- tor-packagers - lists.torproject.org

Vanguards v0.2.1 is available for packaging
by Mike Perry 13 Aug '18

13 Aug '18

Vanguards v0.2.1 is tagged on github at https://github.com/mikeperry-tor/vanguards. The tag is signed with the gpg key that signed this mail, and all of my other mails. Again, the preferred interpreter for vanguards is pypy, but you must use either stem 1.5.4 (or below), or stem 1.6.0 with this patch: https://gitweb.torproject.org/stem.git/commit/?id=c52db04 The tests will fail on pypy with an affected stem (which is how I discovered the stem issue). If you previously had issues with the tests, please see: https://github.com/mikeperry-tor/vanguards/blob/master/README_TESTS.md Hopefully the new test README can help you ensure that you have working versions of everything. Iain also wrote a systemd service wrapper that may be useful: https://salsa.debian.org/pkg-privacy-team/vanguards/blob/master/debian/vang… I want to write a Tor blog post announcing this new version, but I want to mention distribution packages in that blog post, since that was a FAQ in the comments of the initial blogpost. If you are packaging this addon, please let me know which repositories it will appear at, and give me a link to instructions for how users can add or enable them on their systems. I haven't heard anything from Fedora/RPM people. That would be super useful. :) Overall, I think this release is a significant improvement over v0.1.1. Here's the changelog: - Read ExcludeNodes from Tor and don't pick layer2 or layer3 guards in this set. #11 - Add --one_shot_vanguards and --disable_vanguards options (to enable OnionBalance synchronization). #12 - Don't write to torrc by default. #18 - Keep attempting to reconnect if the control port dies. #19 - Support tighter bounds on dropped data to defend against DropMark, and change circ_max_dropped_bytes_percent to circ_max_dropped_cells. However, leave these at NOTICE pending Tor patch #25573. #20. - Limit rend requests from relays that are not in our consensus. #22. - Added connectivity accounting: WARN if we're disconnected or can't build circuits for more than 'conn_max_disconnected_secs' and 'circ_max_disconnected_secs'. Also emit a NOTICE if a connection dies while there are live circuits on it. #23 - Fix several false positive cases in rendguard. More may remain, so demote logline to NOTICE for now. #24 - Change rendguard params to lower the false positive rate. If you use a conf file, be sure to update the values there, if specified. #24. - Standardize using WARN for messages that we're confident represent serious issues, and use NOTICE for heuristics that may need more tuning. -- Mike Perry

1 1

Request for Packaging: vanguards
by Mike Perry 08 Aug '18

08 Aug '18

Hella howdy yall, The vanguards Tor Controller addon is getting close to another release. It lives at: https://github.com/mikeperry-tor/vanguards The addon is written in python, and uses the Tor Control Protocol (via stem) to alter how Tor behaves. It provides protection to onion services and onion service clients against a variety of attacks. It implements experimental defenses that need to be tuned to perform optimally for a variety of different deployment scenarios, known and unknown, that may exist in the wild. For more details about what the addon does, see: https://github.com/mikeperry-tor/vanguards/blob/master/README_TECHNICAL.md For a comprehensive treatment of the known attacks against onion services, including how this addon fits in, see: https://github.com/mikeperry-tor/vanguards/blob/master/README_SECURITY.md The ultimate goal is to merge these defenses into Tor itself, but they will take time to study. Because of this, the lifespan of this addon will be measured in years, especially if your distribution uses the "Tor Long Term Stable" release by default. During this time, it is important that this addon is easy to install and update securely, so that onion service operators can run it in order to give us feedback on how parameters perform with their particular setups, in addition to allowing them to benefit from the additional security we believe that it provides. The addon does not have to be available in your distribution's official repositories. It is sufficient that it is available either via a backports repository, or via one of the torproject package sources for your distribution. The important thing is that it is authenticated by a secure GPG key that can be imported into a distribution's package manager, and that you keep up with updates. The addon has 98% unit test coverage of its lines under python2.7, python3.5, and pypy. pypy is the preferred python interpreter for the addon, because it provides a JIT that improves performance for high traffic onion services. The addon has two dependencies: ipaddress, and stem. ipaddress is included in python3 distributions, and that version is sufficient. For python2 and pypy, the version in requirements.txt is preferred. Unfortunately, however, Stem 1.6.0 broke compatibility with pypy: https://trac.torproject.org/projects/tor/ticket/26207 A fix is available here, but is not present in any stem release: https://gitweb.torproject.org/stem.git/commit/?id=c52db04 Your distribution will need to backport this fix, if it uses Stem 1.6.0 with pypy. Stem versions prior to 1.6.0 do not have this issue. The forthcoming stem 1.7.0 will include the fix. Iain Learmonth (irl) has been working on the packages for debian. Hopefully he can report any additional issues here. Please respond to this mail on or off list if you intend to package this addon for your distribution, for either official repositories or for torproject ones, so that we may mention this fact in an upcoming blogpost for the release. Please also ask me any questions you may have about packaging, on list or off. I'm also on #tor-dev on irc.oftc.net as mikeperry. The release tags are signed with the following GPG key, which has also signed this mail, and also signs all of my other mails to tor mailinglists: pub 8192R/29846B3C683686CC 2013-09-11 Key fingerprint = C963 C21D 6356 4E2B 10BB 335B 2984 6B3C 6836 86CC uid Mike Perry <mikeperry(a)endarken.info> uid Mike Perry <mikeperry(a)unencrypted.info> uid Mike Perry (Regular use key) <mikeperry(a)fscked.org> uid Mike Perry (Regular use key) <mikeperry(a)torproject.org> -- Mike Perry

