are more like obfs4-enabled guard relays. Suggestions for other terms: built-in (we may have been using that term occasionally), standard, public.
* We don't have a consistent term for bridges that are distributed by BridgeDB/rdsys. Perhaps we don't need a term because that's the default?
How can we improve the situation?
Copying @cohosh, @antonela, @arma, and @gus.
# Update
proposal is to change this terminology **everywhere**
- default bridges -> built-in bridges
- will not do private/public bridges anymore
- private bridges -> secret bridges
- public bridges -> distributed bridges
Everywhere means:
- [ ] documentation - needs tickets in each portal
- [ ] [Browser's UI](tpo/applications/tor-browser#40623)
- [ ] Code - needs ticket

Sponsor 30 - Objective 2.2
Gus

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-mobile/-/issues/8
A Readme file for the project.
2020-07-08T16:50:12Z
HashikD

Add a readme file to the project to help future contributors.

HashikD

https://gitlab.torproject.org/tpo/web/support/-/issues/10
Add instructions how to verify signatures on Android
2021-08-23T16:30:49Z
Gus

needs a section for Android.
migrated from: https://trac.torproject.org/projects/tor/ticket/27514

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/11751
Add documentation for using TBB with Windows Tor expert bundle
2022-08-02T14:40:21Z
cypherpunks

On Windows, I installed the expert bundle to have a single tor process to be used by multiple applications, including multiple Tor Browsers.
I can configure Tor Browser by creating a user.js file with extensions.torlauncher.start_tor set to 0. But this config also leads to this message:
"Something Went Wrong!
Tor is not working in this browser."
Other than that, I can use the browser normally.
Can you fix this?

https://gitlab.torproject.org/tpo/community/training/-/issues/6
Add 'how to setup a private bridge' training slides
2023-06-30T17:21:17Z
Gus

Add to community.tpo/training/resources our private bridges slides.

Gus

https://gitlab.torproject.org/tpo/network-health/metrics/exit-scanner/-/issues/40001
broken links in docs
2024-01-16T15:47:58Z
anarcat

it's great to have documentation on the exit scanner and check here:
https://gitlab.torproject.org/tpo/network-health/team/-/wikis/Exit-Scanner-Ops
... but there are a bunch of broken links in the page, for example:
https://gitlab.torproject.org/tpo/metrics/exit-scanner/-/wikis/check-ops/
https://gitlab.torproject.org/tpo/metrics/exit-scanner/-/wikis/tordnsel
it seems like only a part of the ikiwiki docs were imported here...
also, it would seem important to crossref those docs with https://gitlab.torproject.org/tpo/metrics/team/-/wikis/home
arguably, maybe *all* the metrics docs should be centralised there instead of having multiple wikis like this...

https://gitlab.torproject.org/tpo/web/manual/-/issues/42
In Mobile Tor section, we should link tickets to GitLab
2020-12-01T10:04:16Z
Gus

Update Trac links to GitLab links, so users can follow the issue status.
https://tb-manual.torproject.org/mobile-tor/

https://gitlab.torproject.org/tpo/web/manual/-/issues/43
F-Droid should be written with a capital D
2020-10-13T19:14:36Z
Gus

A translator reported that:
"F-Droid should be written with a capital D."
http://dgvdmophvhunawds.onion/mobile-tor/index.html

https://gitlab.torproject.org/tpo/web/manual/-/issues/44
Improve security settings writing
2020-10-11T06:22:30Z
Gus

A translator opened this issue:
"[Security settings](https://tb-manual.torproject.org/security-settings/) disable certain web features that can be used to attack your security and anonymity."
One doesn't attack someone's security and anonymity, but rather "can be used to compromise your security and anonymity."