The Tor Project issueshttps://gitlab.torproject.org/groups/tpo/-/issues2023-05-10T21:46:19Zhttps://gitlab.torproject.org/tpo/ux/research/-/issues/100Users find it difficult to differentiate between Tor Browser's various bridge...2023-05-10T21:46:19ZdonutsUsers find it difficult to differentiate between Tor Browser's various bridge optionsDuring usability testing of Connection Settings conducted in tpo/ux/research#52 & tpo/ux/research#78 participants who elected to select a bridge manually tended to try the various options at random.
For the most part, the options are pl...During usability testing of Connection Settings conducted in tpo/ux/research#52 & tpo/ux/research#78 participants who elected to select a bridge manually tended to try the various options at random.
For the most part, the options are placed in the order it's most useful to try them in:
1. Select a built-in bridge
1. obfs4
2. snowflake
3. meek-azure
2. Request a bridge from torproject.org
3. Provide a bridge manually
However we don't communicate that explicitly to the user.
The redesign conducted in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41080 also attempted to improve the UX by tidying away the inputs into separate dialogues, and by has provided extra space for descriptions to accompany each bridge option within the dialogues themselves. I think it would be worthwhile reviewing the descriptions added for built-in-bridges, looking for potential improvements, and to consider adding similar descriptions to the request a bridge and provide a bridge dialogues.Sponsor 30 - Objective 3.5https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41060Figuring out how to connect after configuring a bridge is a pain point2023-05-10T21:45:20ZdonutsFiguring out how to connect after configuring a bridge is a pain pointUsability testing of the Connection settings redesign conducted in https://gitlab.torproject.org/tpo/ux/research/-/issues/52 & https://gitlab.torproject.org/tpo/ux/research/-/issues/78 has highlighted a pain point: some participants foun...Usability testing of the Connection settings redesign conducted in https://gitlab.torproject.org/tpo/ux/research/-/issues/52 & https://gitlab.torproject.org/tpo/ux/research/-/issues/78 has highlighted a pain point: some participants found it difficult to figure out the next step after configuring a bridge. Often they seem to pause after clicking the blue `OK` button, presumably believing that this is enough to connect.
At present, these users need to either:
1. Scroll back up to the purple banner at the top of the page, and click `Connect` – or:
2. Return to `about:torconnect` and click `Connect` there.
However neither of these routes are obvious initially.Sponsor 30 - Objective 3.5NahNahhttps://gitlab.torproject.org/tpo/ux/research/-/issues/113Write and publish a public report for the usability findings during activitie...2023-06-07T18:44:29ZNahWrite and publish a public report for the usability findings during activities in Brazil, Ecuador and MexicoAs part of Sponsor 30, we are going to write a public facing report with the methods and findings from this project. The report will condense TGP, Tails and Tor's findings.
3.7.3: Anonymize research collected over the course of the proj...As part of Sponsor 30, we are going to write a public facing report with the methods and findings from this project. The report will condense TGP, Tails and Tor's findings.
3.7.3: Anonymize research collected over the course of the project and publicize report for the broader open source community.
- [x] Consolidate, condense and anonymize all feedback data.
- [x] Write a report to share our methods and findings with the community.
- [x] Publish and share reports with interested groups.Sponsor 30 - Objective 3.7donutsdonuts2023-05-31https://gitlab.torproject.org/tpo/core/tor/-/issues/40686SocksPort WorldWritable sets file mode to 755 instead of 6662022-12-14T15:47:28ZJeremy Sakladjeremy@saklad5.comSocksPort WorldWritable sets file mode to 755 instead of 666### Summary
Unix domain sockets that are configured to be WorldWritable have incorrect permissions. Such sockets are unusable as a result, since write access is needed for clients to work.
### Steps to reproduce:
1. Use a configuratio...### Summary
Unix domain sockets that are configured to be WorldWritable have incorrect permissions. Such sockets are unusable as a result, since write access is needed for clients to work.
