TODO.021 16 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362
  1. $Id: TODO 16258 2008-07-30 13:04:38Z nickm $
  2. Legend:
  3. SPEC!! - Not specified
  4. SPEC - Spec not finalized
  5. N - nick claims
  6. R - arma claims
  7. P - phobos claims
  8. S - Steven claims
  9. E - Matt claims
  10. M - Mike claims
  11. J - Jeff claims
  12. I - ioerror claims
  13. W - weasel claims
  14. K - Karsten claims
  15. - Not done
  16. * Top priority
  17. . Partially done
  18. o Done
  19. d Deferrable
  20. D Deferred
  21. X Abandoned
  22. =======================================================================
  23. Things Roger would be excited to see:
  24. Nick
  25. - Finish buffer stuff in libevent; start using it in Tor.
  26. - Tors start believing the contents of NETINFO cells.
  27. . Work with Steven and Roger to decide which parts of Paul's project
  28. he wants to work on.
  29. - respond to Steven's red-team TLS testing (a.k.a, look at a packet
  30. dump and compare)
  31. Matt
  32. - Fit Vidalia in 640x480 again.
  33. - When user changes the language in Vidalia, have it change right then.
  34. - Vidalia should display/edit PlaintextPorts events/config.
  35. . Vidalia's GUI should let you specify an http proxy that it launches
  36. for you. Maybe in the general config window next to which Tor it
  37. launches for you.
  38. - Vidalia should avoid stomping on your custom exit policy lines
  39. just because you click on 'save' for a totally different config thing.
  40. - How much space do we save in TBB by stripping symbols from Vidalia
  41. first? Good idea or crazy idea?
  42. ioerror
  43. - gmail auto responder so you send us an email and we send you a Tor
  44. binary. Probably needs a proposal first.
  45. - document how it works / what its interface is
  46. - set it up so people can 'get tor' in many languages, and so the
  47. docs we send back are in many languages.
  48. - weather.torproject.org should go live.
  49. - Keep advocating new Tor servers and working with orgs like Mozilla
  50. to let them like Tor.
  51. - solve the huge green onion on check.tp.o
  52. - Start converting critical wiki pages into real Tor wml pages. E.g.,
  53. https://wiki.torproject.org/noreply/TheOnionRouter/VerifyingSignatures
  54. - Find out what happened to the buildbot and get it back up:
  55. http://tor-buildbot.freehaven.net:8010/
  56. - Learn about locking memory pages that have sensitive content. Get
  57. that started in Tor.
  58. - Translation portal
  59. - Vidalia html help files
  60. - should we i18nize polipo's error messages too?
  61. - Some of our translated wml files are very old -- so old that they
  62. are harmful to leave in place. We need some sort of way to notice
  63. this and disable them.
  64. Steven
  65. - Figure out (or give up on) how to run Tor Browser and ordinary
  66. Firefox side-by-side.
  67. - Enumerate and analyze traces left when running from USB
  68. - Write a list of research items Tor would like to see done, for the
  69. volunteer page. Pick a few you'd like to work on yourself.
  70. - Move proposal 131 or equivalent forward.
  71. - Keep bugging us about exploits on the .exit notation.
  72. - If relays have 100KB/s but set relaybandwidthrate to 10KB/s, do your
  73. interference attacks still work?
  74. - Mike's question #3 on https://www.torproject.org/volunteer#Research
  75. - Worthwhile shipping TBB with some local html help files that come
  76. as bookmarks?
  77. - Decide whether TBB should use Torbutton's "lock" feature.
  78. http://archives.seul.org/or/cvs/Jun-2008/msg00186.html
  79. Andrew
  80. - Which bundles include Torbutton? Change the docs/tor-doc-foo pages
  81. so they admit that Torbutton is in them too. Change the download
  82. page too.
  83. - The OS X bundle screenshots are from forever ago -- they don't
  84. include Torbutton, they still say it's tor.eff.org, etc.
  85. - Should we still be telling you how to use Safari on OS X for Tor,
  86. given all the holes that Torbutton-dev solves on Firefox?
