The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-03-26T09:04:49Z

https://gitlab.torproject.org/tpo/core/tor/-/issues/40924
tor_bug_reached counter does not increase as expected
2024-03-26T09:04:49Z
applied_privacy

### Summary
When we see this in the log file we would assume the tor_bug_reached metric is increased, but it is not:
```
conflux_validate_legs(): Bug: Number of legs is above maximum of 2 allowed: 3#012 (on Tor 0.4.9.0-alpha-dev )
```
### What is the current bug behavior?
tor_bug_reached counter does not increase in this example
### What is the expected behavior?
tor_bug_reached counter should increase.
implemented in
#40839
### Environment
```
tor --version
Tor version 0.4.9.0-alpha-dev.
This build of Tor is covered by the GNU General Public License (https://www.gnu.org/licenses/gpl-3.0.en.html)
Tor is running on Linux with Libevent 2.1.12-stable, OpenSSL 3.0.11, Zlib 1.2.13, Liblzma 5.4.1, Libzstd 1.5.4 and Glibc 2.36 as libc.
Tor compiled with GCC version 12.2.0
```
OS: Debian 12
installation method: deb.torproject.org
package version: 0.4.9.0-alpha-dev-20240325T020413Z-1~d12.bookworm+1

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40070
Formatting and layout design
2024-03-26T00:38:30Z
nicob

Explore formatting and layout with content and illustrations that will work well for both online and print.
* complexity: medium (3 days)
* uncertainty: moderate (1.5)
* total: 3-4.5 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40069
Content review
2024-03-26T00:39:27Z
nicob

How much/if any of this content will change/do we need to consider with overall design? Suggestions per feedback could mean adding more information. Is it helpful to have individual documents or should they all be combined? Some of these answers will probably depend on information from others, so may be more of an ongoing task.
* complexity: medium (3 days)
* uncertainty: moderate (1.5)
* total: 3-4.5 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40068
Illustrating design
2024-03-25T23:58:03Z
nicob

* complexity: medium (3 days)
* uncertainty: low (1.1)
* total: 3.3 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40067
Concepting and sketching
2024-03-25T23:52:36Z
nicob

* complexity: medium (3 days)
* uncertainty: low (1.1)
* total: 3-3.3 days
* actual:

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40066
Redesign the "Tor for xyz" outreach materials
2024-03-26T21:21:40Z
nicob

The existing outreach materials we have need to be updated as part of the work for Sponsor 9. There are currently four "Tor for xyz" pieces that we will be redesigning to fit a single template that works for both online and print, and is consistent with Tor's evolving visual brand.
* [Tor for Anti-censorship](https://gitlab.torproject.org/tpo/community/outreach/-/raw/master/print/en_EN/Front_anti-censorship_en_EN.pdf)
* [Tor for Feminists](https://gitlab.torproject.org/torproject/community/outreach/-/raw/master/print/en_EN/Front_feminist_en_EN.pdf)
* [Tor for Human Rights](https://gitlab.torproject.org/tpo/community/outreach/-/raw/master/print/en_EN/Front_humanrights_en_EN.pdf)
* [Tor for Privacy](https://gitlab.torproject.org/torproject/community/outreach/-/raw/master/print/en_EN/Front_privacy_en_EN.pdf)
There is also this back cover for Anti-censorship, Human Rights, and Privacy: [Back](https://gitlab.torproject.org/tpo/community/outreach/-/raw/master/print/en_EN/Back_stencil_en_EN.pdf)
And this back cover for Feminists: [Back](https://gitlab.torproject.org/tpo/community/outreach/-/raw/master/print/en_EN/Back_feminist_en_EN.pdf)
We should incorporate this feedback that was previously collected from partners in LATAM too: https://gitlab.torproject.org/tpo/ux/research/-/issues/22#note_2825275

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/network-health/metrics/metrics-bin/-/issues/3
Run cleanup and other checks for NS API build
2024-03-26T07:25:52Z
Mattia Righetti

It could be useful to do some cleanup of the build folder each time we need to build a new version of the ns api
Referencing https://gitlab.torproject.org/tpo/network-health/metrics/networkstatusapi/-/issues/54#note_3011903

Mattia Righetti

https://gitlab.torproject.org/tpo/applications/android-components/-/issues/40080
Change Tor Browser language by App languages system setting screen
2024-03-25T21:00:55Z
Rahim Rollins

I suggest you consider changing the language of the application through a single control center for the languages of installed applications, available in the latest versions of Google Android. Read more about it in the article "[Change app language on your Android phone](https://support.google.com/android/answer/12395118)" of the official OS help. [Screenshot](https://drive.google.com/file/d/1rhT3cFpo8cpeLrXIPteFH-0202ks_IYy/view)

