The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
Updated: 2023-04-28T08:58:47Z

Add disabled state for switch components
https://gitlab.torproject.org/tpo/applications/vpn/-/issues/68
Updated: 2023-04-28T08:58:47Z
Author: cyberta

Currently a visual disabled state is missing. An example: If protect all apps in the App routing screen was enabled, all subsequent settings are disabled. That's not visually indicated though.
see @donuts comment from figma:
> That's a good question. I noticed M3 uses state layers for this, but I didn't bother with them when designing these components. For the purposes of the pre-alpha I think a general rule of 40% opacity will be fine – and we can refine this later if needed.

Milestone: VPN pre-alpha 01
Assignee: cyberta

Add touch feedback in Configuration screen settings entries
https://gitlab.torproject.org/tpo/applications/vpn/-/issues/66
Updated: 2023-04-28T09:20:34Z
Author: cyberta

currently there is no optical feedback / a selection state for the settings list

Milestone: VPN pre-alpha 01
Assignee: cyberta

Improve App routing screen
https://gitlab.torproject.org/tpo/applications/vpn/-/issues/65
Updated: 2023-04-28T08:58:47Z
Author: cyberta

* [x] reduce list flickering
* [x] show loading indicator on initial loading. Initial loading takes some time so that an empty list is presented for about 1-2 seconds.
* [x] reorder cached app list items after loading from shared preferences to reduce the diff between async queried app list and immediately loaded cached app list. That reduces the likelihood of visual list changes after entering the app routing screen

Milestone: VPN pre-alpha 01
Assignee: cyberta

Quickstart
https://gitlab.torproject.org/tpo/applications/vpn/-/issues/24
Updated: 2023-06-14T17:51:52Z
Author: micah (micah@torproject.org)

The "Quickstart" is defined as essentially a user restarting their device and connecting to Tor automatically. The goal is to browse 'safely' by default, if the user forgets to connect, or traffic would be sent out of the device before manual activation.
This would also cover the Job Story "Turn off network before bootstrapping" which describes blocking any connections when launching the TorVPN.
Although https://gitlab.torproject.org/tpo/ux/research/-/issues/66 indicates it as 'Research', this could be integrated fairly easily and I'd advocate that it be moved to being MVP.

Milestone: VPN pre-alpha 01
Assignee: cyberta

Help partner organizations to setup standalone snowflake proxies
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40235
Updated: 2023-03-03T17:00:16Z
Author: Gaba (gaba@torproject.org)

Snowflake works by creating a “flurry” of available proxies all around the world. Individuals who want to help people bypass censorship can install a Snowflake proxy into their web browser and become a temporary proxy as long as their browser is open and online. This means that it’s extremely easy for many people to run proxies–we’ve seen an increase from about 30,000 to about 110,000 in the last month!
It’s also possible to set up standalone Snowflake proxies that run on their own machines or servers. While they are not as easy as a browser plugin to run, standalone Snowflake proxies have some benefits:
(1) standalone Snowflakes are connected 24/7 (instead of just when a user’s browser is on);
(2) they have a dedicated, fast, and stable connection in a data center; and
(3) they have unrestricted NAT–this is important because when using residential connections, modems and routers limit a lot of what can connect to an individual’s proxy.
In order to accommodate the amount of new traffic on the network, we need to increase the number of standalone Snowflake proxies.
In this activity, we will work with partner organizations and individuals to set up, host, and run standalone Snowflake proxies and offer them technical support. We also will help the operators monitor their proxies for blocking and respond when there are censorship events or changes so that these proxies remain available.

Milestone: Sponsor 139: Rapid Response Iran
Assignee: HackerNCoder (hackerncoder@encryptionin.space)

distribute Onion Browser .ipa files
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/46
Updated: 2023-04-22T12:23:13Z
Author: meskio (meskio@torproject.org)

We can fetch them from their github releases:
https://github.com/OnionBrowser/OnionBrowser/releases

Milestone: Sponsor 139: Rapid Response Iran
Assignee: irl

provide android builds
https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot/-/issues/15
Updated: 2023-04-22T12:23:15Z
Author: n0toose

