The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-06-17T00:40:36Z

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/47
Add issue template to all TPO repos
2022-06-17T00:40:36Z
Gaba gaba@torproject.org
We can add templates for how issues are being created to improve the information we have about a specific issue.
On gitlab templates: https://docs.gitlab.com/ee/user/project/description_templates.html
Proposal: https://gitlab.torproject.org/gaba/sandbox/-/issues/new
Core
- [x] arti
- [x] tpa
- [x] tor
- [ ] applications
- [ ] community
- [ ] network health
- [ ] ux
- [ ] anti-censorship
- [ ] web
- [ ] metrics

https://gitlab.torproject.org/tpo/anti-censorship/bridge-port-scan/-/issues/1
/scan/ URL requires a trailing slash
2020-07-02T00:54:18Z
David Fifield dcf@torproject.org
During the [2020-06-30 Internet Measurement Village talk](https://www.youtube.com/watch?v=g6xEfNHkFKY), participants in chat tried to access a URL that doesn't work:
* https://bridges.torproject.org/scan ([archive](https://web.archive.org/save/https://bridges.torproject.org/scan)) gives status 404
It only works if you include the trailing slash:
* https://bridges.torproject.org/scan/ ([archive](https://web.archive.org/web/20200630152455/https://bridges.torproject.org/scan/))

https://gitlab.torproject.org/tpo/anti-censorship/bridge-port-scan/-/issues/2
Make HTML use our torproject.org CSS style
2022-01-20T21:31:11Z
Philipp Winter phw@torproject.org
Our static CSS files are available here: https://gitlab.torproject.org/tpo/web/lego/-/tree/master/assets
The site is in https://bridges.torproject.org/scan
Sponsor 30 - Objective 2.2

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40021
Consider protecting against webextensions with "proxy" permissions
2023-01-05T17:38:50Z
Alex Catarineu
AFAIK, if a user installs a webextension with "proxy" permissions it may result in proxy bypass. We don't support nor encourage users installing extensions, but given how critical are proxy bypasses it might be a good idea to try to make sure that no webextension can cause one.

https://gitlab.torproject.org/tpo/network-health/exitmap/-/issues/1
Port exitmap to Python3
2023-03-01T16:13:21Z
Philipp Winter phw@torproject.org
Exitmap is written in Python 2. Given Python 2's end of life, it's a good time to port the code base to Python 3. For the most part, this should be an easy task but [the way exitmap monkey-patches Python's socket API](https://gitlab.torproject.org/tpo/network-health/exitmap/-/blob/master/src/command.py#L37) may require a closer look: when I attempted a port a few years ago, this is where I got stuck.
Kushal Das

