[or-cvs] r9418: break out 0.1.1 changelog entries (tor/trunk)

arma at seul.org arma at seul.org
Fri Jan 26 06:34:50 UTC 2007


Author: arma
Date: 2007-01-26 01:34:48 -0500 (Fri, 26 Jan 2007)
New Revision: 9418

Modified:
   tor/trunk/ChangeLog
Log:
break out 0.1.1 changelog entries


Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2007-01-26 06:08:05 UTC (rev 9417)
+++ tor/trunk/ChangeLog	2007-01-26 06:34:48 UTC (rev 9418)
@@ -871,418 +871,270 @@
 
 
 Changes in version 0.1.1.20 - 2006-05-23
-  o Crash and assert fixes from 0.1.0.17:
-    - Fix assert bug in close_logs() on exit: when we close and delete
-      logs, remove them all from the global "logfiles" list.
-    - Fix an assert error when we're out of space in the connection_list
-      and we try to post a hidden service descriptor (reported by Peter
-      Palfrader).
-    - Fix a rare assert error when we've tried all intro points for
-      a hidden service and we try fetching the service descriptor again:
-      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
-    - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
-      out and refuse the setconf if it would fail.
-    - If you specify a relative torrc path and you set RunAsDaemon in
-      your torrc, then it chdir()'s to the new directory. If you then
-      HUP, it tries to load the new torrc location, fails, and exits.
-      The fix: no longer allow a relative path to torrc when using -f.
-    - Check for integer overflows in more places, when adding elements
-      to smartlists. This could possibly prevent a buffer overflow
-      on malicious huge inputs.
+  o Bugfixes:
+    - Downgrade a log severity where servers complain that they're
+      invalid.
+    - Avoid a compile warning on FreeBSD.
+    - Remove string size limit on NEWDESC messages; solve bug 291.
+    - Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon
+      more thoroughly when we're running on windows.
 
-  o Security fixes, major:
-    - When we're printing strings from the network, don't try to print
-      non-printable characters. Now we're safer against shell escape
-      sequence exploits, and also against attacks to fool users into
-      misreading their logs.
-    - Implement entry guards: automatically choose a handful of entry
-      nodes and stick with them for all circuits. Only pick new guards
-      when the ones you have are unsuitable, and if the old guards
-      become suitable again, switch back. This will increase security
-      dramatically against certain end-point attacks. The EntryNodes
-      config option now provides some hints about which entry guards you
-      want to use most; and StrictEntryNodes means to only use those.
-      Fixes CVE-2006-0414.
-    - Implement exit enclaves: if we know an IP address for the
-      destination, and there's a running Tor server at that address
-      which allows exit to the destination, then extend the circuit to
-      that exit first. This provides end-to-end encryption and end-to-end
-      authentication. Also, if the user wants a .exit address or enclave,
-      use 4 hops rather than 3, and cannibalize a general circ for it
-      if you can.
-    - Obey our firewall options more faithfully:
-      . If we can't get to a dirserver directly, try going via Tor.
-      . Don't ever try to connect (as a client) to a place our
-        firewall options forbid.
-      . If we specify a proxy and also firewall options, obey the
-        firewall options even when we're using the proxy: some proxies
-        can only proxy to certain destinations.
-    - Make clients regenerate their keys when their IP address changes.
-    - For the OS X package's modified privoxy config file, comment
-      out the "logfile" line so we don't log everything passed
-      through privoxy.
-    - Our TLS handshakes were generating a single public/private
-      keypair for the TLS context, rather than making a new one for
-      each new connection. Oops. (But we were still rotating them
-      periodically, so it's not so bad.)
-    - When we were cannibalizing a circuit with a particular exit
-      node in mind, we weren't checking to see if that exit node was
-      already present earlier in the circuit. Now we are.
-    - Require server descriptors to list IPv4 addresses -- hostnames
-      are no longer allowed. This also fixes potential vulnerabilities
-      to servers providing hostnames as their address and then
-      preferentially resolving them so they can partition users.
-    - Our logic to decide if the OR we connected to was the right guy
-      was brittle and maybe open to a mitm for invalid routers.
 
-  o Security fixes, minor:
-    - Adjust tor-spec.txt to parameterize cell and key lengths. Now
-      Ian Goldberg can prove things about our handshake protocol more
-      easily.
-    - Make directory authorities generate a separate "guard" flag to
-      mean "would make a good entry guard". Clients now honor the
-      is_guard flag rather than looking at is_fast or is_stable.
-    - Try to list MyFamily elements by key, not by nickname, and warn
-      if we've not heard of a server.
-    - Start using RAND_bytes rather than RAND_pseudo_bytes from
-      OpenSSL. Also, reseed our entropy every hour, not just at
-      startup. And add entropy in 512-bit chunks, not 160-bit chunks.
-    - Refuse server descriptors where the fingerprint line doesn't match
-      the included identity key. Tor doesn't care, but other apps (and
-      humans) might actually be trusting the fingerprint line.
-    - We used to kill the circuit when we receive a relay command we
-      don't recognize. Now we just drop that cell.
-    - Fix a bug found by Lasse Overlier: when we were making internal
-      circuits (intended to be cannibalized later for rendezvous and
-      introduction circuits), we were picking them so that they had
-      useful exit nodes. There was no need for this, and it actually
-      aids some statistical attacks.
-    - Start treating internal circuits and exit circuits separately.
-      It's important to keep them separate because internal circuits
-      have their last hops picked like middle hops, rather than like
-      exit hops. So exiting on them will break the user's expectations.
-    - Fix a possible way to DoS dirservers.
-    - When the client asked for a rendezvous port that the hidden
-      service didn't want to provide, we were sending an IP address
-      back along with the end cell. Fortunately, it was zero. But stop
-      that anyway.
+Changes in version 0.1.1.19-rc - 2006-05-03
+  o Minor bugs:
+    - Regenerate our local descriptor if it's dirty and we try to use
+      it locally (e.g. if it changes during reachability detection).
+    - If we setconf our ORPort to 0, we continued to listen on the
+      old ORPort and receive connections.
+    - Avoid a second warning about machine/limits.h on Debian
+      GNU/kFreeBSD.
+    - Be willing to add our own routerinfo into the routerlist.
+      Now authorities will include themselves in their directories
+      and network-statuses.
+    - Stop trying to upload rendezvous descriptors to every
+      directory authority: only try the v1 authorities.
+    - Servers no longer complain when they think they're not
+      registered with the directory authorities. There were too many
+      false positives.
+    - Backport dist-rpm changes so rpms can be built without errors.
 
-  o Packaging improvements:
-    - Implement --with-libevent-dir option to ./configure. Improve
-      search techniques to find libevent, and use those for openssl too.
-    - Fix a couple of bugs in OpenSSL detection. Deal better when
-      there are multiple SSLs installed with different versions.
+  o Features:
+    - Implement an option, VirtualAddrMask, to set which addresses
+      get handed out in response to mapaddress requests. This works
+      around a bug in tsocks where 127.0.0.0/8 is never socksified.
+
+
+Changes in version 0.1.1.18-rc - 2006-04-10
+  o Major fixes:
+    - Work harder to download live network-statuses from all the
+      directory authorities we know about. Improve the threshold
+      decision logic so we're more robust to edge cases.
+    - When fetching rendezvous descriptors, we were willing to ask
+      v2 authorities too, which would always return 404.
+
+  o Minor fixes:
+    - Stop listing down or invalid nodes in the v1 directory. This will
+      reduce its bulk by about 1/3, and reduce load on directory
+      mirrors.
+    - When deciding whether a router is Fast or Guard-worthy, consider
+      his advertised BandwidthRate and not just the BandwidthCapacity.
+    - No longer ship INSTALL and README files -- they are useless now.
+    - Force rpmbuild to behave and honor target_cpu.
     - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
-    - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
+    - Start to include translated versions of the tor-doc-*.html
+      files, along with the screenshots. Still needs more work.
+    - Start sending back 512 and 451 errors if mapaddress fails,
+      rather than not sending anything back at all.
+    - When we fail to bind or listen on an incoming or outgoing
+      socket, we should close it before failing. otherwise we just
+      leak it. (thanks to weasel for finding.)
+    - Allow "getinfo dir/status/foo" to work, as long as your DirPort
+      is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
+    - Make NoPublish (even though deprecated) work again.
+    - Fix a minor security flaw where a versioning auth dirserver
+      could list a recommended version many times in a row to make
+      clients more convinced that it's recommended.
+    - Fix crash bug if there are two unregistered servers running
+      with the same nickname, one of them is down, and you ask for
+      them by nickname in your EntryNodes or ExitNodes. Also, try
+      to pick the one that's running rather than an arbitrary one.
+    - Fix an infinite loop we could hit if we go offline for too long.
+    - Complain when we hit WSAENOBUFS on recv() or write() too.
+      Perhaps this will help us hunt the bug.
+    - If you're not a versioning dirserver, don't put the string
+      "client-versions \nserver-versions \n" in your network-status.
+    - Lower the minimum required number of file descriptors to 1000,
+      so we can have some overhead for Valgrind on Linux, where the
+      default ulimit -n is 1024.
+
+  o New features:
+    - Add tor.dizum.com as the fifth authoritative directory server.
+    - Add a new config option FetchUselessDescriptors, off by default,
+      for when you plan to run "exitlist" on your client and you want
+      to know about even the non-running descriptors.
+
+
+Changes in version 0.1.1.17-rc - 2006-03-28
+  o Major fixes:
+    - Clients and servers since 0.1.1.10-alpha have been expiring
+      connections whenever they are idle for 5 minutes and they *do*
+      have circuits on them. Oops. With this new version, clients will
+      discard their previous entry guard choices and avoid choosing
+      entry guards running these flawed versions.
+    - Fix memory leak when uncompressing concatenated zlib streams. This
+      was causing substantial leaks over time on Tor servers.
+    - The v1 directory was including servers as much as 48 hours old,
+      because that's how the new routerlist->routers works. Now only
+      include them if they're 20 hours old or less.
+
+  o Minor fixes:
+    - Resume building on irix64, netbsd 2.0, etc.
+    - On non-gcc compilers (e.g. solaris), use "-g -O" instead of
       "-Wall -g -O2".
-    - Make unit tests (and other invocations that aren't the real Tor)
-      run without launching listeners, creating subdirectories, and so on.
-    - The OS X installer was adding a symlink for tor_resolve but
-      the binary was called tor-resolve (reported by Thomas Hardly).
-    - Now we can target arch and OS in rpm builds (contributed by
-      Phobos). Also make the resulting dist-rpm filename match the
-      target arch.
-    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
-      if you log to syslog and want something other than LOG_DAEMON.
-    - Fix the torify (tsocks) config file to not use Tor for localhost
-      connections.
-    - Start shipping socks-extensions.txt, tor-doc-unix.html,
-      tor-doc-server.html, and stylesheet.css in the tarball.
-    - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
-      They are useless now.
-    - Add Peter Palfrader's contributed check-tor script. It lets you
-      easily check whether a given server (referenced by nickname)
-      is reachable by you.
-    - Add BSD-style contributed startup script "rc.subr" from Peter
-      Thoenen.
+    - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
+      and it is confusing some users.
+    - Mirrors stop caching the v1 directory so often.
+    - Make the max number of old descriptors that a cache will hold
+      rise with the number of directory authorities, so we can scale.
+    - Change our win32 uname() hack to be more forgiving about what
+      win32 versions it thinks it's found.
 
