The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2024-03-06T20:15:16Z

https://gitlab.torproject.org/tpo/network-health/metrics/descriptorParser/-/issues/84
Running flag in server statuses
2024-03-06T20:15:16Z
Hiro

We have been thinking about what could be the best way to represent a relay status between when it is running and when it has fallen from the consensus. I have currently a patch where I go through the nodes that have not been updated from a consensus and set the flag to running false.
I am thinking instead that we might use a sort of 'relationship' table for this and then do a join query at the API level.
Ex:
```
fingerprint | nickname | latest_status_published_timestamp | latest_network_status_entry_digest | latest_network_status_digest | running
```
The first three fields identify the latest status published, then we have the digest for the latest consensus entry where the relay was included and the document digest. Finally we save the running flag.
This way we are able to make a quick query to find relays that have fallen out from the consensus without saving another status.

Hiro

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/lyrebird/-/issues/40013
version is reported as lyrebird-0.0.14
2024-03-04T19:48:23Z
toralf

shouldn't it be 0.1.0 ?

meskio <meskio@torproject.org>

https://gitlab.torproject.org/tpo/onion-services/ecosystem/-/issues/3
Add Onion Launchpad documentation
2024-02-26T17:45:09Z
Silvio Rhatto

# Tasks
* [x] Add the Onion Launchpad documentation once it's [converted to Onion MkDocs][].
[converted to Onion MkDocs]: tpo/onion-services/onion-launchpad#72
# Time estimation
* Complexity: negligible (0.1 day)
* Uncertainty: low (x1.1)
* [Reference](https://jacobian.org/2021/may/25/my-estimation-technique/) (adapted)

Silvio Rhatto
2024-03-28

https://gitlab.torproject.org/tpo/core/arti/-/issues/1298
Do not include escape codes when logging to file
2024-02-23T15:47:13Z
gabi-250

We shouldn't be printing terminal escape codes when logging to file.
The log files currently look like this:
```
�[2m2024-02-22T18:09:58Z�[0m �[32m INFO�[0m �[2marti�[0m�[2m:�[0m Starting Arti 1.1.13 in SOCKS proxy mode on localhost port 9150 ...
�[2m2024-02-22T18:09:58Z�[0m �[34mDEBUG�[0m �[2marti::process�[0m�[2m:�[0m Increased process file limit to 16384
```
I routinely `sed -i "s,\x1B\[[0-9;]*[a-zA-Z],,g"` logs from bug reports, shadow etc. in order to make them readable.

gabi-250

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41541
Vaultwarden experiment
2024-03-26T20:46:38Z
micah <micah@torproject.org>

I have been working in the engineering side of the organization to organize accounts we have with different online services. That work has identified that we have accounts that have been set up by different individuals over time (some who are no longer with us, many who should not even have access any longer), with different personal or outdated organization information configured, and their associated passwords being shared in numerous ways of various levels of security or insecurity (Signal, Matrix, email, etc.). Accounts such as Google Play Store, Apple developer console, Docker Hub, domain fronting CDN providers, browser extension stores, AWS, GKE, etc. are strewn about in a fairly haphazard way. The goal of this effort is to bring sanity to these accounts and reduce the overhead involved in regaining access, performing necessary billing work, adjusting organizational details, updating legal agreements, etc. Having a single password vault for accounts that can be organized in ways that different people can have appropriate access would go a long ways towards making things less chaotic.
As we continue to [evaluate password management options](https://gitlab.torproject.org/tpo/tpa/team/-/issues/29677), and because there is a need in engineering to solve our messy password situation, I'd like to propose that we try an experiment with a [vaultwarden](https://github.com/dani-garcia/vaultwarden) server (the free software, Rust rewrite of Bitwarden). I have been managing a vaultwarden server for personal use, and it appears to work well, and functions well in organizations who have different access and client needs. My proposal is that TPA would set up and manage a VM, with the vaultwarden-server container setup, and I would manage the service. I would attempt to use this system to organize these efforts, and this can be simultaneously an opportunity to evaluate the relative merits of this system for potential wider use. We can check in on the effectiveness of this as we go along and change course without difficulty.
Vaultwarden was designed to run on a Raspberry Pi, and it [appears](https://github.com/dani-garcia/vaultwarden/issues/277#issuecomment-445526374) that hosting up to 100 users works just fine on [such a setup](https://github.com/dani-garcia/vaultwarden/issues/645). Thus the [required specifications](https://github.com/dani-garcia/vaultwarden/wiki/Deployment-examples) for a server are quite minimal. Considering this is an experiment, I would suggest we start off with a minimal configuration and monitor it and adjust on the way.
**Specs requested:**
- Memory: 512MB
- CPU: 1 core
- Storage: 5GB (in addition to what your typical Debian installation with podman would require)
- DNS: vault.torproject.org
- Software:
podman configured to auto-update the docker image `vaultwarden/server:latest` -- this [tracks the latest released tagged version number](https://github.com/dani-garcia/vaultwarden/wiki/Which-container-image-to-use) with an appropriate rw volume/directory mounted on `/data` and port 80 exposed (`-p 80:80`), passing the following environment variables:
```
SIGNUPS_ALLOWED: false
ORG_CREATION_USERS: none
INVITATIONS_ALLOWED: false
INVITATION_ORG_NAME: Tor
DOMAIN: 'https://vault.torproject.org'
ADMIN_TOKEN: <provided out of band>
SMTP_HOST: <tpa provided>
SMTP_FROM: <tpa provided>
SMTP_USERNAME: <tpa provided>
SMTP_PASSWORD: <tpa provided>
SMTP_SECURITY: <tpa provided: starttls for 587, force_tls for 465>
SMTP_AUTH_MECHANISM: <tpa provided: Plain, Login, Xoauth2>
HELO_NAME: vault.torproject.org
```
```
TPA's choice:
USE_SYSLOG: true (depends on TPA logging policy)
LOG_FILE: /path/to/log (if not using syslog, depending on TPA log policy)
```
- Reverse Proxy: with TLS certificate, please see [these examples](https://github.com/dani-garcia/vaultwarden/wiki/Proxy-examples), presumably the normal `nginx` one there is what you would use, but if that isn't the typical TPA webserver, other options are there.
- Backups: please back up the volume that is passed, it contains a sqlite database that is critical.
- Firewall:
ALL IN/OUT: port 443 for reverse proxy
OUT: either port 587 or 465, depending on `SMTP_SECURITY`

