The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-02-07T15:55:26Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41473
consider enforcing 2FA across gitlab
2024-02-07T15:55:26Z
anarcat

In #41470, we investigated the impact of an [authentication bypass in GitLab](https://about.gitlab.com/releases/2024/01/11/critical-security-release-gitlab-16-7-2-released/#account-takeover-via-password-reset-without-user-interactions) ([CVE-2023-7028](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7028)). One of the key takeaways is that 2FA renders the attack mostly moot. This makes this group (tpo/tpa) immune to it, but not all users benefit from this.
We should consider enforcing 2FA more broadly here. One likely first target would be tpo/web, which has only a handful of users without 2FA (one of which was @gitolite-merge-bot, whose access was removed in #41469). But we could broaden this to all of tpo.
Thoughts, @gaba, @lavamind ?

Jérôme Charaoui lavamind@torproject.org
2024-02-05

https://gitlab.torproject.org/tpo/community/policies/-/issues/16
Write a proposal for acceptable/unacceptable sustainability/incentivization of relay operations
2024-03-13T14:33:03Z
Georg Koppen

Following the ATOR incident we should write a proposal about what we expect from schemes claiming to enhance the sustainability of relay operations by providing (a bunch of) incentives. For some recent blog post around this topic, see: https://blog.torproject.org/tor-network-community-health-update/

Gus

https://gitlab.torproject.org/tpo/team/-/issues/243
Setup weekly meetings with team leads
2024-01-29T21:02:09Z
bella bella@torproject.org

- Schedule weekly meetings with @gus, @donuts and @richard
- Introductions, roles and expectations, preferred forms of communication.

bella bella@torproject.org
2024-01-18

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41420
Pipeline housekeeping for tpo/core/debian/tor project
2023-12-12T15:29:52Z
Jérôme Charaoui lavamind@torproject.org

As a follow-up for https://gitlab.torproject.org/tpo/tpa/team/-/issues/41402#note_2970105 I would like to propose that daily-scheduled CI pipelines that build supported branches in `tpo/core/debian/tor` be automatically deleted after 2 weeks.
There are currently three such schedules, and they each run daily, adding some ~50MB of logs. When CI artifacts cleanup is broken, they also each add ~250MB of artifacts.
Implementing this automatic deletion would:
- Significantly reduce the storage requirements for job logs (currently 13.80GB of job logs for these pipelines specifically)
- Help limit the impact of any GitLab regression causing CI build artifacts to accumulate
Artifacts and build logs for [CI pipelines that run on *tagged* commits](https://gitlab.torproject.org/tpo/core/debian/tor/-/pipelines?scope=tags) would not be affected, and still be kept indefinitely.
This can be implemented very easily using either a cron job or service/timer pair, to run the following shell command:
```
gitlab-rails runner "Ci::Pipeline.where(project_id: 1218, source: 'schedule', locked: 'unlocked').where('finished_at < ?', 2.weeks.ago).delete"
```
Unless further discussion is needed, I will implement this on Monday, December 11.
/cc @anarcat @weasel

Jérôme Charaoui lavamind@torproject.org
2023-12-12

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42292
Draw new icons for Telegram, web and email bridge channels
2023-12-05T00:58:18Z
donuts

Hey @nicob, see the "Telegram", "Web" and "Gmail or Riseup" bridge distribution channels at the bottom-left of this page: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42036/designs/lox-not-connected.png
The globe for "Web" makes sense as the default favicon that Fx uses, however could you draw custom icons in the Acorn style for Telegram (i.e. based on their paper plane logo) and Email (i.e. a standard mail icon) please?

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
nicob
2023-11-30

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42274
Draw a new "bridge-pass" icon for lox bridges
2023-12-04T20:33:23Z
donuts

I've just grabbed an icon from Material Symbols and rotated it 45 degrees as a placeholder in these designs: [Figma / Tor Browser 13.5 / lox](https://www.figma.com/file/rWgMwiiFTDFp4ujuP3PKbq/Tor-Browser-13.5?type=design&node-id=151%3A9289&mode=design&t=wDYnw2iq2A868OmH-1) (see the top-right of the bridge card for lox bridges). Could you draw a custom icon based on this please @nicob?

Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
nicob
2023-11-30

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41396
Help operations team use the submission server
2024-03-13T19:43:23Z
micah micah@torproject.org

Many folks on the ops/moneymachine teams are having email problems, and while it may not be the only problem, one of the issues is that many of them are not using the tor submission server.
They aren't using it often because they don't have a LDAP account in order to set up a submission password.
I've talked with @anarcat and @lavamind about this and @smith has shared with @lavamind a spreadsheet that has each person's individual state.

Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser/-/issues/58
Estimate DB grow rate over time
2023-11-30T14:16:53Z
Hiro

We should estimate how the network grew over time since we are collecting data in order to have an idea of how much space we will need for the DB we are building.
See: https://gitlab.torproject.org/tpo/tpa/team/-/issues/41372#note_2959888

Hiro

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41373
please update my key in the TPA keyring
2023-11-07T15:39:49Z
iwakeh

My key is available here:
https://keys.openpgp.org/search?q=iwakeh%40torproject.org
or
https://pgp.mit.edu/pks/lookup?search=iwakeh%40torproject.org&op=index
Many thanks,
iwakeh

anarcat

https://gitlab.torproject.org/tpo/team/-/issues/225
Review priorities for next year for each team
2023-12-07T19:20:01Z
Gaba gaba@torproject.org

@micah @meskio @richard @donuts @gk @ahf @anarcat I'm sending you all invites to meet the first week of December to discuss priorities.

Gaba gaba@torproject.org
2023-12-08

https://gitlab.torproject.org/tpo/core/tor/-/issues/40871
Tor incorrectly stores stats on incoming PT connections
2023-12-10T21:38:18Z
Alexander Færøy ahf@torproject.org

@trinity-1686a and @dcf discussed this issue on tor-dev@ in https://lists.torproject.org/pipermail/tor-dev/2023-October/014858.html
It seems like we have a bug after we updated our connection tracking code to track incoming connections earlier. We don't handle the transport name parameter of our eager call to `geoip_note_client_seen()`.
@trinity-1686a may potentially have a patch for this. I think it would be good if we could get some testing on this before we merge it.
Would you be up for running your Tor instance with a patch that potentially fixes this issue, @dcf ?

Tor: 0.4.8.x-post-stable
trinity-1686a

https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40101
Advanced Search on relay search has selected the obfs4 transport as default
2023-10-25T10:49:28Z
Georg Koppen

After the fixes for https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40093 landed our Advanced Search regressed as the obfs4 transport is selected by default. In fact, there is no option to *not* include any transport at all. If I want to just see all relays that joined during the last 7 days I am not executing something like https://metrics.torproject.org/rs.html#search/type:relay%20first_seen_days:0-7%20transport:obfs4?fields=transports, which, somewhat surprisingly, gives 0 results.
We should have by default something like `Any` for the transports, I guess.

Georg Koppen

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41330
Create a `lox` user on rdsys-frontend-01
2023-10-23T18:30:48Z
Cecylia Bocovich

On the rdsys-frontend-01 machine, we're going with the plan to create a user per service and setup systemd for that user (see https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/167#note_2943424). We're planning to deploy the lox distributor and would like a user for that service.
cc @meskio @onyinyang

anarcat

https://gitlab.torproject.org/tpo/community/hackweek/-/issues/13
Onion MkDocs tryout
2023-11-30T16:16:40Z
Silvio Rhatto

# About the project
* Contact: @rhatto
* Chat: #tor-dev on `irc.oftc.net`
* Video room: to be defined.
# Participants
- @rhatto
- @gus
- etc
# Summary
This is a proposal to try [Onion MkDocs][] for documenting things at Tor.
[Onion MkDocs]: https://rhatto.pages.torproject.net/onion-mkdocs/
## Project A - Support
* [x] Provide support for people/teams that want to convert their wikis
to or have docs for their projects using [Onion MkDocs][].
* [x] Improve [Onion MkDocs][] stylesheet, plugins etc.
* [x] Improve [Onion MkDocs][] documentation.
## Project B - Convert
* [x] Convert some GitLab wikis to GitLab pages using Onion MkDocs:
* [x] Overview:
https://gitlab.torproject.org/tpo/tpa/team/-/issues/41119#note_2898441
* [x] Candidates for merge requests:
* [x] The Hackweek project itself:
https://gitlab.torproject.org/tpo/community/hackweek, with site now available
at https://tpo.pages.torproject.net/community/hackweek/
* [~] Onion Support Wiki:
https://gitlab.torproject.org/tpo/onion-services/onion-support/. To be done on Project C below.
* [x] Tor Policies repository:
https://gitlab.torproject.org/tpo/community/policies/-/issues/3
## Project C - Investigate
* [x] Investigate how Onion MkDocs could be a [TPA-RFC-38 wiki replacement (#40909) · TPA / TPA team](https://gitlab.torproject.org/tpo/tpa/team/-/issues/40909) ([tpa rfc 38 new wiki service](https://gitlab.torproject.org/tpo/tpa/team/-/wikis/policy/tpa-rfc-38-new-wiki-service)):
* [x] One approach would be to create a script that imports content from some existing GitLab wikis into a single Onion MkDocs instance, to see how it would like to have a convergent "documentation integration" place. How it could be structured? Could it be easily searchable? What would be the best practices for this?
# Skills
Some knowledge in the following technologies may be needed in order to participate:
* Git/GitLab.
* Markdown.
* Basic scripting (Python, shell).
# Links

