123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382 |
- $Id$
- Legend:
- SPEC!! - Not specified
- SPEC - Spec not finalized
- N - nick claims
- R - arma claims
- P - phobos claims
- S - Steven claims
- E - Matt claims
- M - Mike claims
- J - Jeff claims
- I - ioerror claims
- W - weasel claims
- K - Karsten claims
- - Not done
- * Top priority
- . Partially done
- o Done
- d Deferrable
- D Deferred
- X Abandoned
- =======================================================================
- Things Roger would be excited to see:
- Nick
- * Look at Roger's proposal 141 discussions on or-dev, and help us
- decide how to proceed.
- . Tors start believing the contents of NETINFO cells.
- - respond to Steven's red-team TLS testing (a.k.a, look at a packet
- dump and compare)
- Matt
- - Fit Vidalia in 640x480 again.
- - Vidalia should avoid stomping on your custom exit policy lines
- just because you click on 'save' for a totally different config thing.
- - How much space do we save in TBB by stripping symbols from Vidalia
- first? Good idea or crazy idea?
- ioerror
- * weather.torproject.org should go live.
- - Keep advocating new Tor servers and working with orgs like Mozilla
- to let them like Tor.
- - Find out what happened to the buildbot and get it back up:
- http://tor-buildbot.freehaven.net:8010/
- - Learn about locking memory pages that have sensitive content. Get
- that started in Tor.
- - Translation portal
- - Vidalia html help files
- - should we i18nize polipo's error messages too?
- - how to get our diagrams translated, and how to get our screenshots
- from the right language?
- - Some of our translated wml files are very old -- so old that they
- are harmful to leave in place. We need some sort of way to notice
- this and disable them.
- Steven
- - Move proposal 131 or equivalent forward.
- - Keep bugging us about exploits on the .exit notation.
- - Mike's question #3 on https://www.torproject.org/volunteer#Research
- - Worthwhile shipping TBB with some local html help files that come
- as bookmarks?
- Andrew
- Weasel
- - Figure out how to make Vidalia and Tor play nicely on Debian, make
- the necessary modifications, and make some Vidalia debs that pass
- muster.
- - Fix bug 393.
- - Get oftc to switch to Tor dns bulk exitlist. Or tell us why it's
- not suitable yet.
- - Move proposal 134 forward.
- - putting port predictions in state file
- - if tor hasn't been used in a while it stops fetching consensus
- documents. Retain that state over restarts.
- Roger
- - Finish tor-doc-bridge.wml
- . Fix FAQ entry on setting up private Tor network
- - Did we actually apply Steven's dkimproxy patch?
- - Brainstorm about safe but effective ways for vidalia to
- auto-update its user's bridges via Tor in the background.
- - it doesn't count as successfully opening a circuit if it's not
- an exit circuit.
- Mike:
- - Roger wants to get an email every time there's a blog change,
- e.g. a comment. That way spam doesn't go undetected for weeks.
- - Or, maybe just disable linking from blog comments entirely?
- =======================================================================
- Bugs/issues for Tor 0.2.0.x:
- . we should have an off-by-default way for relays to dump geoip data to
- a file in their data directory, for measurement purposes.
- o Basic implementation
- N - Include probability-of-selection
- R d let bridges set relaybandwidthrate as low as 5kb
- Documentation for Tor 0.2.0.x:
- o Proposals:
- o 111: Prioritize local traffic over relayed.
- o 113: mark as closed close.
- o document the "3/4 and 7/8" business in the clients fetching consensus
- documents timeline.
- R - then document the bridge user download timeline.
- - HOWTO for DNSPort. See tup's wiki page.
- . Document transport and natdport in a good HOWTO.
- - Quietly document NT Service options: revise (or create) FAQ entry
- =======================================================================
- For 0.2.1.x-alpha:
- R d bug: if we launch using bridges, and then stop using bridges, we
- still have our bridges in our entryguards section, and may use them.
- o add an event to report geoip summaries to vidalia for bridge relays,
- so vidalia can say "recent activity (1-8 users) from sa".
- R - investigate: it looks like if the bridge authority is unreachable,
- we're not falling back on querying bridges directly?
- o if "no running bridges known", an application request should make
- us retry all our bridges.
- For 0.2.1.x:
- - Proposals to do:
- o 110: avoid infinite-length circuits
- * Figure out the right value for max RELAY_EARLY cells (Bug 878)
- - 117: IPv6 Exits
- - Internal code support for ipv6:
- o Clone ipv6 functions (inet_ntop, inet_pton) where they don't exist.
- o Many address variables need to become tor_addr_t
- o addr in connection_t
- o n_addr in extend_info_t
- - Teach resolving code how to handle ipv6.
- . Teach exit policies about ipv6 (consider ipv4/ipv6 interaction!)
- o Use IPv6 in connect/connected/failed-exitpolicy cells
- o accept ipv6 from socks
- o Generate END_REASON_EXITPOLICY cells right
- . ... and parse them right
- . Generate new BEGIN cell types and parse them right
- - Detect availability of ipv6
- - Advertise availability of ipv6.
