Edit changelog a little for clarity and conciseness
parent
c9b8d4c086
commit
8b1ea18961
155
ChangeLog
|
@ -1,4 +1,4 @@
|
|||
Changes in version 0.2.9.1-alpha - 2016-08-0?
|
||||
Changes in version 0.2.9.1-alpha - 2016-08-08
|
||||
Tor 0.2.9.1-alpha is the first alpha release in the 0.2.9 development
|
||||
series. It improves our support for hardened builds and compiler
|
||||
warnings, deploys some critical infrastructure for improvements to
|
||||
|
@ -7,24 +7,28 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
log unexpected events, and contains other small improvements to
|
||||
security, correctness, and performance.
|
||||
|
||||
Below are the changes since 0.2.8.6.
|
||||
|
||||
o New system requirements:
|
||||
- Tor requires Libevent version 2.0.10-stable or later now. This
|
||||
implements ticket 19554.
|
||||
- We now require zlib version 1.2 or later. (Back when we started,
|
||||
- Tor now requires Libevent version 2.0.10-stable or later. Older
|
||||
versions of Libevent have less efficient backends for several
|
||||
platforms, and lack the DNS code that we use for our server-side
|
||||
DNS support. This implements ticket 19554.
|
||||
- Tor now requires zlib version 1.2 or later, for security,
|
||||
efficiency, and (eventually) gzip support. (Back when we started,
|
||||
zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
|
||||
released in 2003. We recommend the latest version.)
|
||||
|
||||
o Major features (build, hardening):
|
||||
- Tor now builds with -ftrapv by default on compilers that support
|
||||
it. This option detects signed integer overflow, and turns it into
|
||||
a hard-failure. We do not apply this option to code that needs to
|
||||
run in constant time to avoid side-channels; instead, we use
|
||||
-fwrapv. Closes ticket 17983.
|
||||
it. This option detects signed integer overflow (which C forbids),
|
||||
and turns it into a hard-failure. We do not apply this option to
|
||||
code that needs to run in constant time to avoid side-channels;
|
||||
instead, we use -fwrapv in that code. Closes ticket 17983.
|
||||
- When --enable-expensive-hardening is selected, stop applying the
|
||||
clang/gcc sanitizers to code that needs to run in constant-time to
|
||||
avoid side channels: although we are aware of no introduced side-
|
||||
channels, we are not able to prove that this is safe. Related to
|
||||
ticket 17983.
|
||||
clang/gcc sanitizers to code that needs to run in constant time.
|
||||
Although we are aware of no introduced side-channels, we are not
|
||||
able to prove that there are none. Related to ticket 17983.
|
||||
|
||||
o Major features (compilation):
|
||||
- Our big list of extra GCC warnings is now enabled by default when
|
||||
|
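Review bot: in the -ftrapv entry, the added parenthetical "(which C forbids)" is imprecise. Signed integer overflow is undefined behavior in C, not something the language or compiler rejects, and a reader could take the current wording to mean it is already caught without the flag. Suggest "(which is undefined behavior in C)". While here, "hard-failure" reads better as "hard failure". In the same hunk, the sanitizer entry now says "we are not able to prove that there are none", which is clearer than the old wording; no change needed there.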
@ -33,23 +37,25 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
errors, pass --enable-fatal-warnings to configure. Closes
|
||||
ticket 19044.
|
||||
- Use the Autoconf macro AC_USE_SYSTEM_EXTENSIONS to automatically
|
||||
turn on C and POSIX extensions. Closes ticket 19139.
|
||||
turn on C and POSIX extensions. (Previously, we attempted to do
|
||||
this on an ad hoc basis.) Closes ticket 19139.
|
||||
|
||||
o Major features (directory authorities, hidden services):
|
||||
- Directory authorities can now perform the shared randomness
|
||||
protocol specified by proposal 250. Using this protocol, directory
|
||||
authorities can generate a global fresh random number every day.
|
||||
In the future, this global randomness will be used by hidden
|
||||
services to select their responsible HSDirs. This release only
|
||||
implements the directory authority feature; the hidden service
|
||||
side will be implemented in the future as part of proposal 224.
|
||||
Resolves ticket 16943; implements proposal 250.
|
||||
authorities generate a global fresh random value every day. In the
|
||||
future, this value will be used by hidden services to select
|
||||
HSDirs. This release implements the directory authority feature;
|
||||
the hidden service side will be implemented in the future as part
|
||||
of proposal 224. Resolves ticket 16943; implements proposal 250.
|
||||
|
||||
o Major features (downloading):
|
||||
- Use random exponential backoffs when retrying downloads from the
|
||||
dir servers. This prevents a group of Tor instances from becoming
|
||||
too synchronized, or a single Tor instance from becoming too
|
||||
predictable, in its download schedule. Closes ticket 15942.
|
||||
o Major features (downloading, random exponential backoff):
|
||||
- When we fail to download an object from a directory service, wait
|
||||
for an (exponentially increasing) randomized amount of time before
|
||||
retrying, rather than a fixed interval as we did before. This
|
||||
prevents a group of Tor instances from becoming too synchronized,
|
||||
or a single Tor instance from becoming too predictable, in its
|
||||
download schedule. Closes ticket 15942.
|
||||
|
||||
o Major bugfixes (exit policies):
|
||||
- Avoid disclosing exit outbound bind addresses, configured port
|
||||
|
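Review bot: in the reworded downloading entry, "a directory service" replaces the old "the dir servers", and that term is not used anywhere else in the visible changelog text. Suggest "a directory server" so the entry matches the terminology used elsewhere. The new section title "(downloading, random exponential backoff)" also repeats what the entry body says; keeping the title as "(downloading)" would match the other section titles in this file. In the shared randomness entry, dropping "only" from "This release only implements the directory authority feature" weakens the caveat slightly; consider keeping it.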
@ -63,47 +69,47 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
- Allow Tor clients with appropriate controllers to work with
|
||||
FetchHidServDescriptors set to 0. Previously, this option also
|
||||
disabled descriptor cache lookup, thus breaking hidden services
|
||||
entirely when it was set. Fixes bug 18704; bugfix on 0.2.0.20-rc.
|
||||
Patch by "twim".
|
||||
entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
|
||||
|
||||
o Minor features (build, hardening):
|
||||
- Detect and work around a libclang_rt problem that prevents clang
|
||||
from finding __mulodi4() on some 32-bit platforms. This clang bug
|
||||
would keep -ftrapv from linking on those systems. Closes
|
||||
ticket 19079.
|
||||
- When building on a system without runtime support for some of the
|
||||
runtime hardening options, try to log a useful warning at
|
||||
configuration time, rather than an incomprehensible warning at
|
||||
link time. If expensive hardening was requested, this warning
|
||||
becomes an error. Closes ticket 18895.
|
||||
- Detect and work around a libclang_rt problem that would prevent
|
||||
clang from finding __mulodi4() on some 32-bit platforms, and thus
|
||||
keep -ftrapv from linking on those systems. Closes ticket 19079.
|
||||
- When building on a system without runtime support for the runtime
|
||||
hardening options, try to log a useful warning at configuration
|
||||
time, rather than an incomprehensible warning at link time. If
|
||||
expensive hardening was requested, this warning becomes an error.
|
||||
Closes ticket 18895.
|
||||
|
||||
o Minor features (code safety):
|
||||
- In our integer-parsing functions, check that the maxiumum value
|
||||
given is no smaller than the minimum value. Closes ticket 19063;
|
||||
- In our integer-parsing functions, ensure that maxiumum value we
|
||||
give is no smaller than the minimum value. Closes ticket 19063;
|
||||
patch from U+039b.
|
||||
|
||||
o Minor features (controller):
|
||||
- Implement new GETINFO queries for all downloads using
|
||||
download_status_t to schedule retries. Closes ticket 19323.
|
||||
- Add support for configuring basic client authorization on hidden
|
||||
services created with the ADD_ONION control command. Implements
|
||||
ticket 15588. Patch by "special".
|
||||
- Fire a `STATUS_SERVER` event whenever the hibernation status
|
||||
changes between "awake"/"soft"/"hard". Closes ticket 18685.
|
||||
- Implement new GETINFO queries for all downloads that use
|
||||
download_status_t to schedule retries. This allows controllers to
|
||||
examine the schedule for pending downloads. Closes ticket 19323.
|
||||
- Allow controllers to configure basic client authorization on
|
||||
hidden services when they create them with the ADD_ONION control
|
||||
command. Implements ticket 15588. Patch by "special".
|
||||
- Fire a STATUS_SERVER controller event whenever the hibernation
|
||||
status changes between "awake"/"soft"/"hard". Closes ticket 18685.
|
||||
|
||||
o Minor features (directory authority):
|
||||
- Directory authorities now only give the Guard flag to a relay if
|
||||
they are also giving it the Stable flag. This change allows us to
|
||||
simplify path selection for clients, and it should have minimal
|
||||
effect in practice since >99% of Guards already have the Stable
|
||||
flag. Implements ticket 18624.
|
||||
- Make directory authorities write the v3-status-votes file out to
|
||||
disk earlier in the consensus process, so we have the votes even
|
||||
if we abort the consensus process later. Resolves ticket 19036.
|
||||
simplify path selection for clients. It should have minimal effect
|
||||
in practice, since >99% of Guards already have the Stable flag.
|
||||
Implements ticket 18624.
|
||||
- Directory authorities now write their v3-status-votes file out to
|
||||
disk earlier in the consensus process, so we have a record of the
|
||||
votes even if we abort the consensus process. Resolves
|
||||
ticket 19036.
|
||||
|
||||
o Minor features (hidden service):
|
||||
- Stop being so strict about the payload length of "rendezvous1"
|
||||
cells. We used to be locked in to the "tap" handshake length, and
|
||||
cells. We used to be locked in to the "TAP" handshake length, and
|
||||
now we can handle better handshakes like "ntor". Resolves
|
||||
ticket 18998.
|
||||
|
||||
|
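Review bot: in the "Minor features (code safety)" entry, the reworded line still carries the typo "maxiumum" and has lost its article: "ensure that maxiumum value we give". Suggest "check that the maximum value given is no smaller than the minimum value", which also keeps the original sense that the parsing functions validate their arguments; "ensure ... we give" reads as if the callers were changed instead. Separately, the STATUS_SERVER entry drops the backticks, which is consistent with how GETINFO and ADD_ONION are written in the neighbouring entries.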
@ -123,15 +129,22 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
- Provide a more useful warning message when configured with an
|
||||
invalid Nickname. Closes ticket 18300; patch from "icanhasaccount".
|
||||
- When dumping unparseable router descriptors, optionally store them
|
||||
in separate filenames by hash, up to a configurable limit. Closes
|
||||
ticket 18322.
|
||||
in separate files, named by digest, up to a configurable size
|
||||
limit. You can change the size limit by setting the
|
||||
MaxUnparseableDescSizeToLog option, and disable this feature by
|
||||
setting that option to 0. Closes ticket 18322.
|
||||
- Add a set of macros to check nonfatal assertions, for internal
|
||||
use. Migrating more of our checks to these should help us avoid
|
||||
needless crash bugs. Closes ticket 18613.
|
||||
|
||||
o Minor features (performance):
|
||||
- When fetching a consensus for the first time, use optimistic data.
|
||||
This saves a round-trip during startup. Closes ticket 18815.
|
||||
- Changer the "optimistic data" extension from "off by default" to
|
||||
"on by default". The default was ordinarily overridden by a
|
||||
consensus option, but when clients were bootstrapping for the
|
||||
first time, they would not have a consensus to get the option
|
||||
from. Changing this default When fetching a consensus for the
|
||||
first time, use optimistic data. This saves a round-trip during
|
||||
startup. Closes ticket 18815.
|
||||
|
||||
o Minor features (relay, usability):
|
||||
- When the directory authorities refuse a bad relay's descriptor,
|
||||
|
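Review bot: the "Minor features (performance)" entry looks like an unfinished edit. It opens with "Changer" (should be "Change"), and the sentence "Changing this default" breaks off and runs straight into the old text "When fetching a consensus for the first time, use optimistic data." Suggest finishing the sentence, for example "Changing this default saves a round-trip during startup.", and deleting the leftover old wording before this goes into a release changelog. In the unparseable descriptor entry, the new text documents MaxUnparseableDescSizeToLog and that 0 disables the feature, which is a useful addition.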
@ -154,30 +167,31 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
o Minor bugfixes (bootstrap):
|
||||
- Remember the directory we fetched the consensus or previous
|
||||
certificates from, and use it to fetch future authority
|
||||
certificates. Fixes bug 18963; bugfix on 0.2.8.1-alpha.
|
||||
certificates. This change improves bootstrapping performance.
|
||||
Fixes bug 18963; bugfix on 0.2.8.1-alpha.
|
||||
|
||||
o Minor bugfixes (build):
|
||||
- Make the test-stem and test-network targets depend only on the tor
|
||||
binary that they will be testing. Previously, they depended on
|
||||
- The test-stem and test-network makefile targets now depend only on
|
||||
the tor binary that they are testing. Previously, they depended on
|
||||
"make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
|
||||
patch from "cypherpunks".
|
||||
|
||||
o Minor bugfixes (circuits):
|
||||
- Make sure extend_info_from_router is only called on servers. Fixes
|
||||
bug 19639; bugfix on 0.2.8.1-alpha.
|
||||
- Make sure extend_info_from_router() is only called on servers.
|
||||
Fixes bug 19639; bugfix on 0.2.8.1-alpha.
|
||||
|
||||
o Minor bugfixes (compilation):
|
||||
- When building with Clang, include our full array of GCC warnings.
|
||||
- When building with Clang, use a full set of GCC warnings.
|
||||
(Previously, we included only a subset, because of the way we
|
||||
detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
|
||||
|
||||
o Minor bugfixes (directory authority):
|
||||
- Authorities now sort the "package" lines in their votes, for ease
|
||||
of debugging. (They are already sorted in the consensus
|
||||
documents.) Fixes bug 18840; bugfix on 0.2.6.3-alpha.
|
||||
- When parsing detached signature, make sure we use the length of
|
||||
of debugging. (They are already sorted in consensus documents.)
|
||||
Fixes bug 18840; bugfix on 0.2.6.3-alpha.
|
||||
- When parsing a detached signature, make sure we use the length of
|
||||
the digest algorithm instead of an hardcoded DIGEST256_LEN in
|
||||
order to avoid comparing bytes out of bound with a smaller digest
|
||||
order to avoid comparing bytes out-of-bounds with a smaller digest
|
||||
length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
|
||||
|
||||
o Minor bugfixes (documentation):
|
||||
|
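Review bot: in the detached signature entry, the context line between the two edited lines still reads "an hardcoded DIGEST256_LEN"; since this entry is being reworded anyway, change it to "a hardcoded DIGEST256_LEN". The new "comparing bytes out-of-bounds" uses the hyphenated form where it is not modifying a noun; "comparing bytes out of bounds" or "an out-of-bounds comparison" would read more naturally. The entry could also say in plain words that the comparison read past the end of a shorter digest, since that is the safety-relevant part of the fix.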
@ -190,7 +204,7 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
|
||||
o Minor bugfixes (ephemeral hidden service):
|
||||
- When deleting an ephemeral hidden service, close its intro points
|
||||
even if they are not in the open state. Fixes bug 18604; bugfix
|
||||
even if they are not completely open. Fixes bug 18604; bugfix
|
||||
on 0.2.7.1-alpha.
|
||||
|
||||
o Minor bugfixes (guard selection):
|
||||
|
@ -204,8 +218,9 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
|
||||
o Minor bugfixes (hidden service client):
|
||||
- Increase the minimum number of internal circuits we preemptively
|
||||
build from 2 to 3 so they are available when a client connects to
|
||||
another onion service. Fixes bug 13239; bugfix on 0.1.0.1-rc.
|
||||
build from 2 to 3, so a circuit is available when a client
|
||||
connects to another onion service. Fixes bug 13239; bugfix
|
||||
on 0.1.0.1-rc.
|
||||
|
||||
o Minor bugfixes (logging):
|
||||
- When logging a directory ownership mismatch, log the owning
|
||||
|
@ -241,8 +256,8 @@ Changes in version 0.2.9.1-alpha - 2016-08-0?
|
|||
in the counter. Now, if the number of messages hits a maximum, the
|
||||
rate-limiter doesn't count any further. Fixes bug 19435; bugfix
|
||||
on 0.2.4.11-alpha.
|
||||
- Fix a typo in the getting passphrase prompt for the ed25519
|
||||
identity key. Fixes bug 19503; bugfix on 0.2.7.2-alpha.
|
||||
- Fix a typo in the passphrase prompt for the ed25519 identity key.
|
||||
Fixes bug 19503; bugfix on 0.2.7.2-alpha.
|
||||
|
||||
o Code simplification and refactoring:
|
||||
- Remove redundant declarations of the MIN macro. Closes
|
||||
|
|