  87. Karsten
  88. o Make a hidden services explanation page with the hidden service
  89. diagrams. See img/THS-[1-6].png. These need some text to go along
  90. with them though, so people can follow what's going on.
  91. - We should consider a single config option TorPrivateNetwork that
  92. turns on all the config options for running a private test tor
  93. network. having to keep updating all the tools, and the docs,
  94. just isn't working.
  95. Weasel
  96. - Figure out how to make Vidalia and Tor play nicely on Debian, make
  97. the necessary modifications, and make some Vidalia debs that pass
  98. muster.
  99. - Fix bug 393.
  100. - Get oftc to switch to Tor dns bulk exitlist. Or tell us why it's
  101. not suitable yet.
  102. o Take non-Running entries out of the networkstatus consensus.
  103. [proposal 138]
  104. - Move proposal 134 forward.
  105. - putting port predictions in state file
  106. - if tor hasn't been used in a while it stops fetching consensus
  107. documents. Retain that state over restarts.
  108. Roger
  109. - Finish tor-doc-bridge.wml
  110. . Fix FAQ entry on setting up private Tor network
  111. - Review Karsten's hidden service diagrams
  112. - Roger should visit Internews DC sometime.
  113. - Did we actually apply Steven's dkimproxy patch?
  114. - Brainstorm about safe but effective ways for vidalia to
  115. auto-update its user's bridges via Tor in the background.
  116. Mike:
  117. - Roger wants to get an email every time there's a blog change,
  118. e.g. a comment. That way spam doesn't go undetected for weeks.
  119. - Or, maybe just disable linking from blog comments entirely?
  120. - Get blog.torproject.org a favico
  121. =======================================================================
  122. Bugs/issues for Tor 0.2.0.x:
  123. . we should have an off-by-default way for relays to dump geoip data to
  124. a file in their data directory, for measurement purposes.
  125. o Basic implementation
  126. N - Include probability-of-selection
  127. R d let bridges set relaybandwidthrate as low as 5kb
  128. R - bridge communities
  129. . spec
  130. . deploy
  131. - man page entries for Alternate*Authority config options
  132. Documentation for Tor 0.2.0.x:
  133. - Proposals:
  134. . 111: Prioritize local traffic over relayed.
  135. R - Merge into tor-spec.txt.
  136. - 113: mark as closed close.
  137. o document the "3/4 and 7/8" business in the clients fetching consensus
  138. documents timeline.
  139. R - then document the bridge user download timeline.
  140. - HOWTO for DNSPort. See tup's wiki page.
  141. . Document transport and natdport in a good HOWTO.
  142. - Quietly document NT Service options: revise (or create) FAQ entry
  143. =======================================================================
  144. For 0.2.1.2-alpha:
  145. R d bug: if we launch using bridges, and then stop using bridges, we
  146. still have our bridges in our entryguards section, and may use them.
  147. R d add an event to report geoip summaries to vidalia for bridge relays,
  148. so vidalia can say "recent activity (1-8 users) from sa".
  149. R - investigate: it looks like if the bridge authority is unreachable,
  150. we're not falling back on querying bridges directly?
  151. R - if "no running bridges known", an application request should make
  152. us retry all our bridges.
  153. R - get matt to make vidalia do a getinfo status/bootstrap-phase to
  154. get caught up after it connects.
  155. R d Setting DirPort when acting as bridge will give false Warnings
  156. For 0.2.1.x:
  157. - Proposals to do:
  158. o 110: avoid infinite-length circuits
  159. - 117: IPv6 Exits
  160. - Internal code support for ipv6:
  161. o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
  162. o Many address variables need to become tor_addr_t
  163. o addr in connection_t
  164. o n_addr in extend_info_t
  165. - Teach resolving code how to handle ipv6.
  166. . Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
  167. o Use IPv6 in connect/connected/failed-exitpolicy cells
  168. o accept ipv6 from socks
  169. o Generate END_REASON_EXITPOLICY cells right
  170. . ... and parse them right
  171. . Generate new BEGIN cell types and parse them right
  172. - Detect availability of ipv6
  173. - Advertise availability of ipv6.
