Blurb for 029; tighten releasenotes sections.

2016-12-17 16:43:38 -05:00 · 2016-12-17 16:43:38 -05:00 · a708518ecb
parent 254b633604
commit a708518ecb
1 changed files with 98 additions and 116 deletions
--- a/ReleaseNotes.029
+++ b/ReleaseNotes.029
@ -3,11 +3,55 @@ into the ReleaseNotes file before stable.]
 [These are changes since 0.2.8.11]
  Tor 0.2.9.8 is the first stable release of Tor 0.2.9.
-  o Required libraries:
+  The Tor 0.2.9 series makes mandatory a number of security features
  that were formerly optional. It includes support for a new
  shared-randomness protocol that will form the basis for next
  generation hidden services, includes a single-hop hidden service
  mode for optimizing .onion services that don't actually want to be
  hidden, tries harder not to overload the directory authorities with
  excessive downloads, and supports a better protocol versioniing
  scheme for improved compatibility with other implementations of the
  Tor protocol.
  And of course, there are other bugfixes and improvements, listed
  here. Below are listed the changes since Tor 0.2.8.11.
  o New system requirements:
    - When building with OpenSSL, Tor now requires version 1.0.1 or
      later. OpenSSL 1.0.0 and earlier are no longer supported by the
      OpenSSL team, and should not be used. Closes ticket 20303.
    - Tor now requires Libevent version 2.0.10-stable or later. Older
      versions of Libevent have less efficient backends for several
      platforms, and lack the DNS code that we use for our server-side
      DNS support. This implements ticket 19554.
    - Tor now requires zlib version 1.2 or later, for security,
      efficiency, and (eventually) gzip support. (Back when we started,
      zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
      released in 2003. We recommend the latest version.)
  o Deprecated features:
    - A number of DNS-cache-related sub-options for client ports are now
      deprecated for security reasons, and may be removed in a future
      version of Tor. (We believe that client-side DNS cacheing is a bad
      idea for anonymity, and you should not turn it on.) The options
      are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
      UseIPv4Cache, and UseIPv6Cache.
    - A number of options are deprecated for security reasons, and may
      be removed in a future version of Tor. The options are:
      AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ClientDNSRejectInternalAddresses,
      CloseHSClientCircuitsImmediatelyOnTimeout,
      CloseHSServiceRendCircuitsImmediatelyOnTimeout,
      ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
      UseNTorHandshake, and WarnUnsafeSocks.
    - The *ListenAddress options are now deprecated as unnecessary: the
      corresponding *Port options should be used instead. These options
      may someday be removed. The affected options are:
      ControlListenAddress, DNSListenAddress, DirListenAddress,
      NATDListenAddress, ORListenAddress, SocksListenAddress,
      and TransListenAddress.
  o Major features (build, hardening):
    - Tor now builds with -ftrapv by default on compilers that support
@ -91,22 +135,15 @@ into the ReleaseNotes file before stable.]
      releases of Tor itself. Closes ticket 19958; implements part of
      proposal 264.
  o Major features (user interface):
    - Tor now supports the ability to declare options deprecated, so
      that we can recommend that people stop using them. Previously,
      this was done in an ad-hoc way. Closes ticket 19820.
  o Major bugfixes (circuit building):
    - Hidden service client-to-intro-point and service-to-rendezvous-
      point cicruits use the TAP key supplied by the protocol, to avoid
      epistemic attacks. Fixes bug 19163; bugfix on 0.2.4.18-rc.
-  o Major bugfixes (directory downloads):
+  o Major bugfixes (download scheduling):
    - Avoid resetting download status for consensuses hourly, since we
      already have another, smarter retry mechanism. Fixes bug 8625;
      bugfix on 0.2.0.9-alpha.
  o Major bugfixes (download scheduling):
    - If a consensus expires while we are waiting for certificates to
      download, stop waiting for certificates.
    - If we stop waiting for certificates less than a minute after we
@ -125,13 +162,11 @@ into the ReleaseNotes file before stable.]
      ExitPolicyRejectLocalInterfaces is set. Fixes bug 18456; bugfix on
      0.2.7.2-alpha. Patch by teor.
-  o Major bugfixes (hidden service client):
+  o Major bugfixes (hidden services):
    - Allow Tor clients with appropriate controllers to work with
      FetchHidServDescriptors set to 0. Previously, this option also
      disabled descriptor cache lookup, thus breaking hidden services
      entirely. Fixes bug 18704; bugfix on 0.2.0.20-rc. Patch by "twim".
  o Major bugfixes (hidden services):
    - Clients now require hidden services to include the TAP keys for
      their intro points in the hidden service descriptor. This prevents
      an inadvertent upgrade to ntor, which a malicious hidden service
@ -276,23 +311,6 @@ into the ReleaseNotes file before stable.]
      we don't count them when we're generating test coverage data.