- - Geoip support, if only to add a zone called "ipv6"
- K . 121: Hidden service authentication:
- - missing: delayed descriptor publication for 'stealth' mode.
- o 128: families of private bridges
- o 135: simplify configuration of private tor networks.
- K - 143: Improvements of Distributed Hidden Service Descriptor Storage:
- only easy parts for 0.2.1.x, defer complex ones to 0.2.2.x.
- o 148: Stream end reasons from the client side should be uniform.
- K o 155: Four Improvements of Hidden Service Performance
- - 145: Separate "suitable from a guard" from "suitable as a new guard"
- - 146: Adding new flag to reflect long-term stability
- - 149: Using data from NETINFO cells
- o Don't extend a circuit over a noncanonical connection with
- mismatched address.
- o Apply rovv's bugfixes wrt preferring canonical connections.
- o Make sure that having a non-canonical connection doesn't count
- as _having_ a connection for the purpose of connecting to others,
- and that when no canonical connection exists, we make one.
- - Learn our outgoing IP address from netinfo cells?
- - Learn skew from netinfo cells?
- o 157: Make certificate downloads specific.
- - Proposals to write:
- - Fix voting to handle bug 608 case when multiple servers get
- Named.
- N . Draft proposal for GeoIP aggregation (see external constraints *)
- . Figure out how to make good use of the fallback consensus file. Right
- now many of the addresses in the fallback consensus will be stale,
- so it will take dozens of minutes to bootstrap from it. This is a
- bad first Tor experience. But if we check the fallback consensus
- file *after* we fail to connect to any authorities, then it may
- still be valuable as a blocking-resistance step.
- o Write the proposal.
- - Patch our tor.spec rpm package so it knows where to put the fallback
- consensus file.
- . Put bandwidth weights in the networkstatus? So clients get weight
- their choices even before they have the descriptors; and so
- authorities can put in more accurate numbers in the future.
- - Spec compliance:
- * Make sure that clients could do the new handshake without sending any
- certs, if they wanted.
- - Tiny designs to write:
- - If a relay publishes a new descriptor with a significantly lower
- uptime or with a new IP address, then we should consider its current
- "running" interval to have ended even if it hadn't yet failed its
- third reachability test. the interval ended when the new descriptor
- appeared, and a new interval began then too.
- - Authority improvements:
- R - authorities should initiate a reachability test upon first
- glimpsing a new descriptor.
- - Use less bandwidth
- - Use if-modified-since to download consensuses
- - Testing
- - Better unit test coverage
- - Verify that write limits to linked connections work.
- - Security improvements
- - make is-consensus-fresh-enough check tighter.
- - If we haven't tried downloading a consensus for ages since we're tired,
- try getting a new one before we use old descriptors for a circuit.
- Related to bug 401. [What does "since we're tired" mean? -RD]
- [I don't know. -NM]
- - Feature removals and deprecations:
- - Get rid of the v1 directory stuff (making, serving, and caching)
- . First verify that the caches won't flip out?
- o If they will, just stop the caches from caching for now
- . perhaps replace it with a "this is a tor server" stock webpage.
- - Get the debs to set DirPortFrontPage in the default.
- - Decide how to handle DirPortFrontPage files with image links.
- - Can we deprecate controllers that don't use both features?
- - Both TorK and Vidalia use VERBOSE_NAMES.
- - TorK uses EXTENDED_EVENTS. Vidalia does not. (As of 9 Dec.)
- - Matt is checking whether Vidalia would break if we started to use
- EXTENDED_EVENTS by default. He says no.
- External tool improvements:
- - Get IOCP patches into libevent
- Nice to have for 0.2.1.x:
- - Proposals, time permitting
- - 134: handle authority fragmentation.
- - 140: Provide diffs betweeen consensuses
- - Handle multi-core cpus better
- - Split circuit AES across cores
- - Split cell_queue_t into a new structure with a processed subqueue,
- an unprocessed subqueue, and a symmetric key.
- - Write a function to pull cells from the unprocessed subqueue,
- en/decrypt them, and place them on the processed subqueue.
- - When a cell is added to a queue that previously had no
- unprocessed cells, put that queue into a set of queues that
- need to be processed. When the last cell is processed in a
- queue, remove it from the set of queues that need to be
- processed.
- - Worker code to process queues in round-robin fashion.
- - Think about how to be fair to differet circuits _and_ about to get
- CPU-affinity, if that matters.
- - When a cell is processed and placed onto a processed subqueue
- that was previously empty, _and_ the or_conn output buffer
- that the queue is targetting is empty, stick the buffer onto a
- list of buffers that need attention and notify the main
- thread if it was not already on the list.
- - When the main thread gets notified, it pumps those buffers.
- (i.e., it puts cells onto them from some of their circuits).
- - To free a queue that is not currently processing, grab its lock
- and free it.
- - To free a queue that _is_ processing, .... ?