  174. - Geoip support, if only to add a zone called "ipv6"
  175. - 118: Listen on and advertise multiple ports:
  176. - Tor should be able to have a pool of outgoing IP addresses that it is
  177. able to rotate through. (maybe. Possible overlap with proposal 118.)
  178. - config option to publish what ports you listen on, beyond
  179. ORPort/DirPort. It should support ranges and bit prefixes (?) too.
  180. - Need to figure out the right format for routerinfo_t on this.
  181. - 121: Hidden service authentication
  182. R d 128: families of private bridges
  183. - 134: handle authority fragmentation.
  184. o 135: simplify configuration of private tor networks. Th
  185. - 140: Provide diffs betweeen consensuses
  186. - 147: Eliminate the need for v2 directories in generating v3 directories
  187. - 148: Stream end reasons from the client side should be uniform.
  188. - Maybe:
  189. - 145: Separate "suitable from a guard" from "suitable as a new guard"
  190. - 146: Adding new flag to reflect long-term stability
  191. - 149: Using data from NETINFO cells
  192. - Proposals to write:
  193. - Fix voting to handle bug 608 case when multiple servers get
  194. Named.
  195. R d Do we want to maintain our own set of entryguards that we use as
  196. next hop after the bridge?
  197. X Add an 'exit-address' line in the descriptor for servers that exit
  198. from something that isn't their published address.
  199. [I think tordnsel solved this. -RD]
  200. d Possibly: revise link protocol to allow big circuit IDs,
  201. variable-length cells, proposal-110 stuff, and versioned CREATES?
  202. o Eliminate use of v2 networkstatus documents in v3 authority
  203. decision-making.
  204. N . Draft proposal for GeoIP aggregation (see external constraints *)
  205. o Separate Guard flags for "pick this as a new guard" and "keep this
  206. as an existing guard". First investigate if we want this.
  207. . Figure out how to make good use of the fallback consensus file. Right
  208. now many of the addresses in the fallback consensus will be stale,
  209. so it will take dozens of minutes to bootstrap from it. This is a
  210. bad first Tor experience. But if we check the fallback consensus
  211. file *after* we fail to connect to any authorities, then it may
  212. still be valuable as a blocking-resistance step.
  213. o Write the proposal.
  214. - Patch our tor.spec rpm package so it knows where to put the fallback
  215. consensus file.
  216. d Something for bug 469, to limit connections per IP.
  217. . Put bandwidth weights in the networkstatus? So clients get weight
  218. their choices even before they have the descriptors; and so
  219. authorities can put in more accurate numbers in the future.
  220. d Fetch an updated geoip file from the directory authorities.
  221. - Tiny designs to write:
  222. . Better estimate of clock skew; has anonymity implications. Clients
  223. should estimate their skew as median of skew from servers over last
  224. N seconds, but for servers this is not so easy, since a server does
  225. not choose who it connects to.
  226. - Do TLS connection rotation more often than "once a week" in the
  227. extra-stable case.
  228. (One reason not to do it more often is because the old TLS conn
  229. probably has a circuit on it, and we don't really want to build up
  230. dozens of TCP connections to all the other extra-stable relays.)
  231. - If a relay publishes a new descriptor with a significantly lower
  232. uptime or with a new IP address, then we should consider its current
  233. "running" interval to have ended even if it hadn't yet failed its
  234. third reachability test. the interval ended when the new descriptor
  235. appeared, and a new interval began then too.
  236. - Use less RAM *
  237. - Optimize cell pool allocation.
  238. d Support (or just always use) jemalloc (if it helps)
  239. - mmap more files.
  240. - Look into pulling serverdescs off buffers as they arrive.
  241. - Use less bandwidth
  242. - Use if-modified-since to download consensuses
  243. - Handle multi-core cpus better
  244. - Split circuit AES across cores?
  245. - Split TLS across cores? This will be harder.
  246. - Use information from NETINFO cells
  247. - Don't extend a circuit over a noncanonical connection with
  248. mismatched address.