Hackweek 2023
Silvio Rhatto
2023-11-09

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42095
Implement Android application icons
2023-10-04T18:44:55Z
nicob

Tor Browser application icons have gotten a refresh from the UX & Design team! Can we push these new assets to TB for **android** as well please? @dan would you mind taking a look at what I'm sharing in this folder for stable and whether this is sufficient or overkill for what assets you need? These are exports directly from an official Google Material 3 template on figma, but last time we tried to do this for another project, we came across some issues on the implementation side. If these look good, I'll go ahead and export for alpha and nightly too :)
android app icons (all releases): [Nextcloud](https://nc.torproject.net/s/BiFJzyTdmf7N8c5)

clairehurst

https://gitlab.torproject.org/tpo/web/donate-static/-/issues/120
disable donate onion site and remove onion location header
2023-08-30T18:00:40Z
Kez

donate's onion site hasn't worked for at least a few years. it wasn't working when i started working on donate 2 years ago. the remnants of the onion site code in the donate middleware uses v2 onion URLs, so it probably hasn't worked for even longer than 2 years.
since we plan on deprecating the current donate site in favor of donate-neo, we're going to deprecate the onion site now so that TBB users aren't misled into thinking the onion site works. those users should still be able to donate through stripe, paypal, btcpay, or through our crypto wallets.
i don't have a proper estimation for this ticket, but it'll probably take a few days to a week at most. the most time consuming part will be finding where the onion site is configured, actually removing it should only take an hour or two.

Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41279
Enable s3 storage for runners
2023-09-25T15:03:43Z
micah micah@torproject.org

Now that [minio s3 storage is setup](https://gitlab.torproject.org/tpo/tpa/team/-/issues/41257) it would probably be worth setting up the runner cache to use the s3 storage, which will make the cache available to all runners.
It's a fairly simple change to the runner's `config.toml`, something like the following works:
```
[[runners]]
name = "xxx"
output_limit = 10240
url = "https://xxx"
id = 0
token = "xxx"
token_obtained_at = 0001-01-01T00:00:00Z
token_expires_at = 0001-01-01T00:00:00Z
executor = "docker"
pre_clone_script = "umask 022"
pre_get_sources_script = "umask 022"
[runners.cache]
Type = "s3"
Shared = true
MaxUploadedArchiveSize = 0
[runners.cache.s3]
ServerAddress = "objects.torproject.org"
AccessKey = "gitlab"
SecretKey = "xxx"
BucketName = "gitlab-runner"
BucketLocation = "seattle"
[runners.docker]
tls_verify = false
image = "docker:stable"
privileged = true
disable_entrypoint_overwrite = false
oom_kill_disable = false
disable_cache = false
volumes = ["/certs/client", "/cache", "/run/docker.sock:/run/docker.sock"]
shm_size = 0
```

Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40093
search by transport
2023-10-04T10:50:49Z
meskio meskio@torproject.org

It would be really useful to be able to search for bridges by their transport in the relay search.

Hiro

https://gitlab.torproject.org/tpo/network-health/metrics/website/-/issues/40092
Add new Pluggable Transports source stats
2023-09-27T13:14:09Z
Gus

The AC-Team is developing two new PTs: WebTunnel and Conjure.
Could you add their visualization on the Metrics website?
- https://metrics.torproject.org/userstats-bridge-transport.html

Hiro

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/211
Change "Mullvad Browser Home" to "New tab"
2023-10-03T13:30:01Z
ruihildt

At some point, it was decided to use "Mullvad Browser Home" when opening the browser.
I don't see what it adds not to simply call it "New tab", which it is.
It's also the default in Chrome, Brave, Firefox.
CC @donuts

henry