The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2023-01-23T19:09:39Z

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41036
needrestart configuration clobbers sane exclude list
2023-01-23T19:09:39Z
anarcat
At home I use the same needrestart Puppet profile as we do here. Recently, I noticed that needrestart was rather aggressively killing my user sessions and, after tracking it down, I isolated the issue to needrestart. It would restart processes that should normally be skipped like `gdm3`, `dbus`, and even `unattended-upgrades` itself, arghl.
I deployed this fix at home to work around the issue: https://gitlab.com/anarcat/puppet/-/commit/2c48079c16cd700783f2d0394a8b3ad249c6a250
... and reported that as a bug in the puppet module as well:
https://github.com/xneelo/hetzner-needrestart/issues/24
I was about to just deploy this patch everywhere, but figured it might be safer to test it at home a little longer first, and to do a progressive deployment.
Changes live in the `needrestart-safe` branch in the tor-puppet.git repository.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41034
Deploy tor-weather on weather-01
2023-03-21T18:37:30Z
Kez
with <https://gitlab.torproject.org/tpo/network-health/tor-weather/-/merge_requests/33> is merged, i've got the documentation needed to deploy tor-weather on the weather-01 machine

https://gitlab.torproject.org/tpo/team/-/issues/130
Complete documents for NCE for sponsor 96
2023-04-03T19:09:59Z
Gaba gaba@torproject.org
Template and documents are in nextcloud.
Gaba gaba@torproject.org
2023-04-03

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41029
look at fsn-node-05 spurious reboots
2023-01-25T17:50:26Z
anarcat
Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/team/-/issues/128
Apply to gsoc 2023
2023-02-01T23:31:35Z
Gaba gaba@torproject.org
- [x] Request for projects in tor-internal.
- [x] Update https://gitlab.torproject.org/tpo/team/-/wikis/gsoc
- [x] Apply to gsoc
2023-02-02

https://gitlab.torproject.org/tpo/team/-/issues/127
January report for s139
2023-01-30T22:25:48Z
Gaba gaba@torproject.org
2023-01-31

https://gitlab.torproject.org/tpo/team/-/issues/124
Information about licenses
2023-01-12T20:21:49Z
kngrh
I have searched the website after information about licenses for using, redistributing etc. content and software is possible.
Unfortunately I have not found anything.
Right now I would like to use the following picture: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/wikis/uploads/8716c3ba1226bd90009268a777ed2ccb/snowflake-diagram.png
in a wiki article about snowflake.
Is it allowed, which credentials need to be fulfilled?
In general it would be very helpful, if the top landing site: https://gitlab.torproject.org/tpo/team where you are redirected from https://gitlab.torproject.org/, would contain a section with all needed license information about Tor.
Gaba gaba@torproject.org