### Steps to reproduce:
1. Use a configuration file with the following options, where `/usr/local/var/run/tor` is a directory with appropriate permissions:
```
SocksPort unix:/usr/local/var/run/tor/socks-group GroupWritable RelaxDirCheck
SocksPort unix:/usr/local/var/run/tor/socks-world WorldWritable
```
2. Run the following command to view their permissions:
```sh
stat /usr/local/var/run/tor/socks-group /usr/local/var/run/tor/socks-world
```
Note that listening on two sockets is **not** necessary to reproduce this bug: it merely makes it easier to see the difference.
### What is the current bug behavior?
Sockets with WorldWritable have the wrong permissions, in contrast to the correctly-implemented GroupWritable:
```
srw-rw---- /usr/local/var/run/tor/socks-group
srwxr-xr-x /usr/local/var/run/tor/socks-world
```
### What is the expected behavior?
```
srw-rw---- /usr/local/var/run/tor/socks-group
srw-rw-rw- /usr/local/var/run/tor/socks-world
```
### Environment
- Which version of Tor are you using? Run `tor --version` to get the version if you are unsure.
0.4.7.10
- Which operating system are you using? For example: Debian GNU/Linux 10.1, Windows 10, Ubuntu Xenial, FreeBSD 12.2, etc.
macOS 12.6
- Which installation method did you use? Distribution package (apt, pkg, homebrew), from source tarball, from Git, etc.
Homebrew
### Relevant logs and/or screenshots
N/A: even `Log debug` doesn't say anything beyond noting that a socket is successfully opened.
### Possible fixes
Investigate whether [this conditional statement](https://gitlab.torproject.org/tpo/core/tor/-/blob/28413e75605cc2d05a2a3e4c766bfbe0a47d848d/src/core/mainloop/connection.c#L1358-1362) is somehow causing an issue.Tor: 0.4.8.x-freezehttps://gitlab.torproject.org/tpo/community/hackweek/-/issues/28Public documentation about how we manage projects at Tor2023-11-30T16:16:39ZGabagaba@torproject.orgPublic documentation about how we manage projects at Tor# About the project
* Contact: Gaba
* Chat: #tor-project on `irc.oftc.net`
* Video room: https://tor.meet.coop/gab-tph-u9q-eo0
* Meet Monday, Tuesday, Wednesday, Thursday from 12UTC to 20UTC
# Participants
- Gaba
- You?
# Summary...# About the project
* Contact: Gaba
* Chat: #tor-project on `irc.oftc.net`
* Video room: https://tor.meet.coop/gab-tph-u9q-eo0
* Meet Monday, Tuesday, Wednesday, Thursday from 12UTC to 20UTC
# Participants
- Gaba
- You?
# Summary
We have some [outdated documentation](https://gitlab.torproject.org/tpo/team/-/wikis/process/How-we-do-project-management-at-The-Tor-Project) on how we do project management at Tor. We also have templates and checklists in Nextcloud about different parts of a project's lifetime. I would like to update and expand them to be more clear and all public.
# Skills
Experience working in a sponsored project a TPO.Hackweek 2023Gabagaba@torproject.orgGabagaba@torproject.org2023-11-09https://gitlab.torproject.org/tpo/community/hackweek/-/issues/27TPA issue templates2023-11-30T16:16:39ZanarcatTPA issue templates# About the project
* Contact: @anarcat
* Chat: #tor-admin on `irc.oftc.net`
* Video room: https://tor.meet.coop/ana-amp-2kq-z2o
# Participants
- @anarcat
# Summary
An ancient ticket in the TPA issue tracker has been found, and i...# About the project
* Contact: @anarcat
* Chat: #tor-admin on `irc.oftc.net`
* Video room: https://tor.meet.coop/ana-amp-2kq-z2o
# Participants
- @anarcat
# Summary
An ancient ticket in the TPA issue tracker has been found, and it is full of precious metals, behold https://gitlab.torproject.org/tpo/tpa/team/-/issues/29398. The idea is that many (MANY) tickets issued in TPA often require the same basic data. Want a server? How big? who's team? Your PGP key expired? Please ship the key, etc. We waste an inordinate amount of time collecting that information when people open new issues.