https://gitlab.torproject.org/tpo/core/tor/-/issues/40053
Verbose bootstrap logging
2020-10-20T13:05:43Z
Damian Johnson
Tor should strive to some extent for its warn runlevel logging to be understandable by non-techies. Startup with the current git tip sometimes warn about 301 redirects:
```
Jul 19 16:09:49.163 [warn] Received http status code 301 ("Moved Permanently") from server 94.130.186.5:80 while fetching "/tor/server/d/9F300A9D1EC61AD61E89C3BE8363E7AD741C021A+9F3E1D574F6A0F031288F03E814CDA6DEF99DA6B+9F43F95166272EBC78380E9D80D54F0D065E79B1+9F4B18D9F1151BB984C303284E34B684E94D34F3+9F4F31E957CCE77C741FBF5B5E56933C9182EBE8+9F509520BD93D6C7F0C619CA5F7DB5C56DBB2B1B+9F5CC78A6034A7CF6834F2136D6569BC9DD9B50D+9F63F117EBDD957F1C199B6EA5FD6072E2E1625B+9F6E909102173C9BBD3D56CC57069E8F56695BB9+9F734D22C8FEC4FF62D8F43BB416FB3F458EC266+9F74867E22731A0BA1429456B9B98511F72D5C9A+9FAA129A7742B8CC504D864C6C9C88C448DF7702+9FAFF25E5F4066C33D9E200A1B5945FDE65BFE68+9FB6B3E7F446E71E3B0099F20188B0A39B0D8799+9FBC599DCE4105781D97343E1E2BA1BF89329240+9FC26FF923367B89050AC97C951537ADDB4CDAE8+9FDC14A920F3CC4CFB5AB119E52D7FD946D170F5+9FDC58A314EA64D84E113BC772BCC654F33424A3+9FE950F8ACC5FC5AECD9F17E1D0FF32D4F414154+9FF2E49FBEE581F460BE708BBFEB2265C6C1A0E7+9FF489559C5C50A86E00E23736DA6C22B97B30BD+9FFA264DB99F6FD43853C82A412310CC7161989D+9FFE39D33104591594063026FA4C2029EB9151AC+A00AF4DB2355FAB4DBFA577B397F5EC3B070C889+A014E05B39F03416F8BD7A716B5A717B1C784E6B+A018338DEDF556261EE8193EE06FAD3165A8B2BC+A0342DD22627F828550F7652A5C4635440F2E1BA+A036A55293285EEA8C13C4015452E4823807F52F+A044DE324466700F3A4D665CE04B72F9282DA876+A05044D36ABED05D49E5F3F563041D4A0D87DF4A+A05F5F615CBD6671A3A58F4D046214640BA13366+A06DD0D81CA23DE856B174F09C2E083F03C24FCF+A074C7A35D755D88B9F65F09B2A970A8478C6D3E+A074D1041CD337C4633BFB1B2C0E96C6A1A24C7E+A07C18B82D3D198CDEEAD5EE2079C52A231E61F8+A098916130C7A38A70584CB31CCCAFFF988CAFE5+A0A4E497B4651DDB10CE854E438035AC9851B519+A0A5F6BB05503A4853C6A28DF7B42447717FD178+A0A76D57576484E44BC32A816F475BF9B711CEC4+A0B136A0D18C19BDF9712F4132622B40F2E7BA2E+A0B29AEE21DF9D1FB4493442B4E0C10EFCFA5CCF+A0B4606B325FCB5172CB4AABCB73794999326CAF+A0B707AFD2431ECD30D66772E931B11CCE2487C8+A0C1B9FEFC5C0E78E3B6AB8E0CCDA80222AB0D5F+A0C6C655A11B003FAB55B5FB7FC6F37A5449FB1D+A0CD92573CBC2DDA14
913A3381B11A00BE27057E+A0D4116CFD13135C051475FE9DC29635AACA8412+A0D9E8D87327778B96EEB82233AD0EE43505123A+A0E100FC2C67FB250FE9DEC3BC7072ABF14E41AC+A0EEF1B60485BB42D0C13484883FD76444870255+A0F9F8C62E3470D9FD7B4386A4D887423B568B9A+A100E113328B1EEA331FD04443CE070CBE6A9675+A119EEEF6F0AB3EBA493576E870611580C6F7721+A12067A6C1DBBA91EEBE3AE82273F3AC59D1A85D+A122DA57D0C0480149588B3E2E43EEBE6982E047+A13923A0764D7FB4131E66184AC9CA6ECE36D752+A13F18CFCC1ED297B2A5806CA0C845CE9D67FF53+A146E72AE2B145D4F99AE5B19F2A6CA62FE61585+A14A466D6CA94BE3C5852A773E95096489C95AB8+A162BB7A03DD034FDB6544203EB7AD5309F1EA66+A165FA2D707880FFD6C8D3EF438D8F2F08CA54A1+A16675B3DB81C9348C954E884735E0E801B473F4+A17719E267538F021940B45EE4B23B7E6721AE21+A17C8A27CF2A4452C1430A10413824D1158B0642+A189538F6F91CD26B8CDA1D140EA24E6977AD11F+A18AA6DABD116556908D889BA5CCC40D1ADAB9F4+A195347CED171375DD41F1BFC2FE647B05AB7F9F+A1956D69DB13A86E9A837FCBB77CAFE084B3ED8C+A19BB6E20CB005986C4FBC53B7B9F31144BB51F5+A1A2E24A951ACBEB93899C66E3A3386C9034EF2A+A1A5534DD78833658DBF7CCE623F8D04D3AE4344+A1A6183299D844467ADCED00E6BE5094F5EEA591+A1A770915E955AADF9CAB8F3EA0BFF482EA8B80A+A1B3722EB7492AFAA504BAAA47D66930D35EAD85+A1B9B76223FCBF4A36D7AD92BA08BBDDC00A7EFD+A1C667169BC4E2A08AA04BE813D92D2641740559+A1D2F9030072F26180518868F349FF1947EA7EE7+A1E13EAE9FC084CBE8849B2FC8B1A10B17C23413+A1E67EA2570CEC3E1EC22359C820013490AFBB3C+A1E8DB09047F9AB6F05B11B4F587D7F4EBB325C2+A1FC4B0C821FF812F35C2AC65C44AAA7F06298A5+A202EFC3C1E0D04A8EF1E103E34139686119986A+A23A9005362C460C6B09CA70C175696DD0232514+A23CDB0CF5D3881764C45746F5AFE5F5B145B141+A23E04FAA93C49809EE3B7BD5DEF5DF5821C2CA9+A2415C2252CB41CCBB5DDA6F4563889A080E3A3D+A242A7689749C03418BEA95351F26E19B9AC34DC+A25F0EA85A30739901F77B34C66D3185AD93E7EA+A26246CCB78529EE1BDF8A7F2E94F809F1A11587+A27D214B43AFDFB2D2BBA64D4775D8C9437993FD+A285A9939B0175C73748F900CD04C37CBE434ADC+A28B072B072FE5352C632B58E170711BB9E2191E+A28BECE82E9487E1BA09BF42599D9F54CE2D896E+A28F025D7973AC4CF7204392A9074606A422E372+A2903E400
32786A7A730B34669E8DA885E7B169A+A29A2CED54EFCDF3A6E832CA0FEAD07319638103.z". I'll try again soon.
```
This has a couple issues:
1. These urls are huuuuuge and incomprehensible to anyone but us.
2. Are redirects really a problem we should warn about?
Roger discovered that these redirects are being produced by one of our fallback directories.

