The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
Updated: 2024-01-11T13:54:11Z

Archive and redirect gettor.torproject.org landing page to support portal
https://gitlab.torproject.org/tpo/web/team/-/issues/44
Updated: 2024-01-11T13:54:11Z
Author: Gus

Although GetTor service is very important and useful for users where torproject.org website is blocked, I don't get what's the point of having GetTor landing page since all the instructions are available on Support portal and on Tor Browser Manual, which is bundled in TB.
So, here is my proposal to archive and redirect gettor.torproject.org:
- Improve gettor entry on https://support.torproject.org/censorship
- Archive the repository: https://gitlab.torproject.org/tpo/web/gettor-web
- Redirect gettor.torproject.org to support.torproject.org/censorship
- Remove gettor-web from weblate

Milestone: Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Assignee: emmapeel

(Snowflake guide) Add Snowflake debian package
https://gitlab.torproject.org/tpo/web/community/-/issues/335
Updated: 2024-02-05T19:12:52Z
Author: Gus

Snowflake-proxy is available as a package in Debian bookworm. We should mention at https://community.torproject.org/relay/setup/snowflake/standalone/

Milestone: Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Assignee: Gus

Onion Services PoW feature release strategy
https://gitlab.torproject.org/tpo/community/team/-/issues/93
Updated: 2023-09-25T16:04:26Z
Author: Silvio Rhatto

Release strategy on the [PoW](tpo/core/tor#40634) protection:
* [x] Draft [Q&A][] for ext. inquiries (cc @rhatto).
* [x] Write the docs (handled on tpo/web/community#312).
* [x] Write a [call for ~testers~ operators](https://pad.riseup.net/p/powcallfortesters) for a forum post (how/where to test, submitting feedback etc) (audience: Onion Service operators). Consider using the [Conjure one](https://forum.torproject.net/t/call-for-testers-help-the-tor-project-to-test-conjure-on-tor-browser-alpha/7815) as a template.
* [x] Write a blog post to be released along with the stable; involve Comms team (cc @pavel).
* [x] Final fact check with the larger team.
* [x] Publish the [blog post][].
* [x] Publish the [forum post][].
* [x] Publish an additional ~forum post~ [wiki page][] with the full [Q&A][].
Feedback collection ([moved to another ticket](tpo/community/team#95)):
* [~] Report back ~"For Network Health Team" (via forum post comments and issues).
* [~] Update the [Support Portal](https://support.torproject.org/) with the questions most asked by users (instead of just including everything from the Q&A, which would increase the number of strings to translate).
[Q&A]: https://pad.riseup.net/p/powqna
[blog post]: https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/
[forum post]: https://forum.torproject.org/t/proof-of-work-pow-defense-for-onion-service-is-released/8887
[wiki page]: https://gitlab.torproject.org/tpo/onion-services/onion-support/-/wikis/Documentation/PoW-FAQ

Assignee: Silvio Rhatto
Due date: 2023-08-23

Populate wiki with documentation
https://gitlab.torproject.org/tpo/anti-censorship/lox/-/issues/10
Updated: 2023-10-03T18:38:55Z
Author: Cecylia Bocovich

Let's use this overview project as a way to aggregate issues and documentation since Lox is made of many different pieces. A good start would be:
- There's some high level docs written up at https://gitlab.torproject.org/cohosh/lox/-/wikis/Lox-Overview that should be moved here and also checked to see if they are accurate
- @onyinyang made some cool graphics at https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/116#note_2884107

Milestone: Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Assignee: onyinyang

Add an FAQ like "anybody can run a relay, including NSA/governments/big data companies/etc. Isn't this bad?"
https://gitlab.torproject.org/tpo/web/support/-/issues/320
Updated: 2023-11-07T13:31:21Z
Author: Pier Angelo Vendrame

We often receive that question in several places, like #tor-project, but also on Reddit and other places.
We should add an official FAQ to definitely answer that question, so that we can just link it whenever we are asked again.
The old site had https://2019.www.torproject.org/docs/faq#CanExitNodesEavesdrop.

