[tor-commits] [bridgedb/develop] Update CHANGELOG for BridgeDB 0.3.3.

isis at torproject.org isis at torproject.org
Sat Jul 25 01:16:33 UTC 2015


commit d05744c4b87be8f3d625c56c45b15eab47df2a35
Author: Isis Lovecruft <isis at torproject.org>
Date:   Sat Jul 25 01:11:04 2015 +0000

    Update CHANGELOG for BridgeDB 0.3.3.
---
 CHANGELOG |  101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)

diff --git a/CHANGELOG b/CHANGELOG
index 4dc04f0..d99f3f7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,104 @@
+Changes in version 0.3.3 - 2015-07-25
+
+        * FIXES #12029 https://bugs.torproject.org/12029
+        BridgeDB now has an API for creating Bridge Distributors.
+        See the bridgedb.distribute module, or its developer documentation
+        at https://pythonhosted.org/bridgedb/bridgedb.distribute.html.
+
+        * FIXES PART OF #12506  https://bugs.torproject.org/12506
+        BridgeDB's two Distributors (HTTPS and Email) are now entirely
+        modularised and self-contained within separate subdirectories in
+        the source code.  This is the first step to redesigning these
+        Distributors into their own separate processes, which will allow
+        the Distributors to remain functional while BridgeDB is reparsing
+        bridge descriptors.
+
+        * FIXES #15968 https://bugs.torproject.org/15968
+        BridgeDB now sends a Content-Security-Policy header which
+        explicitly allows Javascript, images, CSS, and fonts, from
+        https://bridges.torproject.org.  All other types of content are
+        forbidden, including:
+          - embedding https://bridges.torproject.org within
+            <iframe>, <embed>, or <object>, and attempting to source
+            additional resources into its embedded context
+          - inline Javascript, including Javascript within SVG files
+          - inline CSS
+          - externally hosted fonts
+          - inline SVG, e.g. via the HTML5 <svg> tag
+          - any and all connections made via Javascript XMLHttpRequests,
+            WebSockets, sendBeacon(), and Web Workers
+          - plugins
+          - applets
+        BridgeDB's Content-Security-Policy does not yet make use of
+        certain newer, lesser supported, Content-Security-Policy v2.0
+        directives, such as "reflected-xss" and "frame-ancestors", but may
+        someday.
+
+        * FIXES #16273 https://bugs.torproject.org/16273
+        Several links to Tor Project gitweb URLs within the developer
+        documentation were outdated in that they still used the old gitweb
+        URL format.  These are now updated.
+        Thanks to David Fifield for the bug report and patches.
+
+        * FIXES #16330 https://bugs.torproject.org/16330
+        BridgeDB can now handle bridge-server-descriptors with
+        extra-info-digest fields which have two values, as well as both
+        bridge-server-descriptors and bridge-extrainfo descriptors which
+        contain Ed25519 key material and signatures.  See Tor proposals
+        #220 and #228 for more information on the changes to these
+        descriptors.  Note that BridgeDB can now parse this information,
+        but does not yet make use of any Ed25519 cryptographic material
+        within bridge descriptors.
+        https://gitweb.torproject.org/torspec.git/tree/proposals/220-ecc-id-keys.txt
+        https://gitweb.torproject.org/torspec.git/tree/proposals/228-cross-certification-onionkeys.txt
+        Thanks to Atagar for patching Stem.
+
+        * FIXES #16616 https://bugs.torproject.org/16616
+        The HSDir flag can now be included within bridge-networkstatus
+        documents.  BridgeDB now has unittests which guarantee that its
+        parsers safely ignore this flag, as well as any flags unknown to
+        BridgeDB which may appear in the future.
+        Thanks to Roger Dingledine for alerting me about the change.
+
+        * FIXES #16649 https://bugs.torproject.org/16649
+        Mobile users, and other users with small screen pixel ratios, will
+        find that the UI of BridgeDB's HTTPS Distributor has greatly
+        increased in usability and readability.
+
+
+And includes the following general changes:
+
+        * FIXES an error when requesting the non-HTML version of the
+        bridges page (e.g. https://bridges.torproject.org/bridges?format=plain)
+
+        * REMOVES the `bridgedb test` commandline option.
+        BridgeDB's tests can be run via `python setup.py test` or `make
+        test` (or `make coverage` for generating HTML test coverage
+        statistics).
+
+        * CHANGES the HTTPS Distributor to HTML-encode Bridge Lines.
+        Previously, a malicious Pluggable Transport Bridge could include
+        in its PT arguments something like "evil=<script>[…]</script>" and
+        if such a Bridge were to be distributed to a user, that user's web
+        browser would execute the script (if Javacript was enabled).
+        Other characters, including non-ASCII, control characters, double
+        quotes, and backslashes, are also sanitised from Bridge Lines.
+        Thanks to Robert Ransom for the patches.
+
+        * CHANGES BridgeDB's module/package version numbers to be
+        compliant with PEP440.
+
+        * CHANGES the layout of BridgeDB's source code directories.
+        Rather than storing BridgeDB's source in "lib/bridgedb/", it is
+        now kept in "bridgedb/".  Similarly, the directory containing
+        BridgeDB's tests has been moved from "lib/bridgedb/test/" to
+        "test/", which means that the tests are no longer installed when
+        running `python setup.py install` or `make install`.
+
+        * ADDS several improvements to the developer documentation at
+        https://pythonhosted.org/bridgedb.
+
+
 Changes in version 0.3.2 - 2015-05-01
 
         * FIXES a problem with the calculation of Levenshtein distances
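Review bot: The "CHANGES the HTTPS Distributor to HTML-encode Bridge Lines" entry describes a script-injection fix, yet it sits under "general changes" with no ticket link, unlike every "FIXES #..." entry above it. A reader scanning for security-relevant changes will likely miss it. Consider moving it to the top section with its ticket URL if one exists, and stating which earlier releases served unencoded Bridge Lines. The same entry says the output is "HTML-encode"d but then that other characters are "sanitised from Bridge Lines", which leaves it unclear whether non-ASCII, control characters, double quotes and backslashes are escaped or dropped; saying which would help operators who compare distributed lines against their own bridge configuration. There is also a typo in that entry: "Javacript" should be "Javascript", matching the spelling used in the Content-Security-Policy entry.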