-  o Directory improvements -- new directory protocol:
-    - See tor/doc/dir-spec.txt for all the juicy details. Key points:
-    - Authorities and caches publish individual descriptors (by
-      digest, by fingerprint, by "all", and by "tell me yours").
-    - Clients don't download or use the old directory anymore. Now they
-      download network-statuses from the directory authorities, and
-      fetch individual server descriptors as needed from mirrors.
-    - Clients don't download descriptors of non-running servers.
-    - Download descriptors by digest, not by fingerprint. Caches try to
-      download all listed digests from authorities; clients try to
-      download "best" digests from caches. This avoids partitioning
-      and isolating attacks better.
-    - Only upload a new server descriptor when options change, 18
-      hours have passed, uptime is reset, or bandwidth changes a lot.
-    - Directory authorities silently throw away new descriptors that
-      haven't changed much if the timestamps are similar. We do this to
-      tolerate older Tor servers that upload a new descriptor every 15
-      minutes. (It seemed like a good idea at the time.)
-    - Clients choose directory servers from the network status lists,
-      not from their internal list of router descriptors. Now they can
-      go to caches directly rather than needing to go to authorities
-      to bootstrap the first set of descriptors.
-    - When picking a random directory, prefer non-authorities if any
-      are known.
-    - Add a new flag to network-status indicating whether the server
-      can answer v2 directory requests too.
-    - Directory mirrors now cache up to 16 unrecognized network-status
-      docs, so new directory authorities will be cached too.
-    - Stop parsing, storing, or using running-routers output (but
-      mirrors still cache and serve it).
-    - Clients consider a threshold of "versioning" directory authorities
-      before deciding whether to warn the user that he's obsolete.
-    - Authorities publish separate sorted lists of recommended versions
-      for clients and for servers.
-    - Change DirServers config line to note which dirs are v1 authorities.
-    - Put nicknames on the DirServer line, so we can refer to them
-      without requiring all our users to memorize their IP addresses.
-    - Remove option when getting directory cache to see whether they
-      support running-routers; they all do now. Replace it with one
-      to see whether caches support v2 stuff.
-    - Stop listing down or invalid nodes in the v1 directory. This
-      reduces its bulk by about 1/3, and reduces load on mirrors.
-    - Mirrors no longer cache the v1 directory as often.
-    - If we as a directory mirror don't know of any v1 directory
-      authorities, then don't try to cache any v1 directories.
-
-  o Other directory improvements:
-    - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
-      fifth authoritative directory servers.
-    - Directory authorities no longer require an open connection from
-      a server to consider him "reachable". We need this change because
-      when we add new directory authorities, old servers won't know not
-      to hang up on them.
-    - Dir authorities now do their own external reachability testing
-      of each server, and only list as running the ones they found to
-      be reachable. We also send back warnings to the server's logs if
-      it uploads a descriptor that we already believe is unreachable.
-    - Spread the directory authorities' reachability testing over the
-      entire testing interval, so we don't try to do 500 TLS's at once
-      every 20 minutes.
-    - Make the "stable" router flag in network-status be the median of
-      the uptimes of running valid servers, and make clients pay
-      attention to the network-status flags. Thus the cutoff adapts
-      to the stability of the network as a whole, making IRC, IM, etc
-      connections more reliable.
+  o New features:
+    - Add lefkada.eecs.harvard.edu as a fourth authoritative directory
+      server.
+    - When the controller's *setconf commands fail, collect an error
+      message in a string and hand it back to the controller.
     - Make the v2 dir's "Fast" flag based on relative capacity, just
       like "Stable" is based on median uptime. Name everything in the
       top 7/8 Fast, and only the top 1/2 gets to be a Guard.
-    - Retry directory requests if we fail to get an answer we like
-      from a given dirserver (we were retrying before, but only if
-      we fail to connect).
+    - Log server fingerprint on startup, so new server operators don't
+      have to go hunting around their filesystem for it.
     - Return a robots.txt on our dirport to discourage google indexing.
+    - Let the controller ask for GETINFO dir/status/foo so it can ask
+      directly rather than connecting to the dir port. Only works when
+      dirport is set for now.
 
-  o Controller protocol improvements:
-    - Revised controller protocol (version 1) that uses ascii rather
-      than binary: tor/doc/control-spec.txt. Add supporting libraries
-      in python and java and c# so you can use the controller from your
-      applications without caring how our protocol works.
-    - Allow the DEBUG controller event to work again. Mark certain log
-      entries as "don't tell this to controllers", so we avoid cycles.
-    - New controller function "getinfo accounting", to ask how
-      many bytes we've used in this time period.
-    - Add a "resetconf" command so you can set config options like
-      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
-      a config option in the torrc with no value, then it clears it
-      entirely (rather than setting it to its default).
-    - Add a "getinfo config-file" to tell us where torrc is. Also
-      expose guard nodes, config options/names.
-    - Add a "quit" command (when when using the controller manually).
-    - Add a new signal "newnym" to "change pseudonyms" -- that is, to
-      stop using any currently-dirty circuits for new streams, so we
-      don't link new actions to old actions. This also occurs on HUP
-      or "signal reload".
-    - If we would close a stream early (e.g. it asks for a .exit that
-      we know would refuse it) but the LeaveStreamsUnattached config
-      option is set by the controller, then don't close it.
-    - Add a new controller event type "authdir_newdescs" that allows
-      controllers to get all server descriptors that were uploaded to
-      a router in its role as directory authority.
-    - New controller option "getinfo desc/all-recent" to fetch the
-      latest server descriptor for every router that Tor knows about.
-    - Fix the controller's "attachstream 0" command to treat conn like
-      it just connected, doing address remapping, handling .exit and
-      .onion idioms, and so on. Now we're more uniform in making sure
-      that the controller hears about new and closing connections.
-    - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
-      the controller. Also, rotate dns and cpu workers if the controller
-      changes options that will affect them; and initialize the dns
-      worker cache tree whether or not we start out as a server.
-    - Add a new circuit purpose 'controller' to let the controller ask
-      for a circuit that Tor won't try to use. Extend the "extendcircuit"
-      controller command to let you specify the purpose if you're starting
-      a new circuit.  Add a new "setcircuitpurpose" controller command to
-      let you change a circuit's purpose after it's been created.
-    - Let the controller ask for "getinfo dir/server/foo" so it can ask
-      directly rather than connecting to the dir port. "getinfo
-      dir/status/foo" also works, but currently only if your DirPort
-      is enabled.
-    - Let the controller tell us about certain router descriptors
-      that it doesn't want Tor to use in circuits. Implement
-      "setrouterpurpose" and modify "+postdescriptor" to do this.
-    - If the controller's *setconf commands fail, collect an error
-      message in a string and hand it back to the controller -- don't
-      just tell them to go read their logs.
+  o New config options rather than constants in the code:
+    - SocksTimeout: How long do we let a socks connection wait
+      unattached before we fail it?
+    - CircuitBuildTimeout: Cull non-open circuits that were born
+      at least this many seconds ago.
+    - CircuitIdleTimeout: Cull open clean circuits that were born
+      at least this many seconds ago.
 
