non-anonymous hidden service configuration option details
Currently (after !1557 (merged)) the code expects this:
```toml
# in TOML
anonymity = "not_anonymous"
```

```rust
// in Rust
OnionServiceConfig::builder()
    .anonymity(Anonymity::DangerouslyNonAnonymous)
    ...
```
IMO:
- This does not warrant "Dangerously". "Dangerously" should be reserved for APIs where the programmer takes on a proof obligation (eg a typecheck is being bypassed), or the configuration being requested is not expected to be safe for use in the real world, not ordinary config options. As precedent I offer (for example) `address_filter.allow_local_addrs`, `override_net_params`, `storage.permissions.trust_user`. Like in those cases, the right answer for "single onions" configuration is to name the configuration option so that it does what it says on the tin.
- I think the name in the config file and the name in the Rust source code should be the same.
- OTOH this is insufficiently explicit: IMO it should mention in the name or value (at least in the TOML) that it is the server end (ie, us) which is being non-anonymous (ie, this is a "Tor Hidden Service" but it is not in fact hidden). `anonymity = "not_anonymous"` might mean that it is the clients who don't get anonymity.

I don't have particularly strong opinions about the precise names, subject to the above constraints. Following on from some things I said in !1557 (comment 2938351), how about:
```toml
# in TOML
server_end_privacy = "non_anonymous"
```

```rust
// in Rust
OnionServiceConfig::builder()
    .server_end_privacy(Anonymity::NonAnonymous)
    ...
```

I suspect that the above arguments won't be convincing to @nickm. I suggest we get a third opinion, and go with that. Although I would like this changed before we release, this is a bit of a bikeshed.