From 8b1ea189610f4a96d1029f7ecc0fa4c321cd71e5 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 8 Aug 2016 12:28:29 -0400 Subject: Edit changelog a little for clarity and conciseness --- ChangeLog | 157 ++++++++++++++++++++++++++++++++++---------------------------- 1 file changed, 86 insertions(+), 71 deletions(-) diff --git a/ChangeLog b/ChangeLog index 088286c5cf..5d91f82118 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,4 @@ -Changes in version 0.2.9.1-alpha - 2016-08-0? +Changes in version 0.2.9.1-alpha - 2016-08-08 Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development series. It improves our support for hardened builds and compiler warnings, deploys some critical infrastructure for improvements to @@ -7,24 +7,28 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? log unexpected events, and contains other small improvements to security, correctness, and performance. + Below are the changes since 0.2.8.6. + o New system requirements: - - Tor requires Libevent version 2.0.10-stable or later now. This - implements ticket 19554. - - We now require zlib version 1.2 or later. (Back when we started, + - Tor now requires Libevent version 2.0.10-stable or later. Older + versions of Libevent have less efficient backends for several + platforms, and lack the DNS code that we use for our server-side + DNS support. This implements ticket 19554. + - Tor now requires zlib version 1.2 or later, for security, + efficiency, and (eventually) gzip support. (Back when we started, zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was released in 2003. We recommend the latest version.) o Major features (build, hardening): - Tor now builds with -ftrapv by default on compilers that support - it. This option detects signed integer overflow, and turns it into - a hard-failure. We do not apply this option to code that needs to - run in constant time to avoid side-channels; instead, we use - -fwrapv. Closes ticket 17983. + it. This option detects signed integer overflow (which C forbids), + and turns it into a hard-failure. We do not apply this option to + code that needs to run in constant time to avoid side-channels; + instead, we use -fwrapv in that code. Closes ticket 17983. - When --enable-expensive-hardening is selected, stop applying the - clang/gcc sanitizers to code that needs to run in constant-time to - avoid side channels: although we are aware of no introduced side- - channels, we are not able to prove that this is safe. Related to - ticket 17983. + clang/gcc sanitizers to code that needs to run in constant time. + Although we are aware of no introduced side-channels, we are not + able to prove that there are none. Related to ticket 17983. o Major features (compilation): - Our big list of extra GCC warnings is now enabled by default when @@ -33,23 +37,25 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? errors, pass --enable-fatal-warnings to configure. Closes ticket 19044. - Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically - turn on C and POSIX extensions. Closes ticket 19139. + turn on C and POSIX extensions. (Previously, we attempted to do + this on an ad hoc basis.) Closes ticket 19139. o Major features (directory authorities, hidden services): - Directory authorities can now perform the shared randomness protocol specified by proposal 250. Using this protocol, directory - authorities can generate a global fresh random number every day. - In the future, this global randomness will be used by hidden - services to select their responsible HSDirs. This release only - implements the directory authority feature; the hidden service - side will be implemented in the future as part of proposal 224. - Resolves ticket 16943; implements proposal 250. - - o Major features (downloading): - - Use random exponential backoffs when retrying downloads from the - dir servers. This prevents a group of Tor instances from becoming - too synchronized, or a single Tor instance from becoming too - predictable, in its download schedule. Closes ticket 15942. + authorities generate a global fresh random value every day. In the + future, this value will be used by hidden services to select + HSDirs. This release implements the directory authority feature; + the hidden service side will be implemented in the future as part + of proposal 224. Resolves ticket 16943; implements proposal 250. + + o Major features (downloading, random exponential backoff): + - When we fail to download an object from a directory service, wait + for an (exponentially increasing) randomized amount of time before + retrying, rather than a fixed interval as we did