We want to provide Android builds, but the endpoint we use (https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/onionsproutsbot/-/blob/rewrite/example.yaml#L6) only provides downloads for desktop versions.
## Solutions
### httpdirfs
We could use httpdirfs (see https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/onionsproutsbot/-/issues/11) and use binaries as provided by https://dist.torproject.org, but it's a bit hard to distinguish which files are to be used, as, not only is there a "version mismatch" between the latest stable version of the desktop and the mobile edition, but there are also many different versions, some of which are suitable for daily usage, whereas some of them aren't. (As of the time of this writing, the example that shows this happens to be **11.0.8**, https://dist.torproject.org/torbrowser/11.0.8/ with the latest version being 11.0.10. The former version's directory only contains Android builds, whereas none of the more latest, stable versions provide Android builds.)
The bot having to decide which version is good based on parameters that may no longer exist in the future (e.g. someone could remove all Android builds ending in `*androidTest.apk`, because "why not, what could possibly go wrong with this" is most likely a bad idea, and the maintenance burden would be higher than desired. This bot is meant to be robust, just running in the background and doing its job without causing problems every now and then.
### F-Droid
We could use an F-Droid endpoint that provides builds (right now, the Guardian Project does so, and if the work is made to support obtaining files from their frontend, this can be easily switched to Tor's later on). This is by far the most realistic approach if other teams are not able to work on this, and F-Droid does provide APIs that could help. My recent efforts to make different parts of the program modular would help with getting something like this done. They have APIs as well: https://f-droid.org/en/docs/All_our_APIs/
However, I am concerned that the end result would turn out to be more fragile than it should be (such as telling apart the correct versions to be included), and a big refactoring session would still turn out to be required.
### Website scraping
This website providing a list of downloads for the browser is manually updated (I think I recall @gaba telling me this): https://www.torproject.org/download/#android
We could hypothetically just scrape the website and just get the downloads and be done with this. However, again, this bot should just sit back, quietly, doing its job and not breaking over the smallest changes, such as a website redesign. In conclusion, *no.*
### Tor Endpoint
To obtain a list of downloads for the desktop version, we currently use the following API endpoint: https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
(See: https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/onionsproutsbot/-/blob/rewrite/example.yaml#L6)
It would be pretty great if the project provided an endpoint for Android builds as well, especially because that would mean that a single "point of contact" would be telling my bot, as well as other projects that utilize the aforementioned endpoint, what to do, instead of my own bot scrambling to figure out what to do with a volatile set of data like that. However, with an F-Droid repository being supposedly around the corner, such a feature may be realistically way too much effort that I would be "outsourcing" to other people. However, something like that could also be useful for things such as providing lists of downloads through the website quickly. But that's neither my field or my fight.

Milestone: Sponsor 139: Rapid Response Iran
Assignee: irl

Public JSON file with mappings of websites to onion services
https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/144
Updated: 2022-11-07T13:57:27Z
Author: irl

Various websites and browser extensions exist to make it possible to discover onion services for websites. These allow showcasing how many and which websites support onion services, an independent function to discovering the onion service address for a single website at the time of a visit.
The Bypass Censorship portal can now publish JSON files to Tor's GitLab due to a bit of recent work on the dynamic bridges system. This means the portal can publish a JSON file with this mapping of website to onionsite.
https://github.com/alecmuffett/real-world-onion-sites is one such thing that would like to consume this JSON.
Questions:
* Which GitLab repo should contain this file?
* Do you want to build a static website around the JSON file or just publish the JSON file?
* Which entry point should be the canonical way to consume this if you're a machine? (i.e. gitlab raw URL or gitlab pages or static mirror?)
* What format should the JSON file be in and should any extra data go in there?
Future questions:
* We could sign this with a JSON web signature thingy?

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto
Due date: 2022-11-11

Create separate metrics for HSDir info and timestamp of last update
https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/issues/52
Updated: 2022-05-27T17:54:18Z
Author: Silvio Rhatto

Create separate metrics for HSDir info (`hsdir` and `reason`) and timestamp of last update instead of using labels for both, as labels for such variable information create additional time series.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto

Adds HARICA's onion-csr tool
https://gitlab.torproject.org/tpo/onion-services/onionmine/-/issues/17
Updated: 2022-05-17T21:22:24Z
Author: Silvio Rhatto

Adds [onion-csr](https://github.com/HARICA-official/onion-csr) as a submodule, a compilation procedure and a wrapper to it.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto
Due date: 2022-05-13

Stem is unable to find cryptography module when running from the pip package
https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/issues/43
Updated: 2022-05-11T15:41:16Z
Author: Silvio Rhatto