The task here is to setup those templates in the TPA issue tracker. The twist is that right now the TPA project doesn't have any code at all: it's a "wiki only" GitLab project, and the code is instead in the tpo/tpa/wiki-replica project, mirrored into the tpo/tpa/team wiki, which shows up as the frontpage for the project. We need to find a way to do this transition cleanly, probably by moving wiki-replica directly into tpo/tpa/team (in which case we lose the homepage) or some other sheninagan.
# Skills
Some experience with GitLab is important. Probably relevant only to TPA people, but other contributors are of course welcome!
# Links
* https://gitlab.torproject.org/tpo/tpa/team/-/issues/29398
* https://gitlab.torproject.org/tpo/tpa/wiki-replica/
* https://gitlab.torproject.org/tpo/tpa/team/Hackweek 2023anarcatanarcathttps://gitlab.torproject.org/tpo/community/hackweek/-/issues/24Public documentation about project design and grant writing process2024-01-11T17:32:09Zal smithPublic documentation about project design and grant writing process# About the project
* Contact: @smith
* Chat: #tor-internal on `irc.oftc.net`
* Video room: tbd
# Participants
- @smith
- etc
# Summary
- Write a guide on the process of project design and grant proposal writing
- Publish that ...# About the project
* Contact: @smith
* Chat: #tor-internal on `irc.oftc.net`
* Video room: tbd
# Participants
- @smith
- etc
# Summary
- Write a guide on the process of project design and grant proposal writing
- Publish that guide
- Create a template spreadsheet with guidelines on how to do estimations (@gaba, any interest in helping?)
We created an [overview of the grants process in Costa Rica and presented it in an in-person session](https://gitlab.torproject.org/tpo/team/-/wikis/Meetings/2023/2023-Tor-Meeting-Costa-Rica-Wiki/overview-of-how-projects-get-funded). We can use this to create something that's easier to read, more well-resourced, and easier to find.
# Skills
- Familiarity with the project design and grant writing process, either from a team participant side (e.g., someone from the network team who has been involved grant writing before) or from the design and writing side (e.g., someone form the money machine team).
# LinksHackweek 2023al smithal smithhttps://gitlab.torproject.org/tpo/community/hackweek/-/issues/21Spell checker CI for Markdown (and maybe other) files2023-11-30T16:16:39ZSilvio RhattoSpell checker CI for Markdown (and maybe other) files# About the project
* Contact: @rhatto
* Chat: #tor-dev on `irc.oftc.net`
* Video room: to be defined.
# Participants
- @rhatto (I'm proposing more than one project to the 2023 Hackweek, so I might end up participating in just one, de...# About the project
* Contact: @rhatto
* Chat: #tor-dev on `irc.oftc.net`
* Video room: to be defined.
# Participants
- @rhatto (I'm proposing more than one project to the 2023 Hackweek, so I might end up participating in just one, depending on other people interest in participate)
- etc
# Summary
This is a proposal to write a spell checking [GitLab CI/CD](https://about.gitlab.com/topics/ci-cd/) job (or a bot) to look for typos in Markdown files (and maybe other types).
## Project A - Writing
The first project in this proposal would be to actually write the spell checking routine.
Some existing solutions that can be evaluated and used, or being just a source of inspiration:
* [R2Devops - codespell](https://r2devops.io/marketplace/gitlab/r2devops/hub/codespell)
* [codespell-project/codespell: check code for common misspellings](https://github.com/codespell-project/codespell)
* [check-spelling/check-spelling: Spelling checker action to check spelling in repositories / pull requests / commits](https://github.com/check-spelling/check-spelling)
* [betrybe/code-spell-checker-action](https://github.com/betrybe/code-spell-checker-action)
* [CSpell | A Spell Checker for Code!](http://cspell.org/)
* [Documentation for Spelling - spell checker for CI!](https://spelling-dev.readthedocs.io/en/latest/)
It may also be important to find a way to reduce false positives.
