Start work on an 0.2.9.1-alpha changelog

(sort, fold, and reflow.)

ChangeLog

-Changes in version 0.2.9.1-alpha - 2016-??-??
+Changes in version 0.2.9.1-alpha - 2016-08-??
+  Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9
+  development series.
+
+  o New system requirements:
+    - Tor requires Libevent version 2.0.10-stable or later now.
+      Implements ticket 19554.
+    - We now require zlib version 1.2 or later. (Back when we started,
+      zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
+      released in 2003. We recommend the latest version.)
+
+  o Major features (dirauths, security, hidden services):
+    - Directory authorities can now perform the shared randomness
+      protocol specified by proposal 250. Using this protocol, directory
+      authorities can generate a global fresh random number every day.
+      In the future, this global randomness will be used by hidden
+      services to select their responsible HSDirs. This release only
+      implements the directory authority feature; the hidden service
+      side will be implemented in the future as part of proposal 224 .
+      Resolves ticket 16943; implements proposal 250.
+
+  o Major features (build, hardening):
+    - Tor now builds with -ftrapv by default on compilers that support
+      it. This option detects signed integer overflow, and turns it into
+      a hard-failure. We do not apply this option to code that needs to
+      run in constant time to avoid side-channels; instead, we use
+      -fwrapv. Closes ticket 17983.
+    - When --enable-expensive-hardening is selected, stop applying the
+      clang/gcc sanitizers to code that needs to run in constant-time to
+      avoid side channels: although we are aware of no introduced side-
+      channels, we are not able to prove that this is safe. Related to
+      ticket 17983.
+
+  o Major bugfixes (exit policies):
+    - Avoid disclosing exit outbound bind addresses, configured port
+      bind addresses, and local interface addresses in relay descriptors
+      by default under ExitPolicyRejectPrivate. Instead, only reject
+      these (otherwise unlisted) addresses if
+      ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
+      0.2.7.2-alpha. Patch by teor.
+
+  o Major bugfixes (hidden service client):
+    - With FetchHidServDescriptors set to 0, there is no descriptor
+      fetch (which is intended) but also no descriptor cache lookup was
+      done making any Tor client not working with this option unset.
+      Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
+
+  o Major bugfixes (user interface):
+    - Fix an integer overflow in the rate-limiter that caused displaying
+      of wrong number of suppressed messages (if there are too many of
+      them). If the number of messages hits the limit of messages per
+      interval the rate-limiter doesn't count any further. Fixes bug
+      19435; bugfix on 0.2.4.11-alpha.
+
+  o Minor features (backend):
+    - Tor now uses the operating system's monotonic timers (where
+      available) for internal fine-grained timing. Previously we would
+      look at the system clock, and then attempt to compensate for the
+      clock running backwards. Closes ticket 18908.
+
+  o Minor features (build):
+    - Detect and work around a libclang_rt problem that prevents clang
+      from finding __mulodi4() on some 32-bit platforms. This clang bug
+      would keep -ftrapv from linking on those systems. Closes
+      ticket 19079.
+    - Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
+      turn on C and POSIX extensions. Closes ticket 19139.
+    - When building on a system without runtime support for some of the
+      runtime hardening options, try to log a useful warning at
+      configuration time, rather than an incomprehensible warning at
+      link time. If expensive hardening was requested, this warning
+      becomes an error. Closes ticket 18895.
+
+  o Minor features (code safety):
+    - In our integer-parsing functions, check that the maxiumum value
+      given is no smaller than the minimum value. Closes ticket 19063;
+      patch from U+039b.
+
+  o Minor features (compilation):
+    - Our big list of extra GCC warnings is now enabled by default when
+      building with GCC (or with anything like Clang that claims to be
+      GCC-compatible). To make all warnings into fatal compilation
+      errors, pass --enable-fatal-warnings to configure. Closes
+      ticket 19044.
+
+  o Minor features (control port):
+    - Implement new GETINFO queries for all downloads using
