Hi,
i like where this is going, let me allow to answer inline.
On Tue, 16 Oct 2018 09:19:08 +0200 (CEST) Niklas Edmundsson nikke@acc.umu.se wrote:
Hi!
I'm one of the mirror admins for ftp.acc.umu.se.
It's nice that the tor mirroring effort is seeing some attention from the project, but I'm still curious on what the plan/purpose/goal with the mirroring effort is from an end-user perspective.
Bear in mind that I'm mostly accustomed to "regular" open source projects and not fully updated on all the issues with a privacy-oriented project such as TOR.
Note that i am not announcing the official position of TPO, instead just my opinion as a volunteer stepping into the mirror component.
However, I see issues with the usefulness of providing a TOR mirror. One of the prime motivations for us to provide a mirror is the benefit for users in our local region, and this is especially true for other mirrors in bandwidth-starved regions. If there is more bandwidth consumption by mirroring a project than there are downloads it's kind of hard to motivate a mirror in the first place.
From what I have gathered it's today almost impossible for an end user to find and use a mirror...
- https://www.torproject.org/ -> Download brings you to
https://www.torproject.org/download/download-easy.html.en which seems hard-coded to download from dist.torproject.org ... No mirror usage there.
This is true for the current website and we are considering a better option for the coming one:
https://bugs.torproject.org/21222
- There is no list of alternative/mirror download locations. I can
google my way to https://www.torproject.org/getinvolved/mirrors.html.en but that's not updated with the latest mirrors nor sorted in a user-friendly manner (you want the list by country/region).
This is absolutely true and i'm glad you are pointing out what i thought myself updating the script. Filed and currently working on:
https://bugs.torproject.org/28083
- The TOR project itself doesn't seem to have much interest in
actually using its mirrors. For example https://trac.torproject.org/projects/tor/ticket/27586 discards using mirrorbits with "not needed at the moment", when the exact opposite is true. We mirror admins WANT the traffic, and the TOR project NEEDS something to enable that together with automatically monitoring/disabling broken mirrors for a useful end-user experience.
We need a solution for the following problem: 3rd party mirrors introduce privacy issues and TPO hesitates to automatically redirect away from its website. Mirrors not necessarily need to be malicious but can be out of sync or offline. Currently we have no set up that periodicaly monitors the state of mirrors and verifies files.
Also what if someone sets up mirrors to investigate who is interested in Tor? Obviously the answer can't be "use tor" here.
https://bugs.torproject.org/27998
- And finally, if all above is catered for, there is the question on
how to do download mirror redirect/selection in a clear yet useful manner for the end user. Should the user always be presented with a list of mirrors to choose from? Should that be generated on the server side or in-browser from a list of current mirrors (ie. json output from mirrorbits or similar)?
Is https://gettor.torproject.org/api/mirrors.json what you suggest?
I agree that we should make better use of it. https://bugs.torproject.org/16716
We are heading into privacy concerns here, but it needs to be addressed in a better way than just assuming that the three magic hosts serving dist.torproject.org is the best choice for a particular end-user...
The GetTor team dried out and needs your help! https://gettor.torproject.org/ https://trac.torproject.org/projects/tor/query?status=!closed&component=...
/Nikke
There's a big potential to think mirrors and gettor together and i'd like to inspire you to make suggestions how to go into this direction.
My answer could be more elaborate but i prefer to delve into code now :)