      Update our coverage tools to understand this convention. Closes
      ticket 16792.
  o Minor features (testing, ipv6):
    - Add the hs-ipv6 chutney target to make test-network-all's IPv6
      tests. Remove bridges+hs, as it's somewhat redundant. This
      requires a recent chutney version that supports IPv6 clients,
      relays, and authorities. Closes ticket 20069; patch by teor.
    - Add the single-onion and single-onion-ipv6 chutney targets to
      "make test-network-all". This requires a recent chutney version
      with the single onion network flavours (git c72a652 or later).
      Closes ticket 20072; patch by teor.
  o Minor features (Tor2web):
    - Make Tor2web clients respect ReachableAddresses. This feature was
      inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
      0.2.8.7. Implements feature 20034. Patch by teor.
  o Minor features (unit tests):
    - Our link-handshake unit tests now check that when invalid
      handshakes fail, they fail with the error messages we expected.
    - Our unit testing code that captures log messages no longer
@ -311,6 +329,21 @@ into the ReleaseNotes file before stable.]
      assertion as a test failure.
    - We've done significant work to make the unit tests run faster.
  o Minor features (testing, ipv6):
    - Add the hs-ipv6 chutney target to make test-network-all's IPv6
      tests. Remove bridges+hs, as it's somewhat redundant. This
      requires a recent chutney version that supports IPv6 clients,
      relays, and authorities. Closes ticket 20069; patch by teor.
    - Add the single-onion and single-onion-ipv6 chutney targets to
      "make test-network-all". This requires a recent chutney version
      with the single onion network flavours (git c72a652 or later).
      Closes ticket 20072; patch by teor.
  o Minor features (Tor2web):
    - Make Tor2web clients respect ReachableAddresses. This feature was
      inadvertently enabled in 0.2.8.6, then removed by bugfix 19973 on
      0.2.8.7. Implements feature 20034. Patch by teor.
  o Minor features (unix domain sockets):
    - When configuring a unix domain socket for a SocksPort,
      ControlPort, or Hidden service, you can now wrap the address in
@ -318,6 +351,9 @@ into the ReleaseNotes file before stable.]
      domain socket paths to contain spaces.
  o Minor features (user interface):
    - Tor now supports the ability to declare options deprecated, so
      that we can recommend that people stop using them. Previously,
      this was done in an ad-hoc way. Closes ticket 19820.
    - There is a new --list-deprecated-options command-line option to
      list all of the deprecated options. Implemented as part of
      ticket 19820.
@ -358,12 +394,6 @@ into the ReleaseNotes file before stable.]
      certificates. This change improves bootstrapping performance.
      Fixes bug 18963; bugfix on 0.2.8.1-alpha.
  o Minor bugfixes (build):
    - The test-stem and test-network makefile targets now depend only on
      the tor binary that they are testing. Previously, they depended on
      "make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
      patch from "cypherpunks".
  o Minor bugfixes (circuits):
    - Make sure extend_info_from_router() is only called on servers.
      Fixes bug 19639; bugfix on 0.2.8.1-alpha.
@ -388,11 +418,11 @@ into the ReleaseNotes file before stable.]
    - When building with Clang, use a full set of GCC warnings.
      (Previously, we included only a subset, because of the way we
      detected them.) Fixes bug 19216; bugfix on 0.2.0.1-alpha.
  o Minor bugfixes (compilation, OpenBSD):
    - Detect Libevent2 functions correctly on systems that provide
      libevent2, but where libevent1 is linked with -levent. Fixes bug
      19904; bugfix on 0.2.2.24-alpha. Patch from Rubiate.
    - Run correctly when built on Windows build environments that
      require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
  o Minor bugfixes (configuration):
    - When parsing quoted configuration values from the torrc file,
@ -415,26 +445,6 @@ into the ReleaseNotes file before stable.]
      order to avoid comparing bytes out-of-bounds with a smaller digest
      length such as SHA1. Fixes bug 19066; bugfix on 0.2.2.6-alpha.
  o Minor bugfixes (documentation):
    - Document the --passphrase-fd option in the tor manpage. Fixes bug
      19504; bugfix on 0.2.7.3-rc.
    - Document the default PathsNeededToBuildCircuits value that's used
      by clients when the directory authorities don't set
      min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02
      in tor-0.2.4.10-alpha. Patch by teor, reported by Jesse V.
