Closed
Milestone
Mar 1, 2022–Sep 1, 2022
Arti 1.0.0: Ready for production use
For some users, Arti is a better choice than the C client. Some embedders can ship Arti.
6 months to complete
Proposal: https://forum.zcashcommunity.com/t/arti-a-pure-rust-tor-implementation-for-zcash-and-beyond/38776
Unstarted Issues (open and unassigned): 42
- Move more config reading code into arti-client
- Provide more API and documentation for AddrPortPattern
- Better coarsetime strategy needed
- Scripted tests for bootstrap and other failures
- Current DirMgrConfig makes every new config section a breaking change
- Test Windows behavior on CI, maybe with Wine
- Reconfiguration, particularly socks and dns ports
- Early rejection for consensus documents we would never accept as timely
- Smarter timing for dirmgr downloads and retries
- Mechanism to warn loudly when running with dubious features enabled
- netdoc: Do _something_ with ConsensusVoterInfo.
- Review module structure, API, and docs, of arti library crate
- Consider alternate designs for traits and APIs for stream isolation
- CLI: unify, streamline, and refactor listener code
- If we have no consensus, save any well-signed consensus we're given?
- A well-signed consensus from the future indicates that our clock is wrong.
- Stream directory downloads to reduce latency and save RAM
- Change Store::microdescs to return an Iterator? Or to parse incrementally?
- Support for binding low ports, then dropping privileges
- Integration support for systemd and similar systems
- Always build a circuit before calling ourselves "bootstrapped"?
- initial_predicted_ports and handling during reconfigure
- Config "errors If a required field has not been initialized" docs message
- Don't sample guards until we have a very good directory status
- Check "send" failures in tor-proto, and handle them appropriately
- Do half-open streams behave correctly for RESOLVE/RESOLVED and similar commands?
- Expire half-open streams, possibly using a timer?
- Reschedule circuit timeouts when the configuration changes
- Re-enable (or rewrite) skipped tests in tor-proto
- Some tor-proto tests seem unreliable now
- Halfstream receive window is created afresh after reactor refactor
- Follow-up from "Draft: Completely overhaul the tor-proto circuit reactor"
- Enable RUST_BACKTRACE by default for panics?
- Always select paths from back to front?
- Can we use guards when we don't have a usable NetDir?
- Recover from corrupted state or cache on startup.
- Improved logic for flush_state_to_disk
- Fuzzing coverage for the tor-proto crate
- How-to documentation for getting existing programs to use Arti
- Stable, usable command-line interface.
- Profile, identify code bottlenecks, and optimize
- Select paths correctly (according to Tor rules)
Ongoing Issues (open and assigned): 9
- Global "tradeoffs", "security", "perf" config options
- define_list_builder_accessors contrives to hide documentation
- Use of `nf_conntimeout_clients` seems incorrect
- async cancellation hazards - consider select_safe! or other countermeasures
- syslog logging support
- Discard consensus if certificates can't be found.
- No longer impl HasKind for tor-proto::Error
- Include (or ship) recommended integration layer(s) for various HTTP clients
- Parallelize bootstrapping download attempts
Completed Issues (closed): 115
- Make tor-rtcompat traits sealed in 1.0
- Test-case preemptive::test::does_not_predict_old_ports fails in AppVeyor
- Make fs-mistrust tests pass on Windows
- In our docs, annotate more items with which features they depend on?
- Refactor away from `anyhow` in `arti` crate
- Decide whether to increment MSRV for Arti 1.0.0
- Mark most public rust apis in `arti` crate as experimental
- Give NetDirProvider a NetParams accessor
- Make directory objects expire faster
- Warn loudly if anybody tries to run arti in a setuid context
- Reconsider: Should a breaking change in a dependency mean a breaking change in a crate?
- Decide which data are "Sensitive" for logging purposes.
- Rename download_tolerance to something more accurate
- New high-level features for arti and arti-client
- Facility to disable even more background tasks when dormant.
- tor-guardmgr filtering_basics test failure - Job Failed #138380
- config "download_*" should probably become download.*
- Decide and implement policy on Option in config
- Add support for pre-seeded RNGs in unit tests
- CI should be using "normal" mistrust config
- Consider making mistrust disablement env var part of mistrust API
- arti bootstrapping panic, spent 100 iterations in the same state
- arti -o silently ignores unrecognized options
- tor-config: default fs-mistrust should tolerate readable config files
- Default config location should include a Debian-style arti.d
- Move config mistrust checking to load
- Detect stalled directory downloads in tor-dirmgr, report them to bootstrap status checker.
- Don't fetch from very skewed directories
- Improved configuration for fs-mistrust
- Sometimes config errors are reported without the filename
- Review config taxonomy
- Default config file testing, and comment out settings
- config: sort out default config file location etc.
- arti-0.3 test failure
- update notify to remove exception from cargo audit
- Consider renaming fs_mistrust make_secure_dir
- Want builder-consuming build methods
- CfgPath deserialisation is capricious
- Upgrade rsa to ≥0.6
- Option to use openssl cryptography back-ends?
- Enable "sha-1/asm" feature in top-level binaries?
- Bootstrapping exits early if consensus signatures are bad
- Cached directory object from the future makes us fail bootstrapping; is this right?
- Use backoff for timing when predicted circuit building fails.
- Race conditions make restrict_mut failures possible.
- Better logic for retrying a failure to plan a circuit
- SystemConfig is duplicated, and should be only in ArtiConfig
- Tolerate but warn on unknown fields when deserialising config
- Need an API to get the path of a circuit
- Handle followup tickets from stream isolation
- Rationalise override_net_params in config
- Refactor `UDPSocket` API
- Possibly use decorrelated-jitter backoff for channel/circuits too?
- Fallback identity mismatches lead to awful behavior
- Track reported skew from channel handshake
- Remember which directory caches give us unusable consensuses.
- Set `If-Modified-Since` on every consensus request
- arti-bench: do not allocate individual receive buffers for every receiver
- Keep directory-related hash tables smaller, closer to capacities
- Have `GenericRouterStatus` use less RAM.
- Use less space in hashmaps to store Microdescs and RouterDescs
- Intern protover lines for relays to save RAM
- Intern relay families to save memory, like C Tor does
- Use of Error::Internal in chanmgr get_or_launch allocates too much
- Add multicircuit support for arti-bench
- Decide how cargo.lock and MSRV interrelate
- Use non-allocating versions of hex decoding
- Consider having arti publish a library, and abolishing arti-config
- arti-config should not recapitulate arti-client config sections
- Drop Into<ConfigBuilder> for Config
- Simplify config API types and accessors, and config handling code
- Alternative DirProvider API can force provider to lie about errors
- TorClient::dirmgr() and circmgr() should return &Arc.
- Process-hardening and permission-dropping as appropriate
- Eventually, upgrade to aes ≥0.8 and cipher≥0.4
- Be "at least as secure" as Tor (as a client)
- Make sure high-level APIs are stable and sensible.
- Recover from bootstrap failures, or at least don't misbehave
- Refactor per-crate errors to better match plan in doc/Errors.md
- Check and improve behavior when running offline
- Reload configuration on SIGHUP, or something
- Should we be checking directory and file permissions?
- Should the [system] configuration belong to `arti`, not `arti-client`?
- Upgrade to async_executors 0.5?
- Extreme CPU usage
- Audit usage of SystemTime::now() outside of tests, rtcompat.
- Upgrade to Rustls 0.20
- Review/rework config API
- Delete old "default_guards" state file on startup.
- Send SOCKS replies on failing cases
- Decide how and when to use zeroize, and do it consistently.
- Export nightly coverage information for arti
- Avoid calling real sleep() functions in unit tests
- Examine the circuit reactor's congestion control-related dequeue behaviour
- Run strip --strip-debug in reproducible_build.sh
- Allow use of guards as directory caches when we have no NetDir
- Pick an Arti logo and use it in our documentation and website
- tor-circmgr test "request_retried" is not reliable
- Generate docs from README?
- Implement something like "SafeLogging" for Arti
- Periodic events should wake up less often
- Integration-test Arti in a Shadow network
- Improve continually_expire_circuits() to wake up only as needed.
- Consider `pem-rfc7468` instead of current pem implementation in tor-netdoc
- Improve and refactor circuit isolation code
- Measure fuzzing-based coverage
- Ensure behavior is reasonable when paths can't be generated
- Have more experienced Rust programmers read our code
- Reachable-address logic for direct connections
- Automatically detect and tolerate IPv6-only environments
- Suspend circuit creation if netdir is far far too old
- Client-side: reject bad hostnames and internal addresses
- Improve buffering and maybe performance on DataStream
- Implement relevant network parameters
- Implement connection padding (link protocol 5)
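The closed item "Client-side: reject bad hostnames and internal addresses" above names a check every Tor client needs: a request for `127.0.0.1`, `10.0.0.1`, `[::1]` or `localhost` must be refused locally rather than forwarded to an exit, where it would leak intent and probe the exit's own network. The block below is an added example of that kind of check using only the Rust standard library; it is not Arti's code, and `check_target`, `Rejection` and the helper names are assumptions chosen for illustration. It goes slightly beyond the item's wording by also treating IPv4-mapped IPv6 literals and carrier-grade NAT space (100.64.0.0/10) as internal.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

/// Why a connection target was refused client-side.
/// (Illustrative type for this example; not Arti's own error enum.)
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    /// An IP literal that an exit should never be asked to reach.
    InternalAddress(IpAddr),
    /// A name reserved for local resolution (RFC 6761 `localhost`).
    ReservedName(String),
    /// A hostname that is syntactically invalid.
    BadHostname(String),
}

/// IPv4 addresses that are never routable from a Tor exit.
fn v4_is_internal(a: Ipv4Addr) -> bool {
    let o = a.octets();
    a.is_unspecified()
        || a.is_loopback()
        || a.is_private()
        || a.is_link_local()
        || a.is_broadcast()
        || a.is_multicast()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10, carrier-grade NAT
}

/// IPv6 addresses that are never routable from a Tor exit.
fn v6_is_internal(a: Ipv6Addr) -> bool {
    let s = a.segments();
    // ::ffff:a.b.c.d is just an IPv4 address in disguise; judge it as IPv4.
    if s[..5].iter().all(|&x| x == 0) && s[5] == 0xffff {
        let v4 = Ipv4Addr::new((s[6] >> 8) as u8, s[6] as u8, (s[7] >> 8) as u8, s[7] as u8);
        return v4_is_internal(v4);
    }
    a.is_unspecified()
        || a.is_loopback()
        || a.is_multicast()
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7, unique local addresses
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10, link-local
}

/// Syntactic hostname check: total length, label length, label charset,
/// no leading or trailing hyphen. A single trailing dot (FQDN form) is allowed.
fn hostname_is_valid(h: &str) -> bool {
    if h.is_empty() || h.len() > 253 {
        return false;
    }
    let h = h.strip_suffix('.').unwrap_or(h);
    h.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && !label.starts_with('-')
            && !label.ends_with('-')
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
    })
}

/// Decide whether `host` (an IP literal, a bracketed IPv6 literal as written
/// in SOCKS/URL syntax, or a hostname) may be sent to an exit at all.
pub fn check_target(host: &str) -> Result<(), Rejection> {
    let bare = host
        .strip_prefix('[')
        .and_then(|s| s.strip_suffix(']'))
        .unwrap_or(host);

    if let Ok(ip) = bare.parse::<IpAddr>() {
        let internal = match ip {
            IpAddr::V4(a) => v4_is_internal(a),
            IpAddr::V6(a) => v6_is_internal(a),
        };
        return if internal { Err(Rejection::InternalAddress(ip)) } else { Ok(()) };
    }

    let lower = bare.to_ascii_lowercase();
    if lower == "localhost" || lower.ends_with(".localhost") {
        return Err(Rejection::ReservedName(host.to_string()));
    }

    // `.onion` names pass the syntactic check here like any other label;
    // onion-address validation proper is a separate concern.
    if hostname_is_valid(bare) {
        Ok(())
    } else {
        Err(Rejection::BadHostname(host.to_string()))
    }
}

fn main() {
    for t in ["example.com", "127.0.0.1", "[::1]", "[::ffff:10.0.0.1]", "localhost", "-bad.example"] {
        println!("{t:?} -> {:?}", check_target(t));
    }
}
```

The check runs before any circuit is chosen, so a rejected target costs no network round trip and produces a clean SOCKS failure reply instead of a confusing exit-side error.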