https://gitlab.torproject.org/tpo/tpa/gitlab-lobby/-/issues/5
secrets should not be in public version control
2022-05-30T19:11:49Z
Nick Mathewson
Instead of having the secrets put in a settings.py file, they should be in some other file that settings.py references. This other file should not be under version control in our public repository.

https://gitlab.torproject.org/tpo/core/chutney/-/issues/40009
Add a stub geoip file for chutney networks
2022-02-07T19:31:37Z
Nick Mathewson
For Chutney networks, it would be handy to have geoip files for IPv4 and IPv6. Since all chutney relays are on localhost in our networks, the geoip files should map localhost to a make-believe country code.

https://gitlab.torproject.org/tpo/anti-censorship/docker-obfs4-bridge/-/issues/1
Make image more configurable
2021-04-12T14:58:25Z
Philipp Winter phw@torproject.org
Some operators want to set more advanced tor config options like:
* `BandwidthRate` and `BandwidthBurst`
* `BridgeDistribution`
* ...?
We should make it possible to pass these to the docker image. Instead of predicting what options our operators would like, it would be great if we could pass arbitrary config options to the image. Once this is done, let's not forget to update our [docker bridge setup guide](https://community.torproject.org/relay/setup/bridge/docker/).

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40100
Tor Browser waits for the page to fully finish loading before showing Onion Location pill
2023-03-02T16:23:08Z
Roger Dingledine
I just loaded a nytimes.com page, and it had a bunch of little tracking/whatever links embedded in it. It took 30 seconds or something for one of those extraneous links to finish loading. The browser had rendered (most of) the page quite early in that 30 seconds, but the purple Onion-Location pill didn't show up until the page had entirely and completely finished rendering.
We knew there was an onion-location header when we got the headers for the main html response, so we knew very early in the process. Does that mean we can put up the pill (or automatically switch, if that's what the user has configured) much earlier too?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40111
Rename "OS X" to "macOS"
2022-08-22T16:32:08Z
Georg Koppen
We should go over our patches and rename every "OS X" instance to "macOS". Apple changed the name in 2016 with 10.12 (which is the minimum supported version after ESR 78) and there is macOS 11 in beta (thus no X anymore). Thanks to a cypherpunk for pointing that out.

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/4
Build API that lets resources register themselves
2022-08-30T18:24:51Z
Philipp Winter phw@torproject.org
Rdsys supports both a push and pull-based model to ingest resources. So far, we only read Tor's cached-extrainfo file (which comes from the bridge authority). Let's build an API that allows systems like HTTPS Proxy to register themselves. There's a diagram over at tpo/anti-censorship/rdsys#3, which shows the big picture:
![Rdsys's architecture](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/uploads/8d3021a46a656585fb02431b4ef77b81/BridgeDB-NG.png "Rdsys's architecture")
This issue concerns the arrow that's labeled with "Publish bridge line."
Sponsor 30 - Objective 2.3
Philipp Winter phw@torproject.org

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/5
Implement persistence mechanism for resources
2021-01-15T22:45:17Z
Philipp Winter phw@torproject.org
Rdsys's backend currently does not write anything to disk. Let's implement a persistence mechanism that allows rdsys to write its resources to disk so that they can persist across restarts. I suggest starting with a simple serialisation format like Golang's [gob](https://golang.org/pkg/encoding/gob/). Bridgestrap [does something similar](https://gitlab.torproject.org/tpo/anti-censorship/bridgestrap/-/blob/master/tor.go#L86).
Sponsor 30 - Objective 2.3
Armin Huremagic