Assignee: ebanam (ebanam@torproject.org)

Provide a recommended set of iptables/nftables rules to help in case of DoS attacks
https://gitlab.torproject.org/tpo/community/support/-/issues/40093
Updated: 2023-07-14T15:15:42Z
Author: Georg Koppen

A bunch of DoS attacks are essentially ongoing since June 2022 and we discussed a bunch of potential solutions to improve things for our users. One thing folks started to experiment with is trying to come up with good iptables rules to help fighting ongoing attacks.
This ticket is for collecting all the information we gathered so far and coming up with some rules we can recommend to our relay operators (and updating our support guidelines accordingly).

Give standalone snowflakes guidance on how best to set up their nat
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40128
Updated: 2023-03-31T16:56:08Z
Author: Roger Dingledine

According to our current broker stats (https://snowflake-broker.torproject.net/debug), we have
```
current snowflakes available: 3021
standalone proxies: 2589
browser proxies: 5
webext proxies: 250
unknown proxies: 177
NAT Types available:
restricted: 2512
unrestricted: 386
unknown: 123
```
i.e. most of the snowflakes that we're giving out seem to be standalone ones as opposed to browser extension ones, and also most of the ones we have available to us are behind restricted nat.
It seems to me that the standalone ones are probably in a better position to be behind the good kind of nat (or no nat at all). But does our docker image impose the bad kind of nat on them by default? How come so many standalone proxies are behind restricted nat?
More generally: is there useful guidance we can give people, on setting themselves up with the right kind of nat, presuming they're on a VPS or otherwise on a 'real' internet connection?

Assignee: shelikhoo

[HTTPS] Duplicate phrase
https://gitlab.torproject.org/tpo/web/support/-/issues/263
Updated: 2022-01-20T01:36:49Z
Author: championquizzer (championquizzer@torproject.org)

As a user on [twitter](https://twitter.com/dejacrypto/status/1444273178549891076) pointed out, on https://support.torproject.org/https/https-1/, the phrase *"The/This visualization shows what information is visible to eavesdroppers with and without Tor Browser and HTTPS encryption."* appears twice in subsequent lines.

Assignee: championquizzer (championquizzer@torproject.org)

Add a persona who uses a public computer
https://gitlab.torproject.org/tpo/ux/research/-/issues/40
Updated: 2023-08-08T18:55:10Z
Author: cypherpunks

From the blog:
https://blog.torproject.org/comment/291342#comment-291342
https://blog.torproject.org/comment/291422#comment-291422
> [The commenter] then said, "this could be a problem in a public computer, when many persons want to use same account." It sounds like a kiosk or an Internet café. That is an interesting new persona to study, Community Team!! (to Gus, et al.) Usually though, public computers are configured for a guest account and/or to automatically log out after a period of time and delete the guest account's files.
It could be any shared device. A neighbor's laptop, phone, etc. If the device is public, then it isn't managed by a neighbor but by an administrator.
I guess this issue should be moved to tpo/ux/research. I wrote it in tpo/web/community because cypherpunks such as myself are not allowed to post in ux/research.

Add Letterboxing to the glossary
https://gitlab.torproject.org/tpo/web/support/-/issues/358
Updated: 2024-03-25T15:27:33Z
Author: emmapeel

We need to add Letterboxing to the glossary, as it is a new term that we use on the documentation.

Assignee: ebanam (ebanam@torproject.org)

TPA-RFC-62: migrate tor-passwords to password-store
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41522
Updated: 2024-02-21T19:49:00Z
Author: anarcat