    - Fix manual for the User option: it takes a username, not a UID.
      Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
      a manpage!).
    - Fix the description of the --passphrase-fd option in the
      tor-gencert manpage. The option is used to pass the number of a
      file descriptor to read the passphrase from, not to read the file
      descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
  o Minor bugfixes (ephemeral hidden service):
    - When deleting an ephemeral hidden service, close its intro points
      even if they are not completely open. Fixes bug 18604; bugfix
      on 0.2.7.1-alpha.
  o Minor bugfixes (getpass):
    - Defensively fix a non-triggerable heap corruption at do_getpass()
      to protect ourselves from mistakes in the future. Fixes bug
@ -450,21 +460,20 @@ into the ReleaseNotes file before stable.]
      parameter is not provided. Fixes bug 17688; bugfix
      on 0.2.5.6-alpha.
-  o Minor bugfixes (hidden service client):
+  o Minor bugfixes (hidden services):
    - Increase the minimum number of internal circuits we preemptively
      build from 2 to 3, so a circuit is available when a client
      connects to another onion service. Fixes bug 13239; bugfix
      on 0.1.0.1-rc.
  o Minor bugfixes (hidden service):
    - Allow hidden services to run on IPv6 addresses even when the
      IPv6Exit option is not set. Fixes bug 18357; bugfix
      on 0.2.4.7-alpha.
  o Minor bugfixes (hidden services):
    - Stop logging intro point details to the client log on certain
      error conditions. Fixed as part of bug 20012; bugfix on
      0.2.4.8-alpha. Patch by teor.
    - When deleting an ephemeral hidden service, close its intro points
      even if they are not completely open. Fixes bug 18604; bugfix
      on 0.2.7.1-alpha.
    - When configuring hidden services, check every hidden service
      directory's permissions. Previously, we only checked the last
      hidden service. Fixes bug 20529; bugfix the work to fix 13942
@ -501,13 +510,9 @@ into the ReleaseNotes file before stable.]
    - When moving a signed descriptor object from a source to an
      existing destination, free the allocated memory inside that
      destination object. Fixes bug 20715; bugfix on tor-0.2.8.3-alpha.
  o Minor bugfixes (memory leak, use-after-free, linux seccomp2 sandbox):
    - Fix a memory leak and use-after-free error when removing entries
      from the sandbox's getaddrinfo() cache. Fixes bug 20710; bugfix on
      0.2.5.5-alpha. Patch from "cypherpunks".
  o Minor bugfixes (memory leaks):
    - Fix a small, uncommon memory leak that could occur when reading a
      truncated ed25519 key file. Fixes bug 18956; bugfix
      on 0.2.6.1-alpha.
@ -528,18 +533,9 @@ into the ReleaseNotes file before stable.]
      commits 51fc6799 in tor-0.1.1.16-rc and acda1735 in tor-0.2.4.3-
      alpha. Patch by teor.
-  o Minor bugfixes (portability):
+  o Minor bugfixes (relay):
    - Run correctly when built on Windows build environments that
      require _vcsprintf(). Fixes bug 20560; bugfix on 0.2.2.11-alpha.
    - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
      removed the ECDH ciphers which caused the tests to fail on
      platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
  o Minor bugfixes (relay bootstrap):
    - Ensure relays don't make multiple connections during bootstrap.
      Fixes bug 20591; bugfix on 0.2.8.1-alpha.
  o Minor bugfixes (relay):
    - Avoid a small memory leak when informing worker threads about
      rotated onion keys. Fixes bug 20401; bugfix on 0.2.6.3-alpha.
    - Do not try to parallelize workers more than 16x without the user
@ -547,6 +543,10 @@ into the ReleaseNotes file before stable.]
      16 CPU cores. Fixes bug 19968; bugfix on 0.2.3.1-alpha.
  o Minor bugfixes (testing):
    - The test-stem and test-network makefile targets now depend only on
      the tor binary that they are testing. Previously, they depended on
      "make all". Fixes bug 18240; bugfix on 0.2.8.2-alpha. Based on a
      patch from "cypherpunks".
    - Allow clients to retry HSDirs much faster in test networks. Fixes
      bug 19702; bugfix on 0.2.7.1-alpha. Patch by teor.
    - Avoid a unit test failure on systems with over 16 detectable CPU
@ -558,6 +558,15 @@ into the ReleaseNotes file before stable.]
    - Fix the test-network-all target on out-of-tree builds by using the
      correct path to the test driver script. Fixes bug 19421; bugfix
      on 0.2.7.3-rc.
