Make a Tor 0.2.7.7 release, with the patch for #20384

We sent out a patch for legacy/trac#20384 (moved), and apparently some groups like opensuse picked it up and did a package update on their side, but now we're in the unfortunate position of having some relays running 0.2.7.6 because they're buggy and old, and others running 0.2.7.6 because they updated to the patched package.

The smart thing on our side is probably to follow up with an actual release, with its own new version number and everything, which includes that patch plus the other things we've been wanting to backport (e.g. directory authority changes).

We have a release-0.2.7 branch which has a big pile of stuff merged into it from long ago. It is unlikely to now contain the set of things we would like in 0.2.7.7. But I bet it has some good suggestions.

Step one is to gather together the set of things we might want in 0.2.7.7 -- get the list from the current release-0.2.7 branch, and from trac tickets that have the backport-027 keyword, and... anywhere else we should be looking?

Step two is to pick the right subset of them for 0.2.7.7.

Then step three is to do the actual merging, and do up a changelog and release stanza, and put it out.

I can help with step two, but I think Sebastian and weasel can too (and I will be offline for a while starting in a few days, so best not to bottleneck on me anyway).

Who will get us through step one? :)

(And then once we've done an 0.2.7.7, we can think about an 0.2.6.11, and work our way back.)

changed milestone to %Tor: 0.2.7.x-final in legacy/trac

added TorCoreTeam201702 in Legacy / Trac TorCoreTeam201703 in Legacy / Trac component::core tor/tor in Legacy / Trac milestone::Tor: 0.2.7.x-final in Legacy / Trac priority::medium in Legacy / Trac resolution::fixed in Legacy / Trac severity::normal in Legacy / Trac status::closed in Legacy / Trac type::task in Legacy / Trac labels

Replying to arma:

Step one is to gather together the set of things we might want in 0.2.7.7 -- get the list from the current release-0.2.7 branch, and from trac tickets that have the backport-027 keyword, and... anywhere else we should be looking?

Nick was kind enough to manually scrape together this list, which I have annotated:

    * #19728, #19690 (replace bridge authority)
    * #19271 (remove urras from authority list)
    * #19213 (build problems on mingw-w64)
    * #18977 (unit test problems on Windows)
    * #19032 (directory authority crash, not triggerable until 0.2.8)
    * #18841 (obscure unit test failure on gentoo)
    * #19008 (test-network-all can stall at ping6)
    * #18490 (unit-test fail to cross-compile for aarch64)
    * #18570 (bug in an unused codepath in cell queueing)
    * #16248 (rare assert when using DNSPort)
    * #17668, #18318, #18368 (directory authorities generate v3 vote wrong and then don't vote)
    * #15221 (allow more syscalls without crashing when Sandbox 1 is set)
    * #14821 (let hardened builds work when built with clang)
    * #17702 (directory authorities look at ed25519 identity keys)
    * #18162 (difficult-to-trigger heap corruption attack for enormous smartlists)
    * #18089 (runtime error calling memwipe(NULL) when built with hardened)
    * #18050 (sometimes on startup a relay briefly lists a dirport of 0)
    * #17906 (dannenberg new key)
    * #17923 (configure.ac mistake means we don't find in6_addr.s6_addr32)
    * #17675 (avoid sandbox error when using offline ed25519 relay identity keys)
    * #17819 (fix compile on netbsd 6.x)
    * #17827 (freebsd compile fix)
    * #17818, 01a9575ad0, 670affa7 (support ancient automake versions)

Here they are, rearranged into categories:

Directory authority keys (should include in 0.2.7.7):

    * #19728, #19690 (replace bridge authority)
    * #19271 (remove urras from authority list)
    * #17906 (dannenberg new key)

Crashes and security bulletproofing (should include in 0.2.7.7):

    * #16248 (rare assert when using DNSPort)
    * #15221 (allow more syscalls without crashing when Sandbox 1 is set)
    * #18162 (difficult-to-trigger heap corruption attack for enormous smartlists)
    * #18089 (runtime error calling memwipe(NULL) when built with hardened)
    * #17675 (avoid sandbox error when using offline ed25519 relay identity keys)

Build issues with weird platforms (we might want to backport these if the patches look easy):

    * #19213 (build problems on mingw-w64)
    * #18490 (unit-test fail to cross-compile for aarch64)
    * #14821 (let hardened builds work when built with clang)
    * #17923 (configure.ac mistake means we don't find in6_addr.s6_addr32)
    * #17819 (fix compile on netbsd 6.x)
    * #17827 (freebsd compile fix)
    * #17818, 01a9575ad0, 670affa7 (support ancient automake versions)

Issues with unit tests (would like to leave these out if possible):

    * #18977 (unit test problems on Windows)
    * #18841 (obscure unit test failure on gentoo)
    * #19008 (test-network-all can stall at ping6)

Behavior that doesn't seem so bad really for oldoldoldstable (no backport):

