commit 99d39e937e43ddc79c0a089de2c3e436e055461b
Author: Nick Mathewson <nickm(a)torproject.org>
Date: Thu Nov 5 09:39:44 2015 -0500
Re-order and condense some ReleaseNotes items
---
ReleaseNotes | 243 ++++++++++++++++++++++++-----------------------------------
1 file changed, 100 insertions(+), 143 deletions(-)
diff --git a/ReleaseNotes b/ReleaseNotes
index 131d015..029dd61 100644
--- a/ReleaseNotes
+++ b/ReleaseNotes
@@ -6,6 +6,24 @@ each development snapshot, see the ChangeLog file.
Changes in version 0.2.7.5- 2015-11-??
XXXX WRITE A BLURB XXXX
+ o New system requirements:
+ - Tor no longer includes workarounds to support Libevent versions
+ before 1.3e. Libevent 2.0 or later is recommended. Closes
+ ticket 15248.
+ - Tor no longer supports copies of OpenSSL that are missing support
+ for Elliptic Curve Cryptography. (We began using ECC when
+ available in 0.2.4.8-alpha, for more safe and efficient key
+ negotiation.) In particular, support for at least one of P256 or
+ P224 is now required, with manual configuration needed if only
+ P224 is available. Resolves ticket 16140.
+ - Tor no longer supports versions of OpenSSL before 1.0. (If you are
+ on an operating system that has not upgraded to OpenSSL 1.0 or
+ later, and you compile Tor from source, you will need to install a
+ more recent OpenSSL to link Tor against.) These versions of
+ OpenSSL are still supported by the OpenSSL, but the numerous
+ cryptographic improvements in later OpenSSL releases makes them a
+ clear choice. Resolves ticket 16034.
+
o Major features (controller):
- Add the ADD_ONION and DEL_ONION commands that allow the creation
and management of hidden services via the controller. Closes
@@ -36,24 +54,43 @@ Changes in version 0.2.7.5- 2015-11-??
vary freely. Implements part of ticket 12498.
- Microdescriptors now include Ed25519 identity keys. Implements
part of ticket 12498.
+ - Add a --newpass option to allow changing or removing the
+ passphrase of an encrypted key with tor --keygen. Implements part
+ of ticket 16769.
+ - Add a new OfflineMasterKey option to tell Tor never to try loading
+ or generating a secret Ed25519 identity key. You can use this in
+ combination with tor --keygen to manage offline and/or encrypted
+ Ed25519 keys. Implements ticket 16944.
+ - On receiving a HUP signal, check to see whether the Ed25519
+ signing key has changed, and reload it if so. Closes ticket 16790.
+ - Significant usability improvements for Ed25519 key management. Log
+ messages are better, and the code can recover from far more
+ failure conditions. Thanks to "s7r" for reporting and diagnosing
+ so many of these!
- o Major features (Ed25519 keys, keypinning):
- - The key-pinning option on directory authorities is now advisory-
- only by default. In a future version, or when the AuthDirPinKeys
- option is set, pins are enforced again. Disabling key-pinning
- seemed like a good idea so that we can survive the fallout of any
- usability problems associated with Ed25519 keys. Closes
- ticket 17135.
-
- o Major features (Ed25519 performance):
+ o Major features (ECC performance):
- Improve the runtime speed of Ed25519 signature verification by
using Ed25519-donna's batch verification support. Implements
ticket 16533.
- Improve the speed of Ed25519 operations and Curve25519 keypair
generation when built targeting 32 bit x86 platforms with SSE2
available. Implements ticket 16535.
+ - Improve the runtime speed of Ed25519 operations by using the
+ public-domain Ed25519-donna by Andrew M. ("floodyberry").
+ Implements ticket 16467.