    - Stop spurious failures in the local interface address discovery
      unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
      Neel Chauhan.
    - Use ECDHE ciphers instead of ECDH in tortls tests. LibreSSL has
      removed the ECDH ciphers which caused the tests to fail on
      platforms which use it. Fixes bug 20460; bugfix on 0.2.8.1-alpha.
    - The tor_tls_server_info_callback unit test no longer crashes when
      debug-level logging is turned on. Fixes bug 20041; bugfix
      on 0.2.8.1-alpha.
  o Minor bugfixes (time):
    - Improve overflow checks in tv_udiff and tv_mdiff. Fixes bug 19483;
@ -572,14 +581,6 @@ into the ReleaseNotes file before stable.]
      are not anonymous due to the one-hop client paths. Fixes bug
      19678. Patch by teor.
  o Minor bugfixes (unit tests):
    - Stop spurious failures in the local interface address discovery
      unit tests. Fixes bug 20634; bugfix on 0.2.8.1-alpha; patch by
      Neel Chauhan.
    - The tor_tls_server_info_callback unit test no longer crashes when
      debug-level logging is turned on. Fixes bug 20041; bugfix
      on 0.2.8.1-alpha.
  o Minor bugfixes (user interface):
    - Display a more accurate number of suppressed messages in the log
      rate-limiter. Previously, there was a potential integer overflow
@ -597,28 +598,6 @@ into the ReleaseNotes file before stable.]
    - Split the 600-line directory_handle_command_get function into
      separate functions for different URL types. Closes ticket 16698.
  o Deprecated features:
    - A number of DNS-cache-related sub-options for client ports are now
      deprecated for security reasons, and may be removed in a future
      version of Tor. (We believe that client-side DNS cacheing is a bad
      idea for anonymity, and you should not turn it on.) The options
      are: CacheDNS, CacheIPv4DNS, CacheIPv6DNS, UseDNSCache,
      UseIPv4Cache, and UseIPv6Cache.
    - A number of options are deprecated for security reasons, and may
      be removed in a future version of Tor. The options are:
      AllowDotExit, AllowInvalidNodes, AllowSingleHopCircuits,
      AllowSingleHopExits, ClientDNSRejectInternalAddresses,
      CloseHSClientCircuitsImmediatelyOnTimeout,
      CloseHSServiceRendCircuitsImmediatelyOnTimeout,
      ExcludeSingleHopRelays, FastFirstHopPK, TLSECGroup,
      UseNTorHandshake, and WarnUnsafeSocks.
    - The *ListenAddress options are now deprecated as unnecessary: the
      corresponding *Port options should be used instead. These options
      may someday be removed. The affected options are:
      ControlListenAddress, DNSListenAddress, DirListenAddress,
      NATDListenAddress, ORListenAddress, SocksListenAddress,
      and TransListenAddress.
  o Documentation:
    - Add module-level internal documentation for 36 C files that
      previously didn't have a high-level overview. Closes ticket #20385.
@ -630,16 +609,19 @@ into the ReleaseNotes file before stable.]
      ticket 19153. Patch from "U+039b".
    - Module-level documentation for several more modules. Closes
      tickets 19287 and 19290.
-
+    - Document the --passphrase-fd option in the tor manpage. Fixes bug
-  o New system requirements:
+      19504; bugfix on 0.2.7.3-rc.
-    - Tor now requires Libevent version 2.0.10-stable or later. Older
+    - Document the default PathsNeededToBuildCircuits value that's used
-      versions of Libevent have less efficient backends for several
+      by clients when the directory authorities don't set
-      platforms, and lack the DNS code that we use for our server-side
+      min_paths_for_circs_pct. Fixes bug 20117; bugfix on 02c320916e02
-      DNS support. This implements ticket 19554.
+      in tor-0.2.4.10-alpha. Patch by teor, reported by Jesse V.
-    - Tor now requires zlib version 1.2 or later, for security,
+    - Fix manual for the User option: it takes a username, not a UID.
-      efficiency, and (eventually) gzip support. (Back when we started,
+      Fixes bug 19122; bugfix on 0.0.2pre16 (the first version to have
-      zlib 1.1 and zlib 1.0 were still found in the wild. 1.2 was
+      a manpage!).
-      released in 2003. We recommend the latest version.)
+    - Fix the description of the --passphrase-fd option in the
      tor-gencert manpage. The option is used to pass the number of a
      file descriptor to read the passphrase from, not to read the file
      descriptor from. Fixes bug 19505; bugfix on 0.2.0.20-alpha.
  o Removed code:
    - We no longer include the (dead, deprecated) bufferevent code in