|
@@ -20,6 +20,9 @@ K - Karsten claims
|
|
|
D Deferred
|
|
|
X Abandoned
|
|
|
|
|
|
+Temporary legend:
|
|
|
+
|
|
|
+
|
|
|
=======================================================================
|
|
|
|
|
|
Things Roger would be excited to see:
|
|
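Review bot: The added "Temporary legend:" heading is followed only by two blank added lines, so the legend defines nothing. Either list the temporary markers it is meant to explain under the heading, or leave the heading out until there is content for it.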
@@ -111,10 +114,9 @@ R - bridge communities
|
|
|
- man page entries for Alternate*Authority config options
|
|
|
|
|
|
Documentation for Tor 0.2.0.x:
|
|
|
- - Proposals:
|
|
|
- . 111: Prioritize local traffic over relayed.
|
|
|
-R - Merge into tor-spec.txt.
|
|
|
- - 113: mark as closed close.
|
|
|
+ o Proposals:
|
|
|
+ o 111: Prioritize local traffic over relayed.
|
|
|
+ o 113: mark as closed close.
|
|
|
o document the "3/4 and 7/8" business in the clients fetching consensus
|
|
|
documents timeline.
|
|
|
R - then document the bridge user download timeline.
|
|
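Review bot: In the re-added proposals block, the sub-item "R - Merge into tor-spec.txt." under proposal 111 is deleted rather than marked "o", so the record no longer shows whether the merge into tor-spec.txt happened. If it was done, keep the line with an "o". The duplicated word in "113: mark as closed close." is also carried over unchanged and could be fixed while these lines are being touched.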
@@ -155,27 +157,14 @@ For 0.2.1.x:
|
|
|
- Advertise availability of ipv6.
|
|
|
- Geoip support, if only to add a zone called "ipv6"
|
|
|
|
|
|
- - 118: Listen on and advertise multiple ports:
|
|
|
- - Tor should be able to have a pool of outgoing IP addresses that it is
|
|
|
- able to rotate through. (maybe. Possible overlap with proposal 118.)
|
|
|
- - config option to publish what ports you listen on, beyond
|
|
|
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
|
- - Need to figure out the right format for routerinfo_t on this.
|
|
|
K . 121: Hidden service authentication:
|
|
|
- missing: delayed descriptor publication for 'stealth' mode.
|
|
|
-R d 128: families of private bridges
|
|
|
- - 134: handle authority fragmentation.
|
|
|
+ - missing: delayed descriptor publication for 'stealth' mode.
|
|
|
+R o 128: families of private bridges
|
|
|
o 135: simplify configuration of private tor networks.
|
|
|
- - 140: Provide diffs betweeen consensuses
|
|
|
K - 143: Improvements of Distributed Hidden Service Descriptor Storage:
|
|
|
only easy parts for 0.2.1.x, defer complex ones to 0.2.2.x.
|
|
|
- - 147: Eliminate the need for v2 directories in generating v3 directories
|
|
|
-R - authorities should initiate a reachability test upon first
|
|
|
- glimpsing a new descriptor.
|
|
|
- 148: Stream end reasons from the client side should be uniform.
|
|
|
-K - 155: Four Improvements of Hidden Service Performance
|
|
|
-
|
|
|
- - Maybe:
|
|
|
+K o 155: Four Improvements of Hidden Service Performance
|
|
|
- 145: Separate "suitable from a guard" from "suitable as a new guard"
|
|
|
- 146: Adding new flag to reflect long-term stability
|
|
|
- 149: Using data from NETINFO cells
|
|
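Review bot: Removing the "- Maybe:" line means proposals 145, 146 and 149 now follow directly after 155 in the main 0.2.1.x proposal list, with nothing marking them as optional. If they are still only candidates, keep a marker or move them under "Nice to have"; if they are now committed, say so in the commit message. Proposal 128 also goes from "d" to "o" in one step, which deserves a short explanation.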
@@ -187,10 +176,6 @@ K - 155: Four Improvements of Hidden Service Performance
|
|
|
- Proposals to write:
|
|
|
- Fix voting to handle bug 608 case when multiple servers get
|
|
|
Named.
|
|
|
-R d Do we want to maintain our own set of entryguards that we use as
|
|
|
- next hop after the bridge?
|
|
|
- d Possibly: revise link protocol to allow big circuit IDs,
|
|
|
- variable-length cells, proposal-110 stuff, and versioned CREATES?
|
|
|
N . Draft proposal for GeoIP aggregation (see external constraints *)
|
|
|
. Figure out how to make good use of the fallback consensus file. Right
|
|
|
now many of the addresses in the fallback consensus will be stale,
|
|
@@ -201,54 +186,34 @@ N . Draft proposal for GeoIP aggregation (see external constraints *)
|
|
|
o Write the proposal.
|
|
|
- Patch our tor.spec rpm package so it knows where to put the fallback
|
|
|
consensus file.
|
|
|
- d Something for bug 469, to limit connections per IP.
|
|
|
. Put bandwidth weights in the networkstatus? So clients get weight
|
|
|
their choices even before they have the descriptors; and so
|
|
|
authorities can put in more accurate numbers in the future.
|
|
|
- d Fetch an updated geoip file from the directory authorities.
|
|
|
|
|
|
- Tiny designs to write:
|
|
|
- . Better estimate of clock skew; has anonymity implications. Clients
|
|
|
- should estimate their skew as median of skew from servers over last
|
|
|
- N seconds, but for servers this is not so easy, since a server does
|
|
|
- not choose who it connects to.
|
|
|
- - Do TLS connection rotation more often than "once a week" in the
|
|
|
- extra-stable case.
|
|
|
- (One reason not to do it more often is because the old TLS conn
|
|
|
- probably has a circuit on it, and we don't really want to build up
|
|
|
- dozens of TCP connections to all the other extra-stable relays.)
|
|
|
- If a relay publishes a new descriptor with a significantly lower
|
|
|
uptime or with a new IP address, then we should consider its current
|
|
|
"running" interval to have ended even if it hadn't yet failed its
|
|
|
third reachability test. the interval ended when the new descriptor
|
|
|
appeared, and a new interval began then too.
|
|
|
|
|
|
- - Use less RAM *
|
|
|
- - Optimize cell pool allocation.
|
|
|
- d Support (or just always use) jemalloc (if it helps)
|
|
|
- - mmap more files.
|
|
|
- - Look into pulling serverdescs off buffers as they arrive.
|
|
|
+ - Authority improvements:
|
|
|
+R - authorities should initiate a reachability test upon first
|
|
|
+ glimpsing a new descriptor.
|
|
|
+
|
|
|
- Use less bandwidth
|
|
|
- Use if-modified-since to download consensuses
|
|
|
- - Handle multi-core cpus better
|
|
|
- - Split circuit AES across cores?
|
|
|
- - Split TLS across cores? This will be harder.
|
|
|
+
|
|
|
- Testing
|
|
|
- Better unit test coverage
|
|
|
- - Refactor unit tests into multiple files
|
|
|
- Verify that write limits to linked connections work.
|
|
|
- - Use more mid-level and high-level libevent APIs
|
|
|
- - For dns?
|
|
|
- - For http?
|
|
|
- - For buffers?
|
|
|
- - Tool improvements:
|
|
|
- - Get IOCP patch into libevent *
|
|
|
|
|
|
- Security improvements
|
|
|
- - make is-consensus-fresh-enough check way tighter.
|
|
|
+ - make is-consensus-fresh-enough check tighter.
|
|
|
- If we haven't tried downloading a consensus for ages since we're tired,
|
|
|
try getting a new one before we use old descriptors for a circuit.
|
|
|
Related to bug 401. [What does "since we're tired" mean? -RD]
|
|
|
+ [I don't know. -NM]
|
|
|
|
|
|
- Feature removals and deprecations:
|
|
|
- Get rid of the v1 directory stuff (making, serving, and caching)
|
|
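Review bot: Under "Security improvements", the added "[I don't know. -NM]" answers the "since we're tired" question by confirming that nobody knows what the item means, which leaves an item that cannot be acted on. Reword it from the bug 401 report, or drop it until someone can restate it. In the same list, changing "way tighter" to "tighter" on the is-consensus-fresh-enough item still gives no target; stating the intended freshness bound would make the item checkable.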
@@ -257,19 +222,22 @@ N . Draft proposal for GeoIP aggregation (see external constraints *)
|
|
|
. perhaps replace it with a "this is a tor server" stock webpage.
|
|
|
- Get the debs to set DirPortFrontPage in the default.
|
|
|
- Decide how to handle DirPortFrontPage files with image links.
|
|
|
- - The v2dir flag isn't used for anything anymore, right? If so, dump it.
|
|
|
- - Even clients run rep_hist_load_mtbf_data(). Does this waste memory?
|
|
|
- Dump it?
|
|
|
- - Unless we start using ftime functions, dump them.
|
|
|
- - can we deprecate 'getinfo network-status'?
|
|
|
- - can we deprecate the FastFirstHopPK config option?
|
|
|
- Can we deprecate controllers that don't use both features?
|
|
|
- - Dump most uint32_t addr functions.
|
|
|
+ - Both TorK and Vidalia use VERBOSE_NAMES.
|
|
|
+ - TorK uses EXTENDED_EVENTS. Vidalia does not. (As of 9 Dec.)
|
|
|
+ - Matt is checking whether Vidalia would break if we started to use
|
|
|
+ EXTENDED_EVENTS by default.
|
|
|
+
|
|
|
+External tool improvements:
|
|
|
+ - Get IOCP patches into libevent
|
|
|
|
|
|
Nice to have for 0.2.1.x:
|
|
|
- - Proposals to write
|
|
|
- - steven's plan for replacing check.torproject.org with a built-in
|
|
|
- answer by tor itself.
|
|
|
+ - Proposals, time permitting
|
|
|
+ - 134: handle authority fragmentation.
|
|
|
+ - 140: Provide diffs betweeen consensuses
|
|
|
+
|
|
|
+ - Handle multi-core cpus better
|
|
|
+ - Split circuit AES across cores
|
|
|
|
|
|
- Documentation
|
|
|
P - Make documentation realize that location of system configuration file
|
|
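Review bot: The note "(As of 9 Dec.)" on the added EXTENDED_EVENTS line has no year, so it will be ambiguous once this file is read in a later release cycle; add the year. The moved line "140: Provide diffs betweeen consensuses" keeps the "betweeen" typo, and the new "Get IOCP patches into libevent" line drops the "*" that the removed version of that item carried, so confirm the marker was dropped on purpose.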
@@ -278,7 +246,7 @@ P - Make documentation realize that location of system configuration file
|
|
|
- Small controller features
|
|
|
- A status event for when tor decides to stop fetching directory info
|
|
|
if the client hasn't clicked recently: then make the onion change too.
|
|
|
- - Add a status event when new consensus arrives
|
|
|
+ o Add a status event when new consensus arrives
|
|
|
|
|
|
- Windows build
|
|
|
P - Figure out why dll's compiled in mingw don't work right in WinXP.
|
|
@@ -288,16 +256,84 @@ P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
|
|
|
- Refactor the HTTP logic so the functions aren't so large.
|
|
|
- Refactor buf_read and buf_write to have sensible ways to return
|
|
|
error codes after partial writes
|
|
|
+ - deprecate router_digest_is_trusted_dir() in favor of
|
|
|
+ router_get_trusteddirserver_by_digest()
|
|
|
+
|
|
|
+ - Should be trivial
|
|
|
+ - Tor logs the libevent version on startup, for debugging purposes.
|
|
|
+ This is great. But it does this before configuring the logs, so
|
|
|
+ it only goes to stdout and is then lost.
|
|
|
+
|
|
|
+ - Deprecations
|
|
|
+ - Even clients run rep_hist_load_mtbf_data(). This doesn't waste memory
|
|
|
+ unless they had previously been non-clients collecting MTBF data.
|
|
|
+ Dump it anyway?
|
|
|
+ - Unless we start using ftime functions, dump them.
|
|
|
+ - can we deprecate the FastFirstHopPK config option?
|
|
|
+ - The v2dir flag isn't used for anything anymore, right? If so, dump it.
|
|
|
+ - can we deprecate 'getinfo network-status'?
|
|
|
+ - Dump most uint32_t addr functions.
|
|
|
+
|
|
|
+
|
|
|
+Defer:
|
|
|
+ - Proposals
|
|
|
+ - 118: Listen on and advertise multiple ports:
|
|
|
+ - Tor should be able to have a pool of outgoing IP addresses that it is
|
|
|
+ able to rotate through. (maybe. Possible overlap with proposal 118.)
|
|
|
+ - config option to publish what ports you listen on, beyond
|
|
|
+ ORPort/DirPort. It should support ranges and bit prefixes (?) too.
|
|
|
+ - Need to figure out the right format for routerinfo_t on this.
|
|
|
+ - 147: Eliminate the need for v2 directories in generating v3 directories
|
|
|
+
|
|
|
+ - Proposals to write.
|
|
|
+ d Something for bug 469, to limit connections per IP.
|
|
|
+R d Do we want to maintain our own set of entryguards that we use as
|
|
|
+ next hop after the bridge?
|
|
|
+ d Possibly: revise link protocol to allow big circuit IDs,
|
|
|
+ variable-length cells, proposal-110 stuff, and versioned CREATES?
|
|
|
+ d Fetch an updated geoip file from the directory authorities.
|
|
|
+
|
|
|
+
|
|
|
+ - Tiny designs to write
|
|
|
+ - Better estimate of clock skew; has anonymity implications. Clients
|
|
|
+ should estimate their skew as median of skew from servers over last
|
|
|
+ N seconds, but for servers this is not so easy, since a server does
|
|
|
+ not choose who it connects to.
|
|
|
+ - Do TLS connection rotation more often than "once a week" in the
|
|
|
+ extra-stable case.
|
|
|
+ (One reason not to do it more often is because the old TLS conn
|
|
|
+ probably has a circuit on it, and we don't really want to build up
|
|
|
+ dozens of TCP connections to all the other extra-stable relays.)
|
|
|
+
|
|
|
+
|
|
|
+ - Use less RAM
|
|
|
+ - Optimize cell pool allocation.
|
|
|
+ - Support (or just always use) jemalloc (if it helps)
|
|
|
+ - mmap more files.
|
|
|
+ - Pull serverdescs off buffers as they arrive.
|
|
|
+ - Allocate routerstatus_t objects on a per-networkstatus memchunk.
|
|
|
+
|
|
|
+ - Split TLS across multiple cores
|
|
|
+
|
|
|
+ - Use more mid-level and high-level libevent APIs
|
|
|
+ - For dns?
|
|
|
+ - For http?
|
|
|
+ - For buffers?
|
|
|
+
|
|
|
+ - Proposals to write
|
|
|
+ - steven's plan for replacing check.torproject.org with a built-in
|
|
|
+ answer by tor itself.
|
|
|
+
|
|
|
+ - Refactor bad code:
|
|
|
- Streamline how we pick entry nodes: Make choose_random_entry() have
|
|
|
less magic and less control logic.
|
|
|
- - Don't call time(NULL) so much; instead have a static time_t field
|
|
|
- that gets updated only a handful of times per second.
|
|
|
- Move all status info out of routerinfo into local_routerstatus. Make
|
|
|
"who can change what" in local_routerstatus explicit. Make
|
|
|
local_routerstatus (or equivalent) subsume all places to go for "what
|
|
|
router is this?"
|
|
|
- - deprecate router_digest_is_trusted_dir() in favor of
|
|
|
- router_get_trusteddirserver_by_digest()
|
|
|
+ - Don't call time(NULL) so much; instead have a static time_t field
|
|
|
+ that gets updated only a handful of times per second.
|
|
|
+ - Refactor unit tests into multiple files
|
|
|
|
|
|
- Make Tor able to chroot itself
|
|
|
o allow it to load an entire config file from control interface
|
|
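Review bot: The new "Defer:" section contains two separate "Proposals to write" headings, one holding the "d" items and a later one holding steven's check.torproject.org plan; merge them so deferred proposals sit in one place. Markers are also inconsistent inside the section: the bug 469, entryguards, link protocol and geoip items keep "d", while the jemalloc line loses its "d" and everything else uses "-". "Refactor unit tests into multiple files" lands under "Refactor bad code" although it came from "Testing", so check that this placement is intended.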
@@ -308,9 +344,6 @@ P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
|
|
|
|
|
|
- Should be trivial:
|
|
|
- Base relative control socket paths (and other stuff in torrc) on datadir.
|
|
|
- - Tor logs the libevent version on startup, for debugging purposes.
|
|
|
- This is great. But it does this before configuring the logs, so
|
|
|
- it only goes to stdout and is then lost.
|
|
|
- enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout.
|
|
|
- Make 'safelogging' extend to info-level logs too.
|
|
|
- don't do dns hijacking tests if we're reject *:* exit policy?
|
|
@@ -320,4 +353,3 @@ P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
|
|
|
|
|
|
d Interface for letting SOAT modify flags that authorities assign.
|
|
|
(How to keep the authority from clobbering them afterwards?
|
|
|
-
|