+      download_status_t to schedule retries. Closes ticket 19323.
+
+  o Minor features (controller):
+    - Add support for configuring basic client authorization on hidden
+      services created with the ADD_ONION control command. Implements
+      ticket 15588. Patch by "special".
+    - Fire a `STATUS_SERVER` event whenever the hibernation status
+      changes between "awake"/"soft"/"hard". Closes ticket 18685.
+
+  o Minor features (debugging):
+    - When dumping unparseable router descriptors, optionally store them
+      in separate filenames by hash, up to a configurable limit. Closes
+      ticket 18322.
+
+  o Minor features (directory authority):
+    - Directory authorities now only give the Guard flag to a relay if
+      they are also giving it the Stable flag. This change allows us to
+      simplify path selection for clients, and it should have minimal
+      effect in practice since >99% of Guards already have the Stable
+      flag. Implements ticket 18624.
+    - Make directory authorities write the v3-status-votes file out to
+      disk earlier in the consensus process, so we have the votes even
+      if we abort the consensus process below. Resolves ticket 19036.
+
+  o Minor features (downloading):
+    - Use random exponential backoffs when retrying downloads from the
+      dir servers. Closes ticket 15942.
+
+  o Minor features (hidden service):
+    - Stop being so strict about the payload length of "rendezvous1"
+      cells. We used to be locked in to the "tap" handshake length, and
+      now we can handle better handshakes like "ntor". Resolves
+      ticket 18998.
+
+  o Minor features (infrastructure):
+    - Tor now includes an improved timer backend, so that we can
+      efficiently support tens or hundreds of thousands of concurrent
+      timers, as will be needed for some of our planned anti-traffic-
+      analysis work. This code is based on William Ahern's "timeout.c"
+      project, which implements a "tickless hierarchical timing wheel".
+      Closes ticket 18365.
+
+  o Minor features (logging):
+    - Provide a more useful warning message when configured with an
+      invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
+
+  o Minor features (performance):
+    - When fetching a consensus for the first time, use optimistic data.
+      This saves a round-trip during startup. Closes ticket 18815.
+
+  o Minor features (relay, usability):
+    - When the directory authorities refuse a bad relay's descriptor,
+      encourage the relay operator to contact us. Many relay operators
+      won't notice this line in their logs, but it's a win if even a few
+      learn why we don't like what their relay was doing. Resolves
+      ticket 18760.
+
+  o Minor features (safety, debugging):
+    - Add a set of macros to check nonfatal assertions, for internal
+      use. Migrating more of our checks to these should help us avoid
+      needless crash bugs. Closes ticket 18613.
+
+  o Minor features (testing):
+    - Let backtrace tests work correctly under AddressSanitizer. Fixes
+      part of bug 18934; bugfix on 0.2.5.2-alpha.
+    - Move the test-network.sh script to chutney, and modify tor's test-
+      network.sh to call the (newer) chutney version when available.
+      Resolves ticket 19116. Patch by teor.
+    - Use the lcov convention for marking lines as unreachable, so that
+      we don't count them when we're generating test coverage data.
+      Update our coverage tools to understand this convention. Closes
+      ticket 16792.
+
+  o Minor bugfixes (bootstrap):
+    - Remember the directory we fetched the consensus or previous
+      certificates from, and use it to fetch future authority
+      certificates. Fixes bug 18963; bugfix on 0.2.8.1-alpha.
+
+  o Minor bugfixes (build):
+    - Make the test-stem and test-network targets depend only on the tor
+      binary to be tested. Previously, they depended on "make all".
+      Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a patch
+      from "cypherpunks".
+
+  o Minor bugfixes (circuits):
+    - Make sure extend_info_from_router is only called on servers. Fixes
+      bug 19639; bugfix on 0.2.8.1-alpha.
+
+  o Minor bugfixes (compilation):
+    - When building with Clang, include our full array of GCC warnings.
+      (Previously, we included only a subset, because of the way we
+      detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
+
+  o Minor bugfixes (directory authority):
+    - Authorities now sort the "package" lines in their votes, for ease
+      of debugging. (They are already sorted in the consensus