-  o Scalability, resource management, and performance:
-    - Fix a major load balance bug: we were round-robin reading in 16 KB
-      chunks, and servers with bandwidthrate of 20 KB, while downloading
-      a 600 KB directory, would starve their other connections. Now we
-      try to be a bit more fair.
-    - Be more conservative about whether to advertise our DirPort.
-      The main change is to not advertise if we're running at capacity
-      and either a) we could hibernate ever or b) our capacity is low
-      and we're using a default DirPort.
-    - We weren't cannibalizing circuits correctly for
-      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
-      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
-      build those from scratch. This should make hidden services faster.
-    - Predict required circuits better, with an eye toward making hidden
-      services faster on the service end.
-    - Compress exit policies even more: look for duplicate lines and
-      remove them.
-    - Generate 18.0.0.0/8 address policy format in descs when we can;
-      warn when the mask is not reducible to a bit-prefix.
-    - There used to be two ways to specify your listening ports in a
-      server descriptor: on the "router" line and with a separate "ports"
-      line. Remove support for the "ports" line.
-    - Reduce memory requirements in our structs by changing the order
-      of fields. Replace balanced trees with hash tables. Inline
-      bottleneck smartlist functions. Add a "Map from digest to void*"
-      abstraction so we can do less hex encoding/decoding, and use it
-      in router_get_by_digest(). Many other CPU and memory improvements.
-    - Allow tor_gzip_uncompress to extract as much as possible from
-      truncated compressed data. Try to extract as many
-      descriptors as possible from truncated http responses (when
-      purpose is DIR_PURPOSE_FETCH_ROUTERDESC).
-    - Make circ->onionskin a pointer, not a static array. moria2 was using
-      125000 circuit_t's after it had been up for a few weeks, which
-      translates to 20+ megs of wasted space.
-    - The private half of our EDH handshake keys are now chosen out
-      of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
-    - Stop doing the complex voodoo overkill checking for insecure
-      Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
-    - Do round-robin writes for TLS of at most 16 kB per write. This
-      might be more fair on loaded Tor servers.
-    - Do not use unaligned memory access on alpha, mips, or mipsel.
-      It *works*, but is very slow, so we treat them as if it doesn't.
 
-  o Other bugfixes and improvements:
-    - Start storing useful information to $DATADIR/state, so we can
-      remember things across invocations of Tor. Retain unrecognized
-      lines so we can be forward-compatible, and write a TorVersion line
-      so we can be backward-compatible.
-    - If ORPort is set, Address is not explicitly set, and our hostname
-      resolves to a private IP address, try to use an interface address
-      if it has a public address. Now Windows machines that think of
-      themselves as localhost can guess their address.
-    - Regenerate our local descriptor if it's dirty and we try to use
-      it locally (e.g. if it changes during reachability detection).
-      This was causing some Tor servers to keep publishing the same
-      initial descriptor forever.
-    - Tor servers with dynamic IP addresses were needing to wait 18
-      hours before they could start doing reachability testing using
-      the new IP address and ports. This is because they were using
-      the internal descriptor to learn what to test, yet they were only
-      rebuilding the descriptor once they decided they were reachable.
-    - It turns out we couldn't bootstrap a network since we added
-      reachability detection in 0.1.0.1-rc. Good thing the Tor network
-      has never gone down. Add an AssumeReachable config option to let
-      servers and authorities bootstrap. When we're trying to build a
-      high-uptime or high-bandwidth circuit but there aren't enough
-      suitable servers, try being less picky rather than simply failing.
-    - Newly bootstrapped Tor networks couldn't establish hidden service
-      circuits until they had nodes with high uptime. Be more tolerant.
-    - Really busy servers were keeping enough circuits open on stable
-      connections that they were wrapping around the circuit_id
-      space. (It's only two bytes.) This exposed a bug where we would
-      feel free to reuse a circuit_id even if it still exists but has
-      been marked for close. Try to fix this bug. Some bug remains.
-    - When we fail to bind or listen on an incoming or outgoing
-      socket, we now close it before refusing, rather than just
-      leaking it. (Thanks to Peter Palfrader for finding.)
-    - Fix a file descriptor leak in start_daemon().
-    - On Windows, you can't always reopen a port right after you've
-      closed it. So change retry_listeners() to only close and re-open
-      ports that have changed.
-    - Workaround a problem with some http proxies that refuse GET
-      requests that specify "Content-Length: 0". Reported by Adrian.
-    - Recover better from TCP connections to Tor servers that are
-      broken but don't tell you (it happens!); and rotate TLS
-      connections once a week.
-    - Fix a scary-looking but apparently harmless bug where circuits
-      would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
-      servers, and never switch to state CIRCUIT_STATE_OPEN.
-    - Check for even more Windows version flags when writing the platform
-      string in server descriptors, and note any we don't recognize.
-    - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
-      get a better idea of why their circuits failed. Not used yet.
-    - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
-      We don't use them yet, but maybe one day our DNS resolver will be
-      able to discover them.
-    - Let people type "tor --install" as well as "tor -install" when they
-      want to make it an NT service.
-    - Looks like we were never delivering deflated (i.e. compressed)
-      running-routers lists, even when asked. Oops.
-    - We were leaking some memory every time the client changed IPs.
-    - Clean up more of the OpenSSL memory when exiting, so we can detect
-      memory leaks better.
-    - Never call free() on tor_malloc()d memory. This will help us
-      use dmalloc to detect memory leaks.
-    - Some Tor servers process billions of cells per day. These
-      statistics are now uint64_t's.
-    - Check [X-]Forwarded-For headers in HTTP requests when generating
-      log messages. This lets people run dirservers (and caches) behind
-      Apache but still know which IP addresses are causing warnings.
+Changes in version 0.1.1.16-rc - 2006-03-18
+  o Bugfixes on 0.1.1.15-rc:
+    - Fix assert when the controller asks to attachstream a connect-wait
+      or resolve-wait stream.
+    - Now do address rewriting when the controller asks us to attach
+      to a particular circuit too. This will let Blossom specify
+      "moria2.exit" without having to learn what moria2's IP address is.
+    - Make the "tor --verify-config" command-line work again, so people
+      can automatically check if their torrc will parse.
+    - Authoritative dirservers no longer require an open connection from
+      a server to consider him "reachable". We need this change because
+      when we add new auth dirservers, old servers won't know not to
+      hang up on them.
+    - Let Tor build on Sun CC again.
+    - Fix an off-by-one buffer size in dirserv.c that magically never
+      hit our three authorities but broke sjmurdoch's own tor network.
+    - If we as a directory mirror don't know of any v1 directory
+      authorities, then don't try to cache any v1 directories.
+    - Stop warning about unknown servers in our family when they are
+      given as hex digests.
+    - Stop complaining as quickly to the server operator that he
+      hasn't registered his nickname/key binding.
+    - Various cleanups so we can add new V2 Auth Dirservers.
+    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
+      reflect the updated flags in our v2 dir protocol.
+    - Resume allowing non-printable characters for exit streams (both
+      for connecting and for resolving). Now we tolerate applications
+      that don't follow the RFCs. But continue to block malformed names
+      at the socks side.
+
+  o Bugfixes on 0.1.0.x:
+    - Fix assert bug in close_logs(): when we close and delete logs,
+      remove them all from the global "logfiles" list.
     - Fix minor integer overflow in calculating when we expect to use up
       our bandwidth allocation before hibernating.
-    - Lower the minimum required number of file descriptors to 1000,
-      so we can have some overhead for Valgrind on Linux, where the
-      default ulimit -n is 1024.
-    - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
-      and its existence is confusing some users.
+    - Fix a couple of bugs in OpenSSL detection. Also, deal better when
+      there are multiple SSLs installed with different versions.
+    - When we try to be a server and Address is not explicitly set and
+      our hostname resolves to a private IP address, try to use an
+      interface address if it has a public address. Now Windows machines
+      that think of themselves as localhost can work by default.
 
-  o Config option fixes:
-    - Add a new config option ExitPolicyRejectPrivate which defaults
-      to on. Now all exit policies will begin with rejecting private
-      addresses, unless the server operator explicitly turns it off.
-    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
-    - Add new ReachableORAddresses and ReachableDirAddresses options
-      that understand address policies. FascistFirewall is now a synonym
-      for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
-    - Start calling it FooListenAddress rather than FooBindAddress,
-      since few of our users know what it means to bind an address
-      or port.
-    - If the user gave Tor an odd number of command-line arguments,
-      we were silently ignoring the last one. Now we complain and fail.
-      This wins the oldest-bug prize -- this bug has been present since
-      November 2002, as released in Tor 0.0.0.
-    - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
-      torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
-      it would silently ignore the 6668.
-    - If we get a linelist or linelist_s config option from the torrc,
-      e.g. ExitPolicy, and it has no value, warn and skip rather than
+  o New features:
+    - Let the controller ask for GETINFO dir/server/foo so it can ask
+      directly rather than connecting to the dir port.
+    - Let the controller tell us about certain router descriptors
+      that it doesn't want Tor to use in circuits. Implement
+      SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
+    - New config option SafeSocks to reject all application connections
+      using unsafe socks protocols. Defaults to off.
+
+
+Changes in version 0.1.1.15-rc - 2006-03-11
+  o Bugfixes and cleanups:
+    - When we're printing strings from the network, don't try to print
+      non-printable characters. This protects us against shell escape
+      sequence exploits, and also against attacks to fool humans into
+      misreading their logs.
+    - Fix a bug where Tor would fail to establish any connections if you
+      left it off for 24 hours and then started it: we were happy with
+      the obsolete network statuses, but they all referred to router
+      descriptors that were too old to fetch, so we ended up with no
+      valid router descriptors.
+    - Fix a seg fault in the controller's "getinfo orconn-status"
+      command while listing status on incoming handshaking connections.
+      Introduce a status name "NEW" for these connections.
+    - If we get a linelist or linelist_s config option from the torrc
+      (e.g. ExitPolicy) and it has no value, warn and skip rather than
       silently resetting it to its default.
-    - Setconf was appending items to linelists, not clearing them.
-    - Add MyFamily to torrc.sample in the server section, so operators
-      will be more likely to learn that it exists.
-    - Make ContactInfo mandatory for authoritative directory servers.
-    - MaxConn has been obsolete for a while now. Document the ConnLimit
-      config option, which is a *minimum* number of file descriptors
-      that must be available else Tor refuses to start.
-    - Get rid of IgnoreVersion undocumented config option, and make us
-      only warn, never exit, when we're running an obsolete version.
-    - Make MonthlyAccountingStart config option truly obsolete now.
-    - Correct the man page entry on TrackHostExitsExpire.
-    - Let directory authorities start even if they don't specify an
-      Address config option.
-    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
-      reflect the updated flags in our v2 dir protocol.
+    - Don't abandon entry guards until they've been down or gone for
+      a whole month.
+    - Cleaner and quieter log messages.
 