+ - Improve the runtime speed of the ntor handshake by using an
+ optimized curve25519 basepoint scalarmult implementation from the
+ public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
+ ideas by Adam Langley. Implements ticket 9663.
o Major features (Hidden services):
+ - Hidden services, if using the EntryNodes option, are required to
+ use more than one EntryNode, in order to avoid a guard discovery
+ attack. (This would only affect people who had configured hidden
+ services and manually specified the EntryNodes option with a
+ single entry-node. The impact was that it would be easy to
+ remotely identify the guard node used by such a hidden service.
+ See ticket for more information.) Fixes ticket 14917.
- Add the torrc option HiddenServiceNumIntroductionPoints, to
specify a fixed number of introduction points. Its maximum value
is 10 and default is 3. Using this option can increase a hidden
@@ -72,44 +109,6 @@ Changes in version 0.2.7.5- 2015-11-??
of this change, microdescriptors will no longer need to include
RSA identity keys. Implements proposal 228; closes ticket 12499.
- o Major features (performance testing):
- - The test-network.sh script now supports performance testing.
- Requires corresponding chutney performance testing changes. Patch
- by "teor". Closes ticket 14175.
-
- o Major features (performance):
- - Improve the runtime speed of Ed25519 operations by using the
- public-domain Ed25519-donna by Andrew M. ("floodyberry").
- Implements ticket 16467.
- - Improve the runtime speed of the ntor handshake by using an
- optimized curve25519 basepoint scalarmult implementation from the
- public-domain Ed25519-donna by Andrew M. ("floodyberry"), based on
- ideas by Adam Langley. Implements ticket 9663.
-
- o Major features (relay, Ed25519):
- - Add a --newpass option to allow changing or removing the
- passphrase of an encrypted key with tor --keygen. Implements part
- of ticket 16769.
- - Add a new OfflineMasterKey option to tell Tor never to try loading
- or generating a secret Ed25519 identity key. You can use this in
- combination with tor --keygen to manage offline and/or encrypted
- Ed25519 keys. Implements ticket 16944.
- - On receiving a HUP signal, check to see whether the Ed25519
- signing key has changed, and reload it if so. Closes ticket 16790.
- - Significant usability improvements for Ed25519 key management. Log
- messages are better, and the code can recover from far more
- failure conditions. Thanks to "s7r" for reporting and diagnosing
- so many of these!
-
- o Major features (security, hidden services):
- - Hidden services, if using the EntryNodes option, are required to
- use more than one EntryNode, in order to avoid a guard discovery
- attack. (This would only affect people who had configured hidden
- services and manually specified the EntryNodes option with a
- single entry-node. The impact was that it would be easy to
- remotely identify the guard node used by such a hidden service.
- See ticket for more information.) Fixes ticket 14917.
-
o Major bugfixes (client-side privacy, also in 0.2.6.9):
- Properly separate out each SOCKSPort when applying stream
isolation. The error occurred because each port's session group
@@ -168,7 +167,7 @@ Changes in version 0.2.7.5- 2015-11-??
service while a NEWNYM is in progress. Fixes bug 16013; bugfix
on 0.1.0.1-rc.
- o Minor features (client):
+ o Minor features (client, SOCKS):
- Add GroupWritable and WorldWritable options to unix-socket based
SocksPort and ControlPort options. These options apply to a single
socket, and override {Control,Socks}SocketsGroupWritable. Closes
@@ -206,6 +205,9 @@ Changes in version 0.2.7.5- 2015-11-??
o Minor features (compilation):
- Give a warning as early as possible when trying to build with an
unsupported OpenSSL version. Closes ticket 16901.
+ - Use C99 variadic macros when the compiler is not GCC. This avoids
+ failing compilations on MSVC, and fixes a log-file-based race
+ condition in our old workarounds. Original patch from Gisle Vanem.
o Minor features (control protocol):
- Support network-liveness GETINFO key and NETWORK_LIVENESS event in
@@ -242,18 +244,9 @@ Changes in version 0.2.7.5- 2015-11-??
introductions, by blocking multiple introduction requests on the
same circuit. Resolves ticket 15515.
- o Minor features (geoIP):
+ o Minor features (geoip):
- Update geoip and geoip6 to the October 9 2015 Maxmind GeoLite2
Country database.