before. This + prevents a group of Tor instances from becoming too synchronized, + or a single Tor instance from becoming too predictable, in its + download schedule. Closes ticket 15942. o Major bugfixes (exit policies): - Avoid disclosing exit outbound bind addresses, configured port @@ -63,47 +69,47 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? - Allow Tor clients with appropriate controllers to work with FetchHidServDescriptors set to 0. Previously, this option also disabled descriptor cache lookup, thus breaking hidden services - entirely when it was set. Fixes bug 18704; bugfix on 0.2.0.20-rc. - Patch by "twim". + entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim". o Minor features (build, hardening): - - Detect and work around a libclang_rt problem that prevents clang - from finding __mulodi4() on some 32-bit platforms. This clang bug - would keep -ftrapv from linking on those systems. Closes - ticket 19079. - - When building on a system without runtime support for some of the - runtime hardening options, try to log a useful warning at - configuration time, rather than an incomprehensible warning at - link time. If expensive hardening was requested, this warning - becomes an error. Closes ticket 18895. + - Detect and work around a libclang_rt problem that would prevent + clang from finding __mulodi4() on some 32-bit platforms, and thus + keep -ftrapv from linking on those systems. Closes ticket 19079. + - When building on a system without runtime support for the runtime + hardening options, try to log a useful warning at configuration + time, rather than an incomprehensible warning at link time. If + expensive hardening was requested, this warning becomes an error. + Closes ticket 18895. o Minor features (code safety): - - In our integer-parsing functions, check that the maxiumum value - given is no smaller than the minimum value. Closes ticket 19063; + - In our integer-parsing functions, ensure that maxiumum value we + give is no smaller than the minimum value. Closes ticket 19063; patch from U+039b. o Minor features (controller): - - Implement new GETINFO queries for all downloads using - download_status_t to schedule retries. Closes ticket 19323. - - Add support for configuring basic client authorization on hidden - services created with the ADD_ONION control command. Implements - ticket 15588. Patch by "special". - - Fire a `STATUS_SERVER` event whenever the hibernation status - changes between "awake"/"soft"/"hard". Closes ticket 18685. + - Implement new GETINFO queries for all downloads that use + download_status_t to schedule retries. This allows controllers to + examine the schedule for pending downloads. Closes ticket 19323. + - Allow controllers to configure basic client authorization on + hidden services when they create them with the ADD_ONION control + command. Implements ticket 15588. Patch by "special". + - Fire a STATUS_SERVER controller event whenever the hibernation + status changes between "awake"/"soft"/"hard". Closes ticket 18685. o Minor features (directory authority): - Directory authorities now only give the Guard flag to a relay if they are also giving it the Stable flag. This change allows us to - simplify path selection for clients, and it should have minimal - effect in practice since >99% of Guards already have the Stable - flag. Implements ticket 18624. - - Make directory authorities write the v3-status-votes file out to - disk earlier in the consensus process, so we have the votes even - if we abort the consensus process later. Resolves ticket 19036. + simplify path selection for clients. It should have minimal effect + in practice, since >99% of Guards already have the Stable flag. + Implements ticket 18624. + - Directory authorities now write their v3-status-votes file out to + disk earlier in the consensus process, so we have a record of the + votes even if we abort the consensus process. Resolves + ticket 19036. o Minor features (hidden service): - Stop being so strict about the payload length of "rendezvous1" - cells. We used to be locked in to the "tap" handshake length, and + cells. We used to be locked in to the "TAP" handshake length, and now we can handle better handshakes like "ntor". Resolves ticket 18998. @@ -123,15 +129,22 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? - Provide a more useful warning message when configured with an invalid Nickname. Closes ticket 18300; patch from "icanhasaccount". - When dumping unparseable router descriptors, optionally store them - in separate filenames by hash, up to a configurable limit. Closes - ticket 18322. + in separate files, named