-  o Config option features:
-    - Add a new config option FastFirstHopPK (on by default) so clients
-      do a trivial crypto handshake for their first hop, since TLS has
-      already taken care of confidentiality and authentication.
-    - Let the user set ControlListenAddress in the torrc. This can be
+  o New features:
+    - New controller signal NEWNYM that makes new application requests
+      use clean circuits.
+    - Add a new circuit purpose 'controller' to let the controller ask
+      for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
+      controller command to let you specify the purpose if you're
+      starting a new circuit.  Add a new SETCIRCUITPURPOSE controller
+      command to let you change a circuit's purpose after it's been
+      created.
+    - Accept "private:*" in routerdesc exit policies; not generated yet
+      because older Tors do not understand it.
+    - Add BSD-style contributed startup script "rc.subr" from Peter
+      Thoenen.
+
+
+Changes in version 0.1.1.14-alpha - 2006-02-20
+  o Bugfixes on 0.1.1.x:
+    - Don't die if we ask for a stdout or stderr log (even implicitly)
+      and we're set to RunAsDaemon -- just warn.
+    - We still had a few bugs in the OR connection rotation code that
+      caused directory servers to slowly aggregate connections to other
+      fast Tor servers. This time for sure!
+    - Make log entries on Win32 include the name of the function again.
+    - We were treating a pair of exit policies if they were equal even
+      if one said accept and the other said reject -- causing us to
+      not always publish a new descriptor since we thought nothing
+      had changed.
+    - Retry pending server downloads as well as pending networkstatus
+      downloads when we unexpectedly get a socks request.
+    - We were ignoring the IS_FAST flag in the directory status,
+      meaning we were willing to pick trivial-bandwidth nodes for "fast"
+      connections.
+    - If the controller's SAVECONF command fails (e.g. due to file
+      permissions), let the controller know that it failed.
+
+  o Features:
+    - If we're trying to be a Tor server and running Windows 95/98/ME
+      as a server, explain that we'll likely crash.
+    - When we're a server, a client asks for an old-style directory,
+      and our write bucket is empty, don't give it to him. This way
+      small servers can continue to serve the directory *sometimes*,
+      without getting overloaded.
+    - Compress exit policies even more -- look for duplicate lines
+      and remove them.
+    - Clients now honor the "guard" flag in the router status when
+      picking entry guards, rather than looking at is_fast or is_stable.
+    - Retain unrecognized lines in $DATADIR/state file, so that we can
+      be forward-compatible.
+    - Generate 18.0.0.0/8 address policy format in descs when we can;
+      warn when the mask is not reducible to a bit-prefix.
+    - Let the user set ControlListenAddress in the torrc.  This can be
       dangerous, but there are some cases (like a secured LAN) where it
       makes sense.
+    - Split ReachableAddresses into ReachableDirAddresses and
+      ReachableORAddresses, so we can restrict Dir conns to port 80
+      and OR conns to port 443.
+    - Now we can target arch and OS in rpm builds (contributed by
+      Phobos). Also make the resulting dist-rpm filename match the
+      target arch.
     - New config options to help controllers: FetchServerDescriptors
       and FetchHidServDescriptors for whether to fetch server
       info and hidserv info or let the controller do it, and
@@ -1290,115 +1142,8 @@
     - Also let the controller set the __AllDirActionsPrivate config
       option if you want all directory fetches/publishes to happen via
       Tor (it assumes your controller bootstraps your circuits).
-    - Add "HardwareAccel" config option: support for crypto hardware
-      accelerators via OpenSSL. Off by default, until we find somebody
-      smart who can test it for us. (It appears to produce seg faults
-      in at least some cases.)
-    - New config option "AuthDirRejectUnlisted" for directory authorities
-      as a panic button: if we get flooded with unusable servers we can
-      revert to only listing servers in the approved-routers file.
-    - Directory authorities can now reject/invalidate by key and IP,
-      with the config options "AuthDirInvalid" and "AuthDirReject", or
-      by marking a fingerprint as "!reject" or "!invalid" (as its
-      nickname) in the approved-routers file. This is useful since
-      currently we automatically list servers as running and usable
-      even if we know they're jerks.
-    - Add a new config option TestSocks so people can see whether their
-      applications are using socks4, socks4a, socks5-with-ip, or
-      socks5-with-fqdn. This way they don't have to keep mucking
-      with tcpdump and wondering if something got cached somewhere.
-    - Add "private:*" as an alias in configuration for policies. Now
-      you can simplify your exit policy rather than needing to list
-      every single internal or nonroutable network space.
-    - Accept "private:*" in routerdesc exit policies; not generated yet
-      because older Tors do not understand it.
-    - Add configuration option "V1AuthoritativeDirectory 1" which
-      moria1, moria2, and tor26 have set.
-    - Implement an option, VirtualAddrMask, to set which addresses
-      get handed out in response to mapaddress requests. This works
-      around a bug in tsocks where 127.0.0.0/8 is never socksified.
-    - Add a new config option FetchUselessDescriptors, off by default,
-      for when you plan to run "exitlist" on your client and you want
-      to know about even the non-running descriptors.
-    - SocksTimeout: How long do we let a socks connection wait
-      unattached before we fail it?
-    - CircuitBuildTimeout: Cull non-open circuits that were born
-      at least this many seconds ago.
-    - CircuitIdleTimeout: Cull open clean circuits that were born
-      at least this many seconds ago.
-    - New config option SafeSocks to reject all application connections
-      using unsafe socks protocols. Defaults to off.
 
-  o Improved and clearer log messages:
-    - Reduce clutter in server logs. We're going to try to make
-      them actually usable now. New config option ProtocolWarnings that
-      lets you hear about how _other Tors_ are breaking the protocol. Off
-      by default.
-    - Divide log messages into logging domains. Once we put some sort
-      of interface on this, it will let people looking at more verbose
-      log levels specify the topics they want to hear more about.
-    - Log server fingerprint on startup, so new server operators don't
-      have to go hunting around their filesystem for it.
-    - Provide dire warnings to any users who set DirServer manually;
-      move it out of torrc.sample and into torrc.complete.
-    - Make the log message less scary when all the dirservers are
-      temporarily unreachable.
-    - When tor_socketpair() fails in Windows, give a reasonable
-      Windows-style errno back.
-    - Improve tor_gettimeofday() granularity on windows.
-    - We were printing the number of idle dns workers incorrectly when
-      culling them.
-    - Handle duplicate lines in approved-routers files without warning.
-    - We were whining about using socks4 or socks5-with-local-lookup
-      even when it's an IP address in the "virtual" range we designed
-      exactly for this case.
-    - Check for named servers when looking them up by nickname;
-      warn when we're calling a non-named server by its nickname;
-      don't warn twice about the same name.
-    - Downgrade the dirserver log messages when whining about
-      unreachability.
-    - Correct "your server is reachable" log entries to indicate that
-      it was self-testing that told us so.
-    - If we're trying to be a Tor server and running Windows 95/98/ME
-      as a server, explain that we'll likely crash.
-    - Provide a more useful warn message when our onion queue gets full:
-      the CPU is too slow or the exit policy is too liberal.
-    - Don't warn when we receive a 503 from a dirserver/cache -- this
-      will pave the way for them being able to refuse if they're busy.
-    - When we fail to bind a listener, try to provide a more useful
-      log message: e.g., "Is Tor already running?"
-    - Only start testing reachability once we've established a
-      circuit. This will make startup on dir authorities less noisy.
-    - Don't try to upload hidden service descriptors until we have
-      established a circuit.
-    - Tor didn't warn when it failed to open a log file.
-    - Warn when listening on a public address for socks. We suspect a
-      lot of people are setting themselves up as open socks proxies,
-      and they have no idea that jerks on the Internet are using them,
-      since they simply proxy the traffic into the Tor network.
-    - Give a useful message when people run Tor as the wrong user,
-      rather than telling them to start chowning random directories.
-    - Fix a harmless bug that was causing Tor servers to log
-      "Got an end because of misc error, but we're not an AP. Closing."
-    - Fix wrong log message when you add a "HiddenServiceNodes" config
-      line without any HiddenServiceDir line (reported by Chris Thomas).
-    - Directory authorities now stop whining so loudly about bad
-      descriptors that they fetch from other dirservers. So when there's
-      a log complaint, it's for sure from a freshly uploaded descriptor.
-    - When logging via syslog, include the pid whenever we provide
-      a log entry. Suggested by Todd Fries.
-    - When we're shutting down and we do something like try to post a
-      server descriptor or rendezvous descriptor, don't complain that
-      we seem to be unreachable. Of course we are, we're shutting down.
-    - Change log line for unreachability to explicitly suggest /etc/hosts
-      as the culprit. Also make it clearer what IP address and ports we're
-      testing for reachability.
-    - Put quotes around user-supplied strings when logging so users are
-      more likely to realize if they add bad characters (like quotes)
-      to the torrc.
-    - NT service patch from Matt Edman to improve error messages on Win32.
 