- - Update geoip and geoip6 to the September 3 2015 Maxmind GeoLite2
- Country database.
- - Update geoip to the April 8 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the April 8 2015 Maxmind GeoLite2
- Country database.
-
- o Minor features (geoip, also in 0.2.6.10):
- - Update geoip to the June 3 2015 Maxmind GeoLite2 Country database.
- - Update geoip6 to the June 3 2015 Maxmind GeoLite2 Country database.
o Minor features (hidden services):
- Add the new options "HiddenServiceMaxStreams" and
@@ -274,8 +267,6 @@ Changes in version 0.2.7.5- 2015-11-??
track only of the fraction of traffic used by hidden services, and
the total number of hidden services in existence.) Closes
ticket 15254.
-
- o Minor features (HS popularity countermeasure):
- To avoid leaking HS popularity, don't cycle the introduction point
when we've handled a fixed number of INTRODUCE2 cells but instead
cycle it when a random number of introductions is reached, thus
@@ -299,34 +290,6 @@ Changes in version 0.2.7.5- 2015-11-??
can be used by implementations to detect this new behavior.
Resolves ticket 15435.
- o Minor features (portability):
- - Use C99 variadic macros when the compiler is not GCC. This avoids
- failing compilations on MSVC, and fixes a log-file-based race
- condition in our old workarounds. Original patch from Gisle Vanem.
-
- o Minor features (testing):
- - Add a test to verify that the compiler does not eliminate our
- memwipe() implementation. Closes ticket 15377.
- - Add make rule `check-changes` to verify the format of changes
- files. Closes ticket 15180.
- - Add unit tests for control_event_is_interesting(). Add a compile-
- time check that the number of events doesn't exceed the capacity
- of control_event_t.event_mask. Closes ticket 15431, checks for
- bugs similar to 13085. Patch by "teor".
- - Command-line argument tests moved to Stem. Resolves ticket 14806.
- - Integrate the ntor, backtrace, and zero-length keys tests into the
- automake test suite. Closes ticket 15344.
- - Remove assertions during builds to determine Tor's test coverage.
- We don't want to trigger these even in assertions, so including
- them artificially makes our branch coverage look worse than it is.
- This patch provides the new test-stem-full and coverage-html-full
- configure options. Implements ticket 15400.
-
- o Minor features (testing, authorities, documentation):
- - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
- explicitly manage consensus flags in testing networks. Patch by
- "robgjansen", modified by "teor". Implements part of ticket 14882.
-
o Minor bugfixes (torrc exit policies):
- In each instance above, usage advice is provided to avoid the
message. Resolves ticket 16069. Patch by "teor". Fixes part of bug
@@ -351,6 +314,10 @@ Changes in version 0.2.7.5- 2015-11-??
on 0.2.3.3-alpha.
- When complaining about bad arguments to "--dump-config", use
stderr, not stdout.
+ - Print usage information for --dump-config when it is used without
+ an argument. Also, fix the error message to use different wording
+ and add newline at the end. Fixes bug 15541; bugfix
+ on 0.2.5.1-alpha.
o Minor bugfixes (compilation):
- Fix compilation of sandbox.c with musl-libc. Fixes bug 17347;
@@ -397,19 +364,6 @@ Changes in version 0.2.7.5- 2015-11-??
its own PRNG. Fixes bug 16360; bugfix on 0.2.5.2-alpha, introduced
when implementing ticket 4900. Patch by "teor".
- o Minor bugfixes (documentation):
- - Advise users on how to configure separate IPv4 and IPv6 exit
- policies in the manpage and sample torrcs. Related to ticket 16069.
- - Fix an error in the manual page and comments for
- TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
- required "ORPort connectivity". While this is true, it is in no
- way unique to the HSDir flag. Of all the flags, only HSDirs need a
- DirPort configured in order for the authorities to assign that
- particular flag. Patch by "teor". Fixed as part of 14882; bugfix
- on 0.2.6.3-alpha.