In #29677, we have reviewed a bunch of password managers. Bitwarden seems to be emerging as a possible candidate for an organisation-wide password management service, but in the short term however, we do not want to make any major changes to our workflow. There's also an argument to be made that TPA should *not* be using a global password manager and is best protecting those secrets with a different mechanism.
In any case, during a recent offboarding process (tpo/tpa/team#41519), it became very clear that our *current* password manager (pwstore) has major flaws:
1. key management: in this case, @hiro's key was expired and had to be manually removed from the user's list. this would be similar in pass, except that the keyid file is easier to manage, as its signature is managed automatically by `pass init`, provided that the `PASSWORD_STORE_SIGNING_KEY` variable is set
2. password rotation: because multiple passwords are stored in the same file, it's hard or impossible to actually see the last rotation on a single password
3. conflicts: because multiple passwords are stored in the same file, we frequently get conflicts when making changes, which is particularly painful if we need to distribute the "rotation" work
4. abandonware: a [pull request to fix Debian bookworm / Ruby 3.1 support](https://github.com/weaselp/pwstore/pull/8) has been ignored for more than a year at this point
5. counter-intuitive interface: there's no command to extract a password, you're presumably supposed to use `gpg -d` to read the password files, yet you can't use other tools to directly manipulate the password files because the target encryption keys are specified in a meta file (that latter issue is shared with pass, to be fair)
6. not packaged: pwstore is not in Debian, flatpak, or anything else
The main downside to pass is the .gpg-id system is less secure than pwstore: its signature is not enforced unless the environment variable is set, which is a bit brittle. It's also relying on the global GPG key store although in theory it should be possible to rely on another keyring by passing different options to GnuPG.
Finally, by splitting secrets into different files, we disclose **which** accounts we have access to, but I consider this a reasonable tradeoff for the benefits it brings.
Update: the above was put in an actual proposal, see https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-62-tpa-password-manager

Assignee: anarcat

Add central documentation for our filesystem layout
https://gitlab.torproject.org/tpo/core/arti/-/issues/1222
Updated: 2024-02-01T15:43:34Z
Author: Nick Mathewson

Somewhere in doc/dev, we should document all the files that we create or look at.
This will include:
* `tor-keymgr` stuff, possibly by reference
* All state files
* All onion-service-related files
* All cache files
* All locks
* All configuration files
This should replace `crates/tor-hsservice/src/state_dir.md` (cc @diziet)

monitor technical debt and legacy
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41456
Updated: 2024-03-27T15:29:42Z
Author: anarcat

I often say that we have a huge technical debt in TPA, and that we keep needing to close things down and document and so on.
But we do not have hard data on this. After reading [Managing Technical Debt](https://jacobian.org/2023/dec/20/tech-debt/), I realized we should at least keep track of metrics about this. What's interesting about that article is it says we shouldn't necessarily set *targets*, but keeping track of metrics would be a good start.
He specifically [suggests DORA metrics](https://jacobian.org/2022/jun/17/dora-metrics/), but I'm not sure it's the best match for us. Here's what I think we should monitor:
* tickets
  * "lead time" (time between when a ticket enters backlog/next/doing and closing)
  * start using the ~"Technical Debt" ticket and measure ticket counts
  * general per-queue ticket counts (already done in monthly reports, put in prometheus, see https://gitlab.torproject.org/tpo/tpa/team/-/issues/40591)
* incidents:
  * "lead time" is specially important here: how long do tickets get opened in incidents? might also be a measure of MTTR (mean time to recovery)
  * "change failure rate": measure how many incidents are caused by deployment failures
* documentation: systematically measure how many services we have and how well they are documented (this is partially done, by hand, in the `service.md` wiki page, but could be somehow automated)
* untracked package counts: use anarcat's [puppet-package-check](https://gitlab.com/anarcat/scripts/-/blob/main/puppet-package-check?ref_type=heads) to generate metrics on how many packages are *not* managed by puppet, per host, as a rough estimate of the "puppetization ratio"
* unit test coverage: across all our software projects (or maybe per project?), what is the coverage of unit tests? (requires CI and extraction of those numbers in an exporter)
* out of date systems: how long does it take to update the fleet, and how long do we live on LTS? (at least partly tracked in Prometheus now, but not retained long enough to have good metrics, see also #40330)
The end result here is a small set of metrics that describe the current state of affairs, and its evolution over time. It will allow us to more easily realize when we're in trouble (e.g. https://gitlab.torproject.org/tpo/tpa/team/-/issues/41411) and evaluate how much effort we should put into this.
It might be more effective to have those metrics beyond the "one year" mark. Ticket counts, for example, are kept forever in the minutes, and that's a good thing, so we should consider expanding the storage retention here (#40330).
One thing Kaplan-Moss advises is to set time apart to deal with technical debt, he advises 10%. He also says we shouldn't set "sprints" to deal with technical debt, but I disagree with that: I have found that Debian upgrades are working well with sprints and wonder to what else we could extend the practice. On the other hand, the docs hack week wasn't a clear success for us, so maybe he's at least partly right in some aspects.