- - Documentation
- P - Make documentation realize that location of system configuration file
- will depend on location of system defaults, and isn't always /etc/torrc.
- - Small controller features
- - A status event for when tor decides to stop fetching directory info
- if the client hasn't clicked recently: then make the onion change too.
- o Add a status event when new consensus arrives
- - Windows build
- P - create a "make win32-bundle" for vidalia-privoxy-tor-torbutton bundle
- - Is this obsolete with msi bundle coming soon asks phobos
- - Refactor bad code:
- - connection_or_get_by_identity_digest() and connection_good_enough_for
- _extend() could be merged into a smarter variant, perhaps.
- - Refactor the HTTP logic so the functions aren't so large.
- - Refactor buf_read and buf_write to have sensible ways to return
- error codes after partial writes
- - deprecate router_digest_is_trusted_dir() in favor of
- router_get_trusteddirserver_by_digest()
- - Should be trivial
- - Tor logs the libevent version on startup, for debugging purposes.
- This is great. But it does this before configuring the logs, so
- it only goes to stdout and is then lost.
- - Deprecations
- - Even clients run rep_hist_load_mtbf_data(). This doesn't waste memory
- unless they had previously been non-clients collecting MTBF data.
- Dump it anyway?
- - Unless we start using ftime functions, dump them.
- - can we deprecate the FastFirstHopPK config option?
- - The v2dir flag isn't used for anything anymore, right? If so, dump it.
- - can we deprecate 'getinfo network-status'?
- - Dump most uint32_t addr functions.
- - do the part of the "abandon .exit" proposal that involves isolating
- circuits which have used a .exit stream from those that haven't
- Defer:
- - Proposals
- - 118: Listen on and advertise multiple ports:
- - Tor should be able to have a pool of outgoing IP addresses that it is
- able to rotate through. (maybe. Possible overlap with proposal 118.)
- - config option to publish what ports you listen on, beyond
- ORPort/DirPort. It should support ranges and bit prefixes (?) too.
- - Need to figure out the right format for routerinfo_t on this.
- - 147: Eliminate the need for v2 directories in generating v3 directories
- - Proposals to write.
- d Something for bug 469, to limit connections per IP.
- d Do we want to maintain our own set of entryguards that we use as
- next hop after the bridge?
- d Possibly: revise link protocol to allow big circuit IDs,
- variable-length cells, proposal-110 stuff, and versioned CREATES?
- d Fetch an updated geoip file from the directory authorities.
- R - bridge communities (revive proposal 128)
- . spec
- . deploy
- - man page entries for Alternate*Authority config options
- - Tiny designs to write
- - Better estimate of clock skew; has anonymity implications. Clients
- should estimate their skew as median of skew from servers over last
- N seconds, but for servers this is not so easy, since a server does
- not choose who it connects to.
- - Do TLS connection rotation more often than "once a week" in the
- extra-stable case.
- (One reason not to do it more often is because the old TLS conn
- probably has a circuit on it, and we don't really want to build up
- dozens of TCP connections to all the other extra-stable relays.)
- - Use less RAM
- - Optimize cell pool allocation.
- - Support (or just always use) jemalloc (if it helps)
- - mmap more files.
- - Pull serverdescs off buffers as they arrive.
- - Allocate routerstatus_t objects on a per-networkstatus memchunk.
- - Split TLS across multiple cores
- - "In the future, we should migrate to LOCAL_APPDATA entirely."
- - Use more mid-level and high-level libevent APIs
- - For dns?
- - For http?
- - For buffers?
- - Proposals to write
- - steven's plan for replacing check.torproject.org with a built-in
- answer by tor itself.
- - Refactor bad code:
- - Streamline how we pick entry nodes: Make choose_random_entry() have
- less magic and less control logic.
- - Move all status info out of routerinfo into local_routerstatus. Make
- "who can change what" in local_routerstatus explicit. Make
- local_routerstatus (or equivalent) subsume all places to go for "what
- router is this?"
- o Don't call time(NULL) so much; instead have a static time_t field
- that gets updated only a handful of times per second.
- - Refactor unit tests into multiple files
- - Make Tor able to chroot itself
- o allow it to load an entire config file from control interface
- - document LOADCONF
- - log rotation (and FD passing) via control interface
- - chroot yourself, including inhibit trying to read config file
- and reopen logs, unless they are under datadir.
- - Should be trivial:
- - Base relative control socket paths (and other stuff in torrc) on datadir.
- o enforce a lower limit on MaxCircuitDirtiness and CircuitBuildTimeout.
- - Make 'safelogging' extend to info-level logs too.
- - don't do dns hijacking tests if we're reject *:* exit policy?
- (deferred until 0.1.1.x is less common)
- - More consistent error checking in router_parse_entry_from_string().
- I can say "banana" as my bandwidthcapacity, and it won't even squeak.
- d Interface for letting SOAT modify flags that authorities assign.
- (How to keep the authority from clobbering them afterwards?
|