first draft of an 0.2.5.1-alpha changelog

Roger Dingledine 10 years ago
parent
commit
299e8c0292

+ 189 - 0
ChangeLog

@@ -1,3 +1,192 @@
+Changes in version 0.2.5.1-alpha - 2012-10-0?
+  Tor 0.2.5.1-alpha [...]
+
+  This is the first alpha release in a new series, so expect there to
+  be bugs. Users who would rather test out a more stable branch should
+  stay with 0.2.4.x for now.
+
+  o Major features (security):
+    - Use the seccomp2 syscall filtering facility on Linux to limit
+      which system calls Tor can invoke. This is an experimental,
+      Linux-only feature to provide defense-in-depth against unknown
+      attacks. To try turning it on, set "Sandbox 1" in your torrc
+      file. Please be ready to report bugs. We hope to add support
+      for better sandboxing in the future, including more fine-grained
+      filters, better division of responsibility, and support for more
+      platforms. This work has been done by Cristian-Matei Toader for
+      Google Summer of Code.
+    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
+      Resolves ticket 6055. (OpenSSL before 1.0.1 didn't have TLS 1.1 or
+      1.2, and OpenSSL from 1.0.1 through 1.0.1d had bugs that prevented
+      renegotiation from working with TLS 1.1 or 1.2, so we had disabled
+      them to solve bug 6033.)
+
+  o Major features (other):
+    - Add support for passing arguments to managed pluggable transport
+      proxies. Implements ticket 3594.
+    - Bridges now track GeoIP information and the number of their users
+      even when pluggable transports are in use, and report usage
+      statistics in their extra-info descriptors. Resolves tickets 4773
+      and 5040.
+    - Make testing Tor networks bootstrap better: lower directory fetch
+      retry schedules and maximum interval without directory requests,
+      and raise maximum download tries. Implements ticket 6752.
+    - Add make target 'test-network' to run tests on a Chutney network.
+      Implements ticket 8530.
+    - The ntor handshake is now on-by-default, no matter what the
+      directory authorities recommend. Implements ticket 8561.
+
+  o Major bugfixes:
+    - Instead of writing destroy cells directly to outgoing connection
+      buffers, queue them and intersperse them with other outgoing cells.
+      This can prevent a set of resource starvation conditions where too
+      many pending destroy cells prevent data cells from actually getting
+      delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
+      bugfix on 0.2.0.1-alpha.
+    - If we are unable to save a microdescriptor to the journal, do not
+      drop it from memory and then reattempt downloading it. Fixes bug
+      9645; bugfix on 0.2.2.6-alpha.
+
+  o Build features:
+    - Tor now builds each source file in two modes: a mode that avoids
+      exposing identifiers needlessly, and another mode that exposes
+      more identifiers for testing. This lets the compiler do better at
+      optimizing the production code, while enabling us to take more
+      radical measures to let the unit tests test things.
+    - The production builds no longer include functions used only in
+      the unit tests; all functions exposed from a module only for
+      unit-testing are now static in production builds.
+    - Add an --enable-coverage configuration option to make the unit
+      tests (and a new src/or/tor-cov target) to build with gcov test
+      coverage support.
+
+  o Testing:
+    - We now have rudimentary function mocking support that our unit
+      tests can use to test functions in isolation. Function mocking
+      lets the tests temporarily replace a function's dependencies with
+      stub functions, so that the tests can check the function without
+      invoking the other functions it calls.
+    - Add more unit tests for the <circid,channel>->circuit map, and
+      the destroy-cell-tracking code to fix bug 7912.
+    - Unit tests for failing cases of the TAP onion handshake.
+    - More unit tests for address-manipulation functions.
+
+  o Minor features (config options):
+    - Config (torrc) lines now handle fingerprints which are missing
+      their initial '$'. Resolves ticket 4341; improvement over 0.0.9pre5.
+    - Support a --dump-config option to print some or all of the
+      configured options. Mainly useful for debugging the command-line
+      option parsing code. Helps resolve ticket 4647.
+    - Raise awareness of safer logging: notify user of potentially
+      unsafe config options, like logging more verbosely than severity
+      "notice" or setting SafeLogging to 0. Resolves ticket 5584.
+    - Add a new configuration option TestingV3AuthVotingStartOffset
+      that bootstraps a network faster by changing the timing for
+      consensus votes. Addresses ticket 8532.
+    - Add a new torrc option "ServerTransportOptions" that allows
+      bridge operators to pass configuration parameters to their
+      pluggable transports. Resolves ticket 8929.
+    - The config (torrc) file now accepts bandwidth and space limits in
+      bits as well as bytes. (Anywhere that you can say "2 Kilobytes",
+      you can now say "16 kilobits", and so on.) Resolves ticket 9214.
+      Patch by CharlieB.
+
+  o Minor features (build):
+    - Add support for `--library-versions` flag. Implements ticket 6384.
+    - Return the "unexpected sendme" warnings to a warn severity, but make
+      them rate limited, to help diagnose ticket 8093.
+    - Detect a missing asciidoc, and warn the user about it, during
+      configure rather than at build time. Fixes issue 6506. Patch from
+      Arlo Breault.
+
+  o Minor features (other):
+    - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking
+      sockets in a single system call. Implements ticket 5129.
+    - Log current accounting state (bytes sent and received + remaining
+      time for the current accounting period) in the relay's heartbeat
+      message. Implements ticket 5526; patch from Peter Retzlaff.
+    - Implement the TRANSPORT_LAUNCHED control port event that
+      notifies controllers about new launched pluggable
+      transports. Resolves ticket 5609.
+    - If we're using the pure-C 32-bit curve25519_donna implementation
+      of curve25519, build it with the -fomit-frame-pointer option to
+      make it go faster on register-starved hosts. This improves our
+      handshake performance by about 6% on i386 hosts without nacl.
+      Closes ticket 8109.
+
+  o Minor bugfixes:
+    - Set the listen() backlog limit to the largest actually supported
+      on the system, not to the value in a header file. Fixes bug 9716;
+      bugfix on every released Tor.
+    - No longer accept malformed http headers when parsing urls from
+      headers. Now we reply with Bad Request ("400"). Fixes bug 2767;
+      bugfix on 0.0.6pre1.
+    - In munge_extrainfo_into_routerinfo(), check the return value of
+      memchr(). This would have been a serious issue if we ever passed
+      it a non-extrainfo. Fixes bug 8791; bugfix on 0.2.0.6-alpha. Patch
+      from Arlo Breault.
+    - On the chance that somebody manages to build Tor on a
+      platform where time_t is unsigned, correct the way that
+      microdesc_add_to_cache() handles negative time arguments.
+      Fixes bug 8042; bugfix on 0.2.3.1-alpha.
+    - Reject relative control socket paths and emit a warning. Previously,
+      single-component control socket paths would be rejected, but Tor
+      would not log why it could not validate the config. Fixes bug 9258;
+      bugfix on 0.2.3.16-alpha.
+
+  o Minor bugfixes (command line):
+    - Use a single command-line parser for parsing torrc options on the
+      command line and for finding special command-line options to avoid
+      inconsistent behavior for torrc option arguments that have the same
+      names as command-line options. Fixes bugs 4647 and 9578; bugfix on
+      0.0.9pre5.
+    - No longer allow 'tor --hash-password' with no arguments. Fixes bug
+      9573; bugfix on 0.0.9pre5.
+
+  o Minor fixes (build, auxiliary programs):
+    - Stop preprocessing the "torify" script with autoconf, since
+      it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
+      from Guilhem.
+    - The tor-fw-helper program now follows the standard convention and
+      exits with status code "0" on success. Fixes bug 9030; bugfix on
+      0.2.3.1-alpha. Patch by Arlo Breault.
+    - Corrected ./configure advice for what openssl dev package you should
+      install on Debian. Fixes bug 9207; bugfix on 0.2.0.1-alpha.
+
+  o Minor code improvements:
+    - Remove constants and tests for PKCS1 padding; it's insecure and
+      shouldn't be used for anything new. Fixes bug 8792; patch
+      from Arlo Breault.
+    - Remove instances of strcpy() from the unit tests. They weren't
+      hurting anything, since they were only in the unit tests, but it's
+      embarassing to have strcpy() in the code at all, and some analysis
+      tools don't like it. Fixes bug 8790; bugfix on 0.2.3.6-alpha and
+      0.2.3.8-alpha. Patch from Arlo Breault.
+
+  o Removed features:
+    - Remove migration code from when we renamed the "cached-routers"
+      file to "cached-descriptors" back in 0.2.0.8-alpha. This
+      incidentally resolves ticket 6502 by cleaning up the related code
+      a bit. Patch from Akshay Hebbar.
+
+  o Code simplification and refactoring:
+    - Extract the common duplicated code for creating a subdirectory
+      of the data directory and writing to a file in it. Fixes ticket
+      4282; patch from Peter Retzlaff.
+    - Since OpenSSL 0.9.7, the i2d_*() functions support allocating output
+      buffer. Avoid calling twice: i2d_RSAPublicKey(), i2d_DHparams(),
+      i2d_X509(), and i2d_PublicKey(). Resolves ticket 5170.
+    - Add a set of accessor functions for the circuit timeout data
+      structure. Fixes ticket 6153; patch from "piet".
+    - Clean up exit paths from connection_listener_new(). Closes ticket
+      8789. Patch from Arlo Breault.
+    - Since we rely on OpenSSL 0.9.8 now, we can use EVP_PKEY_cmp()
+      and drop our own custom pkey_eq() implementation. Fixes bug 9043.
+    - Use a doubly-linked list to implement the global circuit list.
+      Resolves ticket 9108. Patch from Marek Majkowski.
+    - Remove contrib/id_to_fp.c since it wasn't used anywhere.
+
+
 Changes in version 0.2.4.17-rc - 2013-09-05
 Changes in version 0.2.4.17-rc - 2013-09-05
   Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x
   Tor 0.2.4.17-rc is the third release candidate for the Tor 0.2.4.x
   series. It adds an emergency step to help us tolerate the massive
   series. It adds an emergency step to help us tolerate the massive
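
Review bot: The release date on the first added line, "2012-10-0?", looks like the wrong year: this section is placed above 0.2.4.17-rc, which is dated 2013-09-05, so it should presumably read 2013-10-0?. The "Tor 0.2.5.1-alpha [...]" summary on the next line is still a placeholder and needs text before release. Two smaller points in the same hunk: the "unexpected sendme" warning entry sits under "Minor features (build)" although it describes a log severity change rather than a build change, and "embarassing" in the strcpy() entry should be spelled "embarrassing".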

+ 0 - 4
changes/6153_circuittime_accessor

@@ -1,4 +0,0 @@
-  o Code simplification and refactoring:
-
-    - Add a set of accessor functions for the circuit timeout data
-      structure. Fixes ticket 6153; patch from "piet".

+ 0 - 2
changes/address_tests

@@ -1,2 +0,0 @@
-  o New unit tests:
-    - More unit tests for address-manipulation functions.

+ 0 - 2
changes/bug2767

@@ -1,2 +0,0 @@
-  o Minor bugfixes:
-    - No longer accepting malformed http headers when parsing urls from headers, replies with Bad Request(400). Fixes #2767.

+ 0 - 3
changes/bug3594

@@ -1,3 +0,0 @@
-  o Major bugfixes:
-    - Add support for passing arguments to managed pluggable transport
-      proxies. Implements ticket #3594.

+ 0 - 4
changes/bug4282

@@ -1,4 +0,0 @@
-  o Code simplifications and refactoring:
-    - Extract the common duplicated code for creating a subdirectory
-      of the data directory and writing to a file in it. Fixes ticket
-      4282; patch from Peter Retzlaff.

+ 0 - 2
changes/bug4341

@@ -1,2 +0,0 @@
-o Minor bugfix:
-    - Config now handles fingerprints which are missing their initial '$'

+ 0 - 18
changes/bug4647

@@ -1,18 +0,0 @@
-  o Minor bugfixes:
-
-    - Use a single command-line parser for parsing torrc options on the
-      command line and for finding special command-line options to avoid
-      inconsistent behavior for torrc option arguments that have the same
-      names as command-line options. Fixes bugs 4647 and 9578; bugfix on
-      0.0.9pre5.
-
-    - No longer allow 'tor --hash-password' with no arguments. Fixes bug
-      9573; bugfix on 0.0.9pre5.
-
-  o Minor features:
-
-    - Support a --dump-config optoin to dump some or all of the configured
-      options. Mainly useful for debugging the command-line option parsing
-      code.
-
-

+ 0 - 8
changes/bug5040

@@ -1,8 +0,0 @@
-  o Minor features:
-    - Bridges now track GeoIP information and the number of their
-      users even when pluggable transports are in use. These
-      statistics are reported in their extra-info descriptors like
-      normal bridges do. Resolves ticket 4773.
-    - Bridges now track the usage of their pluggable transports and
-      report statistics in their extra-info descriptors. Resolves
-      ticket 5040.

+ 0 - 5
changes/bug5170

@@ -1,5 +0,0 @@
-  o Code simplification and refactoring:
-    - Remove contrib/id_to_fp.c since it wasn't used anywhere.
-    - Since OpenSSL 0.9.7 i2d_* functions support allocating output
-      buffer. Avoid calling twice: i2d_RSAPublicKey, i2d_DHparams,
-      i2d_X509, i2d_PublicKey. Fixes #5170.

+ 0 - 5
changes/bug5505

@@ -1,5 +0,0 @@
-  o Minor fixes (build):
-    - Stop preprocessing the "torify" script with autoconf, since
-      it no longer refers to LOCALSTATEDIR. Fixes bug 5505; patch
-      from Guilhem.
-

+ 0 - 4
changes/bug5584

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Raise awareness of safer logging - notice user of potentially
-      unsafe configuration options: logging above "notice" or
-      clearning SafeLogging flag. Fixes #5584.

+ 0 - 4
changes/bug5609

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Implement the TRANSPORT_LAUNCHED control port event that
-      notifies controllers about new launched pluggable
-      transports. Resolves ticket 5609.

+ 0 - 6
changes/bug6055

@@ -1,6 +0,0 @@
-  o Major enhancements:
-    - Re-enable TLS 1.1 and 1.2 when built with OpenSSL 1.0.1e or later.
-      (OpenSSL before 1.0.1 didn't have TLS 1.1 or 1.2. OpenSSL from 1.0.1
-      through 1.0.1d had bugs that prevented renegotiation from working
-      with TLS 1.1 or 1.2, so we disabled them to solve bug 6033.) Fix for
-      issue #6055.

+ 0 - 2
changes/bug6384

@@ -1,2 +0,0 @@
-  o Minor features:
-    - Add support for `--library-versions` flag. Implements ticket #6384.

+ 0 - 4
changes/bug6506

@@ -1,4 +0,0 @@
-  o Minor features (build):
-    - Detect a missing asciidoc, and warn the user about it, during
-      configure, rather than at build time. Fixes issue 6506. Patch
-      from Arlo Breault.

+ 0 - 5
changes/bug6520

@@ -1,5 +0,0 @@
-  o Removed features:
-    - Remove migration code from when we renamed the "cached-routers"
-      file to "cached-descriptors" back in 0.2.0.8-alpha. This
-      incidentally resolves #6502 by cleaning up the related code
-      a bit. Patch from Akshay Hebbar.
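
Review bot: The ticket number is inconsistent here: the fragment is named changes/bug6520, but its text says "resolves #6502", and the merged ChangeLog entry repeats "ticket 6502". Check which number is correct, and fix the ChangeLog entry if the file name was the right one.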

+ 0 - 5
changes/bug6752

@@ -1,5 +0,0 @@
- o Minor features:
-   - Lower directory fetch retry schedules and maximum interval without
-     directory requests, and raise maximum download tries in testing
-     networks. Implements #6752.
-

+ 0 - 8
changes/bug7912

@@ -1,8 +0,0 @@
-  o Major bugfixes:
-    - Instead of writing destroy cells directly to outgoing connection
-      buffers, queue them and intersperse them with other outgoing cells.
-      This can prevent a set of resource starvation conditions where too
-      many pending destroy cells prevent data cells from actually getting
-      delivered. Reported by "oftc_must_be_destroyed". Fixes bug 7912;
-      bugfix on 0.2.0.1-alpha.
-

+ 0 - 3
changes/bug8093.part2

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Return the "unexpected sendme" warnings to a warn severity, but make
-      them rate limited. Related to ticket #8093.

+ 0 - 3
changes/bug8530

@@ -1,3 +0,0 @@
-  o Enhancements
-    - Add make target 'test-network' running tests on a Chutney
-      network.

+ 0 - 4
changes/bug8532

@@ -1,4 +0,0 @@
-  o Minor features
-    - Add support for offsetting the voting interval in order to
-      bootstrap a network faster by adding configuration option
-      TestingV3AuthVotingStartOffset. Addresses #8532.

+ 0 - 3
changes/bug8561

@@ -1,3 +0,0 @@
-  o Major features:
-    - The ntor handshake is now on-by-default, no matter what the
-      directory authorities recommend. Implements ticket 8561.

+ 0 - 3
changes/bug8789

@@ -1,3 +0,0 @@
-   o Code simplifications and refactoring:
-     - Clean up exit path from connection_listener_new. Closes bug
-       8789. Patch from Arlo Breault.

+ 0 - 6
changes/bug8790

@@ -1,6 +0,0 @@
-  o Minor code improvements:
-    - Remove instances of strcpy from the unit tests. They weren't
-      hurting anything, since they were only in the unit tests, but
-      it's embarassing to have strcpy() in the code at all, and some
-      analysis tools don't like it. Fixes 8790. Patch from Arlo Breault.
-

+ 0 - 5
changes/bug8791

@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - In the function munge_extrainfo_into_routerinfo(), check the return
-      value of memchr(). This would have been a serious issue if we ever
-      passed a non-extrainfo to munge_extrainfo_into_routerinfo. Fixes
-      bug 8791; bugfix on 0.2.0.6-alpha. Patch from Arlo Breault.

+ 0 - 4
changes/bug8792

@@ -1,4 +0,0 @@
-  o Removed code
-    - Remove constants and tests for PKCS1 padding; it's insecure and
-      shouldn't be used for anything new. Fixes bug #8792; patch
-      from Arlo Breault.

+ 0 - 4
changes/bug8929

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Add a new torrc option "ServerTransportOptions" that allows
-      bridge operators to pass configuration parameters to their
-      pluggable transports. Resolves ticket 8929.

+ 0 - 4
changes/bug9030

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - The tor-fw-helper program now follows the standard convention and
-      exits with status code "0" on success. Fixes bug 9030; bugfix on
-      0.2.3.1-alpha. Patch by Arlo Breault.

+ 0 - 3
changes/bug9043

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Since OpenSSL 0.9.8 we can use EVP_PKEY_cmp instead of
-      implementing the same thing as pkey_eq. Fixes #9043.

+ 0 - 3
changes/bug9108

@@ -1,3 +0,0 @@
-  o Code simplifications and refactoring:
-    - Make global_circuitlist data structure in circuitlist.c
-      a doubly-linked list. Bug #9108.

+ 0 - 2
changes/bug9207

@@ -1,2 +0,0 @@
-  o Minor Bugfixes:
-    - Updated configuration advice for installing openssl on Debian. Fixes #9207.

+ 0 - 6
changes/bug9258

@@ -1,6 +0,0 @@
-  o Minor bugfixes:
-    - Reject relative control socket paths and emit a warning.
-      Previously single-component control socket paths would be rejected,
-      but Tor would not log why it could not validate the config.
-      Now we reject all relative control socket paths and print a warning.
-      Fixes bug 9047; bugfix on 0.2.2.6-alpha.
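
Review bot: The references on the last line of this fragment ("Fixes bug 9047; bugfix on 0.2.2.6-alpha") do not match the merged ChangeLog entry, which reads "Fixes bug 9258; bugfix on 0.2.3.16-alpha". If the ChangeLog values are the corrected ones, say so in the commit message; otherwise one of the two is wrong and should be reconciled before release.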

+ 0 - 4
changes/bug9267

@@ -1,4 +0,0 @@
-  o Minor bugfixes:
-    - Added optional parameter to contrib/coverage script to specify directory
-      to put gcov files in, and added reset-gcov target to top-level makefile.
-      Fixes bug #9267.
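
Review bot: This fragment has no counterpart in the new ChangeLog section: nothing there mentions the directory parameter for the contrib/coverage script or the reset-gcov makefile target. If it was dropped on purpose as developer-only tooling, that is fine, but otherwise it belongs next to the --enable-coverage item under "Build features".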

+ 0 - 5
changes/bug9645a

@@ -1,5 +0,0 @@
-  o Minor bugfixes:
-    - If we are unable to save a microdescriptor to the journal, do not
-      drop it from memory and then reattempt downloading it. Fixes bug
-      9645; bugfix on 0.2.2.6-alpha.
-
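
Review bot: The severity changed in the merge: this fragment files the microdescriptor journal fix under "Minor bugfixes", while the new ChangeLog section lists it under "Major bugfixes". Confirm the promotion is intended.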

+ 0 - 4
changes/bug9716

@@ -1,4 +0,0 @@
-  o Bugfixes (performance):
-    - Set the listen() backlog limit to the largest actually supported
-      on the system, not to the value in a header file. Fixes bug 9716;
-      bugfix on every released Tor.

+ 0 - 27
changes/fancy_testing

@@ -1,27 +0,0 @@
-  o Build features:
-
-    - Tor now builds each source file in two modes: a mode that avoids
-      exposing identifiers needlessly, and another mode that exposes
-      more identifiers for testing. This lets the compiler do better at
-      optimizing the production code, while enabling us to take more
-      radical measures to let the unit tests test things.
-
-    - The production builds no longer include functions used only
-      in the unit tests; all functions exposed from a module for
-      unit-testing only are now static in production builds.
-
-    - Add an --enable-coverage configuration option to make the unit
-      tests (and a new src/or/tor-cov target) to build with gcov test
-      coverage support.
-
-  o Testing:
-
-    - We now have rudimentary function mocking support that our unit
-      tests can use to test functions in isolation. Function mocking
-      lets the tests temporarily replace a function's dependencies with
-      stub functions, so that the tests can check the function without
-      invoking the other functions it calls.
-
-    - Add more unit tests for the <circid,channel>->circuit map, and
-      the destroy-cell-tracking code to fix bug 7912.
-

+ 0 - 6
changes/fomit-frame-pointer

@@ -1,6 +0,0 @@
-  o Minor features (performance):
-    - If we're using the pure-C 32-bit curve25519_donna implementation
-      of curve25519, build it with the -fomit-frame-pointer option to
-      make it go faster on register-starved hosts. This improves our
-      handshake performance by about 6% on i386 hosts without nacl.
-      Closes ticket 8109.

+ 0 - 2
changes/onion_tap_tests

@@ -1,2 +0,0 @@
-  o New unit tests:
-    - Unit tests for failing cases of the TAP onion handshake.

+ 0 - 12
changes/seccomp2_sandbox

@@ -1,12 +0,0 @@
-  o Major features (security):
-    - Use the seccomp2 syscall filtering facility on Linux to limit
-      which system calls Tor can invoke. This is an experimental,
-      Linux-only feature to provide defense-in-depth against unknown
-      attacks. To try turning it on, set "Sandbox 1" in your torrc
-      file. This is an experimental feature, however, and some things
-      may break, so please be ready to report bugs. We hope to add
-      support for better sandboxing in the future,
-      including more fine-grained filters, better division of
-      responsibility, and support for more platforms. This work has
-      been done by Cristian-Matei Toader for Google Summer of Code.
-

+ 0 - 3
changes/ticket5129

@@ -1,3 +0,0 @@
-  o Minor features:
-    - Use the SOCK_NONBLOCK socket type, if supported, to open nonblocking 
-      sockets in a single system call. Implements ticket #5129.

+ 0 - 4
changes/ticket5526

@@ -1,4 +0,0 @@
-  o Minor features:
-    - Log current accounting state (bytes sent and received + remaining
-      time for the current accounting period) in the server's
-      heartbeat message. Implements ticket 5526; patch from Peter Retzlaff.

+ 0 - 3
changes/ticket9108

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Use a doubly-linked list to implement the global circuit list.
-      Fix for ticket 9108. Patch from Marek Majkowski.

+ 0 - 6
changes/ticket_9214

@@ -1,6 +0,0 @@
-  o Minor features:
-    - Accept bandwidth and space limits in bits as well as bytes.
-      (Anywhere in the configuration file that you can say "2 Kilobytes",
-      you can now say "16 kilobits", and so on.) Resolves ticket 9214.
-      Patch by CharlieB.
-

+ 0 - 11
changes/warn-unsigned-time_t

@@ -1,11 +0,0 @@
-  o Minor bugfixes (portability):
-    - On the chance that somebody manages to build Tor on a
-      platform where time_t is unsigned, correct the way that
-      microdesc_add_to_cache handles negative time arguments. Fix for
-      bug 8042; bugfix on 0.2.3.1-alpha.
-
-  o Build improvements:
-    - Warn if building on a platform with an unsigned time_t: there
-      are too many places where Tor currently assumes that time_t can
-      hold negative values. We'd like to fix them all, but probably
-      some will remain.
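
Review bot: Only the first of the two entries in this fragment reached the ChangeLog: the "Build improvements" item about warning when building on a platform with an unsigned time_t (the last five removed lines) is missing from the new section. Since the retained microdesc_add_to_cache() entry is about the same portability assumption, the build warning is worth keeping alongside it, or the omission should be noted as deliberate.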