-
 Changes in version 0.1.0.17 - 2006-02-17
   o Crash bugfixes on 0.1.0.x:
     - When servers with a non-zero DirPort came out of hibernation,
@@ -1425,6 +1170,227 @@
       from 20 minutes to 1 hour.
 
 
+Changes in version 0.1.1.13-alpha - 2006-02-09
+  o Crashes in 0.1.1.x:
+    - When you tried to setconf ORPort via the controller, Tor would
+      crash. So people using TorCP to become a server were sad.
+    - Solve (I hope) the stack-smashing bug that we were seeing on fast
+      servers. The problem appears to be something do with OpenSSL's
+      random number generation, or how we call it, or something. Let me
+      know if the crashes continue.
+    - Turn crypto hardware acceleration off by default, until we find
+      somebody smart who can test it for us. (It appears to produce
+      seg faults in at least some cases.)
+    - Fix a rare assert error when we've tried all intro points for
+      a hidden service and we try fetching the service descriptor again:
+      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
+
+  o Major fixes:
+    - Fix a major load balance bug: we were round-robining in 16 KB
+      chunks, and servers with bandwidthrate of 20 KB, while downloading
+      a 600 KB directory, would starve their other connections. Now we
+      try to be a bit more fair.
+    - Dir authorities and mirrors were never expiring the newest
+      descriptor for each server, causing memory and directory bloat.
+    - Fix memory-bloating and connection-bloating bug on servers: We
+      were never closing any connection that had ever had a circuit on
+      it, because we were checking conn->n_circuits == 0, yet we had a
+      bug that let it go negative.
+    - Make Tor work using squid as your http proxy again -- squid
+      returns an error if you ask for a URL that's too long, and it uses
+      a really generic error message. Plus, many people are behind a
+      transparent squid so they don't even realize it.
+    - On platforms that don't have getrlimit (like Windows), we were
+      artificially constraining ourselves to a max of 1024
+      connections. Now just assume that we can handle as many as 15000
+      connections. Hopefully this won't cause other problems.
+    - Add a new config option ExitPolicyRejectPrivate which defaults to
+      1. This means all exit policies will begin with rejecting private
+      addresses, unless the server operator explicitly turns it off.
+
+  o Major features:
+    - Clients not longer download descriptors for non-running
+      descriptors.
+    - Before we add new directory authorities, we should make it
+      clear that only v1 authorities should receive/publish hidden
+      service descriptors.
+
+  o Minor features:
+    - As soon as we've fetched some more directory info, immediately
+      try to download more server descriptors. This way we don't have
+      a 10 second pause during initial bootstrapping.
+    - Remove even more loud log messages that the server operator can't
+      do anything about.
+    - When we're running an obsolete or un-recommended version, make
+      the log message more clear about what the problem is and what
+      versions *are* still recommended.
+    - Provide a more useful warn message when our onion queue gets full:
+      the CPU is too slow or the exit policy is too liberal.
+    - Don't warn when we receive a 503 from a dirserver/cache -- this
+      will pave the way for them being able to refuse if they're busy.
+    - When we fail to bind a listener, try to provide a more useful
+      log message: e.g., "Is Tor already running?"
+    - Adjust tor-spec to parameterize cell and key lengths. Now Ian
+      Goldberg can prove things about our handshake protocol more
+      easily.
+    - MaxConn has been obsolete for a while now. Document the ConnLimit
+      config option, which is a *minimum* number of file descriptors
+      that must be available else Tor refuses to start.
+    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
+      if you log to syslog and want something other than LOG_DAEMON.
+    - Make dirservers generate a separate "guard" flag to mean,
+      "would make a good entry guard". Make clients parse it and vote
+      on it. Not used by clients yet.
+    - Implement --with-libevent-dir option to ./configure. Also, improve
+      search techniques to find libevent, and use those for openssl too.
+    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB
+    - Only start testing reachability once we've established a
+      circuit. This will make startup on dirservers less noisy.
+    - Don't try to upload hidden service descriptors until we have
+      established a circuit.
+    - Fix the controller's "attachstream 0" command to treat conn like
+      it just connected, doing address remapping, handling .exit and
+      .onion idioms, and so on. Now we're more uniform in making sure
+      that the controller hears about new and closing connections.
+
+
+Changes in version 0.1.1.12-alpha - 2006-01-11
+  o Bugfixes on 0.1.1.x:
+    - The fix to close duplicate server connections was closing all
+      Tor client connections if they didn't establish a circuit
+      quickly enough. Oops.
+    - Fix minor memory issue (double-free) that happened on exit.
+
+  o Bugfixes on 0.1.0.x:
+    - Tor didn't warn when it failed to open a log file.
+
+
+Changes in version 0.1.1.11-alpha - 2006-01-10
+  o Crashes in 0.1.1.x:
+    - Include all the assert/crash fixes from 0.1.0.16.
+    - If you start Tor and then quit very quickly, there were some
+      races that tried to free things that weren't allocated yet.
+    - Fix a rare memory stomp if you're running hidden services.
+    - Fix segfault when specifying DirServer in config without nickname.
+    - Fix a seg fault when you finish connecting to a server but at
+      that moment you dump his server descriptor.
+    - Extendcircuit and Attachstream controller commands would
+      assert/crash if you don't give them enough arguments.
+    - Fix an assert error when we're out of space in the connection_list
+      and we try to post a hidden service descriptor (reported by weasel).
+    - If you specify a relative torrc path and you set RunAsDaemon in
+      your torrc, then it chdir()'s to the new directory. If you HUP,
+      it tries to load the new torrc location, fails, and exits.
+      The fix: no longer allow a relative path to torrc using -f.
+
+  o Major features:
+    - Implement "entry guards": automatically choose a handful of entry
+      nodes and stick with them for all circuits. Only pick new guards
+      when the ones you have are unsuitable, and if the old guards
+      become suitable again, switch back. This will increase security
+      dramatically against certain end-point attacks. The EntryNodes
+      config option now provides some hints about which entry guards you
+      want to use most; and StrictEntryNodes means to only use those.
+    - New directory logic: download by descriptor digest, not by
+      fingerprint. Caches try to download all listed digests from
+      authorities; clients try to download "best" digests from caches.
+      This avoids partitioning and isolating attacks better.
+    - Make the "stable" router flag in network-status be the median of
+      the uptimes of running valid servers, and make clients pay
+      attention to the network-status flags. Thus the cutoff adapts
+      to the stability of the network as a whole, making IRC, IM, etc
+      connections more reliable.
+
+  o Major fixes:
+    - Tor servers with dynamic IP addresses were needing to wait 18
+      hours before they could start doing reachability testing using
+      the new IP address and ports. This is because they were using
+      the internal descriptor to learn what to test, yet they were only
+      rebuilding the descriptor once they decided they were reachable.
+    - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients
+      to download certain server descriptors, throw them away, and then
+      fetch them again after 30 minutes. Now mirrors throw away these
+      server descriptors so clients can't get them.
+    - We were leaving duplicate connections to other ORs open for a week,
+      rather than closing them once we detect a duplicate. This only
+      really affected authdirservers, but it affected them a lot.
+    - Spread the authdirservers' reachability testing over the entire
+      testing interval, so we don't try to do 500 TLS's at once every
+      20 minutes.
+
+  o Minor fixes:
+    - If the network is down, and we try to connect to a conn because
+      we have a circuit in mind, and we timeout (30 seconds) because the
+      network never answers, we were expiring the circuit, but we weren't
+      obsoleting the connection or telling the entry_guards functions.
+    - Some Tor servers process billions of cells per day. These statistics
+      need to be uint64_t's.
+    - Check for integer overflows in more places, when adding elements
+      to smartlists. This could possibly prevent a buffer overflow
+      on malicious huge inputs. I don't see any, but I haven't looked
+      carefully.
+    - ReachableAddresses kept growing new "reject *:*" lines on every
+      setconf/reload.
+    - When you "setconf log" via the controller, it should remove all
+      logs. We were automatically adding back in a "log notice stdout".
+    - Newly bootstrapped Tor networks couldn't establish hidden service
+      circuits until they had nodes with high uptime. Be more tolerant.
+    - We were marking servers down when they could not answer every piece
+      of the directory request we sent them. This was far too harsh.
+    - Fix the torify (tsocks) config file to not use Tor for localhost
+      connections.
+    - Directory authorities now go to the proper authority when asking for
+      a networkstatus, even when they want a compressed one.
+    - Fix a harmless bug that was causing Tor servers to log
+      "Got an end because of misc error, but we're not an AP. Closing."
+    - Authorities were treating their own descriptor changes as cosmetic,
+      meaning the descriptor available in the network-status and the
+      descriptor that clients downloaded were different.
+    - The OS X installer was adding a symlink for tor_resolve but
+      the binary was called tor-resolve (reported by Thomas Hardly).
+    - Workaround a problem with some http proxies where they refuse GET
+      requests that specify "Content-Length: 0" (reported by Adrian).
+    - Fix wrong log message when you add a "HiddenServiceNodes" config
+      line without any HiddenServiceDir line (reported by Chris Thomas).
+
+  o Minor features:
+    - Write the TorVersion into the state file so we have a prayer of
+      keeping forward and backward compatibility.
+    - Revive the FascistFirewall config option rather than eliminating it:
+      now it's a synonym for ReachableAddresses *:80,*:443.
+    - Clients choose directory servers from the network status lists,
+      not from their internal list of router descriptors. Now they can
+      go to caches directly rather than needing to go to authorities
+      to bootstrap.
+    - Directory authorities ignore router descriptors that have only
+      cosmetic differences: do this for 0.1.0.x servers now too.
+    - Add a new flag to network-status indicating whether the server
+      can answer v2 directory requests too.
+    - Authdirs now stop whining so loudly about bad descriptors that
+      they fetch from other dirservers. So when there's a log complaint,
+      it's for sure from a freshly uploaded descriptor.
+    - Reduce memory requirements in our structs by changing the order
+      of fields.
+    - There used to be two ways to specify your listening ports in a
+      server descriptor: on the "router" line and with a separate "ports"
+      line. Remove support for the "ports" line.
+    - New config option "AuthDirRejectUnlisted" for auth dirservers as
+      a panic button: if we get flooded with unusable servers we can
+      revert to only listing servers in the approved-routers file.
+    - Auth dir servers can now mark a fingerprint as "!reject" or
+      "!invalid" in the approved-routers file (as its nickname), to
+      refuse descriptors outright or include them but marked as invalid.
+    - Servers store bandwidth history across restarts/crashes.
+    - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
+      get a better idea of why their circuits failed. Not used yet.
+    - Directory mirrors now cache up to 16 unrecognized network-status
+      docs. Now we can add new authdirservers and they'll be cached too.
+    - When picking a random directory, prefer non-authorities if any
+      are known.
+    - New controller option "getinfo desc/all-recent" to fetch the
+      latest server descriptor for every router that Tor knows about.
+
+
 Changes in version 0.1.0.16 - 2006-01-02
   o Crash bugfixes on 0.1.0.x:
     - On Windows, build with a libevent patch from "I-M Weasel" to avoid
@@ -1467,6 +1433,281 @@
       reset its failure count so we can try again and get all three tries.
 