  249. - Learn our outgoing IP address from netinfo cells?
  250. - Learn skew from netinfo cells?
  251. - Testing
  252. - Better unit test coverage
  253. - Refactor unit tests into multiple files
  254. - Verify that write limits to linked connections work.
  255. - Use more mid-level and high-level libevent APIs
  256. - For dns?
  257. - For http?
  258. - For buffers?
  259. - Tool improvements:
  260. - Get IOCP patch into libevent *
  261. - Security improvements
  262. - make is-consensus-fresh-enough check way tighter.
  263. - If we haven't tried downloading a consensus for ages since we're tired,
  264. try getting a new one before we use old descriptors for a circuit.
  265. Related to bug 401.
  266. - Feature removals and deprecations:
  267. - Get rid of the v1 directory stuff (making, serving, and caching)
  268. - First verify that the caches won't flip out?
  269. - If they will, just stop the caches from caching for now
  270. - perhaps replace it with a "this is a tor server" stock webpage.
  271. - The v2dir flag isn't used for anything anymore, right? If so, dump it.
  272. - Even clients run rep_hist_load_mtbf_data(). Does this waste memory?
  273. Dump it?
  274. - Unless we start using ftime functions, dump them.
  275. - can we deprecate 'getinfo network-status'?
  276. - can we deprecate the FastFirstHopPK config option?
  277. - Can we deprecate controllers that don't use both features?
  278. - Dump most uint32_t addr functions.
  279. Nice to have for 0.2.1.x:
  280. - Proposals to write
  281. - steven's plan for replacing check.torproject.org with a built-in
  282. answer by tor itself.
  283. - Documentation
  284. P - Make documentation realize that location of system configuration file
  285. will depend on location of system defaults, and isn't always /etc/torrc.
  286. - Small controller features
  287. - A status event for when tor decides to stop fetching directory info
  288. if the client hasn't clicked recently: then make the onion change too.
  289. - Add a status event when new consensus arrives
  290. - Windows build
  291. P - Figure out why dll's compiled in mingw don't work right in WinXP.
  292. P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
  293. - Refactor bad code:
  294. - Refactor the HTTP logic so the functions aren't so large.
  295. - Refactor buf_read and buf_write to have sensible ways to return
  296. error codes after partial writes
  297. o Router_choose_random_node() has a big pile of args. make it "flags".
  298. - Streamline how we pick entry nodes: Make choose_random_entry() have
  299. less magic and less control logic.
  300. - Don't call time(NULL) so much; instead have a static time_t field
  301. that gets updated only a handful of times per second.
  302. - Move all status info out of routerinfo into local_routerstatus. Make
  303. "who can change what" in local_routerstatus explicit. Make
  304. local_routerstatus (or equivalent) subsume all places to go for "what
  305. router is this?"
  306. - deprecate router_digest_is_trusted_dir() in favor of
  307. router_get_trusteddirserver_by_digest()
  308. - Make Tor able to chroot itself
  309. o allow it to load an entire config file from control interface
  310. - document LOADCONF
  311. - log rotation (and FD passing) via control interface
  312. - chroot yourself, including inhibit trying to read config file
  313. and reopen logs, unless they are under datadir.
  314. - Should be trivial:
  315. - Base relative control socket paths (and other stuff in torrc) on datadir.
  316. - Tor logs the libevent version on startup, for debugging purposes.
  317. This is great. But it does this before configuring the logs, so
  318. it only goes to stdout and is then lost.
  319. - Make TrackHostExits expire TrackHostExitsExpire seconds after their
  320. *last* use, not their *first* use.
  321. - enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout.
  322. - Make 'safelogging' extend to info-level logs too.
  323. - don't do dns hijacking tests if we're reject *:* exit policy?
  324. (deferred until 0.1.1.x is less common)
  325. - More consistent error checking in router_parse_entry_from_string().
  326. I can say "banana" as my bandwidthcapacity, and it won't even squeak.
  327. - Interface for letting SOAT modify flags that authorities assign.
  328. (How to keep the authority from clobbering them afterwards?