[tor-bugs] #33336 [Circumvention/Snowflake]: Trial deployment of Snowflake with Turbo Tunnel

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 24 19:08:28 UTC 2020 

#33336: Trial deployment of Snowflake with Turbo Tunnel
-------------------------------------+--------------------------
 Reporter:  dcf                      |          Owner:  dcf
     Type:  task                     |         Status:  accepted
 Priority:  Medium                   |      Milestone:
Component:  Circumvention/Snowflake  |        Version:
 Severity:  Normal                   |     Resolution:
 Keywords:  turbotunnel              |  Actual Points:
Parent ID:                           |         Points:
 Reviewer:                           |        Sponsor:
-------------------------------------+--------------------------

Comment (by dcf):

 Replying to [comment:18 cohosh]:
 > Replying to [comment:15 dcf]:
 > > Overall, it's making me feel more and more meh about deploying quic-
 go; it and QUIC are still changing fast and I foresee maintenance and
 compatibility difficulties.
 > >
 > Ugh, is KCP likely to be more stable?

 It's slower-moving at least. kcp-go and smux together have had 30 commits
 since January 1, while quic-go has had 181.
 {{{
 kcp-go$ git log --oneline --since 2020-01-01 96f67cd | wc -l
 17
 smux$ git log --oneline --since 2020-01-01 c6969d8 | wc -l
 13
 quic-go$ git log --oneline --since 2020-01-01 ca469eb0 | wc -l
 181
 }}}
 We still haven't had a tone of experience with either library, but there
 were 3 API breaks in quic-go that
 [https://gitweb.torproject.org/user/dcf/snowflake.git/commit/?h=turbotunnel&id=42c07f2c140e4c6f1f752329a67fdf15cd6bd8c5
 affected our code] when I did the upgrade: `IdleTimeout`→`MaxIdleTimeout`,
 removal of `Session.Close`, and `Accept` functions taking a `Context`. On
 the other hand, smux also
 [https://gitweb.torproject.org/user/dcf/snowflake.git/commit/?h=turbotunnel&id=9a7cd996ea54ff21b4635ef0fd5df708d43ab187
 broke its import path] during that time.

 > The dependency problem applies to KCP too, right? Your
 [https://lists.torproject.org/pipermail/anti-censorship-
 team/2020-February/000069.html earlier mail] suggested that KCP would add
 ~16 new dependencies. Though this seems much less of an issue compared to
 what quic-go now requires.

 9 of those (the [https://gitweb.torproject.org/user/dcf/tor-browser-
 build.git/diff/projects/goxcrypto/config?h=snowflake-
 turbotunnel&id=a0c7ffa70f09ca4d86e18a93483c1a378c3067b4 /x/crypto] and
 [https://gitweb.torproject.org/user/dcf/tor-browser-
 build.git/diff/projects/goxnet/config?h=snowflake-
 turbotunnel&id=a0c7ffa70f09ca4d86e18a93483c1a378c3067b4 /x/net] ones) are
 not completely new dependencies, just new sub-packages in existing
 projects. Almost all the new dependencies are for features we don't
 actually use, so it leaves open the possibility of making a fork (ugh) or
 a tor-browser-build patch that removes the need for them. gogmsm,
 goxcrypto, go-templexxx-xorsimd, and go-templexxx-cpu are for the optional
 crypto feature that is
 [https://github.com/net4people/bbs/issues/14#issue-501300899 symmetric-key
 only] and therefore useless in a shared-bridge environment with untrusted
 clients. goreedsolomon and gocpuid are only for the
 [https://github.com/xtaci/kcp-go#faq forward error-correction] feature,
 which may be useful in certain contexts but which we aren't using now.
 That would leave only the /x/net ones, which aren't really full new
 dependencies.


 > I wonder whether pion-webrtc will eventually force us to upgrade to this
 dependency-heavy version of quic-go anyway.

 Yeah, possibly. I'm not actually sure what pion-webrtc uses pion-quic for
 anyway.

 The massive dependency increase in quic-go is entirely due to the
 [https://github.com/lucas-clemente/quic-
 go/commit/572ef44cf2d1197428f493e90cdfdd161e584f2c addition of the GoJay
 package] for faster JSON encoding. It's
 [https://github.com/francoispqt/gojay/blob/v1.2.13/go.mod GoJay's go.mod]
 that brings in all the gunk, including stuff like cloud.google.com/go
 which brings in its
 [https://code.googlesource.com/gocloud/+/refs/tags/v0.37.0/go.mod own
 dependencies]. Now it's probable that not all of those new dependencies
 actually need to be packaged—they may be used only in tests or could be
 easily hacked out as in the kcp-go case. It was just more than I wanted to
 deal with, when all I really wanted was a newer quic-go with some bugs
 fixed.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33336#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list