 
+Changes in version 0.1.1.10-alpha - 2005-12-11
+  o Correctness bugfixes on 0.1.0.x:
+    - On Windows, build with a libevent patch from "I-M Weasel" to avoid
+      corrupting the heap, losing FDs, or crashing when we need to resize
+      the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
+    - Stop doing the complex voodoo overkill checking for insecure
+      Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
+    - When we were closing connections, there was a rare case that
+      stomped on memory, triggering seg faults and asserts.
+    - We were neglecting to unlink marked circuits from soon-to-close OR
+      connections, which caused some rare scribbling on freed memory.
+    - When we're deciding whether a stream has enough circuits around
+      that can handle it, count the freshly dirty ones and not the ones
+      that are so dirty they won't be able to handle it.
+    - Recover better from TCP connections to Tor servers that are
+      broken but don't tell you (it happens!); and rotate TLS
+      connections once a week.
+    - When we're expiring old circuits, we had a logic error that caused
+      us to close new rendezvous circuits rather than old ones.
+    - Fix a scary-looking but apparently harmless bug where circuits
+      would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
+      servers, and never switch to state CIRCUIT_STATE_OPEN.
+    - When building with -static or on Solaris, we sometimes needed to
+      build with -ldl.
+    - Give a useful message when people run Tor as the wrong user,
+      rather than telling them to start chowning random directories.
+    - We were failing to inform the controller about new .onion streams.
+
+  o Security bugfixes on 0.1.0.x:
+    - Refuse server descriptors if the fingerprint line doesn't match
+      the included identity key. Tor doesn't care, but other apps (and
+      humans) might actually be trusting the fingerprint line.
+    - We used to kill the circuit when we receive a relay command we
+      don't recognize. Now we just drop it.
+    - Start obeying our firewall options more rigorously:
+      . If we can't get to a dirserver directly, try going via Tor.
+      . Don't ever try to connect (as a client) to a place our
+        firewall options forbid.
+      . If we specify a proxy and also firewall options, obey the
+        firewall options even when we're using the proxy: some proxies
+        can only proxy to certain destinations.
+    - Fix a bug found by Lasse Overlier: when we were making internal
+      circuits (intended to be cannibalized later for rendezvous and
+      introduction circuits), we were picking them so that they had
+      useful exit nodes. There was no need for this, and it actually
+      aids some statistical attacks.
+    - Start treating internal circuits and exit circuits separately.
+      It's important to keep them separate because internal circuits
+      have their last hops picked like middle hops, rather than like
+      exit hops. So exiting on them will break the user's expectations.
+
+  o Bugfixes on 0.1.1.x:
+    - Take out the mis-feature where we tried to detect IP address
+      flapping for people with DynDNS, and chose not to upload a new
+      server descriptor sometimes.
+    - Try to be compatible with OpenSSL 0.9.6 again.
+    - Log fix: when the controller is logging about .onion addresses,
+      sometimes it didn't include the ".onion" part of the address.
+    - Don't try to modify options->DirServers internally -- if the
+      user didn't specify any, just add the default ones directly to
+      the trusted dirserver list. This fixes a bug where people running
+      controllers would use SETCONF on some totally unrelated config
+      option, and Tor would start yelling at them about changing their
+      DirServer lines.
+    - Let the controller's redirectstream command specify a port, in
+      case the controller wants to change that too.
+    - When we requested a pile of server descriptors, we sometimes
+      accidentally launched a duplicate request for the first one.
+    - Bugfix for trackhostexits: write down the fingerprint of the
+      chosen exit, not its nickname, because the chosen exit might not
+      be verified.
+    - When parsing foo.exit, if foo is unknown, and we are leaving
+      circuits unattached, set the chosen_exit field and leave the
+      address empty. This matters because controllers got confused
+      otherwise.
+    - Directory authorities no longer try to download server
+      descriptors that they know they will reject.
+
+  o Features and updates:
+    - Replace balanced trees with hash tables: this should make stuff
+      significantly faster.
+    - Resume using the AES counter-mode implementation that we ship,
+      rather than OpenSSL's. Ours is significantly faster.
+    - Many other CPU and memory improvements.
+    - Add a new config option FastFirstHopPK (on by default) so clients
+      do a trivial crypto handshake for their first hop, since TLS has
+      already taken care of confidentiality and authentication.
+    - Add a new config option TestSocks so people can see if their
+      applications are using socks4, socks4a, socks5-with-ip, or
+      socks5-with-hostname. This way they don't have to keep mucking
+      with tcpdump and wondering if something got cached somewhere.
+    - Warn when listening on a public address for socks. I suspect a
+      lot of people are setting themselves up as open socks proxies,
+      and they have no idea that jerks on the Internet are using them,
+      since they simply proxy the traffic into the Tor network.
+    - Add "private:*" as an alias in configuration for policies. Now
+      you can simplify your exit policy rather than needing to list
+      every single internal or nonroutable network space.
+    - Add a new controller event type that allows controllers to get
+      all server descriptors that were uploaded to a router in its role
+      as authoritative dirserver.
+    - Start shipping socks-extensions.txt, tor-doc-unix.html,
+      tor-doc-server.html, and stylesheet.css in the tarball.
+    - Stop shipping tor-doc.html in the tarball.
+
+
+Changes in version 0.1.1.9-alpha - 2005-11-15
+  o Usability improvements:
+    - Start calling it FooListenAddress rather than FooBindAddress,
+      since few of our users know what it means to bind an address
+      or port.
+    - Reduce clutter in server logs. We're going to try to make
+      them actually usable now. New config option ProtocolWarnings that
+      lets you hear about how _other Tors_ are breaking the protocol. Off
+      by default.
+    - Divide log messages into logging domains. Once we put some sort
+      of interface on this, it will let people looking at more verbose
+      log levels specify the topics they want to hear more about.
+    - Make directory servers return better http 404 error messages
+      instead of a generic "Servers unavailable".
+    - Check for even more Windows version flags when writing the platform
+      string in server descriptors, and note any we don't recognize.
+    - Clean up more of the OpenSSL memory when exiting, so we can detect
+      memory leaks better.
+    - Make directory authorities be non-versioning, non-naming by
+      default. Now we can add new directory servers without requiring
+      their operators to pay close attention.
+    - When logging via syslog, include the pid whenever we provide
+      a log entry. Suggested by Todd Fries.
+
+  o Performance improvements:
+    - Directory servers now silently throw away new descriptors that
+      haven't changed much if the timestamps are similar. We do this to
+      tolerate older Tor servers that upload a new descriptor every 15
+      minutes. (It seemed like a good idea at the time.)
+    - Inline bottleneck smartlist functions; use fast versions by default.
+    - Add a "Map from digest to void*" abstraction digestmap_t so we
+      can do less hex encoding/decoding. Use it in router_get_by_digest()
+      to resolve a performance bottleneck.
+    - Allow tor_gzip_uncompress to extract as much as possible from
+      truncated compressed data. Try to extract as many
+      descriptors as possible from truncated http responses (when
+      DIR_PURPOSE_FETCH_ROUTERDESC).
+    - Make circ->onionskin a pointer, not a static array. moria2 was using
+      125000 circuit_t's after it had been up for a few weeks, which
+      translates to 20+ megs of wasted space.
+    - The private half of our EDH handshake keys are now chosen out
+      of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
+
+  o Security improvements:
+    - Start making directory caches retain old routerinfos, so soon
+      clients can start asking by digest of descriptor rather than by
+      fingerprint of server.
+    - Add half our entropy from RAND_poll in OpenSSL.  This knows how
+      to use egd (if present), openbsd weirdness (if present), vms/os2
+      weirdness (if we ever port there), and more in the future.
+
+  o Bugfixes on 0.1.0.x:
+    - Do round-robin writes of at most 16 kB per write. This might be
+      more fair on loaded Tor servers, and it might resolve our Windows
+      crash bug. It might also slow things down.
+    - Our TLS handshakes were generating a single public/private
+      keypair for the TLS context, rather than making a new one for
+      each new connections. Oops. (But we were still rotating them
+      periodically, so it's not so bad.)
+    - When we were cannibalizing a circuit with a particular exit
+      node in mind, we weren't checking to see if that exit node was
+      already present earlier in the circuit. Oops.
+    - When a Tor server's IP changes (e.g. from a dyndns address),
+      upload a new descriptor so clients will learn too.
+    - Really busy servers were keeping enough circuits open on stable
+      connections that they were wrapping around the circuit_id
+      space. (It's only two bytes.) This exposed a bug where we would
+      feel free to reuse a circuit_id even if it still exists but has
+      been marked for close. Try to fix this bug. Some bug remains.
+    - If we would close a stream early (e.g. it asks for a .exit that
+      we know would refuse it) but the LeaveStreamsUnattached config
+      option is set by the controller, then don't close it.
+
+  o Bugfixes on 0.1.1.8-alpha:
+    - Fix a big pile of memory leaks, some of them serious.
+    - Do not try to download a routerdesc if we would immediately reject
+      it as obsolete.
+    - Resume inserting a newline between all router descriptors when
+      generating (old style) signed directories, since our spec says
+      we do.
+    - When providing content-type application/octet-stream for
+      server descriptors using .z, we were leaving out the
+      content-encoding header. Oops. (Everything tolerated this just
+      fine, but that doesn't mean we need to be part of the problem.)
+    - Fix a potential seg fault in getconf and getinfo using version 1
+      of the controller protocol.
+    - Avoid crash: do not check whether DirPort is reachable when we
+      are suppressing it because of hibernation.
+    - Make --hash-password not crash on exit.
+
+
+Changes in version 0.1.1.8-alpha - 2005-10-07
+  o New features (major):
+    - Clients don't download or use the directory anymore. Now they
+      download and use network-statuses from the trusted dirservers,
+      and fetch individual server descriptors as needed from mirrors.
+      See dir-spec.txt for all the gory details.
+    - Be more conservative about whether to advertise our DirPort.
+      The main change is to not advertise if we're running at capacity
+      and either a) we could hibernate or b) our capacity is low and
+      we're using a default DirPort.
+    - Use OpenSSL's AES when OpenSSL has version 0.9.7 or later.
+
+  o New features (minor):
+    - Try to be smart about when to retry network-status and
+      server-descriptor fetches. Still needs some tuning.
+    - Stop parsing, storing, or using running-routers output (but
+      mirrors still cache and serve it).
+    - Consider a threshold of versioning dirservers (dirservers who have
+      an opinion about which Tor versions are still recommended) before
+      deciding whether to warn the user that he's obsolete.
+    - Dirservers can now reject/invalidate by key and IP, with the
+      config options "AuthDirInvalid" and "AuthDirReject". This is
+      useful since currently we automatically list servers as running
+      and usable even if we know they're jerks.
+    - Provide dire warnings to any users who set DirServer; move it out
+      of torrc.sample and into torrc.complete.
+    - Add MyFamily to torrc.sample in the server section.
+    - Add nicknames to the DirServer line, so we can refer to them
+      without requiring all our users to memorize their IP addresses.
+    - When we get an EOF or a timeout on a directory connection, note
+      how many bytes of serverdesc we are dropping. This will help
+      us determine whether it is smart to parse incomplete serverdesc
+      responses.
+    - Add a new function to "change pseudonyms" -- that is, to stop
+      using any currently-dirty circuits for new streams, so we don't
+      link new actions to old actions. Currently it's only called on
+      HUP (or SIGNAL RELOAD).
+    - On sighup, if UseHelperNodes changed to 1, use new circuits.
+    - Start using RAND_bytes rather than RAND_pseudo_bytes from
+      OpenSSL. Also, reseed our entropy every hour, not just at
+      startup. And entropy in 512-bit chunks, not 160-bit chunks.
+
+  o Fixes on 0.1.1.7-alpha:
+    - Nobody ever implemented EVENT_ADDRMAP for control protocol
+      version 0, so don't let version 0 controllers ask for it.
+    - If you requested something with too many newlines via the
+      v1 controller protocol, you could crash tor.
+    - Fix a number of memory leaks, including some pretty serious ones.
+    - Re-enable DirPort testing again, so Tor servers will be willing
+      to advertise their DirPort if it's reachable.
+    - On TLS handshake, only check the other router's nickname against
+      its expected nickname if is_named is set.
+
+  o Fixes forward-ported from 0.1.0.15:
+    - Don't crash when we don't have any spare file descriptors and we
+      try to spawn a dns or cpu worker.
+    - Make the numbers in read-history and write-history into uint64s,
+      so they don't overflow and publish negatives in the descriptor.
+
+  o Fixes on 0.1.0.x:
+    - For the OS X package's modified privoxy config file, comment
+      out the "logfile" line so we don't log everything passed
+      through privoxy.
+    - We were whining about using socks4 or socks5-with-local-lookup
+      even when it's an IP in the "virtual" range we designed exactly
+      for this case.
+    - We were leaking some memory every time the client changes IPs.
+    - Never call free() on tor_malloc()d memory. This will help us
+      use dmalloc to detect memory leaks.
+    - Check for named servers when looking them up by nickname;
+      warn when we'recalling a non-named server by its nickname;
+      don't warn twice about the same name.
+    - Try to list MyFamily elements by key, not by nickname, and warn
+      if we've not heard of the server.
+    - Make windows platform detection (uname equivalent) smarter.
+    - It turns out sparc64 doesn't like unaligned access either.
+
+
 Changes in version 0.1.0.15 - 2005-09-23
   o Bugfixes on 0.1.0.x:
     - Reject ports 465 and 587 (spam targets) in default exit policy.
@@ -1484,6 +1725,175 @@
     - Clean up log entries that pointed to old URLs.
 