https://gitlab.torproject.org/tpo/team/-/issues/123
help on indicators for new SIDA proposal
2023-01-12T19:28:30Z
Gaba gaba@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41026
data update service and timer on meronense
2023-01-10T16:41:24Z
Hiro
I would need some help figuring out why the update service on meronense doesn't wait for the previous run to finish before starting a new one.
The timer and service are in puppet and they only start this script: https://gitlab.torproject.org/tpo/network-health/metrics/metrics-bin/-/blob/main/website/run-web.sh
\cc @gk
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41025
Ask for closing tor-relays-fr mailing list
2023-01-09T19:50:00Z
Chre
Hi all,
Can you close tor-relays-fr mailing list please? Thanks for help :smile:
Many of us, French relay operators and Tor volunteers, thought it would be useful to restart the tor-relays-fr list, to discuss Tor relays in French.
Having lost access to the original list created in 2012, we asked The Tor Project to create a new one. Arma was kind enough to respond, and despite his questions about the relevance of such a list, agreed to play along.
This new tor-relays list was created on 9/22/2020. Thank you Tor Project!
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays-fr
But... after over two years of existence, this list is clearly not very active. Probably because most people running Tor relays are fluent enough in English to discuss directly on... tor-relays.
So we announce the closing of this list at the beginning of this year 2023, and we invite interested people to use on tor-relays (in English) !
Thank you for your help in trying to keep this list alive :smile:
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41024
Fatal error from remote when pushing to alberti/ldap
2023-02-01T17:52:21Z
Jérôme Charaoui lavamind@torproject.org
When updating the key for jnewsome in #41022 I hit a similar issue as #41013:
```
$ git push alberti
Énumération des objets: 7, fait.
Décompte des objets: 100% (7/7), fait.
Compression par delta en utilisant jusqu'à 4 fils d'exécution
Compression des objets: 100% (4/4), fait.
Écriture des objets: 100% (4/4), 577 octets | 577.00 Kio/s, fait.
Total 4 (delta 3), réutilisés 0 (delta 0), réutilisés du pack 0
remote: + env -i make -C /srv/db.torproject.org/keyrings
remote: make: Entering directory '/srv/db.torproject.org/keyrings'
remote: umask 002 && \
remote: cd keyring && \
remote: git pull && \
remote: rm -f torproject-keyring.gpg && \
remote: ./build-keyring && \
remote: cp -f torproject-*.gpg ..
remote: fatal: detected dubious ownership in repository at '/srv/db.torproject.org/keyrings/keyring'
remote: To add an exception for this directory, call:
remote:
remote: git config --global --add safe.directory /srv/db.torproject.org/keyrings/keyring
remote: make: *** [Makefile:5: torproject-keyring.gpg] Error 128
remote: make: Leaving directory '/srv/db.torproject.org/keyrings'
To alberti.torproject.org:/srv/db.torproject.org/keyrings/keyring.git
3ce936a..d00c61c master -> master
```
However, running the `git config` command did not fix the problem, likely because of the `env -i` bit unsetting `$HOME` and making `git` unable to find `$HOME`. I had to run `make -C /srv/db.torproject.org/keyrings` manually instead.
I'm wondering if the fix here is to change `git pull` with `git -c safe.directory=/srv/db.torproject.org/keyrings/keyring pull` in the Makefile?
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41021
Please change LDAP OpenPGP key for micah
2022-12-22T19:40:43Z
micah micah@torproject.org
Hi,
The day before it expired, I broke my hardware token, where my OpenPGP key resided. I am unable to recover that key, or perform any operations with it. Unfortunately, the hardware token also contained my ssh key. This makes it so I am unable to either use my currently configured ssh key for tor machines/services[0], and I cannot change that ssh key, because my OpenPGP key must be used to change the ssh key.
So I humbly request that you update my OpenPGP key. For obvious reasons, I'm unable to sign this request with my other key, so I'd have to do some kind of out of band confirmation.
My new key is as follows:
Which can be additionally found at [keys.openpgp.org](https://keys.openpgp.org/search?q=micah%40riseup.net)
0. except gitlab, where I was able to update my keys/login
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41020
Delete contents of /srv/aus1-master.torproject.org/htdocs/torbrowser please
2022-12-22T16:06:42Z
richard
We have a ton of cruft with various write permissions in this dir. We've migrated this data to https://gitlab.torproject.org/tpo/applications/tor-browser-update-responses which we will be using to update in the future using the tb-release user.
Once everything's gone I can go back in and init a git repo in-place and pull down the remote main branch and all will be good.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41019
Allow to sudo as the tb-release user on staticiforme for members of the tb-release group
2022-12-22T15:20:22Z
boklm
When we release a new Tor Browser update we need to update some files in `/srv/aus1-master.torproject.org/htdocs/torbrowser` on `staticiforme.tpo`. As we are multiple people in the team publishing updates (members of the ldap group `tb-release`), we make the files there group-owned by `tb-release` and add write permission for group on the files.
However there are some problems with doing things like that:
* if one of us creates files but forgets to set write permission for the group, other members of the group cannot modify those files
* because permissions on directories have the sticky bit, we cannot remove files from other users
I think it would be better if all files in `/srv/aus1-master.torproject.org/htdocs/torbrowser` are owned by the `tb-release` user, and we use `sudo -s -u tb-release` when we need to update files in this directory.
Currently running `sudo -s -u tb-release` tells me:
```
Sorry, user boklm is not allowed to execute '/bin/bash' as tb-release on staticiforme.torproject.org.
```
/cc @richard
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41018
incoming SPF and DKIM checks on RT
2023-08-29T13:20:49Z
anarcat
in #41016, I found out that the rt-spam-blocklist hack that @lavamind developed was merrily dropping internal email addresses from traffic. things like frontdesk@torproject.org couldn't send mail anymore.
that has been worked around by moving the header check to the SMTP level, but we shouldn't have allowed those mails in, in the first place. i bet those emails were failing DKIM and SPF checks.
so here implement an inbound mail filter that will check SPF and DKIM before allowing the mail in. i implemented this using OpenDMARC on my home configuration, with relative success, see:
https://anarc.at/services/mail/#dmarc-spf-pre-checks
Jérôme Charaoui lavamind@torproject.org

