@@ -14,9 +14,8 @@ PHOBOS - phobos claims
Non-Coding, Soon:
N - contact umass folks
-N - Packaging logic and HOWTO for controller libs
N - Mention controller libs someplace.
- - FAQ entry: why gnutls is bad/not good for tor
+ D FAQ entry: why gnutls is bad/not good for tor
P - flesh out the rest of the section 6 of the faq
P - gather pointers to livecd distros that include tor
- put the logo on the website, in source form, so people can put it on
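Review bot: the new status mark 'D' on 'FAQ entry: why gnutls is bad/not good for tor' has no counterpart elsewhere in this file, which uses owner initials (N, P, R) and state marks (o, ., -, X); if it means done or dropped, use 'o' or 'X' so the legend stays consistent. The removed 'Packaging logic and HOWTO for controller libs' line also carries no 'o', so it is unclear whether that work was finished or abandoned; marking it 'o' or 'X' before deleting it would say which, especially since 'Mention controller libs someplace' is kept.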
@@ -26,7 +25,7 @@ P - gather pointers to livecd distros that include tor
* clean up the places where our docs are redundant (or worse, obsolete in
one file and correct elsewhere). agl has a start on a global
list-of-tor-docs.
-P - update window's docs to clarify which versions of windows, and why a
+P - update windows docs to clarify which versions of windows, and why a
DOS window, how it's used, for the less technical users
NR- write a spec appendix for 'being nice with tor'
- tor-in-the-media page
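Review bot: style only: since this line is already being touched to fix 'window's', capitalize both mentions ('update Windows docs to clarify which versions of Windows') to match 'Win32' and 'OSX' as written elsewhere in the file.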
@@ -34,16 +33,13 @@ NR- write a spec appendix for 'being nice with tor'
tor-0.1.0.7.rc
- Remove need for HACKING file.
-For 0.1.0.x:
- . Memory use on Linux: what's happening?
- - Is it threading? (Maybe, maybe not)
- - Is it the buf_shrink bug? (Quite possibly)
- - Instrument the 0.1.1 code to figure out where our memory is going;
- apply the results. (all platforms?)
+
for 0.1.1.x:
R - are dirservers auto-verifying duplicate nicknames?
+
N . Additional controller features
+ - Find a way to make event info more extensible
- change circuit status events to give more details, like purpose,
whether they're internal, etc.
. Expose more information via getinfo:
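Review bot: removing the 'For 0.1.0.x:' block leaves the suspected buf_shrink bug and the unexplained Linux memory growth with no stable-series entry at all; the same four lines only come back in the last hunk as a deferrable 0.1.1.x research item, so a slowly growing relay process (a resource-exhaustion problem for long-running servers) is quietly downgraded without a note saying why. Also, the added '+' blank line sits next to the existing blank context line, leaving two consecutive blank lines before 'for 0.1.1.x:'.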
@@ -54,116 +50,92 @@ N . Additional controller features
download directories/network-status, and a way to force a download.
- It would be nice to request address lookups from the controller
without using SOCKS.
-N . helper nodes (Choose N nodes randomly; if a node dies (goes down for a
- long time), replace it. Store nodes on disk.
- o Implement (basic case)
- o Implement (persistence)
- o Document
- . Test, debug
- - On sighup, if usehelpernodes changed to 1, use new circs.
+
+ . Helper nodes
+ . More testing and debugging
+ - On sighup, if usehelpernodes changed to 1, use new circuits?
- If your helper nodes are unavailable, don't abandon them unless
other nodes *are* reachable.
R - If you think an OR conn is open but you can never establish a circuit
to it, reconsider whether it's actually open.
- - switch accountingmax to count total in+out, not either in or
- out. it's easy to move in this direction (not risky), but hard to
- back, out if we decide we prefer it the way it already is. hm.
- . Come up with a coherent strategy for bandwidth buckets and TLS. (The
- logic for reading from TLS sockets is likely to overrun the bandwidth
- buckets under heavy load. (Really, the logic was never right in the
- first place.) Also, we should audit all users of get_pending_bytes().)
- - Make it harder to circumvent bandwidth caps: look at number of bytes
- sent across sockets, not number sent inside TLS stream.
- . Handle rendezvousing with unverified nodes.
- o Specify: Stick rendezvous point's address and port in INTRODUCE cell.
- o Handle new format.
- o Support to extend circuit/target circuit to a chosen combination of
- addr/port/ID/onionkey
- o Parse new format
- o Generate new format (#ifdef out the logic to generate it for now)
- o Specify: make service descriptors contain onion key and identity.
- o Implement new service desc format
- o Think: are we okay with the partitioning? (Yes. It's a simple
- migration issue.)
- o Implement new directory code
- o Implement new server code (Don't enable till directory code is deployed)
- o Implement new client code (Don't enable till directory code is deployed)
- o Look for v1 descriptor if available, else look for v0 descriptor.
- o Use new INTRODUCE protocol if allowed.
-N . Verify that new code works.
- - Enable the new code
- - christian grothoff's attack of infinite-length circuit.
+
+ - Miscellaneous cleanups
+ - switch accountingmax to count total in+out, not either in or
+ out. it's easy to move in this direction (not risky), but hard to
+ back, out if we decide we prefer it the way it already is. hm.
+ . Come up with a coherent strategy for bandwidth buckets and TLS. (The
+ logic for reading from TLS sockets is likely to overrun the bandwidth
+ buckets under heavy load. (Really, the logic was never right in the
+ first place.) Also, we should audit all users of get_pending_bytes().)
+ - Make it harder to circumvent bandwidth caps: look at number of bytes
+ sent across sockets, not number sent inside TLS stream.
+R - remove the warnings from rendezvous stuff that shouldn't be warnings.
+
+N . Handle rendezvousing with unverified nodes.
+ o Implement everything
+ . Enable the new code
+ . Verify that new code works.
+
+ - Christian Grothoff's attack of infinite-length circuit.
the solution is to have a separate 'extend-data' cell type
which is used for the first N data cells, and only
extend-data cells can be extend requests.
- Specify, including thought about
- Implement
+
N - Destroy and truncated cells should have reasons.
N - Add private:* alias in exit policies to make it easier to ban all the
fiddly little 192.168.foo addresses.
(AGL had a patch; consider applying it.)
- - recommended-versions for client / server ?
+
N - warn if listening for SOCKS on public IP.
+
- cpu fixes:
- see if we should make use of truncate to retry
o hardware accelerator support (configure engines.)
- hardware accelerator support (use instead of aes.c when reasonable)
R - kill dns workers more slowly
-R - remove the warnings from rendezvous stuff that shouldn't be warnings.
- - continue decentralizing the directory
- o Specify and design all of the below before implementing any.
- - Figure out what to do about hidden service descriptors.
- X have two router descriptor formats
-R . dirservers verify reachability claims
- o basic reachability testing, influencing network-status list.
-R - rate-limiting the reporting of trouble servers
-R - check reachability as soon as you hear about a new server
- - find 10 dirservers. (what are criteria to be a dirserver?)
- - some back-out mechanism?
+
+ . Directory changes
+ o recommended-versions for client / server ?
+ - Some back-out mechanism for auto-approval
- dirservers have blacklist of IPs they hate
- a way of rolling back approvals to before a timestamp
- have new people be in limbo and need to demonstrate usefulness
before we approve them
- other?
-N . Authoritative dirservers publish very compressed network-status objects.
- o Generate format
- o Publish it
-N . Everyone downloads network-status objects
- - From all directories, round-robin
- - Cache them, reload on restart
- o Serve cached directories
- - If DirPort, act as a cache.
-N - Directories expose individual descriptors
- o By server ID
- o By 'all'
- - By 'if-newer-than' (Does the spec require this??)
- - Support compression.
- o Expose "own most recent descriptor".
-N - Alice acts on network-status objects, downloading descriptors as needed.
- o Servers publish new descriptors when:
- o options change
- o when 12-24 hours have passed
- o when uptime is reset
- o When bandwidth changes a lot.
- - alices avoid duplicate class C nodes.
- o everybody with a dirport will give you his descriptor.
- - config option, on by default, to cache all descriptors.
- - Compress router desc sets before transmitting them
- M Analyze how bad the partitioning is or isn't.
- - Naming:
- - Specify and design all of the below before implementing any.
- - some dirservers announce that they manage bindings (a flag in
- router-status).
- - other dirservers mention a binding if there is no conflict for
- that binding among the dirservers that manage it.
- no conflict == any of them bind it and no disagreement.
- - alice can specify a nickname and it will record that name in her
- datadir along with the key *if* it is bound. otherwise her specifying
- will fail (loudly we hope).
- - thus when a binding vanishes (e.g. conflict) alice will keep using
- the one she meant.
- - if the binding changes keys, the entry in her datadir will silently
- get corrected.
+
+R . Dirservers verify reachability claims
+ o basic reachability testing, influencing network-status list.
+R - rate-limiting the reporting of trouble servers
+R - check reachability as soon as you hear about a new server
+
+ - Decentralization
+ - Figure out what to do about hidden service descriptors.
+ - find 10 dirservers.
+ - (what are criteria to be a dirserver?)
+N . Dirservers publish compressed network-status objects.
+ - Support several-at-once
+N . Everyone downloads network-status objects
+ - From all directories, round-robin
+ - Cache them, reload on restart
+ o Serve cached directories
+N . Directories expose individual descriptors
+ X By 'if-newer-than' (Does the spec require this??)
+ - Support compression.
+N - Alice acts on network-status objects
+ - Alice downloads descriptors as needed.
+ - Alice sets descriptor status from networks-status
+
+ - Security
+ - Alices avoid duplicate class C nodes.
+ - Analyze how bad the partitioning is or isn't.
+
+N - Naming:
+ - Separate naming from validation in authdirs.
+ - Clients choose names based on network-status options.
+ - Names are remembered in client status.
+
- packaging and ui stuff:
. multiple sample torrc files
- uninstallers
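Review bot: the condensed 'Handle rendezvousing with unverified nodes' block drops the 'Don't enable till directory code is deployed' precondition that the removed server and client lines carried, while 'Enable the new code' remains open ('.'); keep that ordering caveat on the enable item so nobody flips it on ahead of the directory side. Further points in this hunk: 'back, out' (stray comma) is carried over verbatim into the moved accountingmax lines, so fix it while moving; 'Alice sets descriptor status from networks-status' should read 'network-status'; 'o recommended-versions for client / server ?' is marked done but keeps its question mark; the Christian Grothoff infinite-length-circuit item loses its 'Specify' and 'Implement' sub-tasks and has no owner or state mark, although the 'extend-data' cell fix it describes is the mitigation for a circuit-amplification problem and should stay tracked; the three new Naming one-liners do not capture the requirements stated in the removed text (specifying an unbound nickname fails loudly; a rebound name silently updates the stored key), which are the security-relevant part of that design; and 'If DirPort, act as a cache.', 'config option, on by default, to cache all descriptors.' and 'Compress router desc sets before transmitting them' disappear without an 'o' or 'X' mark.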
@@ -175,15 +147,18 @@ N - Alice acts on network-status objects, downloading descriptors as needed.
N - Vet all pending installer patches
- Win32 installer plus privoxy, sockscap/freecap, etc.
- Vet win32 systray helper code
- o Make logs go into platform default locations.
- o OSX
- X Windows. (?)
Reach (deferrable) items for 0.1.1.x:
- Start using create-fast cells as clients
o Let more config options (e.g. ORPort) change dynamically.
- start handling server descriptors without a socksport?
+ . Research memory use on Linux: what's happening?
+ - Is it threading? (Maybe, maybe not)
+ - Is it the buf_shrink bug? (Quite possibly)
+ - Instrument the 0.1.1 code to figure out where our memory is going;
+ apply the results. (all platforms?)
+
For 0.1.1.x, if we can figure out how:
- rewrite how libevent does select() on win32 so it's not so very slow.
o enclaves (at least preliminary)
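Review bot: the re-added 'Research memory use on Linux' item is marked '.' (in progress) under the deferrable reach items while all four of its sub-items are still '-'; either mark the parent '-' or say which sub-item is actually underway. If it really is deferred, consider keeping at least 'Instrument the 0.1.1 code to figure out where our memory is going' in the main 0.1.1.x list, since unbounded memory growth on a long-running relay is easier to measure before a release than to diagnose from crash reports after one.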