## Project B - Integrating
In this project, the spell checker would be integrated into the following projects:
* [Onion MkDocs](https://rhatto.pages.torproject.net/onion-mkdocs/).
* [Onion TeX Slim](https://gitlab.torproject.org/rhatto/onion-tex-slim).
* [Onion Reveal](https://gitlab.torproject.org/tpo/community/hackweek/-/issues/15) (if it actually exists).
* ... and also in some repositories using these things (like [The Onion Plan](https://tpo.pages.torproject.net/onion-services/onionplan/))!
## Project C - Documenting
This project is about documenting how to use the spell checker in a repository.
# Skills
Some knowledge in the following technologies may be needed in order to participate:
* Git/GitLab CI.
* Markdown.
* Writing documentation.
* Basic scripting (Python, shell).Hackweek 2023Silvio RhattoSilvio Rhatto2023-11-09https://gitlab.torproject.org/tpo/applications/vpn/-/issues/113missing image disconnected default screen2023-11-28T12:01:07Zkwadronautmissing image disconnected default screenShould probably not be black when disconnected
![image](/uploads/92cb39cd6f420c873d7a566f4ad43fef/image.png)Should probably not be black when disconnected
![image](/uploads/92cb39cd6f420c873d7a566f4ad43fef/image.png)VPN pre-alpha 04kwadronautkwadronauthttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/31Request bridge support2024-01-31T17:36:42Zmicahmicah@torproject.orgRequest bridge supportWhen a user cannot connect to Tor due to censorship and the built-in bridges don’t work, then they should be able to request a bridge as an alternative to the built-in bridges.When a user cannot connect to Tor due to censorship and the built-in bridges don’t work, then they should be able to request a bridge as an alternative to the built-in bridges.VPN pre-alpha 04cybertacybertahttps://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40630Update builtin bridges from Circumvention Settings API2022-12-22T11:22:11Zmeskiomeskio@torproject.orgUpdate builtin bridges from Circumvention Settings APIRight now to update the builtin bridges we need to make a Tor Browser release, it would be nice if TB automatically updates them using [Circumvention Settings API](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/blob/main/doc/m...Right now to update the builtin bridges we need to make a Tor Browser release, it would be nice if TB automatically updates them using [Circumvention Settings API](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/blob/main/doc/moat.md#circumventionbuiltin).
There are two concerns I have about it:
* Users will not be happy with TB making a call to an external API without giving some consent about it.
* We don't want to make easier for censors to notice you are using Tor because of that.
I think it makes sense to update when we do other connections to moat (Connect Assist, captcha bridges, ...), I assume user has already consent to do a request to the API on those cases and having an extra connection over the domain fronting should not make it more noticeable than it already is. We could store when was the last time we had updated them, and don't update them is they are fresh (maybe 24h is a good freshness).
An extra that would be nice is to ask the user if they want to refresh the builtin bridges when they click on Settings to *Select a Built-In Bridge*. I think we should only ask if bridges hasn't being refreshed for a while (maybe 7days). The confirmation popup could have a check box with 'remember that option' or something like that, so the following times they enable builtin bridges we refresh or not without asking (if the bridges hasn't being refreshed in 7days).Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibethttps://gitlab.torproject.org/tpo/network-health/team/-/issues/250Capture telemetry about bootstrapping times by PT configuration in censored r...2022-12-15T11:42:23ZdonutsCapture telemetry about bootstrapping times by PT configuration in censored regionsAs part of the [Sponsor 96 project](https://gitlab.torproject.org/groups/tpo/-/milestones/24) we've implemented a new feature in Tor Browser called Connection Assist (historically referred to as [mostly] automatic censorship detection), ...As part of the [Sponsor 96 project](https://gitlab.torproject.org/groups/tpo/-/milestones/24) we've implemented a new feature in Tor Browser called Connection Assist (historically referred to as [mostly] automatic censorship detection), which gives users the option of trying a second bootstrap after the first fails due to censorship of the Tor Network. During the second bootstrap, Tor Browser looks up the user's location via a new moat API, and returns a short shopping list of bridge configurations to try in order (see [circumvention.json](https://gitlab.torproject.org/tpo/anti-censorship/rdsys-admin/-/blob/main/conf/circumvention.json)), that should circumvent Tor Network blocking in their country.