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41016
Gmail delivery issue on frontdesk@tpo
2023-07-04T16:02:16Z
Gus
We're receiving emails from Gmail accounts on RT (frontdesk@tpo), but our replies aren't being delivered. I also don't see the email bouncing on RT or going to my Gmail spam folder.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41014
schleuder lists retirements
2023-02-15T16:43:15Z
anarcat
in #40564, it became apparent that most Schleuder mailing lists are not actually much in use anymore and should be retired. specifically, the tasks here are:
* [x] retire network-team-security@
* [x] retire tor-security-encrypted@
* [x] retire tor-security@ and forward to security@
~~@micah could you confirm the fate of those lists? thanks!~~ done
anarcat

https://gitlab.torproject.org/tpo/team/-/issues/121
Coordinate onboarding of new people in the network-team
2023-01-19T21:51:45Z
Gaba gaba@torproject.org
There are 2 people starting in Q1 2022 to work on Onion Services. The first person will be starting on January 16th.
cc @ahf @ewyatt
Template for the meeting agenda: https://gitlab.torproject.org/tpo/team/-/wikis/OnBoardingAgendaTemplate
Alexander Færøy ahf@torproject.org
2023-01-11

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41013
Fatal error from remote when pushing to puppet
2023-01-10T20:43:16Z
Kez
I just tried to push a small change to puppet. I was able to push, but then got this output
```
git push origin master
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 12 threads
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 627 bytes | 627.00 KiB/s, done.
Total 7 (delta 4), reused 0 (delta 0), pack-reused 0
remote: Sending notification emails to: torproject-admin-vcs@torproject.org
remote: checkout for stage: production
remote: fatal: detected dubious ownership in repository at '/etc/puppet'
remote: To add an exception for this directory, call:
remote:
remote: git config --global --add safe.directory /etc/puppet
To puppet.torproject.org:/srv/puppet.torproject.org/git/tor-puppet
98326862..4fa943e1 master -> master
```
When I ran `patn` on the server after pushing, my change didn't take effect in puppet. So it seems like whatever this dubious ownership is, it stops one of our git hooks from properly updating puppet.
anarcat

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41010
overload on gnt-fsn cluster
2023-02-21T18:17:26Z
anarcat
Higher than usual traffic was observed starting 2022-12-16 06:35UTC on the two onionoo frontends which negatively impacted other services (gitlab-02, eugeni, so mails, and anecdotal reports of failures of static site deployments).
Situation has returned to almost normal at around 16:00, enough to be able to open this issue. @hiro will followup with Microsoft to see if this was some legitimate traffic or an attack. It's possible a researcher was fetching data from the frontends possibly a little too enthusiastically.
anarcat