How to reproduce:
$ pip install onionprobe
Collecting onionprobe
Using cached onionprobe-0.3.2-py3-none-any.whl (58 kB)
Requirement already satisfied: pyyaml>=6.0 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (6.0)
Requirement already satisfied: stem>=1.8.0 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (1.8.0)
Requirement already satisfied: cryptography>=37.0.2 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (37.0.2)
Requirement already satisfied: requests>=2.27.1 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (2.27.1)
Requirement already satisfied: prometheus-client>=0.14.1 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (0.14.1)
Requirement already satisfied: pysocks>=1.7.1 in /home/user/.local/lib/python3.9/site-packages (from onionprobe) (1.7.1)
Requirement already satisfied: cffi>=1.12 in /home/user/.local/lib/python3.9/site-packages (from cryptography>=37.0.2->onionprobe) (1.15.0)
Requirement already satisfied: pycparser in /home/user/.local/lib/python3.9/site-packages (from cffi>=1.12->cryptography>=37.0.2->onionprobe) (2.21)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in /usr/lib/python3/dist-packages (from requests>=2.27.1->onionprobe) (1.26.5)
Requirement already satisfied: certifi>=2017.4.17 in /usr/lib/python3/dist-packages (from requests>=2.27.1->onionprobe) (2020.6.20)
Requirement already satisfied: charset-normalizer~=2.0.0 in /home/user/.local/lib/python3.9/site-packages (from requests>=2.27.1->onionprobe) (2.0.12)
Requirement already satisfied: idna<4,>=2.5 in /usr/lib/python3/dist-packages (from requests>=2.27.1->onionprobe) (2.10)
Installing collected packages: onionprobe
Successfully installed onionprobe-0.3.2
$ onionprobe -e http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion
2022-05-11 13:22:58,482 INFO: Starting Onionprobe version 0.3.2...
2022-05-11 13:22:58,485 INFO: Initializing Tor process...
2022-05-11 13:23:01,668 INFO: Onionprobe is initialized. Hit Ctrl-C to interrupt it.
2022-05-11 13:23:01,669 INFO: Processing http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion...
2022-05-11 13:23:01,669 INFO: Trying to get descriptor for 2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid.onion (attempt 1)...
2022-05-11 13:23:03,630 INFO: Unable to import the cryptography module. Because of this we'll be unable to verify descriptor signature integrity. You can get cryptography from: https://pypi.org/project/cryptography/
UnboundLocalError("local variable 'inner' referenced before assignment")
2022-05-11 13:23:03,630 INFO: Error while receiving a control message (SocketClosed): received exception "read of closed file"

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto

tpo.py fails with an AttributeError exception
https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/issues/42
Updated: 2022-05-11T15:21:20Z
Author: anarcat

i tried to run tpo.py without arguments since i don't have the magic configuration file we expect in https://gitlab.torproject.org/tpo/tpa/team/-/issues/40717#note_2796985:
```
exec { 'onionprobe-refresh-config':
  command => '/usr/share/doc/onionprobe/examples/tpo.py /srv/puppet.torproject.org/puppet-facts/onionbalancev3-services.yaml /etc/onionprobe/tpo.yaml',
  creates => '/etc/onionprobe/tpo.yaml',
  user    => 'root',
}
file { '/etc/onionprobe/tpo.yaml': # or tor.yaml if we don't mind overwriting a file shipped by the package
  ensure => 'present',
  owner  => 'root',
  group  => 'root',
  mode   => '0644',
  notify => Service['onionprobe'], # defined elsewhere together with the package and the /etc/default/onionprobe config
}
```
unfortunately, it just crashes:
```
root@hetzner-nbg1-02:~# /usr/share/onionprobe/examples/tpo.py
Traceback (most recent call last):
File "/usr/share/onionprobe/examples/tpo.py", line 161, in <module>
instance.build_onionprobe_config()
File "/usr/share/onionprobe/examples/tpo.py", line 132, in build_onionprobe_config
self.config['shuffle'] = False
AttributeError: 'TPOSites' object has no attribute 'config'
```
boom! boom! whoohoo! :smile:

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto

Encrypted storage
https://gitlab.torproject.org/tpo/onion-services/onionmine/-/issues/3
Updated: 2022-06-16T17:34:41Z
Author: Silvio Rhatto

Support for encrypting pools into a password storage such as those mentioned at the [evaluate password management options](https://gitlab.torproject.org/tpo/tpa/team/-/issues/29677) ticket.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto
Due date: 2022-06-16

