The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-05-24T20:03:16Z

https://gitlab.torproject.org/tpo/core/torsocks/-/issues/40002
Assertion 'fclose_nointr(f) != -EBADF' failed at src/basic/fd-util.c:125, function safe_fclose()
2022-05-24T20:03:16Z
ilf

torsocks crashes Mutt. Mutt does this fine without torsocks.
```
% mutt -v
Mutt 1.14.7 (2020-08-29)
% torsocks --version
Torsocks 2.3.0
% torsocks --quiet mutt
-> c (change-folder)
-> ~f <enter>
Open mailbox: ~f
Assertion 'fclose_nointr(f) != -EBADF' failed at src/basic/fd-util.c:125, function safe_fclose(). Aborting.
zsh: abort (core dumped) torsocks --quiet mutt
```
https://github.com/systemd/systemd/blob/master/src/basic/fd-util.c#L125

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40637
Add Austin into the tor-browser gitolite groups
2022-05-24T20:52:04Z
Matthew Finkel

Specifically `builders/tor-browser-build` and `tor-browser`, right now.
cc @boklm @aguestuser

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40768
Features in NC Polls not working
2022-05-24T20:58:46Z
Erin Wyatt

Hello,
A couple of features are not working on NC Polls:
1) When inviting internal people to a poll, no one was notified. I manually added each person to the poll in NC itself and not a single person received a notification in NC or an email notification.
2) The download/export feature doesn't work. I tried in 3 different browsers with all privacy-enhancing features turned off, and could not get any of the download options to work.
Thank you!

https://gitlab.torproject.org/tpo/web/blog/-/issues/40027
Discourse is unable to replace the lead image in the embed topic with an internal upload
2022-05-24T23:29:09Z
Jérôme Charaoui
lavamind@torproject.org

Currently, when the forum embeds a blog post on the forum and creates a new topic, the lead image `<img>` tag is replaced with an internal upload (which we want). But this upload goes wrong somewhere and instead, a visible markdown fragment similar to this appears in its place:
```
![](upload://5I9gkH7W5MiboevmjzfyMDYfrJD.png)
```
I reported this to the Discourse team and they're looking into it.
In the meantime I've applied a workaround by configuring the forum to [disable auto image downloads](https://forum.torproject.net/admin/site_settings/category/files?filter=disabled%20image) from `blog.torproject.net` which isn't ideal because PrivacyBadger blocks this as a cross-domain embed.

Jérôme Charaoui
lavamind@torproject.org

https://gitlab.torproject.org/tpo/onion-services/onionmine/-/issues/21
Symlink tested keys
2022-05-25T00:13:44Z
Silvio Rhatto

Symlink tested keys at `pools/<pool>/tested/`. This helps one to know if a keypair is already tested.

https://gitlab.torproject.org/tpo/network-health/sbws/-/issues/40140
flowctrl2 subcommand fails with: `TypeError: only_relays_with_bandwidth() got multiple values for argument 'min_bw'`
2022-05-25T07:49:43Z
juga

This has been introduced by dc06bbdcd001ac0786ed9b2269f55b232b105eb9. We changed a couple of the calls to `stem_utils.only_relays_with_bandwidth` but there are more.
I don't think we need to release another bugfix version because this doesn't affect the scanner nor the generator.
If needed, we could also just separate the script with little effort.

sbws: 1.5.x-final
juga

https://gitlab.torproject.org/tpo/network-health/exitmap/-/issues/37
Update exitmap's copyright notices
2022-05-25T10:54:50Z
Georg Koppen

The `exitmap` copyright notices are quite outdated. I pinged @phw and we agreed to the following plan:
We extend the current copyright notice until (and including 2020) and then start from 2021 on with something like "Copyright 2021, The Tor Project, Inc.".

Georg Koppen

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13252
Tor Browser on OS X should not store data into the application bundle
2022-05-25T10:55:34Z
Trac

The Tor application on OS X stores user data into its bundle (TorBrowser.app/Data/). This is bad. This causes various issues:
- the Tor application can't be code signed, which decreases the security. See Ticket legacy/trac#13251: CodeSign Tor for OS X
- when installing a new version of Tor, all previous user data (bookmarks) are deleted.
**Trac**:
**Username**: torosx

https://gitlab.torproject.org/tpo/core/arti/-/issues/258
Send SOCKS replies on failing cases
2022-05-25T13:13:18Z
Nick Mathewson

Right now, our proxy code just closes the connections when it encounters an error that keeps it from getting a stream. Instead, it should send back a SOCKS reply to tell the application that something went wrong. (See TODOs in proxy.rs)

Arti 1.0.0: Ready for production use

https://gitlab.torproject.org/tpo/core/arti/-/issues/379
Decide how cargo.lock and MSRV interrelate
2022-05-25T13:14:54Z
Nick Mathewson

On #376, I asked:
> As a side-note, do we care if our Cargo.lock file requires a newer rust than our MSRV? I say "no", but we should open another ticket to discuss if so.
This is that ticket.

Arti 1.0.0: Ready for production use
Nick Mathewson

https://gitlab.torproject.org/tpo/core/torsocks/-/issues/40009
signal-cli broken (ipv6 issue?)
2022-05-25T13:49:17Z
Jim Newsome

```
$ torsocks -d ./signal-cli link
...
1652748828 DEBUG torsocks[3430431]: [getaddrinfo] Node chat.signal.org resolved to 76.223.92.165 (in tsocks_getaddrinfo() at getaddrinfo.c:107)
...
1652748828 DEBUG torsocks[3430431]: Connect caught on fd 35 (in tsocks_connect() at connect.c:118)
1652748828 DEBUG torsocks[3430431]: [connect] Socket family AF_INET6 and type 1 (in tsocks_validate_socket() at connect.c:76)
1652748828 DEBUG torsocks[3430431]: Connecting to the Tor network on fd 35 (in tsocks_connect_to_tor() at torsocks.c:473)
1652748828 DEBUG torsocks[3430431]: Setting up a connection to the Tor network on fd 35 (in setup_tor_connection() at torsocks.c:368)
1652748828 PERROR torsocks[3430431]: socks5 libc connect: Invalid argument (in socks5_connect() at socks5.c:202)
1652748828 DEBUG torsocks[3430431]: [close] Close caught for fd 35 (in tsocks_close() at close.c:33)
Link request error: Connection closed!
1652748828 DEBUG torsocks[3430431]: [onion] Destroying onion pool containing 0 entry (in onion_pool_destroy() at onion.c:148)
```
It appears to get a v4 address, and subsequently create a v6 socket.
Inside `socks5_connect` it chooses the address type based on the single immutable configured address type to the local tor daemon, instead of the address type of the socket/connection, which seems wrong. On my machine it tries to connect to the local v4 address using the v6 socket, which I assume is why it's failing.
I tried hacking it up to choose the protocol family to match the connection instead of the configuration, and hard-coded the ipv6 loopback address to my local tor daemon, but that's not working either.
```
diff --git a/src/common/socks5.c b/src/common/socks5.c
index 9f7853b..e9676bd 100644
--- a/src/common/socks5.c
+++ b/src/common/socks5.c
@@ -19,6 +19,7 @@
#include <assert.h>
#include <errno.h>
#include <inttypes.h>
+#include <signal.h>
#include <stdlib.h>
#include <lib/torsocks.h>
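Review bot: The added `#include <signal.h>` is not used by anything in the visible hunks, while the `struct sockaddr_in6` initializer and `IN6ADDR_LOOPBACK_INIT` added in the next hunk depend on `<netinet/in.h>`. Drop the signal header unless a later change needs it, and include the header that declares the IPv6 types explicitly if it is not already pulled in.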
@@ -160,23 +161,35 @@ int socks5_connect(struct connection *conn)
assert(conn);
assert(conn->fd >= 0);
+ struct sockaddr_in6 sin6 = {
+ .sin6_family = AF_INET6,
+ .sin6_port = 9050,
+ .sin6_addr = IN6ADDR_LOOPBACK_INIT,
+ };
+
/*
* We use the connection domain here since the connect() call MUST match
* the right socket family. Thus, trying to establish a connection to a
* remote IPv6, we have to connect to the Tor daemon in v6.
*/
- switch (tsocks_config.socks5_addr.domain) {
+ DBG("conn.domain:%d config.domain:%d", conn->dest_addr.domain, tsocks_config.socks5_addr.domain);
+ //switch (tsocks_config.socks5_addr.domain) {
+ switch (conn->dest_addr.domain) {
case CONNECTION_DOMAIN_NAME:
+ DBG("domainname");
/*
* For a domain name such as an onion address, use the default IPv4 to
* connect to the Tor SOCKS port.
*/
case CONNECTION_DOMAIN_INET:
+ DBG("ipv4");
socks5_addr = (struct sockaddr *) &tsocks_config.socks5_addr.u.sin;
len = sizeof(tsocks_config.socks5_addr.u.sin);
break;
case CONNECTION_DOMAIN_INET6:
- socks5_addr = (struct sockaddr *) &tsocks_config.socks5_addr.u.sin6;
+ DBG("ipv6");
+ //socks5_addr = (struct sockaddr *) &tsocks_config.socks5_addr.u.sin6;
+ socks5_addr = &sin6;
len = sizeof(tsocks_config.socks5_addr.u.sin6);
break;
default:
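Review bot: In the new `sin6` initializer, `.sin6_port = 9050` stores the port in host byte order, but `sin6_port` must be in network byte order; use `htons(9050)`, or better, take the port from `tsocks_config` instead of hard-coding it. On a little-endian host the current value makes connect() target a different port, which may explain the `Connection refused` in the log that follows. In the `CONNECTION_DOMAIN_INET6` case, `socks5_addr = &sin6;` needs the `(struct sockaddr *)` cast used in the IPv4 branch, and `len` should be `sizeof(sin6)` so it stays tied to the structure actually passed. The `sin6` declaration placed after the `assert` calls, the `DBG` calls between case labels and the commented-out `switch` and assignment lines should be tidied before this goes beyond a debugging patch.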
```
```
...
1652749541 DEBUG torsocks[3433257]: conn.domain:2 config.domain:1 (in socks5_connect() at socks5.c:175)
1652749541 DEBUG torsocks[3433257]: ipv6 (in socks5_connect() at socks5.c:190)
1652749541 PERROR torsocks[3433257]: socks5 libc connect: Connection refused (in socks5_connect() at socks5.c:216)
1652749541 DEBUG torsocks[3433257]: [close] Close caught for fd 35 (in tsocks_close() at close.c:33)
Link request error: Connection closed!
1652749541 DEBUG torsocks[3433257]: [fclose] Close caught for fd 35 (in tsocks_fclose() at fclose.c:45)
1652749541 DEBUG torsocks[3433257]: [fclose] Close caught for fd 35 (in tsocks_fclose() at fclose.c:45)
1652749541 DEBUG torsocks[3433257]: [onion] Destroying onion pool containing 0 entry (in onion_pool_destroy() at onion.c:148)
```

https://gitlab.torproject.org/tpo/core/arti/-/issues/475
tor-config: default fs-mistrust should tolerate readable config files
2022-05-25T14:26:23Z
Nick Mathewson

Right now, if you don't call `set_mistrust` on your `ConfigurationSources`, you get a default `Mistrust` object.
That's probably not the right default for configuration files: The default mistrust object forbids configuration files that are _readable_ by untrusted users, when previously we only forbade those that were _writable_ by untrusted users.
I can make this change, but first I want to make sure that the behavioral change wasn't intentional. cc @diziet

Arti 1.0.0: Ready for production use
Nick Mathewson

https://gitlab.torproject.org/tpo/core/arti/-/issues/484
DirMgr: Remove Error::NoChange
2022-05-25T14:35:33Z
Nick Mathewson

This is a followup from !527, since we now track changed-or-not via an output parameter.

Nick Mathewson

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40141
are snowflake events safe to make public their content
2022-05-25T16:09:39Z
meskio
meskio@torproject.org

OONI wants to use the client event API and publish the strings of the events in the json. Do they contain any personal data like IP addresses?

meskio
meskio@torproject.org

https://gitlab.torproject.org/tpo/onion-services/onion-launchpad/-/issues/15
Clean up CSS, class/ID names
2022-05-25T18:35:59Z
Kez

Related to #1
There are a lot of *really* terrible ID and class names throughout the page: `#page-content`, `#container`, etc. They're vague, and usually aren't representative of what the element actually is. Most of them are left over from early in the dev process when I just needed a name for something.
Additionally, CSS is strewn everywhere. A few macros define their own `<style>` and `<script>` tags, and several elements have inline CSS. These are messy and hard to follow, and will break if a landing page is served with a strict CSP.
- [x] The styles (inline and style tags) need to all be pulled into the main style tag in page.html
- [x] IDs need to be cleaned up and given actual names that represent the element
- [ ] Class names need to be cleaned up as well (`onion-url-span-uncopied` isn't great)
- [x] Scripts need to be consolidated into their own files
- [ ] Consider SCSS as part of the build process to make the styles even easier to read
- [x] Clean up jinja macros. They're unreadable and obtuse

Kez

https://gitlab.torproject.org/tpo/tpa/schleuder/-/issues/40005
Please refresh sysrqb's pgp key
2022-05-25T18:37:41Z
Matthew Finkel

Related to team#40317
thank you

David Goulet
dgoulet@torproject.org

https://gitlab.torproject.org/tpo/core/arti/-/issues/485
CI should be using "normal" mistrust config
2022-05-25T19:45:39Z
Ian Jackson
iwj@torproject.org

#475 occurred in part because our CI is running with wholly unrealistic permissions etc.
Ideally we would fix this, and remove the mistrust override. I guess we would need to (at least) set the umask and perhaps change to a different user (or have the CI do so for us).
(setting this to the 1.0 milestone, mostly so that if we defer this it's done as a deliberate decision.)

Arti 1.0.0: Ready for production use

https://gitlab.torproject.org/tpo/onion-services/onion-launchpad/-/issues/18
The language select hover is broken on mobile
2022-05-26T00:02:21Z
Kez

Firefox's touch simulator has no issues, but iOS Safari opens the language select menu, and then *never closes it*. I'll have to figure out why and see what I can do about it.

Kez

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40155
Weird behavior if website is blocking Tor
2022-05-26T02:06:17Z
Password is "Cypherpunks Write Code" without quotes
cypherpunks@mailinator.com

- No error message is displayed if website is sending empty response. Tor Browser is just refusing to connect without attempting to use different circuit. If website is blocking Tor in such way, user should use newnym (new identity) to access it.
Example: [ok.ru](https://ok.ru)
- User should wait if website is blocking connection from Tor exit nodes without sending any response. There is no way to change its circuit, as pressing button for it just closes the connection.
Example: [okay-cms.com](https://okay-cms.com)
- If website is redirecting to another domain when Tor is blocked, there is no obvious way to change circuit for it. One workaround is to restart tor daemon.
Example: [youtube.com](https://youtube.com)
Suggested workaround is to insert hyphen-minus character as a subdomain so it won’t resolve, but circuit UI disappears and insecure connection explanation breaks once you try to change it. It appears again once you connect to this website without such subdomain.
Note: just some random websites where I encountered these bugs. You can replace them with other ones if possible, this is a Cypherpunks account.

https://gitlab.torproject.org/tpo/tpa/team/-/issues/40758
install tor-geoipdb package from bullseye-backports in polyanthum
2022-05-26T09:46:48Z
meskio
meskio@torproject.org

The geoipdb we are using in polyanthum is pretty old, and depends on updates from debian stable (right now oldstable). There are more frequently updated packages for it in deb.torproject.org, could we use those? can unattended-upgrades or something be configured to update tor-geoipdb from deb.tpo?

Debian 11 bullseye upgrade
anarcat