+      documents.) Fixes bug 18840; bugfix on 0.2.6.3-alpha.
+    - When parsing detached signature, make sure we use the length of
+      the digest algorithm instead of an hardcoded DIGEST256_LEN in
+      order to avoid comparing bytes out of bound with a smaller digest
+      length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
+
+  o Minor bugfixes (documentation):
+    - Document the --passphrase-fd option in the tor manpage. Fixes bug
+      19504; bugfix on 0.2.7.3-rc.
+    - Fix the description of the --passphrase-fd option in the
+      tor-gencert manpage. The option is used to pass the number of a
+      file descriptor to read the passphrase from, not to read the file
+      descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
+
+  o Minor bugfixes (ephemeral hidden service):
+    - When deleting an ephemeral hidden service, close its intro points
+      even if not in the open state. Fixes bug 18604; bugfix
+      on 0.2.7.1-alpha.
+
+  o Minor bugfixes (guard selection):
+    - Use a single entry guard even if the NumEntryGuards consensus
+      parameter is not provided. Fixes bug 17688; bugfix
+      on 0.2.5.6-alpha.
+
+  o Minor bugfixes (guards):
+    - Don't mark guards as unreachable if connection_connect() fails.
+      That function fails for local reasons, so it shouldn't reveal
+      anything about the status of the guard. Fixes bug 14334; bugfix
+      on 0.2.3.10-alpha.
+
+  o Minor bugfixes (hidden service client):
+    - Increase the minimum number of internal circuits we preemptively
+      build from 2 to 3 so they are available when a client connects to
+      another onion service. Fixes bug 13239; bugfix on 0.1.0.1-rc.
+
+  o Minor bugfixes (logging):
+    - When logging a directory ownership mismatch, log the owning
+      username correctly. Fixes bug 19578; bugfix on 0.2.2.29-beta.
+
+  o Minor bugfixes (memory leaks):
+    - Fix a small, uncommon memory leak that could occur when reading a
+      truncated ed25519 key file. Fixes bug 18956; bugfix
+      on 0.2.6.1-alpha.
+
+  o Minor bugfixes (test networks):
+    - Allow clients to retry HSDirs much faster in test networks. Fixes
+      bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
+
+  o Minor bugfixes (testing):
+    - Disable ASAN's detection of segmentation faults while running
+      test_bt.sh, so that we can make sure that our own backtrace
+      generation code works. Fixes another aspect of bug 18934; bugfix
+      on 0.2.5.2-alpha. Patch from "cypherpunks".
+    - Fix the test-network-all target on out-of-tree builds by using the
+      correct path to the test driver script. Fixes bug 19421; bugfix
+      on 0.2.7.3-rc.
+
+  o Minor bugfixes (time):
+    - Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
+      bugfix on all released tor versions.
+
+  o Minor bugfixes (timing):
+    - When computing the difference between two times in milliseconds,
+      we now round to the nearest millisecond correctly. Previously, we
+      could sometimes round in the wrong direction. Fixes bug 19428;
+      bugfix on 0.2.2.2-alpha.
+
+  o Minor bugfixes (user interface):
+    - Fix a typo in the getting passphrase prompt for the ed25519
+      identity key. Fixes bug 19503; bugfix on 0.2.7.2-alpha.
+
+  o Code simplification and refactoring:
+    - Remove redundant declarations of the MIN macro. Closes
+      ticket 18889.
+    - Rename tor_dup_addr() to tor_addr_to_str_dup() to avoid confusion.
+      Closes ticket 18462; patch from "icanhasaccount".
+    - Split the 600-line directory_handle_command_get function into
+      separate functions for different URL types. Closes ticket 16698.
+
+  o Documentation:
+    - Fix spelling of "--enable-tor2web-mode" in the manpage. Closes
+      ticket 19153. Patch from "U+039b".
+
+  o Removed features:
+    - Remove support for "GET /tor/bytes.txt" DirPort request, and
+      "GETINFO dir-usage" controller request, which were only available
+      via a compile-time option in Tor anyway. Feature was added in
+      0.2.2.1-alpha. Resolves ticket 19035.
+    - There is no longer a compile-time option to disable support for
+      TransPort. (If you don't want TransPort; just don't use it.) Patch
+      from "U+039b". Closes ticket 19449.
+
+  o Testing:
+    - Run more workqueue tests as part of "make check". These had
+      previously been implemented, but you needed to know special
+      command-line options to enable them.
+    - We now have unit tests for our code to reject zlib "compression
+      bombs". (Fortunately, the code works fine.)
 Changes in version 0.2.8.6 - 2016-08-02