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41563
evaluate impact of Let's Encrypt chain shortening
2024-03-25T20:15:38Z
anarcat

In [this article from July 2023](https://letsencrypt.org/2023/07/10/cross-sign-expiration.html), Let's Encrypt mentioned the cross-sign with IdenTrust will stop working in September 2024.
Their timeline is this:
> - On Thursday, Feb 8th, 2024, we stopped providing the cross-sign by default in requests made to our /acme/certificate API endpoint. For most Subscribers, this means that your ACME client will configure a chain which terminates at ISRG Root X1, and your webserver will begin providing this shorter chain in all TLS handshakes. The longer chain, terminating at the soon-to-expire cross-sign, will still be available as an alternate chain which you can configure your client to request.
> - On Thursday, June 6th, 2024, we will stop providing the longer cross-signed chain entirely. This is just over 90 days (the lifetime of one certificate) before the cross-sign expires, and we need to make sure subscribers have had at least one full issuance cycle to migrate off of the cross-signed chain.
> - On Monday, September 30th, 2024, the cross-signed certificate will expire. This should be a non-event for most people, as any client breakages should have occurred over the preceding six months.
So part of the transition has already happened, with a reduced chain for most certificates issued. This should already have impacted us.
We need to see what other impacts that has for us. In #32351, we've been hesitant at performing cipher changes for backwards compatibility concerns. According to [this graph](https://gs.statcounter.com/android-version-market-share/mobile-tablet/worldwide/#monthly-202302-202402-bar), we're talking about 5% of Android users affected here, for example. The [compatibility page](https://letsencrypt.org/docs/certificate-compatibility/) has a more detailed breakdown.
So basically the task is to evaluate the above table and see if we need to do anything special to any of our services.

2024-04-25

https://gitlab.torproject.org/tpo/community/outreach/-/issues/40065
Create new onion routing diagram in new illustration style
2024-03-26T18:31:14Z
nicob

In part of the effort to revise outreach materials, we also need to develop a new and simple diagram of onion routing to be used across materials, online and in print. We'll be integrating the new illustration style into this diagram as well.
Tor onion routing diagrams being used/have been used in the past:
* https://community.torproject.org/onion-services/overview/
* https://2019.www.torproject.org/images/htw2_zh.png
* https://community.torproject.org/static/images/outreach/print/minizine-onion-routing-A4.jpg
* https://gitlab.torproject.org/tpo/community/outreach/-/raw/master/print/en_EN/Front_humanrights_en_EN.pdf
EFF onion routing diagrams:
* https://tor-https.eff.org/
* https://www.eff.org/files/2023/04/26/circumvention-toronionaddress.png

Sponsor 9 - Phase 7 - Usability and Community Intervention on Support for Democracy and Human Rights
nicob

https://gitlab.torproject.org/tpo/web/donate/-/issues/21
implement a way to ban email addresses
2024-03-27T16:33:58Z
anarcat

In the last donate card testing attack (#19), Stripe claims that hundreds of attempts came from the same email address. Now, it's possible this is misreported (like the IP address, #20), but if it isn't, we should just block that email address already.

anarcat

https://gitlab.torproject.org/tpo/applications/mullvad-browser/-/issues/278
Create asset(s) for the Mullvad Browser installer
2024-03-25T19:09:50Z
Pier Angelo Vendrame

Currently, we use NSIS's default images for the last page of the installers, however we could customize it:
<details><summary>Screenshots</summary>
Our page:
![Screenshot_from_2024-02-06_17-22-53](/uploads/cbbb28d1d4fb72f83165b82ba920bc04/Screenshot_from_2024-02-06_17-22-53.png)
Firefox:
![Screenshot_2024-01-17_054914](/uploads/513037b0c2df23114fb5008bf431fa0f/Screenshot_2024-01-17_054914.png)
</details>
Firefox uses the same asset also for the first page.
We don't use that page, but in case we can also re-use the same asset, or create a new issue if needed.
We customize the icon for the channel, so if easy enough we could have multiple versions of that asset, too (but I'm not sure of the requirement on the sponsor side).
/cc @donuts @nicob

nicob

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40354
Extract reusable parts to a shared library
2024-03-26T10:41:06Z
meskio, meskio@torproject.org