In addition to Tor Browser, OnionShare will also implement the censorship circumvention API – and other Tor-powered apps will likely follow suit in future too.
However, bootstrapping times in the target regions for S96 (specifically China & Tibet, rather than Hong Kong) remain a source of concern. Long bootsrapping times create uncertainty over whether or not Tor is actually connecting, or is stuck in a state of infinite bootstrapping (which we've observed too, see: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40970).
We're currently considering a number of workarounds to help alleviate these issues, including (for example):
- Displaying contextual hints about bootstrapping times by region and PT to help set user expectations
- Providing encouragement when Tor has been stuck at the same bootstrapping step for X amount of time
- Introducing timeouts which display non-blocking errors, the duration of which will need to be set per-region (thus providing a means to escape from the dreaded infinite bootstrap issue)
Given the above, it would be useful to measure bootstrapping times by PT/bridge configuration in censored regions. OONI already includes this measurement in their Snowflake tests, [see this example](https://explorer.ooni.org/measurement/20220615T081636Z_torsf_CN_9808_n1_kW4lyakvsSN7XhIG) for instance.
In addition, there may be an opportunity to improve how we collect data about working PT/bridge configurations in order to keep the circumvention.json up to date and as effective as possible.
Three options have been proposed so far:
1. Capturing telemetry about bootstrapping at the network level, i.e. on metrics.torproject.org
2. Adding additional tests to vantage points in the target regions
3. Measuring bootstrapping at the application level, e.g. by implementing cleaninsights.org in Tor Browser, OnionShare etc.Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibethttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/97Consider adding a "No internet" state2024-03-27T17:28:52Zmicahmicah@torproject.orgConsider adding a "No internet" stateI was in an airport, with fairly restrictive internet. I had connected to the captive portal and logged in, so I could use the free airport wifi, and I wanted to turn on the Tor VPN to obfuscate my traffic. I launched it, pressed the con...I was in an airport, with fairly restrictive internet. I had connected to the captive portal and logged in, so I could use the free airport wifi, and I wanted to turn on the Tor VPN to obfuscate my traffic. I launched it, pressed the connect button, and it showed connected, and data transfer rates started to show.
However, nothing was loading in my browser on my device, so I went to go look at the logs, and I found that onionmasq underneath was complaining about failing to connect to the tor network, it clearly was not actually connected and was retrying, but the UI was showing I was connected and that data was being transferred.
I failed to copy the logs, and I realize that its not trivial to re-produce this, but I thought I should file an issue to get this out there.VPN pre-alpha 07donutsdonutshttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/151reconnect/new circuit when changing bridge type or on/off2024-03-28T10:49:31Zkwadronautreconnect/new circuit when changing bridge type or on/offIs there a need to reconnect/move to a new circuit when the bridge settings are changed: bridge on/off or type (obfs4 or snowflake for now).Is there a need to reconnect/move to a new circuit when the bridge settings are changed: bridge on/off or type (obfs4 or snowflake for now).Sponsor 101 - Tor VPN Client for Androidhttps://gitlab.torproject.org/tpo/ux/design/-/issues/46Design a temporary application icon for the VPN pre-alpha2023-06-28T14:25:58ZdonutsDesign a temporary application icon for the VPN pre-alphaI think something based on the onion rings (i.e. keeping it generic would be good enough for now. Maybe with a sparkle?
- Resources: [Guidelines](https://developer.android.com/develop/ui/views/launch/icon_design_adaptive) | [Templates](...I think something based on the onion rings (i.e. keeping it generic would be good enough for now. Maybe with a sparkle?
