[tor-bugs] #21530 [Core Tor/Tor]: Make ExitRelay 0 the default when there is no exit policy

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Sep 13 19:21:28 UTC 2018 

#21530: Make ExitRelay 0 the default when there is no exit policy
-------------------------------------------------+-------------------------
 Reporter:  teor                                 |          Owner:  neel
     Type:  defect                               |         Status:
                                                 |  merge_ready
 Priority:  Medium                               |      Milestone:  Tor:
                                                 |  0.3.5.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tor-exit tor-relay configuration     |  Actual Points:
  usability expectations                         |
Parent ID:                                       |         Points:  1
 Reviewer:  mikeperry                            |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by arma):

 Right, hm. I think the main scenario we want to try to handle is the one
 where a relay operator intends to be running an exit relay, and even
 checked the exit policy on their relay and confirmed that it was what they
 wanted, but they haven't messed with the ExitRelay config option. In this
 case, when they upgrade, their exit policy will silently become something
 different than it used to be, and it would be smart for us to think
 through how they're supposed to learn about this surprise.

 One option would be to make it very obvious in the ChangeLog, like turn it
 into a Major thing rather than a Minor thing. That's good but not enough
 imo.

 Another option would be some log lines to help them know what's happening.
 I think there's a lot to be said for a notice-level log explaining *why*
 we decided to set the exit policy to reject-all.

 We could imagine fancier approaches, like looking at the TorVersion line
 in the state file and giving them a warning if they have the right
 combination of config settings. But doing that warning only once (before
 the TorVersion in the state file gets updated, that is) is risky since
 it's so easy to miss warnings. So I think this approach wouldn't be worth
 building.

 Another option would be to have some script that looks at the network for
 relays that used to be exits using the default exit policy, and then
 stopped being exits when they moved to this new version. Then we contact
 those people to let them know about the potential surprise. That option
 would be a winner except: what do we do about the people who don't set a
 usable ContactInfo?

 Summary: my suggestion would be to add the notice-level log explaining why
 we're opting not to be an exit relay (that log line will be helpful to
 relay operators forever), and then also monitor the network and reach out
 to relays that look like they got hit with this surprise.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21530#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list