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/core/arti/-/issues/1297
Improve logging around circuit errors
2024-02-28T14:04:12Z
gabi-250

I was trying to diagnose this error from https://gitlab.torproject.org/tpo/core/arti/-/issues/1280#note_2998936
```
2000-01-01T04:25:23Z WARN tor_hsservice::helpers: Problem while accepting rendezvous request: error: Could not connect rendezvous circuit.: Could not establish circuit to rendezvous point: Tried to Establish a circuit to a rendezvous point 2 times, but all attempts failed
Attempt 1: Problem building a circuit, while extending to chosen HS hop: Circuit closed
Attempt 2: Problem building a circuit, while extending to chosen HS hop: Circuit closed
```
but it doesn't say *which* circuit failed (so I can't find the corresponding `tor_proto::circuit::reactor` logs)

Arti: Onion service support
gabi-250

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42425
Improve accessibility of the bridge emoji cells
2024-03-04T15:14:34Z
henry

When testing https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42413 with screen readers I noticed:
+ NVDA does not like to read the table cell accessible name, but will instead read the content of the cell only.
+ Orca will not read the `aria-describedby` in a table.

henry

https://gitlab.torproject.org/tpo/network-health/team/-/issues/349
New round of contacting operators for DNS issues and badexiting problematic relays (2024-02-19)
2024-03-25T10:08:02Z
Georg Koppen

This week we got:
```
Relay 032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2 failed DNS check 5/5 times
Relay 052848D49E213DE9F85C8721E138DAABA2DE08C8 failed DNS check 5/5 times
Relay 322AB34E14CD3B08946B5BC109A74A82EDB5298F failed DNS check 2/2 times
Relay A924AB95F7D77E323A0B9F4CA082F0E13839667B failed DNS check 5/5 times
Relay AFCD245212A6737BE69C312140DB52186D930099 failed DNS check 5/5 times
Relay EB437DB78BBF273458FBD50D152E93A3A2D91B0B failed DNS check 5/5 times
```
Upon re-testing it turns out that `322AB34E14CD3B08946B5BC109A74A82EDB5298F` and `EB437DB78BBF273458FBD50D152E93A3A2D91B0B` are fine now. `052848D49E213DE9F85C8721E138DAABA2DE08C8` and `A924AB95F7D77E323A0B9F4CA082F0E13839667B` still have resolution issues. `032E18F26B35047A20EB1F0E480D0DFD3D8AB6E2` got dealt with in https://gitlab.torproject.org/tpo/network-health/team/-/issues/347

Georg Koppen

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42424
Should we default enable SQS rendezvous of Snowflake in built-in bridge?
2024-02-22T19:52:25Z
snowflake_user_40314

The current default rendezvous (domain fronting) is [expected to stop working](https://lists.torproject.org/pipermail/anti-censorship-team/2023-October/000328.html).
The current 13.0.10 does not enable SQS rendezvous by default.

https://gitlab.torproject.org/tpo/tpa/gitlab/-/issues/150
Gitlab Default sender name is too generic
2024-02-26T21:02:21Z
kwadronaut

Mails show up as `gitlab` in my mail client - one of the many gitlabs around. These are generic ones, like `From: GitLab <git@gitlab.torproject.org>)subject: Your resource access tokens will expire in 7 days or less`
`This so question might be useful: https://stackoverflow.com/questions/24834339/how-to-change-sender-name-from-gitlab-emails`
Can you change that?