Keypair testing
https://gitlab.torproject.org/tpo/onion-services/onionmine/-/issues/2
Updated: 2022-05-17T21:22:24Z
Author: Silvio Rhatto

An Onion Service key is created by Onionmine using an external tool and should be tested:
* Check the quality of generated keys is needed.
* How to properly test ed25519 keys?
* Do keys generated by `mkp224o` pass the criteria?
This issue tracks the support for testing a given candidate keypair by Onionmine, check if it works well as an Onion Service.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto

Onionprobe: Debian package
https://gitlab.torproject.org/tpo/onion-services/onionprobe/-/issues/4
Updated: 2022-05-10T20:26:05Z
Author: Silvio Rhatto

Create a Debian Package for Onionprobe:
* [x] Work on an initial packaging implementation.
* [x] Systemd service unit file.
* [x] Provide a `README.Debian` explaining about the system-wide service and why it's not enabled by default, along with a link for the upstream documentation.
* [x] Upload the package into the private TPA-only repository.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto
Due date: 2022-04-21

Onionprobe testbed using TPO onion sites
https://gitlab.torproject.org/tpo/tpa/team/-/issues/40717
Updated: 2023-06-30T19:05:40Z
Author: Silvio Rhatto

Integrate Onionprobe into Tor's Prometheus instance to monitor https://onion.torproject.org sites (and optionally other .onions for comparison).
This could not only help Onionprobe development but also be a test environment for monitoring the quality of service of onion services maintained by Tor.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: anarcat
Due date: 2022-04-01

Onionprobe testbed using TPO onion sites
https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/59
Updated: 2022-04-06T18:25:14Z
Author: Silvio Rhatto

Integrate Onionprobe into Tor's Prometheus instance to monitor https://onion.torproject.org sites (and optionally other .onions for comparison).
This could not only help Onionprobe development but also be a test environment for monitoring the quality of service of onion services maintained by Tor.

Milestone: Sponsor 123: Tor Secure Access Package for USAGM [First Phase]
Assignee: Silvio Rhatto
Due date: 2022-04-01

retire tpa-bootstrap-01
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41174
Updated: 2023-06-27T14:32:16Z
Author: anarcat

now that dal-rescue-01 is online (#41135), we can retire the tpa-bootstrap VM.
* [x] announcement
* [x] nagios
* [x] retire the host in fabric
* [x] remove from LDAP with `ldapvi`
* [x] power-grep
* [x] remove from tor-passwords
* ~~[ ] remove from DNSwl~~
* [x] remove from docs
* [x] remove from reverse DNS

Milestone: trusted high performance cluster (gnt-dal migration)

dal-rescue-01 deployment
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41135
Updated: 2023-05-17T19:15:47Z
Author: anarcat

dal-rescue-01 has been setup (#41058) and is ready for deployment at the datacenter. coordinate with quintex to operate the following deployment procedure:
1. [x] ship dal-rescue-01 to the datacenter by TPA
2. [x] dal-rescue-01 delivered to Quintex
   1. [x] agree on a plan with quintex
3. [x] dal-rescue-01 online, connected to the three VLANs by Quintex
4. [x] access to dal-rescue-01 confirmed by TPA
5. [x] change the IP address of each OOB interface, one by one:
   1. [x] dal-node-03
   1. [x] dal-node-02
   1. [x] dal-node-01
   2. [x] chi-node-14
   1. [x] dal-sw-01
6. [x] Quintex disconnects the OOB switch from the VPN network, now completely isolated behind dal-rescue-01
7. [x] do one final round of testing
8. [x] one last dal-rescue-01 reboot

Milestone: trusted high performance cluster (gnt-dal migration)
Assignee: anarcat
Due date: 2023-05-16

migrate CiviCRM machines to gnt-dal
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41109
Updated: 2023-05-30T12:48:42Z
Author: anarcat

the crm-int-01 machine is having load/performance issues (e.g. https://gitlab.torproject.org/tpo/web/civicrm/-/issues/97 and others). let's see if we can alleviate that by moving it to the new gnt-dal cluster.
i believe that should also involve moving the crm-ext-01 machine, since it's closely related.
@lavamind do you think we have everything ready in Puppet to enable migrations between gnt-fsn and gnt-dal? would you be interested in performing such migration, to see if my documentation works okay?
ETA i gave @mathieu in the other ticket is "one-two weeks".

Milestone: trusted high performance cluster (gnt-dal migration)
Assignee: Jérôme Charaoui (lavamind@torproject.org)
Due date: 2023-05-28