- - Fix the usage message of tor-resolve(1) so that it no longer lists
- the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
-
o Minor bugfixes (hidden service):
- Fix an out-of-bounds read when parsing invalid INTRODUCE2 cells on
a client authorized hidden service. Fixes bug 15823; bugfix
@@ -417,17 +371,14 @@ Changes in version 0.2.7.5- 2015-11-??
- Remove an extraneous newline character from the end of hidden
service descriptors. Fixes bug 15296; bugfix on 0.2.0.10-alpha.
- o Minor bugfixes (interface):
- - Print usage information for --dump-config when it is used without
- an argument. Also, fix the error message to use different wording
- and add newline at the end. Fixes bug 15541; bugfix
- on 0.2.5.1-alpha.
-
o Minor bugfixes (Linux seccomp2 sandbox):
- Use the sandbox in tor_open_cloexec whether or not O_CLOEXEC is
defined. Patch by "teor". Fixes bug 16515; bugfix on 0.2.3.1-alpha.
- Allow bridge authorities to run correctly under the seccomp2
sandbox. Fixes bug 16964; bugfix on 0.2.5.1-alpha.
+ - Add the "hidserv-stats" filename to our sandbox filter for the
+ HiddenServiceStatistics option to work properly. Fixes bug 17354;
+ bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
o Minor bugfixes (Linux seccomp2 sandbox, also in 0.2.6.10):
- Allow pipe() and pipe2() syscalls in the seccomp2 sandbox: we need
@@ -443,7 +394,7 @@ Changes in version 0.2.7.5- 2015-11-??
syscalls. Fixes bug 16244; bugfix on 0.2.6.1-alpha. Patch by
Peter Palfrader.
- o Minor bugfixes (logs):
+ o Minor bugfixes (logging):
- When building Tor under Clang, do not include an extra set of
parentheses in log messages that include function names. Fixes bug
15269; bugfix on every released version of Tor when compiled with
@@ -481,11 +432,6 @@ Changes in version 0.2.7.5- 2015-11-??
predictable scheduling behavior. Fixes bug 16644; bugfix
on 0.2.6.3-alpha.
- o Minor bugfixes (sandbox):
- - Add the "hidserv-stats" filename to our sandbox filter for the
- HiddenServiceStatistics option to work properly. Fixes bug 17354;
- bugfix on tor-0.2.6.2-alpha. Patch from David Goulet.
-
o Minor bugfixes (security, exit policies):
- ExitPolicyRejectPrivate now also rejects the relay's published
IPv6 address (if any), and any publicly routable IPv4 or IPv6
@@ -513,16 +459,6 @@ Changes in version 0.2.7.5- 2015-11-??
not. Fixes bug 15771; bugfix on 0.2.6.1-alpha. Patch by "teor",
issue discovered by CJ Ess.
- o Minor bugfixes (testing):
- - Check for matching value in server response in ntor_ref.py. Fixes
- bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
- by "joelanders".
- - Set the severity correctly when testing
- get_interface_addresses_ifaddrs() and
- get_interface_addresses_win32(), so that the tests fail gracefully
- instead of triggering an assertion. Fixes bug 15759; bugfix on
- 0.2.6.3-alpha. Reported by Nicolas Derive.
-
o Minor bugfixes (tests, also in 0.2.6.9):
- Fix a crash in the unit tests when built with MSVC2013. Fixes bug
16030; bugfix on 0.2.6.2-alpha. Patch from "NewEraCracker".
@@ -594,11 +530,17 @@ Changes in version 0.2.7.5- 2015-11-??
- Standardize on the term "server descriptor" in the manual page.
Previously, we had used "router descriptor", "server descriptor",
and "relay descriptor" interchangeably. Part of ticket 14987.
-
- o New system requirements:
- - Tor no longer includes workarounds to support Libevent versions
- before 1.3e. Libevent 2.0 or later is recommended. Closes
- ticket 15248.
+ - Advise users on how to configure separate IPv4 and IPv6 exit
+ policies in the manpage and sample torrcs. Related to ticket 16069.