Jérôme Charaoui <lavamind@torproject.org>

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40335
No release for version 2.9.0
2024-02-27T16:41:36Z
Poncho

Hi there
Some time ago, you've tagged version 2.9.0
It's available under https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tags
But there is no corresponding release under https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases and the release job was skipped https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/jobs/471273
Not sure whether this is all on purpose or if something went wrong. Therefore, opening this issue.

Cecylia Bocovich

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41539
Create an operations email list
2024-03-28T01:14:48Z
al smith

The operations team needs an email list to coordinate its work. (This will help with our grants@torproject.org email issues, as we'll be able to reduce the number of people using that alias once the operations list is established.)
**Requirements**
1. Does **not** require a moderation queue
2. Allows people who are not subscribed to the list to send email to the list **without friction**
3. Is not archived (for anyone, including members of the list)
4. Is not displayed on lists.torproject.org
Is that something a list can do?
If so, we request `tor-operations@` to be created. :smile:
Note: It's possible that an operations list exists already, per this ticket from 8 years ago, but I don't think so based on my quick test. Just adding for due diligence since I noticed it: https://gitlab.torproject.org/tpo/tpa/team/-/issues/15992

Jérôme Charaoui <lavamind@torproject.org>
2024-03-31

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41089
Add filetype association to the installer of Mullvad Browser
2024-03-11T14:10:05Z
Pier Angelo Vendrame

For setting Mullvad Browser as a default browser, we need to populate some registry data first, and Firefox expects the installer to do it.
So, we do it from the installer as well.

Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/41088
Remove use of projects/browser/run_scripts
2024-03-26T20:31:48Z
boklm

In `projects/browser/build` we are creating a script (in
`"$scripts_dir/create-$PKG_DIR"`), and use `run_scripts` to run it.
This was added in dfa0cc46fc and was useful to generate bundles for the
different locales in parallel. However since we now have one bundle for
all locales, it's not useful anymore, and we can simplify the build
script by not doing that.

boklm

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42423
Move temporary Lox Fluent strings to new file
2024-02-22T12:53:35Z
henry

The Lox invite dialog is due to be re-designed in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42385
We should move the temporary strings to a new Fluent file so they don't end up on weblate.

henry

https://gitlab.torproject.org/tpo/web/onion-mkdocs/-/issues/13
Action Required: Fix Renovate Configuration
2024-02-21T15:04:29Z
Renovate Bot

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop MRs until it is resolved.
Location: `renovate.json`
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting String near ],
{

Silvio Rhatto

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42421
Remove bridge option should be hidden for Lox bridges
2024-03-04T15:14:03Z
henry

Currently we allow individual Lox bridges to be removed through the "Bridge options" menu.

henry

https://gitlab.torproject.org/tpo/web/tpo/-/issues/419
New translations for website: be, el, tk
2024-02-21T13:49:15Z
emmapeel

New translations: Belarusian, Turkmen, Greek.

emmapeel

https://gitlab.torproject.org/tpo/web/onion-mkdocs/-/issues/12
Action Required: Fix Renovate Configuration
2024-02-21T13:35:20Z
Renovate Bot

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop MRs until it is resolved.
Location: `renovate.json`
Error type: Invalid JSON (parsing failed)
Message: JSON.parse error: `JSON5: invalid character ',' at 6:2`

Silvio Rhatto

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42419
torrc-defaults use "\r\n" as the end-of-line on Linux.
2024-02-21T15:30:49Z
cypherpunks

Version and sha256sum: 6aad967df4376542f4be8a5b0d4e67f5b59bf0c0bbac7a1acf9e24cf6a1a5f3f ./tor-browser-linux-i686-13.0.9.tar.xz
Reproduce step:
1. extract tor-browser-linux-i686-13.0.9.tar.xz
2. run hd ./torrc-defaults | grep -e '^' -e '0d'
I think normal text configuration file in Linux should never include the "\r"(0x0d) character.
Is my understanding correct?