by digest, up to a configurable size + limit. You can change the size limit by setting the + MaxUnparseableDescSizeToLog option, and disable this feature by + setting that option to 0. Closes ticket 18322. - Add a set of macros to check nonfatal assertions, for internal use. Migrating more of our checks to these should help us avoid needless crash bugs. Closes ticket 18613. o Minor features (performance): - - When fetching a consensus for the first time, use optimistic data. - This saves a round-trip during startup. Closes ticket 18815. + - Changer the "optimistic data" extension from "off by default" to + "on by default". The default was ordinarily overridden by a + consensus option, but when clients were bootstrapping for the + first time, they would not have a consensus to get the option + from. Changing this default When fetching a consensus for the + first time, use optimistic data. This saves a round-trip during + startup. Closes ticket 18815. o Minor features (relay, usability): - When the directory authorities refuse a bad relay's descriptor, @@ -154,30 +167,31 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? o Minor bugfixes (bootstrap): - Remember the directory we fetched the consensus or previous certificates from, and use it to fetch future authority - certificates. Fixes bug 18963; bugfix on 0.2.8.1-alpha. + certificates. This change improves bootstrapping performance. + Fixes bug 18963; bugfix on 0.2.8.1-alpha. o Minor bugfixes (build): - - Make the test-stem and test-network targets depend only on the tor - binary that they will be testing. Previously, they depended on + - The test-stem and test-network makefile targets now depend only on + the tor binary that they are testing. Previously, they depended on "make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a patch from "cypherpunks". o Minor bugfixes (circuits): - - Make sure extend_info_from_router is only called on servers. Fixes - bug 19639; bugfix on 0.2.8.1-alpha. + - Make sure extend_info_from_router() is only called on servers. + Fixes bug 19639; bugfix on 0.2.8.1-alpha. o Minor bugfixes (compilation): - - When building with Clang, include our full array of GCC warnings. + - When building with Clang, use a full set of GCC warnings. (Previously, we included only a subset, because of the way we detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha. o Minor bugfixes (directory authority): - Authorities now sort the "package" lines in their votes, for ease - of debugging. (They are already sorted in the consensus - documents.) Fixes bug 18840; bugfix on 0.2.6.3-alpha. - - When parsing detached signature, make sure we use the length of + of debugging. (They are already sorted in consensus documents.) + Fixes bug 18840; bugfix on 0.2.6.3-alpha. + - When parsing a detached signature, make sure we use the length of the digest algorithm instead of an hardcoded DIGEST256_LEN in - order to avoid comparing bytes out of bound with a smaller digest + order to avoid comparing bytes out-of-bounds with a smaller digest length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha. o Minor bugfixes (documentation): @@ -190,7 +204,7 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? o Minor bugfixes (ephemeral hidden service): - When deleting an ephemeral hidden service, close its intro points - even if they are not in the open state. Fixes bug 18604; bugfix + even if they are not completely open. Fixes bug 18604; bugfix on 0.2.7.1-alpha. o Minor bugfixes (guard selection): @@ -204,8 +218,9 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? o Minor bugfixes (hidden service client): - Increase the minimum number of internal circuits we preemptively - build from 2 to 3 so they are available when a client connects to - another onion service. Fixes bug 13239; bugfix on 0.1.0.1-rc. + build from 2 to 3, so a circuit is available when a client + connects to another onion service. Fixes bug 13239; bugfix + on 0.1.0.1-rc. o Minor bugfixes (logging): - When logging a directory ownership mismatch, log the owning @@ -241,8 +256,8 @@ Changes in version 0.2.9.1-alpha - 2016-08-0? in the counter. Now, if the number of messages hits a maximum, the rate-limiter doesn't count any further. Fixes bug 19435; bugfix on 0.2.4.11-alpha. - - Fix a typo in the getting passphrase prompt for the ed25519 - identity key. Fixes bug 19503; bugfix on 0.2.7.2-alpha. + - Fix a typo in the passphrase prompt for the ed25519 identity key. + Fixes bug 19503; bugfix on 0.2.7.2-alpha. o Code simplification and refactoring: - Remove redundant declarations of the MIN macro. Closes -- cgit v1.2.3-54-g00ecf