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/6
Implement integration tests
2023-11-02T11:08:42Z
Philipp Winter phw@torproject.org
Let's figure out a way to implement integration tests for rdsys. Here's a simple suggestion for a simple shell script:
1. Write a simple cached-extrainfo file to disk.
2. Start the backend.
3. Start the HTTPS distributor.
4. Use curl to fetch bridges from the HTTPS distributor.
5. Make sure that the bridges are the same as those in the cached-extrainfo file.
There are probably smarter ways to accomplish this. Let's make sure that our integration tests are lightweight and can be run as part of a continuous integration test infrastructure.
Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
meskio meskio@torproject.org

https://gitlab.torproject.org/tpo/core/tor/-/issues/40119
Tor fails to build on Ubuntu Groovy Gorilla: -Wextra-semi only used for Obj-C and C++
2022-11-03T19:44:58Z
Alexander Færøy ahf@torproject.org
@weasel reported the following error today on `#tor-dev`: https://jenkins.torproject.org/job/tor-ci-linux-master/4880/
The error seems to be:
```
cc1: error: command-line option '-Wextra-semi' is valid for C++/ObjC++ but not for C [-Werror]
cc1: all warnings being treated as errors
```
As seen in: https://jenkins.torproject.org/job/tor-ci-linux-master/4880/ARCHITECTURE=amd64,SUITE=groovy/consoleText
We should probably disable `-Wextra-semi` as this seems to only apply for C++ and Objective C.
Alexander Færøy ahf@torproject.org

https://gitlab.torproject.org/tpo/web/community/-/issues/213
Come up with a better terminology for bridges
2021-10-27T13:31:53Z
Philipp Winter phw@torproject.org
Our terminology for bridges is confusing:
* *Private* bridges are bridges that BridgeDB doesn't know about. Users may mistakenly conclude that if a bridge isn't private, it must be public, which is incorrect. Suggestions for other terms: unshared, exclusive, unlisted, unknown.
* *Default* bridges are part of Tor Browser. Conceptually, default bridges are more like obfs4-enabled guard relays. Suggestions for other terms: built-in (we may have been using that term occasionally), standard, public.
* We don't have a consistent term for bridges that are distributed by BridgeDB/rdsys. Perhaps we don't need a term because that's the default?
How can we improve the situation?
Copying @cohosh, @antonela, @arma, and @gus.
# Update
proposal is to change this terminology **everywhere**
- default bridges -> built-in bridges
- will not do private/public bridges anymore
- private bridges -> secret bridges
- public bridges -> distributed bridges
Everywhere means:
- [ ] documentation - needs tickets in each portal
- [ ] [Browser's UI](tpo/applications/tor-browser#40623)
- [ ] Code - needs ticket
Sponsor 30 - Objective 2.2
Gus

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/8
Come up with a better terminology for bridges
2021-06-10T14:14:46Z
Philipp Winter phw@torproject.org
Our terminology for bridges is confusing:
* *Private* bridges are bridges that BridgeDB doesn't know about. Users may mistakenly conclude that if a bridge isn't private, it must be public, which is incorrect. Suggestions for other terms: unshared, exclusive, unlisted, unknown.
* *Default* bridges are part of Tor Browser. Conceptually, default bridges are more like obfs4-enabled guard relays. Suggestions for other terms: built-in (we may have been using that term occasionally), standard, public.
* We don't have a consistent term for bridges that are distributed by BridgeDB/rdsys. Perhaps we don't need a term because that's the default?
How can we improve the situation?
Copying @cohosh, @antonela, @arma, and @gus.

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/71
Send commits to mailing list(s)
2022-10-31T14:01:56Z
Alexander Færøy ahf@torproject.org
The browser folks wants us to enable commit emails from fenix and other TB related repositories to their commit mailing list. We should find a way to do this in a structured way for the tpo/ namespace such that all our projects (also upcoming) gets these hooks enabled.
For now, we need to get Fenix and Tor-Browser.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40144
about:privatebrowsing Firefox branding
2023-02-22T11:40:50Z
Password is "Cypherpunks Write Code" without quotes cypherpunks@mailinator.com
about:privatebrowsing contains Firefox branding instead of Tor Browser one
Sponsor 131 - Phase 2 - Privacy Browser
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40145
Investigate alt-svc validation and cache eviction
2023-11-27T08:30:55Z
Matthew Finkel
After connecting to a site that sends an alt-svc onion header (such as a site fronted by Cloudflare), Tor Browser receives an alt-svc. When Firefox receives an alt-svc, it establishes a connection with it as verification that it is useful and usable. There seems to be a bug in Firefox (or Tor Browser) where this verification continues indefinitely, regardless of whether the original site is still open.
I'm not sure if this is because every response from Cloudflare's IP address site may return a different alt-srv, and Tor Browser connects with the IP address when the alt-srv connection fails or the connection cache is bypassed, therefore Tor Browser creates a very long lists of sites it should contact and verify. Or, maybe Tor Browser enters an infinite loop (or finite but sufficiently large in size) of testing the alt-srv's in its list, and never marks them as valid. I'm not sure why this is happening.
However, the most problematic and concerning result is that Tor Browser continually tries connecting with these sites long after any tabs for that site are closed.
Tor Browser: 11.0 Issues with previous release