Milestone: cleanup and publish the sysadmin codebase
Assignee: anarcat

Public documentation about how we manage projects at Tor
https://gitlab.torproject.org/tpo/community/hackweek/-/issues/28
Updated: 2023-11-30T16:16:39Z
Author: Gaba (gaba@torproject.org)

# About the project
* Contact: Gaba
* Chat: #tor-project on `irc.oftc.net`
* Video room: https://tor.meet.coop/gab-tph-u9q-eo0
* Meet Monday, Tuesday, Wednesday, Thursday from 12UTC to 20UTC
# Participants
- Gaba
- You?
# Summary
We have some [outdated documentation](https://gitlab.torproject.org/tpo/team/-/wikis/process/How-we-do-project-management-at-The-Tor-Project) on how we do project management at Tor. We also have templates and checklists in Nextcloud about different parts of a project's lifetime. I would like to update and expand them to be more clear and all public.
# Skills
Experience working in a sponsored project at TPO.

Milestone: Hackweek 2023
Assignee: Gaba (gaba@torproject.org)
Due date: 2023-11-09

Public documentation about project design and grant writing process
https://gitlab.torproject.org/tpo/community/hackweek/-/issues/24
Updated: 2024-01-11T17:32:09Z
Author: al smith

# About the project
* Contact: @smith
* Chat: #tor-internal on `irc.oftc.net`
* Video room: tbd
# Participants
- @smith
- etc
# Summary
- Write a guide on the process of project design and grant proposal writing
- Publish that guide
- Create a template spreadsheet with guidelines on how to do estimations (@gaba, any interest in helping?)
We created an [overview of the grants process in Costa Rica and presented it in an in-person session](https://gitlab.torproject.org/tpo/team/-/wikis/Meetings/2023/2023-Tor-Meeting-Costa-Rica-Wiki/overview-of-how-projects-get-funded). We can use this to create something that's easier to read, more well-resourced, and easier to find.
# Skills
- Familiarity with the project design and grant writing process, either from a team participant side (e.g., someone from the network team who has been involved in grant writing before) or from the design and writing side (e.g., someone from the money machine team).
# Links

Milestone: Hackweek 2023
Assignee: al smith

Add a FAQ on how users can check their version of Tor Browser on all platforms
https://gitlab.torproject.org/tpo/web/support/-/issues/336
Updated: 2023-11-23T15:34:14Z
Author: ebanam (ebanam@torproject.org)

As part of our user support work and for troubleshooting in general, we fairly regularly ask users about the version of Tor Browser they are using. I think we should add some steps on how users can check their version of Tor Browser.
For Tor Browser on desktop we can create an entry in https://support.torproject.org/tbb/
and for Tor Browser for Android in https://support.torproject.org/tormobile/
/cc @nina

Clean up and improve the user support FAQ text
https://gitlab.torproject.org/tpo/community/hackweek/-/issues/17
Updated: 2023-11-30T16:16:39Z
Author: Roger Dingledine

# About the project
* Contact: Roger Dingledine
* Chat: #tor-www on `irc.oftc.net` / [#tor-www](https://matrix.to/#/#tor-www:matrix.org) on matrix
* Video room: https://tor.meet.coop/pav-g4m-iys-h7n (kick off meeting on Monday, 06 November at 14 UTC)
* Pad: https://pad.riseup.net/p/improve-support-faqs-hackweek-qwjebqwjqedwqebdj
# Participants
- Roger Dingledine
- ebanam
- @gus
- you?
# Summary
Tor has a huge variety of FAQ entries on support.torproject.org, copied over from the original FAQ, the abuse FAQ, etc. When we made support.tpo, we only took some of the entries. Then we updated those over the years, but actually we have mostly left them alone -- I imagine it's hard for most individuals to decide to change one of these support entries, because they don't know who needs to buy in, or they worry that somebody else thinks it's perfect the way it is.
Let's look again at the big picture of which entries are useful, which ones are right, and whether there are any missing. The outcome will be a better support site.
# Skills
We will need people who know how to technical write, people who know what problems/questions/concerns Tor users encounter, people who know how Tor and Tor Browser work, people who have an interest in Tor comms and framing, and people who know basic html/markup. These don't all have to be the same people! :)
# Links