 
+Changes in version 0.1.1.7-alpha - 2005-09-14
+  o Fixes on 0.1.1.6-alpha:
+    - Exit servers were crashing when people asked them to make a
+      connection to an address not in their exit policy.
+    - Looking up a non-existent stream for a v1 control connection would
+      cause a segfault.
+    - Fix a seg fault if we ask a dirserver for a descriptor by
+      fingerprint but he doesn't know about him.
+    - SETCONF was appending items to linelists, not clearing them.
+    - SETCONF SocksBindAddress killed Tor if it fails to bind. Now back
+      out and refuse the setconf if it would fail.
+    - Downgrade the dirserver log messages when whining about
+      unreachability.
+
+  o New features:
+    - Add Peter Palfrader's check-tor script to tor/contrib/
+      It lets you easily check whether a given server (referenced by
+      nickname) is reachable by you.
+    - Numerous changes to move towards client-side v2 directories. Not
+      enabled yet.
+
+  o Fixes on 0.1.0.x:
+    - If the user gave tor an odd number of command-line arguments,
+      we were silently ignoring the last one. Now we complain and fail.
+      [This wins the oldest-bug prize -- this bug has been present since
+       November 2002, as released in Tor 0.0.0.]
+    - Do not use unaligned memory access on alpha, mips, or mipsel.
+      It *works*, but is very slow, so we treat them as if it doesn't.
+    - Retry directory requests if we fail to get an answer we like
+      from a given dirserver (we were retrying before, but only if
+      we fail to connect).
+    - When writing the RecommendedVersions line, sort them first.
+    - When the client asked for a rendezvous port that the hidden
+      service didn't want to provide, we were sending an IP address
+      back along with the end cell. Fortunately, it was zero. But stop
+      that anyway.
+    - Correct "your server is reachable" log entries to indicate that
+      it was self-testing that told us so.
+
+
+Changes in version 0.1.1.6-alpha - 2005-09-09
+  o Fixes on 0.1.1.5-alpha:
+    - We broke fascistfirewall in 0.1.1.5-alpha. Oops.
+    - Fix segfault in unit tests in 0.1.1.5-alpha. Oops.
+    - Fix bug with tor_memmem finding a match at the end of the string.
+    - Make unit tests run without segfaulting.
+    - Resolve some solaris x86 compile warnings.
+    - Handle duplicate lines in approved-routers files without warning.
+    - Fix bug where as soon as a server refused any requests due to his
+      exit policy (e.g. when we ask for localhost and he tells us that's
+      127.0.0.1 and he won't do it), we decided he wasn't obeying his
+      exit policy using him for any exits.
+    - Only do openssl hardware accelerator stuff if openssl version is
+      at least 0.9.7.
+
+  o New controller features/fixes:
+    - Add a "RESETCONF" command so you can set config options like
+      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
+      a config option in the torrc with no value, then it clears it
+      entirely (rather than setting it to its default).
+    - Add a "GETINFO config-file" to tell us where torrc is.
+    - Avoid sending blank lines when GETINFO replies should be empty.
+    - Add a QUIT command for the controller (for using it manually).
+    - Fix a bug in SAVECONF that was adding default dirservers and
+      other redundant entries to the torrc file.
+
+  o Start on the new directory design:
+    - Generate, publish, cache, serve new network-status format.
+    - Publish individual descriptors (by fingerprint, by "all", and by
+      "tell me yours").
+    - Publish client and server recommended versions separately.
+    - Allow tor_gzip_uncompress() to handle multiple concatenated
+      compressed strings. Serve compressed groups of router
+      descriptors. The compression logic here could be more
+      memory-efficient.
+    - Distinguish v1 authorities (all currently trusted directories)
+      from v2 authorities (all trusted directories).
+    - Change DirServers config line to note which dirs are v1 authorities.
+    - Add configuration option "V1AuthoritativeDirectory 1" which
+      moria1, moria2, and tor26 should set.
+    - Remove option when getting directory cache to see whether they
+      support running-routers; they all do now. Replace it with one
+      to see whether caches support v2 stuff.
+
+  o New features:
+    - Dirservers now do their own external reachability testing of each
+      Tor server, and only list them as running if they've been found to
+      be reachable. We also send back warnings to the server's logs if
+      it uploads a descriptor that we already believe is unreachable.
+    - Implement exit enclaves: if we know an IP address for the
+      destination, and there's a running Tor server at that address
+      which allows exit to the destination, then extend the circuit to
+      that exit first. This provides end-to-end encryption and end-to-end
+      authentication. Also, if the user wants a .exit address or enclave,
+      use 4 hops rather than 3, and cannibalize a general circ for it
+      if you can.
+    - Permit transitioning from ORPort=0 to ORPort!=0, and back, from the
+      controller. Also, rotate dns and cpu workers if the controller
+      changes options that will affect them; and initialize the dns
+      worker cache tree whether or not we start out as a server.
+    - Only upload a new server descriptor when options change, 18
+      hours have passed, uptime is reset, or bandwidth changes a lot.
+    - Check [X-]Forwarded-For headers in HTTP requests when generating
+      log messages. This lets people run dirservers (and caches) behind
+      Apache but still know which IP addresses are causing warnings.
+
+  o Config option changes:
+    - Replace (Fascist)Firewall* config options with a new
+      ReachableAddresses option that understands address policies.
+      For example, "ReachableAddresses *:80,*:443"
+    - Get rid of IgnoreVersion undocumented config option, and make us
+      only warn, never exit, when we're running an obsolete version.
+    - Make MonthlyAccountingStart config option truly obsolete now.
+
+  o Fixes on 0.1.0.x:
+    - Reject ports 465 and 587 in the default exit policy, since
+      people have started using them for spam too.
+    - It turns out we couldn't bootstrap a network since we added
+      reachability detection in 0.1.0.1-rc. Good thing the Tor network
+      has never gone down. Add an AssumeReachable config option to let
+      servers and dirservers bootstrap. When we're trying to build a
+      high-uptime or high-bandwidth circuit but there aren't enough
+      suitable servers, try being less picky rather than simply failing.
+    - Our logic to decide if the OR we connected to was the right guy
+      was brittle and maybe open to a mitm for unverified routers.
+    - We weren't cannibalizing circuits correctly for
+      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
+      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
+      build those from scratch. This should make hidden services faster.
+    - Predict required circuits better, with an eye toward making hidden
+      services faster on the service end.
+    - Retry streams if the exit node sends back a 'misc' failure. This
+      should result in fewer random failures. Also, after failing
+      from resolve failed or misc, reset the num failures, so we give
+      it a fair shake next time we try.
+    - Clean up the rendezvous warn log msgs, and downgrade some to info.
+    - Reduce severity on logs about dns worker spawning and culling.
+    - When we're shutting down and we do something like try to post a
+      server descriptor or rendezvous descriptor, don't complain that
+      we seem to be unreachable. Of course we are, we're shutting down.
+    - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
+      We don't use them yet, but maybe one day our DNS resolver will be
+      able to discover them.
+    - Make ContactInfo mandatory for authoritative directory servers.
+    - Require server descriptors to list IPv4 addresses -- hostnames
+      are no longer allowed. This also fixes some potential security
+      problems with people providing hostnames as their address and then
+      preferentially resolving them to partition users.
+    - Change log line for unreachability to explicitly suggest /etc/hosts
+      as the culprit. Also make it clearer what IP address and ports we're
+      testing for reachability.
+    - Put quotes around user-supplied strings when logging so users are
+      more likely to realize if they add bad characters (like quotes)
+      to the torrc.
+    - Let auth dir servers start without specifying an Address config
+      option.
+    - Make unit tests (and other invocations that aren't the real Tor)
+      run without launching listeners, creating subdirectories, and so on.
+
+
+Changes in version 0.1.1.5-alpha - 2005-08-08
+  o Bugfixes included in 0.1.0.14.
+
+  o Bugfixes on 0.1.0.x:
+    - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
+      torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
+      it would silently using ignore the 6668.
+
+
 Changes in version 0.1.0.14 - 2005-08-08
   o Bugfixes on 0.1.0.x:
       - Fix the other half of the bug with crypto handshakes
@@ -1492,6 +1902,16 @@
         controller when it's listening for 'event info' messages.
 