changes/19044

-  o Minor features (compilation):
-    - Our big list of extra GCC warnings is now enabled by default when
-      building with GCC (or with anything like Clang that claims to be
-      GCC-compatible). To make all warnings into fatal compilation errors,
-      pass --enable-fatal-warnings to configure. Closes ticket 19044.

changes/assert_nonfatal

-  o Minor features (safety, debugging):
-    - Add a set of macros to check nonfatal assertions, for internal
-      use. Migrating more of our checks to these should help us avoid
-      needless crash bugs. Closes ticket 18613.

changes/bug13239

-  o Minor bugfixes (hidden service client):
-    - Increase the minimum number of internal circuits we preemptively build
-      from 2 to 3 so they are available when a client connects to another
-      onion service. Fixes bug 13239; bugfix on 0.1.0.1-rc.

changes/bug14334

-  o Minor bugfixes (guards):
-    - Don't mark guards as unreachable if connection_connect() fails. That
-      function fails for local reasons, so it shouldn't reveal anything about
-      the status of the guard. Fixes bug 14334; bugfix on 0.2.3.10-alpha.

changes/bug15942

-  o Minor features (downloading):
-    - Use random exponential backoffs when retrying downloads from the dir
-      servers. Closes ticket 15942.

changes/bug16943

-  o Major features (dirauths, security, hidden services):
-    - Directory authorities can now perform the shared randomness protocol
-      specified by proposal 250. Using this protocol, directory authorities can
-      generate a global fresh random number every day. In the future, this
-      global randomness will be used by hidden services to select their
-      responsible HSDirs. This release only implements the directory authority
-      feature; the hidden service side will be implemented in the future as
-      part of proposal 224 . Resolves ticket 16943; implements proposal 250.

changes/bug17688

-  o Minor bugfixes (guard selection):
-    - Use a single entry guard even if the NumEntryGuards consensus parameter
-      is not provided. Fixes bug 17688; bugfix on 0.2.5.6-alpha.
-

changes/bug17983

-  o Major features (build, hardening):
-    - Tor now builds with -ftrapv by default on compilers that support it.
-      This option detects signed integer overflow, and turns it into a
-      hard-failure.  We do not apply this option to code that needs to run
-      in constant time to avoid side-channels; instead, we use -fwrapv.
-      Closes ticket 17983.
-    - When --enable-expensive-hardening is selected, stop applying the clang/gcc
-      sanitizers to code that needs to run in constant-time to avoid side
-      channels: although we are aware of no introduced side-channels, we
-      are not able to prove that this is safe. Related to ticket 17983.
-

changes/bug18240

-  o Minor bugfixes (build):
-    - Make the test-stem and test-network targets depend only on the
-      tor binary to be tested. Previously, they depended on "make all".
-      Fixes bug 18240; bugfix on 0.2.8.2-alpha.
-      Based on a patch from "cypherpunks".

changes/bug18300

-  o Minor features (logging):
-    - Provide a more useful warning message when configured with an
-      invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".

changes/bug18322

-  o Minor features (debugging):
-    - When dumping unparseable router descriptors, optionally store them in
-      separate filenames by hash, up to a configurable limit.
-      Closes ticket 18322.

changes/bug18456

-  o Major bugfixes (exit policies):
-    - Avoid disclosing exit outbound bind addresses, configured port bind
-      addresses, and local interface addresses in relay descriptors by
-      default under ExitPolicyRejectPrivate. Instead, only reject these
-      (otherwise unlisted) addresses if ExitPolicyRejectLocalInterfaces is set.
-      Fixes bug 18456; bugfix on 0.2.7.2-alpha. Patch by teor.

changes/bug18604

-  o Minor bugfixes (ephemeral hidden service):
-    - When deleting an ephemeral hidden service, close its intro points even
-      if not in the open state. Fixes bug 18604; bugfix on
-      0.2.7.1-alpha.

changes/bug18704

-  o Major bugfixes (hidden service client):
-    - With FetchHidServDescriptors set to 0, there is no descriptor fetch
-      (which is intended) but also no descriptor cache lookup was done
-      making any Tor client not working with this option unset. Fixes
-      bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".

changes/bug18815

-  o Minor features (performance):
-    - When fetching a consensus for the first time, use optimistic data.
-      This saves a round-trip during startup. Closes ticket 18815.

changes/bug18840

-  o Minor bugfixes (directory authority):
-    - Authorities now sort the "package" lines in their votes, for ease
-      of debugging. (They are already sorted in the consensus documents.)
-      Fixes bug 18840; bugfix on 0.2.6.3-alpha.

changes/bug18889

-  o Code simplification and refactoring:
-    - Remove redundant declarations of the MIN macro. Closes ticket 18889.

changes/bug18895

-  o Minor features (build):
-    - When building on a system without runtime support for some of the
-      runtime hardening options, try to log a useful warning at configuration
-      time, rather than an incomprehensible warning at link time.
-      If expensive hardening was requested, this warning becomes an error.
-      Closes ticket 18895.

changes/bug18934

-  o Minor features (testing):
-    - Let backtrace tests work correctly under AddressSanitizer.
-      Fixes part of bug 18934; bugfix on 0.2.5.2-alpha.