    * #18570 (bug in an unused codepath in cell queueing)
    * #18050 (sometimes on startup a relay briefly lists a dirport of 0)

Things that only directory authorities do (so no backport):

    * #19032 (directory authority crash, not triggerable until 0.2.8)
    * #17668, #18318, #18368 (directory authorities generate v3 vote wrong and then don't vote)
    * #17702 (directory authorities look at ed25519 identity keys)

Looking at the open tickets in milestone 0.2.7, we have:

Crashes, probably should backport:

• legacy/trac#18710 (moved) (assert on surprising input to local DNSPort)
• legacy/trac#19152 (moved) (difficult-to-trigger crash when openssl runs out of memory)

Probably no need to backport:

• legacy/trac#19150 (moved) (pointer arithmetic issue, not thought exploitable)
• legacy/trac#19203 (moved) (tor might not warn if you reference an unNamed relay by nickname)

And then there is this one, which isn't listed anywhere as pending on 0.2.7, but I think we want it:

• legacy/trac#20384 (moved) (prevent remote crash)

Open question: did I miss any that we should want to backport, or that we thought we had backported?

I an expecting that we will discard the current release-0.2.7 branch (archiving it somewhere of course), and make a fresh new one with the commits we decide to include.

For the ones that I think we should backport, I have collected the actual commits here, so we can have a chance of somebody noticing that we're doing it wrong. :)

Directory authority keys (should include in 0.2.7.7):

    * #19728, #19690 (replace bridge authority)

41ab23be, f60da192

    * #19271 (remove urras from authority list)

7ae34e72, 6b8c3d2b

    * #17906 (dannenberg new key)

11f63d26

Crashes and security bulletproofing (should include in 0.2.7.7):

    * #16248 (rare assert when using DNSPort)

91d7cf50, 307b8635, e79da626

    * #15221 (allow more syscalls without crashing when Sandbox 1 is set)

725e0c76

    * #18162 (difficult-to-trigger heap corruption attack for enormous smartlists)

c2fd6484, bca7083e

    * #18089 (runtime error calling memwipe(NULL) when built with hardened)

db815653, e2efa9e3

    * #17675 (avoid sandbox error when using offline ed25519 relay identity keys)

2cbaf39a

Build issues with weird platforms (we might want to backport these if the patches look easy):

    * #19213 (build problems on mingw-w64)

5854b198

    * #18490 (unit-test fail to cross-compile for aarch64)

1a065cea

    * #14821 (let hardened builds work when built with clang)

67e5d49d

    * #17923 (configure.ac mistake means we don't find in6_addr.s6_addr32)

d0c209c5

    * #17819 (fix compile on netbsd 6.x)

33b5bfb9

    * #17827 (freebsd compile fix)

07cca627, e0aa4f83, 784e9fff (maybe we skip this one because it is messy?)

    * #17818, 01a9575ad0, 670affa7 (support ancient automake versions)

670affa7, 01a9575a, ff843ed3, 254d63da (maybe we skip this one because it is messy?)

Crashes, probably should backport:

• legacy/trac#18710 (moved) (assert on surprising input to local DNSPort)

0ca3f495

• legacy/trac#19152 (moved) (difficult-to-trigger crash when openssl runs out of memory)

c4c4380a

• legacy/trac#20384 (moved) (prevent remote crash)

3cea86eb

And, there is also a mystery commit:

7d1fe7c9: "Try to fix address tests on FreeBSD", which says "Bugfix not on any released Tor" despite being a commit on release-0.2.7. What's the story there: is it a bugfix on 0.2.7.6 or not?

And lastly, let's not forget to update the GeoIP file(s) while we're there!

Here's how I suggest we proceed. I suggest that we start a maint-0.2.7-v2 branch, in the master Tor repository, starting from 0.2.7.6 as a point of divergence, and merging maint-0.2.6, but nothing from the old maint-0.2.7. Then I suggest that we go through the things above, seeing what (if anything) should be backported even earlier than 0.2.7.

This makes sense except in the case where we believe that one of the things already backported to 0.2.6 or earlier is a mistake that we should reverse. Is that the case? If not, I'll go ahead and start there.

I've started a "maint-0.2.7-redux" branch for this, tracking work on this (and other backports) at https://docs.google.com/spreadsheets/d/1YtiqX1aX6fjSN6a7-5AYhWm29kO76YihZB9yu8Kk2qA/edit?usp=sharing

Once maint-0.2.7-redux is looking ok, I'll be putting it into the master repository.

maint-0.2.7-redux and release-0.2.7-redux are now real repositories on our official tor repository.

Trac:
Keywords: N/A deleted, TorCoreTeam201702 TorCoreTeam201703 added

We put out an 0.2.7.7 release based on release-0.2.7-redux back in March.

Trac:
Status: new to closed
Resolution: N/A to fixed

closed

mentioned in issue legacy/trac#21579 (moved)

moved from legacy/trac#20512 (moved)

added Task label and removed 1 deleted label

removed 1 deleted label