[tor-dev] shipping with fallbackdir sources

Jacob Appelbaum jacob at appelbaum.net
Fri Apr 17 18:31:00 UTC 2015


On 4/17/15, Peter Palfrader <weasel at torproject.org> wrote:
> On Fri, 17 Apr 2015, Jacob Appelbaum wrote:
>
>> On 4/17/15, Peter Palfrader <weasel at torproject.org> wrote:
>> > so, Tor has included a feature to fetch the initial consensus from
>> > nodes other than the authorities for a while now.  We just haven't
>> > shipped a list of alternate locations for clients to go to yet.
>> >
>> > Reasons why we might want to ship tor with a list of additional places
>> > where clients can find the consensus is that it makes authority
>> > reachability and BW less important.
>> >
>> > At the last Tor dev meeting we came up with a list of arbitrary
>> > requirements that nodes should meet to be included in this list.
>> >
>> > We want them to have been around and using their current key, address,
>> > and port for a while now (120 days), and have been running, a guard,
>> > and a v2 directory mirror for most of that time.
>>
>> Is there a way to make the Tor Dir Auths produce that file as a
>> verifiable consensus every hour? Or is there a way to make the client
>> set that list of constraints and then we can just use a normal
>> consensus file?
>
> I think this list would be created at release time and ship with the
> tor binaries/source.

That gives a build person a lot of power - should we expect each
distro to do it correctly? I trust that you will do a fine job but I'm
not sure about others...

It gives an attacker an opportunity to segment or partition a view of
the network, I think. If the document is a strict signed subset
produced by the current Dir Auths, I think we'd not have that concern.

All the best,
Jake
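
Added example, not part of the original message and not Tor's own code: a sketch of the "strict subset" check raised above, auditing a shipped fallback list against router entries from a consensus. It assumes the consensus signatures were already verified, and the shipped-list layout (fingerprint, address, DirPort) and all sample data are constructed for illustration.

```python
import base64
REQUIRED_FLAGS = {"Running", "Guard", "V2Dir"}

def ident(fp_hex):
    """Fingerprint -> unpadded base64 identity, as it appears on an 'r' line."""
    return base64.b64encode(bytes.fromhex(fp_hex)).decode().rstrip("=")

def parse_consensus(text):
    """Map fingerprint -> address, DirPort and flags from 'r' and 's' lines."""
    relays, current = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0] == "r":
            # r nickname identity digest date time IP ORPort DirPort
            raw = base64.b64decode(parts[2] + "=" * (-len(parts[2]) % 4))
            current = {"addr": parts[6], "dirport": int(parts[8]), "flags": set()}
            relays[raw.hex().upper()] = current
        elif parts and parts[0] == "s" and current is not None:
            current["flags"] = set(parts[1:])
    return relays

def audit_fallbacks(fallbacks, relays):
    """Return (fingerprint, reason) for entries the consensus does not back."""
    findings = []
    for fp, addr, dirport in fallbacks:
        relay = relays.get(fp.upper())
        if relay is None:
            findings.append((fp, "not in consensus"))
        elif (relay["addr"], relay["dirport"]) != (addr, dirport):
            findings.append((fp, "address or DirPort differs"))
        elif not REQUIRED_FLAGS <= relay["flags"]:
            missing = sorted(REQUIRED_FLAGS - relay["flags"])
            findings.append((fp, "missing flags: " + ",".join(missing)))
    return findings

# Constructed sample data (documentation addresses, made-up fingerprints).
A, B, C, D = ("AA" * 20, "BB" * 20, "CC" * 20, "DD" * 20)
DIGEST = ident("00" * 20)
CONSENSUS = "\n".join([
    f"r relayA {ident(A)} {DIGEST} 2015-04-17 12:00:00 192.0.2.10 9001 9030",
    "s Fast Guard Running Stable V2Dir Valid",
    f"r relayB {ident(B)} {DIGEST} 2015-04-17 12:00:00 192.0.2.20 9001 9030",
    "s Fast Guard Running Stable V2Dir Valid",
    f"r relayD {ident(D)} {DIGEST} 2015-04-17 12:00:00 192.0.2.40 9001 9030",
    "s Fast Running V2Dir Valid",
])
SHIPPED = [(A, "192.0.2.10", 9030), (B, "198.51.100.7", 9030),
           (C, "192.0.2.30", 9030), (D, "192.0.2.40", 9030)]

print(audit_fallbacks(SHIPPED, parse_consensus(CONSENSUS)))
```

An empty result means every shipped entry is backed by the verified consensus; any finding marks an entry that the packager's list asserts but the authorities do not.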