4 4

Tor 0.3.4.6-rc available for packaging
by Nick Mathewson 07 Aug '18

07 Aug '18

Hi! You can get Tor 0.3.4.6 from the usual place at: https://dist.torproject.org/ The website should update shortly. Since this is a release candidate, bug reports would be greatly appreciated. Changelog at: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.4.6-rc cheers, -- Nick

1 0

Four new Tor releases: 0.2.9.16, 0.3.2.11, 0.3.3.9, 0.3.4.5-rc
by Roger Dingledine 13 Jul '18

13 Jul '18

The main change is that we've retired the old bridge authority, and replaced it with a new one that we are optimistic will get more consistent maintenance attention. So the main people who need to upgrade are people who operate a bridge relay -- so their bridge address can resume being given out to censored users, and so their stats can resume being included in the metrics pages. You can get the tarballs and signatures here: https://dist.torproject.org/ I've also made git tags for each, and pushed those to git. You can find the changelogs here: https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.2.9.16 https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.3.2.11 https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.3.3.9 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.4.5-rc Thanks! --Roger

1 0

Two new releases: 0.3.3.8 and 0.3.4.4-rc
by Nick Mathewson 09 Jul '18

09 Jul '18

Hi! Two new releases are out: 0.3.3.8 (stable) and 0.3.4.4-rc (a release candidate). You can get them both, along with their signatures, at https://dist.torproject.org/ . Official announcements will follow after the website has updated. You can find the changelogs at: https://gitweb.torproject.org/tor.git/tree/ChangeLog?id=99f9816efa08ab83f90… https://gitweb.torproject.org/tor.git/tree/ChangeLog?id=ab57cf6493f502abf7c… Other notes: * 0.3.1.x is no longer supported. If this comes as a surprise, please have a look at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… , where we try to predict this kind of thing in advance. * 0.3.4.x is almost ready for release (as you can tell from its release-candidate status). Please make sure that you can build and package it, even if you don't usually distribute alphas: the time to find and fix problems is *now*. * We've decided that the next long-term support (LTS) release will be 0.3.5.x. If you need to distribute a tor version that will stay patched for a few years, that's the one for you (once it's stable). cheers, and best wishes, -- Nick

1 0

New alpha release: Tor 0.3.4.3-alpha
by Nick Mathewson 26 Jun '18

26 Jun '18

Hi! Tor 0.3.4.3-alpha is now available at https://dist.torproject.org/ . I'll be sending out the official announcement after the website has updated. The changelog is at https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.4.3-alpha I expect to be putting out a new 0.3.3.x stable with minor changes some time next week; I'm thinking that (if stuff doesn't get exciting) we'll put out the next 0.3.4.x release as a release candidate. Also, a reminder: Tor 0.3.1 will no longer be supported after July 1. If you need a Tor version with long-term support, please stick with 0.2.9 for now. Our release schedule is at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… cheers, -- Nick

1 0

Tor 0.3.3.7 and 0.3.4.2-alpha are available
by Nick Mathewson 12 Jun '18

12 Jun '18

Hi! There is a new stable release (0.3.3.7) and a new alpha release (0.3.4.2-alpha). Both are available on https://dist.torproject.org/. I'll be sending out the official announcement once the download page has updated. The changelogs are here: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.3.7 https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.4.2-alpha Also, I have a request for all of you: If you are maintaining any patches on Tor, please make sure we know about them, and think about submitting them upstream! We're going to be refactoring a bunch of stuff over the upcoming releases, and we want to make sure that any downstream patches don't break. best wishes, -- Nick

1 0

There's a new stable series: 0.3.3.6
by Nick Mathewson 22 May '18

22 May '18

You can get Tor 0.3.3.6 source at the usual place at https://dist.torproject.org/ . For a list of changes since Tor 0.3.3.5-rc, see the changelog: https://gitweb.torproject.org/tor.git/tree/ChangeLog?h=tor-0.3.3.6 For a list of changes since Tor 0.3.2.x, see the releasenotes: https://gitweb.torproject.org/tor.git/tree/ReleaseNotes?h=tor-0.3.3.6 Remember, Tor release series are not supported forever. For a schedule of how long each series will receive support, see https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… I'll be sending out official announcements once the website has updated and I've done some other post-release tasks. Happy packaging! -- Nick

1 0

Tor 0.3.4.1-alpha is available, 0.3.3.6 is coming soon
by Nick Mathewson 17 May '18

17 May '18

Hi! Tor 0.3.4.1-alpha is available on https://dist.torproject.org. For a list of changes since 0.3.3.5-rc, see the ChangeLog file included in the distribution, or online at https://gitweb.torproject.org/tor.git/tree/ChangeLog I'll be posting official announcements once the website is updated. Please expect a stable 0.3.3.x release next week. cheers, -- Nick

1 0

Tor 0.3.4.1-alpha to be released later this week
by Nick Mathewson 14 May '18

14 May '18

Hi! I'm planning to release 0.3.4.1-alpha some time later this week -- no sooner than Wednesday, and probably no later than Friday. Once it's seen some testing, I hope we can release some more stable releases some time before the 29th. -- Nick

1 0