 
+Changes in version 0.1.1.4-alpha - 2005-08-04
+  o Bugfixes included in 0.1.0.13.
+
+  o Features:
+    - Improve tor_gettimeofday() granularity on windows.
+    - Make clients regenerate their keys when their IP address changes.
+    - Implement some more GETINFO goodness: expose helper nodes, config
+      options, getinfo keys.
+
+
 Changes in version 0.1.0.13 - 2005-08-04
   o Bugfixes on 0.1.0.x:
     - Fix a critical bug in the security of our crypto handshakes.
@@ -1505,6 +1925,35 @@
       not-broken.
 
 
+Changes in version 0.1.1.3-alpha - 2005-07-23
+  o Bugfixes on 0.1.1.2-alpha:
+    - Fix a bug in handling the controller's "post descriptor"
+      function.
+    - Fix several bugs in handling the controller's "extend circuit"
+      function.
+    - Fix a bug in handling the controller's "stream status" event.
+    - Fix an assert failure if we have a controller listening for
+      circuit events and we go offline.
+    - Re-allow hidden service descriptors to publish 0 intro points.
+    - Fix a crash when generating your hidden service descriptor if
+      you don't have enough intro points already.
+
+  o New features on 0.1.1.2-alpha:
+    - New controller function "getinfo accounting", to ask how
+      many bytes we've used in this time period.
+    - Experimental support for helper nodes: a lot of the risk from
+      a small static adversary comes because users pick new random
+      nodes every time they rebuild a circuit. Now users will try to
+      stick to the same small set of entry nodes if they can. Not
+      enabled by default yet.
+
+  o Bugfixes on 0.1.0.12:
+    - If you're an auth dir server, always publish your dirport,
+      even if you haven't yet found yourself to be reachable.
+    - Fix a size_t underflow in smartlist_join_strings2() that made
+      it do bad things when you hand it an empty smartlist.
+
+
 Changes in version 0.1.0.12 - 2005-07-18
   o New directory servers:
       - tor26 has changed IP address.
@@ -1520,6 +1969,46 @@
       Edman for the fix.
 
 
+Changes in version 0.1.1.2-alpha - 2005-07-15
+  o New directory servers:
+    - tor26 has changed IP address.
+
+  o Bugfixes on 0.1.0.x, crashes/leaks:
+    - Port the servers-not-obeying-their-exit-policies fix from
+      0.1.0.11.
+    - Fix an fd leak in start_daemon().
+    - On Windows, you can't always reopen a port right after you've
+      closed it. So change retry_listeners() to only close and re-open
+      ports that have changed.
+    - Fix a possible double-free in tor_gzip_uncompress().
+
+  o Bugfixes on 0.1.0.x, usability:
+    - When tor_socketpair() fails in Windows, give a reasonable
+      Windows-style errno back.
+    - Let people type "tor --install" as well as "tor -install" when
+      they
+      want to make it an NT service.
+    - NT service patch from Matt Edman to improve error messages.
+    - When the controller asks for a config option with an abbreviated
+      name, give the full name in our response.
+    - Correct the man page entry on TrackHostExitsExpire.
+    - Looks like we were never delivering deflated (i.e. compressed)
+      running-routers lists, even when asked. Oops.
+    - When --disable-threads is set, do not search for or link against
+      pthreads libraries.
+
+  o Bugfixes on 0.1.1.x:
+    - Fix a seg fault with autodetecting which controller version is
+      being used.
+
+  o Features:
+    - New hidden service descriptor format: put a version in it, and
+      let people specify introduction/rendezvous points that aren't
+      in "the directory" (which is subjective anyway).
+    - Allow the DEBUG controller event to work again. Mark certain log
+      entries as "don't tell this to controllers", so we avoid cycles.
+
+
 Changes in version 0.1.0.11 - 2005-06-30
   o Bugfixes on 0.1.0.x:
     - Fix major security bug: servers were disregarding their
@@ -1530,6 +2019,29 @@
     - The MAPADDRESS control command was broken.
 
 
+Changes in version 0.1.1.1-alpha - 2005-06-29
+  o Bugfixes:
+    - Make OS X init script check for missing argument, so we don't
+      confuse users who invoke it incorrectly.
+    - Fix a seg fault in "tor --hash-password foo".
+    - Fix a possible way to DoS dirservers.
+    - When we complain that your exit policy implicitly allows local or
+      private address spaces, name them explicitly so operators can
+      fix it.
+    - Make the log message less scary when all the dirservers are
+      temporarily unreachable.
+    - We were printing the number of idle dns workers incorrectly when
+      culling them.
+
+  o Features:
+    - Revised controller protocol (version 1) that uses ascii rather
+      than binary. Add supporting libraries in python and java so you
+      can use the controller from your applications without caring how
+      our protocol works.
+    - Spiffy new support for crypto hardware accelerators. Can somebody
+      test this?
+
+
 Changes in version 0.0.9.10 - 2005-06-16
   o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
     - Refuse relay cells that claim to have a length larger than the
@@ -2181,7 +2693,7 @@
       now that we're shipping binary distributions more regularly.
 
 
-Changes in version 0.0.9.1 - 2004-12-16
+Changes in version 0.0.9.1 - 2004-12-15
   o Bugfixes on 0.0.9:
     - Make hibernation actually work.
     - Make HashedControlPassword config option work.



More information about the tor-commits mailing list