Milestone: Hackweek 2023
Assignee: Roger Dingledine

Onion MkDocs tryout
https://gitlab.torproject.org/tpo/community/hackweek/-/issues/13
Updated: 2023-11-30T16:16:40Z
Author: Silvio Rhatto

# About the project
* Contact: @rhatto
* Chat: #tor-dev on `irc.oftc.net`
* Video room: to be defined.
# Participants
- @rhatto
- @gus
- etc
# Summary
This is a proposal to try [Onion MkDocs][] for documenting things at Tor.
[Onion MkDocs]: https://rhatto.pages.torproject.net/onion-mkdocs/
## Project A - Support
* [x] Provide support for people/teams that want to convert their wikis
to or have docs for their projects using [Onion MkDocs][].
* [x] Improve [Onion MkDocs][] stylesheet, plugins etc.
* [x] Improve [Onion MkDocs][] documentation.
## Project B - Convert
* [x] Convert some GitLab wikis to GitLab pages using Onion MkDocs:
  * [x] Overview:
    https://gitlab.torproject.org/tpo/tpa/team/-/issues/41119#note_2898441
  * [x] Candidates for merge requests:
    * [x] The Hackweek project itself:
      https://gitlab.torproject.org/tpo/community/hackweek, with site now available
      at https://tpo.pages.torproject.net/community/hackweek/
    * [~] Onion Support Wiki:
      https://gitlab.torproject.org/tpo/onion-services/onion-support/. To be done on Project C below.
    * [x] Tor Policies repository:
      https://gitlab.torproject.org/tpo/community/policies/-/issues/3
## Project C - Investigate
* [x] Investigate how Onion MkDocs could be a [TPA-RFC-38 wiki replacement (#40909) · TPA / TPA team](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40909) ([tpa rfc 38 new wiki service](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-38-new-wiki-service)):
  * [x] One approach would be to create a script that imports content from some existing GitLab wikis into a single Onion MkDocs instance, to see how it would like to have a convergent "documentation integration" place. How it could be structured? Could it be easily searchable? What would be the best practices for this?
# Skills
Some knowledge in the following technologies may be needed in order to participate:
* Git/GitLab.
* Markdown.
* Basic scripting (Python, shell).
# Links

Milestone: Hackweek 2023
Assignee: Silvio Rhatto
Due date: 2023-11-09

Evaluate if Tor Browser is meeting the needs of our users
https://gitlab.torproject.org/tpo/ux/research/-/issues/115
Updated: 2023-06-28T16:20:06Z
Author: Matthew Finkel

Tor Browser has many goals as defined in the [Design document](https://2019.www.torproject.org/projects/torbrowser/design/), but we should take a step backward and look at the larger picture of whether these goals are actually important for the [people](https://community.torproject.org/user-research/persona/) we are trying to protect.
We should be able to justify our general design requirements through the needs of our users, instead of defining the strictest-possible private browser design and then applying that to all of the use cases. Indeed, this should influence tpo/applications/tor-browser-spec#25021.

Review when a bridge is labeled as online or offline
https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser/-/issues/44
Updated: 2023-10-09T11:24:01Z
Author: Hiro

We currently use both bridgestrap tests and online/offline flag from the bridge authority to mark when a bridge is online or offline.
We might have to review all the rules that we are currently using and document them. If necessary we should check if we can change these rules.
We might have to review all the rules that we are currently using and document them. If necessary we should check if we can change these rules.
@meskio do we have any other test that we are currently performing for bridges besides bridgestrap?