- Resources: [Guidelines](https://developer.android.com/develop/ui/views/launch/icon_design_adaptive) | [Templates](https://www.figma.com/file/sjNWeIOpb0BckjmxApXd5m/VPN-pre-alpha?node-id=939%3A2070&t=xXPiif40TbrHiSJg-1) (in Figma)Sponsor 101 - Tor VPN Client for Androidnicobnicobhttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/21Privacy policy2023-12-07T20:38:42Zmicahmicah@torproject.orgPrivacy policyIn order for an app to be uploaded to the Google Play Store, a privacy policy needs to be defined.
"Adding a privacy policy to your app's store listing helps provide transparency about how you treat sensitive user and device data.
The ...In order for an app to be uploaded to the Google Play Store, a privacy policy needs to be defined.
"Adding a privacy policy to your app's store listing helps provide transparency about how you treat sensitive user and device data.
The privacy policy must, together with any in-app disclosures, comprehensively disclose how your app collects, uses, and shares user data. This includes the types of parties with whom it’s shared. You should consult your legal representative to advise you of what is required.
For apps that request access to sensitive permissions or data (as defined in the user data policies): You must link to a privacy policy on your app's store listing page and within your app. Make sure your privacy policy is available on an active URL, applies to your app, and specifically covers user privacy."Sponsor 101 - Tor VPN Client for AndroidIsabela FernandesIsabela Fernandeshttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/16Use IPtProxy2024-02-01T12:07:49ZMatthew FinkelUse IPtProxyCurrently Tor Browser compiles distinct executables and exec's them. This is discouraged on Android and may become more difficult in the future. Using a library seems to be a better long-term solution.
From #2:
* \[2022/03/15\]:
* TBD...Currently Tor Browser compiles distinct executables and exec's them. This is discouraged on Android and may become more difficult in the future. Using a library seems to be a better long-term solution.
From #2:
* \[2022/03/15\]:
* TBD. Who should maintain and be responsible for it. Schedule meeting with AC team and GP.
* For app, do benefits outweigh additional complexity? Some apps need single-binary when compiling libraries - should Tor support that? How/where?Sponsor 101 - Tor VPN Client for Androidhttps://gitlab.torproject.org/tpo/applications/vpn/-/issues/7Identify important anti-features2023-12-07T20:34:52ZMatthew FinkelIdentify important anti-featuresIdentify features and/or functionality that the app should discourage or prevent (to the best of its ability). This will include anti-abuse mechanisms and potential "footguns" (preferring misuse resistant UI/UX/features).Identify features and/or functionality that the app should discourage or prevent (to the best of its ability). This will include anti-abuse mechanisms and potential "footguns" (preferring misuse resistant UI/UX/features).Sponsor 101 - Tor VPN Client for Android2023-12-04https://gitlab.torproject.org/tpo/ux/research/-/issues/69Test Tor VPN prototypes with potential users2024-03-26T22:46:21ZdonutsTest Tor VPN prototypes with potential usersThis ticket relates to the following objectives:
- O1.4: Test wireframes and user flows with target users, identify user challenges, iterate on these designs throughout the project.
Our target is to conduct 2-3 focus groups with potent...This ticket relates to the following objectives:
- O1.4: Test wireframes and user flows with target users, identify user challenges, iterate on these designs throughout the project.
Our target is to conduct 2-3 focus groups with potential users.
The designs can be found here: [Figma / Tor VPN for Android](https://www.figma.com/file/sjNWeIOpb0BckjmxApXd5m/Tor-VPN-for-Android?type=design&node-id=4280%3A1524&mode=design&t=mNf6BRHqG6b1oXYs-1)Sponsor 101 - Tor VPN Client for Androidsajolidasajolidahttps://gitlab.torproject.org/tpo/tpa/team/-/issues/41222Is the web ui disabled for our VictoriaMetrics version?2023-06-13T12:37:36ZHiroIs the web ui disabled for our VictoriaMetrics version?I see the web ui for VictoriaMetrics at https://metrics-db.torproject.org/vmui/ is returning a 404.
\@gkI see the web ui for VictoriaMetrics at https://metrics-db.torproject.org/vmui/ is returning a 404.
\@gkSponsor 112 : Combating Malicious RelaysJérôme Charaouilavamind@torproject.orgJérôme Charaouilavamind@torproject.org