[RoundCounter](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/broker/prometheus.go?ref_type=heads) is a useful wrapper on top of prometheus to round metrics to 8. We want to use it in other projects like rdsys.
Another useful piece for other projects is [safelog](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/common/safelog?ref_type=heads) that is already being imported by bridgestrap and conjure. Maybe we want to be able to import it without snowflake.
We could bundle both into a single library as this might make it easier to add other pieces in the future and each extra library makes it harder to package software to distros.

meskio, meskio@torproject.org

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42478
Update text in the "remove all bridges" warning dialog
2024-03-25T16:15:15Z
henry

Taken from https://gitlab.torproject.org/tpo/applications/tor-browser/-/merge_requests/890#note_2985074.
Currently, whenever the user selects "..." > "Remove all bridges", they get a warning dialog, with the text:
> Remove all bridges?
>
> If these bridges were received from torproject.org or added manually, this action cannot be undone
This is shown whether the user is removing *any* of the following:
1. Bridges they added themselves.
2. Bridges added through the Tor Browser captcha request.
3. Built-in bridges.
4. Bridge pass (Lox) bridges.
Do we want to update this text, or customize it for the individual cases? For example, if you are removing built-in bridges the warning is less relevant.
The other consideration is that "added manually" is the old wording, that we replaced with "added by you" in the UI.
/cc @donuts

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40353
Rename Container Image Tag for containers built from main branch to nightly
2024-03-25T15:21:37Z
shelikhoo

The current container image tag for container images built from main branch is latest, which is typically expected to be the most recent stable release, instead of the unstable main branch build result. The tag should be renamed to `nightly` as [discussed](https://lists.torproject.org/pipermail/tor-project/2024-March/003787.html) during the weekly meeting.

shelikhoo

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42477
Decide what to do with the "Choose a bridge for me" button in Tor Connection settings.
2024-03-25T15:53:46Z
henry

Spin off from https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42036#note_2974796.
When "about:torconnect" has failed to perform a regular Bootstrap we show in "about:preferences#connection" the location selector and a "Choose a Bridge for me..." button to open "about:preferences" and trigger "Auto-Bootstrapping". Once connected to tor, it won't show again.
![Screenshot of location selector and trigger button shown in the bridge settings](/uploads/7f82218d21c518f003e24931d9775ddf/choose-bridge.png)
We should decide on whether we want to drop this, or replace it with something else.
/cc @donuts do we want to do anything for 13.5?

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42476
Only allow Lox (invites) in alpha and nightly builds
2024-03-25T14:14:39Z
henry

We should add some kind of guard to prevent Lox invites for the stable 13.5 release.
I imagine we could use a preference. In terms of the UI, I think we only need to change [one line](https://gitlab.torproject.org/tpo/applications/tor-browser/-/blob/b7fc915f3ed100830bd8574a62f9cd653c1ec250/browser/components/torpreferences/content/provideBridgeDialog.js#L79-80) to disallow Lox invites in the "Add new bridges" dialog.
Do we also want some extra safety checks in other places to prevent the Lox module from doing anything?
/cc @richard @pierov

https://gitlab.torproject.org/tpo/network-health/metrics/tor_fusion/-/issues/6
Use UPDATE instead of INSERT?
2024-03-25T09:08:39Z
juga

Reviewing !5 with a local database, I realized that to insert the same data with the changes, I have to truncate the tables first, because the primary keys already existed. I wonder whether using update instead of insert would ease new deployments, since it'd modify the existing rows for the same primary keys. However, I've not checked how much worse performance would be nor how it could break if we change primary keys.

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/conjure/-/issues/40
Can't connect to phantoms acquired from CDN77 domain front
2024-03-24T18:39:43Z
Cecylia Bocovich

Conjure works just fine with the fastly front and by contacting the registration server directly, but any connections through CDN77 fail. If I recall correctly, Conjure does a check to see whether the originating IP to the phantom matches the IP address of the client registration. So either CDN77 is doing something unexpected with the `X-Forwarded-For` header, or the station needs to be told to check for it from CDN77 addresses.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42475
about:tor lacks branding
2024-03-25T03:51:14Z
Thorin

![about-tor](/uploads/1aa737b9f7b5de00b0d3540cf5689521/about-tor.png)
Roger brought up that there's nothing to "say" Tor Browser (excluding when you have the byline that Tor Browser updated)
> - i am trying to show a screenshot of tor browser and i find myself needed to write "Tor Browser" at the top or nobody will know what it is a screenshot of
> - it looks mainly like a duck duck go browser because that's what gets the real estate
My initial suggestion is add a smaller sized `Tor Browser` byline directly beneath `Explore. Privately`, but inline to the icon, and obviously adjust their vertical alignment
cc: @donuts @arma