+ - Fix an error in the manual page and comments for
+ TestingDirAuthVoteHSDir[IsStrict], which suggested that a HSDir
+ required "ORPort connectivity". While this is true, it is in no
+ way unique to the HSDir flag. Of all the flags, only HSDirs need a
+ DirPort configured in order for the authorities to assign that
+ particular flag. Patch by "teor". Fixed as part of 14882; bugfix
+ on 0.2.6.3-alpha.
+ - Fix the usage message of tor-resolve(1) so that it no longer lists
+ the removed -F option. Fixes bug 16913; bugfix on 0.2.2.28-beta.
o Removed code:
- Remove `USE_OPENSSL_BASE64` and the corresponding fallback code
@@ -636,21 +578,11 @@ Changes in version 0.2.7.5- 2015-11-??
that didn't know about microdescriptors.
- Tor no longer contains workarounds for stat files generated by
super-old versions of Tor that didn't choose guards sensibly.
- - Tor no longer supports copies of OpenSSL that are missing support
- for Elliptic Curve Cryptography. (We began using ECC when
- available in 0.2.4.8-alpha, for more safe and efficient key
- negotiation.) In particular, support for at least one of P256 or
- P224 is now required, with manual configuration needed if only
- P224 is available. Resolves ticket 16140.
- - Tor no longer supports versions of OpenSSL before 1.0. (If you are
- on an operating system that has not upgraded to OpenSSL 1.0 or
- later, and you compile Tor from source, you will need to install a
- more recent OpenSSL to link Tor against.) These versions of
- OpenSSL are still supported by the OpenSSL, but the numerous
- cryptographic improvements in later OpenSSL releases makes them a
- clear choice. Resolves ticket 16034.
o Testing:
+ - The test-network.sh script now supports performance testing.
+ Requires corresponding chutney performance testing changes. Patch
+ by "teor". Closes ticket 14175.
- Add a new set of callgraph analysis scripts that use clang to
produce a list of which Tor functions are reachable from which
other Tor functions. We're planning to use these to help simplify
@@ -693,8 +625,33 @@ Changes in version 0.2.7.5- 2015-11-??
(if any) using the 'tor-cov' coverage binary.
- When running test-network or test-stem, check for the absence of
stem/chutney before doing any build operations.
-
-
+ - Add a test to verify that the compiler does not eliminate our
+ memwipe() implementation. Closes ticket 15377.
+ - Add make rule `check-changes` to verify the format of changes
+ files. Closes ticket 15180.
+ - Add unit tests for control_event_is_interesting(). Add a compile-
+ time check that the number of events doesn't exceed the capacity
+ of control_event_t.event_mask. Closes ticket 15431, checks for
+ bugs similar to 13085. Patch by "teor".
+ - Command-line argument tests moved to Stem. Resolves ticket 14806.
+ - Integrate the ntor, backtrace, and zero-length keys tests into the
+ automake test suite. Closes ticket 15344.
+ - Remove assertions during builds to determine Tor's test coverage.
+ We don't want to trigger these even in assertions, so including
+ them artificially makes our branch coverage look worse than it is.
+ This patch provides the new test-stem-full and coverage-html-full
+ configure options. Implements ticket 15400.
+ - New TestingDirAuthVote{Exit,Guard,HSDir}IsStrict flags to
+ explicitly manage consensus flags in testing networks. Patch by
+ "robgjansen", modified by "teor". Implements part of ticket 14882.
+ - Check for matching value in server response in ntor_ref.py. Fixes
+ bug 15591; bugfix on 0.2.4.8-alpha. Reported and fixed
+ by "joelanders".
+ - Set the severity correctly when testing
+ get_interface_addresses_ifaddrs() and
+ get_interface_addresses_win32(), so that the tests fail gracefully
+ instead of triggering an assertion. Fixes bug 15759; bugfix on
+ 0.2.6.3-alpha. Reported by Nicolas Derive.
Changes in version 0.2.6.10 - 2015-07-12
