x86_64-unknown-linux-gnux32 no longer works with 0.4.5 #311

Closed
trinity-1686a opened this issue Jun 27, 2024 · 1 comment · Fixed by #312

@trinity-1686a

x86_64-unknown-linux-gnux32 compiled fine with 0.4.4, but no longer does with 0.4.5.

I don't actually use that target, but it happened to be in our CI, so I'm letting you know.

error[E0308]: arguments to this function are incorrect
  --> src/biguint/addition.rs:52:17
   |
52 |         carry = adc(carry, *a, *b, a);
   |                 ^^^        --  --  - expected `&mut u64`, found `&mut u32`
   |                            |   |
   |                            |   expected `u64`, found `u32`
   |                            expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/addition.rs:13:4
   |
13 | fn adc(carry: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ---------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
52 |         carry = adc(carry, (*a).into(), *b, a);
   |                            +  ++++++++
help: you can convert a `u32` to a `u64`
   |
52 |         carry = adc(carry, *a, (*b).into(), a);
   |                                +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/addition.rs:57:21
   |
57 |             carry = adc(carry, *a, 0, a);
   |                     ^^^        --     - expected `&mut u64`, found `&mut u32`
   |                                |
   |                                expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/addition.rs:13:4
   |
13 | fn adc(carry: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ---------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
57 |             carry = adc(carry, (*a).into(), 0, a);
   |                                +  ++++++++

warning: formatting may not be suitable for sub-register argument
  --> src/biguint/division.rs:48:18
   |
48 |             "div {}",
   |                  ^^
49 |             in(reg) divisor,
   |                     ------- for this argument
   |
   = help: use `{0:e}` to have the register formatted as `eax` (for 32-bit values)
   = help: or use `{0:r}` to keep the default formatting of `rax` (for 64-bit values)
   = note: `#[warn(asm_sub_register)]` on by default

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:48:18
   |
48 |         borrow = sbb(borrow, *a, *b, a);
   |                  ^^^         --  --  - expected `&mut u64`, found `&mut u32`
   |                              |   |
   |                              |   expected `u64`, found `u32`
   |                              expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
48 |         borrow = sbb(borrow, (*a).into(), *b, a);
   |                              +  ++++++++
help: you can convert a `u32` to a `u64`
   |
48 |         borrow = sbb(borrow, *a, (*b).into(), a);
   |                                  +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:53:22
   |
53 |             borrow = sbb(borrow, *a, 0, a);
   |                      ^^^         --     - expected `&mut u64`, found `&mut u32`
   |                                  |
   |                                  expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
53 |             borrow = sbb(borrow, (*a).into(), 0, a);
   |                                  +  ++++++++

error[E0308]: arguments to this function are incorrect
  --> src/biguint/subtraction.rs:75:18
   |
75 |         borrow = sbb(borrow, *ai, *bi, bi);
   |                  ^^^         ---  ---  -- expected `&mut u64`, found `&mut u32`
   |                              |    |
   |                              |    expected `u64`, found `u32`
   |                              expected `u64`, found `u32`
   |
   = note: expected mutable reference `&mut u64`
              found mutable reference `&mut u32`
note: function defined here
  --> src/biguint/subtraction.rs:13:4
   |
13 | fn sbb(borrow: u8, a: u64, b: u64, out: &mut u64) -> u8 {
   |    ^^^ ----------  ------  ------  -------------
help: you can convert a `u32` to a `u64`
   |
75 |         borrow = sbb(borrow, (*ai).into(), *bi, bi);
   |                              +   ++++++++
help: you can convert a `u32` to a `u64`
   |
75 |         borrow = sbb(borrow, *ai, (*bi).into(), bi);
   |                                   +   ++++++++

For more information about this error, try `rustc --explain E0308`.
warning: `num-bigint` (lib) generated 1 warning
error: could not compile `num-bigint` (lib) due to 5 previous errors; 1 warning emitted
@cuviper
Member

cuviper commented Jun 27, 2024

I see, #300 made a bad assumption that "x86_64" always uses 64-bit digits, when we actually follow target_pointer_width. It might actually be desirable for x32 to use 64-bit digits, since it does have 64-bit ALU, but for the time being I'll just fix up these add/sub cfgs.
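
The mismatch described in the comment above, as an added example that is neither num-bigint's code nor the fix in #312: the digit type follows `target_pointer_width`, so a 64-bit intrinsic path has to be gated on the architecture and the digit width together. The names `BigDigit`, `digit_bits`, `adc` and `add_assign_digits` are assumptions made for this example.

```rust
// Added example, not num-bigint's source. `BigDigit`, `digit_bits`, `adc`
// and `add_assign_digits` are names chosen for this illustration.

/// Digit width follows the pointer width. The x32 ABI reports
/// target_arch = "x86_64" with target_pointer_width = "32", so it gets
/// 32-bit digits even though the CPU has 64-bit registers.
#[cfg(target_pointer_width = "64")]
pub type BigDigit = u64;
#[cfg(not(target_pointer_width = "64"))]
pub type BigDigit = u32;

/// Width of one digit in bits on the current target.
pub fn digit_bits() -> u32 {
    BigDigit::BITS
}

/// 64-bit add-with-carry intrinsic. Gating this on target_arch = "x86_64"
/// alone selects it on x32 as well, where the digits are u32, which is the
/// `expected u64, found u32` failure shown in the report. Requiring both
/// conditions keeps the signature in step with `BigDigit`.
#[cfg(all(target_arch = "x86_64", target_pointer_width = "64"))]
#[inline]
#[allow(unused_unsafe)] // the intrinsic is a safe fn on newer toolchains
fn adc(carry: u8, a: u64, b: u64, out: &mut u64) -> u8 {
    unsafe { core::arch::x86_64::_addcarry_u64(carry, a, b, out) }
}

/// Portable add-with-carry for every other target, x32 included.
/// At most one of the two additions can overflow, so OR-ing the flags is exact.
#[cfg(not(all(target_arch = "x86_64", target_pointer_width = "64")))]
#[inline]
fn adc(carry: u8, a: BigDigit, b: BigDigit, out: &mut BigDigit) -> u8 {
    let (s1, c1) = a.overflowing_add(b);
    let (s2, c2) = s1.overflowing_add(carry as BigDigit);
    *out = s2;
    (c1 | c2) as u8
}

/// Adds `b` into `a` (little-endian digits, `a` at least as long as `b`)
/// and returns the carry out of the top digit. The two call shapes are the
/// ones the compiler flags in the report: `adc(carry, *a, *b, a)` and
/// `adc(carry, *a, 0, a)`.
pub fn add_assign_digits(a: &mut [BigDigit], b: &[BigDigit]) -> u8 {
    assert!(a.len() >= b.len(), "destination must not be shorter than source");
    let (lo, hi) = a.split_at_mut(b.len());
    let mut carry = 0u8;
    for (x, y) in lo.iter_mut().zip(b) {
        carry = adc(carry, *x, *y, x);
    }
    for x in hi {
        if carry == 0 {
            break;
        }
        carry = adc(carry, *x, 0, x);
    }
    carry
}

fn main() {
    let mut a = [BigDigit::MAX, 0];
    let carry = add_assign_digits(&mut a, &[1]);
    println!("{}-bit digits: {:?}, carry out {}", digit_bits(), a, carry);
}
```

Running `cargo check --target x86_64-unknown-linux-gnux32` in CI (with that target installed) is what catches a regression of this kind, as it did in the report.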

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 1, 2024
# Arti 1.3.0 - 31 October 2024

Arti 1.3.0 is a significant milestone: we have achieved parity on most
major client features with C Tor.  The last big security feature needed for
Onion Services (resistance to out-of-memory DoS) landed in this release.
And, in Arti client 1.3.0, connecting to `.onion` domains is enabled by
default.

Much other major work is taking place, too!  We have continued our work on
Arti Relay.  The work-in-progress RPC system is significantly more clearly
defined and implementation is proceeding.

### Breaking changes

 * **Reject (managed) pluggable transport on non-localhost address:** If a
   pluggable transport we spawn tells us it is listening on a non-localhost
   address, reject that transport, since this is almost certainly a
   security risk.  (The goal is to detect buggy PTs.  We aren't aware of
   any such PTs.)  ([!2454], [#1636])

 * **API:** Several methods (mostly in `tor-chanmgr` and `tor-proto`)
   take new memory quota tracking arguments.  If memory tracking is not
   required, you can create a no-op memory quota account with
   `SpecificAccount::new_noop()` or `Account::new_noop()`.

 * **API:** New API for `tor-socksproto`, which is more robust and avoids
   many kinds of misuse, including bugs like TROVE-2024-010.  The old
   `.handshake` method is still available, but deprecated, and now part of the
   new `Handshake` trait.  ([#1590], [#1627], [#1592], [!2436])

 * **API:** Many places where a `SleepProvider` bound was used now also
   require `CoarseTimeProvider`.  In-tree `SleepProvider`s all implement
   `CoarseTimeProvider`, so for most callers this can be fixed by
   propagating the bounds.  ([!2482])

 * **cargo features:** Some cargo features of lower-layer crates are no
   longer enabled by implication by higher-layer crates.  External callers
   may need to add feature requests to `Cargo.toml`s.  ([!2498])

### Major new features

 * **Support memory quota tracking.**  (Feature compiled in by default.)
   Specifically: Arti can now try to limit the amount of memory it uses for
   data that might be originated by untrusted parties.  This is currently
   useful as a DoS resistance measure for Hidden Services (`.onion`
   services).  To actually enable this, a specific limit must be imposed in
   the `[system]` section of the Arti configuration.  ([!2459], [!2461],
   [!2484], [!2493], [!2508], [!2509], [!2518], [!2531], [!2536], [!2537], [!2545],
   [!2555], [!2560], [!2569], [#1682], [#351])
 * **Enabled connecting to `.onion` addresses (Hidden Services) by
   default,** by making `allow_onion_addrs` default to `true` in the
   configuration.  (This is appropriate now that we have Vanguard support.)
   ([#1402], [!2506])

### Bugfixes

 * Fixed the build of `arti-client` with just the features `experimental-api`
   and `onion-service-client` enabled.  ([!2457], [#1638])
 * Fixed the build on FreeBSD.  ([!2533], [#1686])
 * Fixed the build on NetBSD.  ([!2540], [rust-pwd-grp#4], [rust-pwd-grp!25])
 * Fixed config file watching (file notifier) on non-Windows platforms
   without inotify.  ([!2547], [#1644], [notify-rs#644])
 * Fixed a bug that rendered Arti unable to connect to the Tor network
   when built with certain library combinations.
   This could occur
   when an out-of-tree user of the Arti libraries ends up enabling
   `time-rs`'s `large-dates` cargo feature, by replacing `simple_asn1`
   dependency with `der-parser` in `tor-llcrypto`.  ([!2462], [#1632],
   [simple_asn1#34], [simple_asn1!35], [time-rs#683])
 * Fixed the logging of backtraces, when an internal error occurs.
   (Bug first appeared in Arti 1.2.7.)  ([!2588], [#1713])
 * Removed a false claim that we don't support pluggable transports.  ([!2507])
 * Documented the `vanguards` cargo feature flag.  ([!2507])

### Other user-facing improvements

 * Warn if we're configured to listen for SOCKS or DNS queries on a
   non-localhost address, or if we're configured to use an
   externally-managed pluggable transport with a non-localhost address.
   These are very questionable configurations, but there may be unusual
   situations where this is a sensible setup.  ([!2454], [#1636])
 * Use new "restricted discovery" terminology throughout (for Hidden
   Services, aka `.onion` services), replacing previous (misleading)
   "client authorization".  ([!2495], [#1476])
 * Experimental ability to read private keys from C Tor's on-disk keystore.
   ([!2481], [!2514])
 * Experimental proof-of-work client-side support for Hidden Services
   (`.onion` services).  ([!2486], [!2026])

### New library and API features

 * Added `general::SocketAddr` type for unifying IP and AF\_UNIX (and
   potentially other) sockets.  ([!2519], [#1681], [!2553], [!2554], [#1701],
   [!2592])
 * Added type-erased `DynTimeProvider` in `tor-rtcompat`.  ([!2460], [!2500])
 * Added `SinkTrySend` and `SinkCloseChannel` traits, making the
   functionality of `mpsc::Sender::try_send` and `::close` available as a
   trait method and implementable for other types.  ([!2468], [!2485], [!2490])
 * Added `SometimesUnboundedSink::as_inner` method.  ([!2483])
 * Guarantee that `Slug`s will never contain colons (`:`), and explain why.
   ([!2576])
 * Moved `tor-config`'s `path` module to a new crate `tor-config-path`.
   ([!2590])
 * Added `default-runtime` feature in `arti`, to simplify building without
   default features.  ([!2551])

### Relay development

 * Support multiple channels for a single relay ID.  ([!2442], [#1633])
 * Improved channel selection code.  ([!2477], [#1602], [!2544])
 * Much other cleanup and refactoring in `tor-chanmgr`.  ([!2523], [!2538],
   [#1654], [!2566])
 * Made `arti-relay` be a binary crate only, for now at least, and abolish
   the `relay` subcommand of the main `arti` CLI.  ([!2525], [#1674], [!2542])

### RPC system development

 * Reorganised RPC documentation; soon it will be a mdbook.  ([!2581])
 * Improved documentation for writing RPC callers, including a new Python
   tool to build RPC method and type documentation.  ([!2479], [!2489],
   [!2574])
 * Finalised specifications for how RPC clients should find the Arti RPC
   server, how the server should decide where to listen, and how
   authentication will be done.  ([!2439], [!2440], [!2439], [#1521], [!2563],
   [#1702], [!2582], [#1711])
 * Finalised specifications for version compatibility (interworking of
   newer/older Arti with newer/older RPC clients).  ([!2475], [#1634], [!2510],
   [#1665], [!2511], [#1662], [!2512])
 * Improvements to error handling, especially in the client library.
   ([!2556])
 * Improved and clarified objectid/isolation rules in SOCKS interaction.
   ([!2474], [torspec!292], [proposal 351], [socks-extensions.md])
 * Clarified (and weakened) guarantees provided on request cancellation.
   ([!2564], [#818])
 * Changed `release` method to be a method on the object itself.  ([!2573],
   [#1663])
 * Other specification fixes/improvements.  ([#1678], [!2539])
 * Fixed the shared library extension on OSX and Windows.  ([!2469])
 * Removed the `Echo` testing/demo method.  ([!2549], [#1525])
 * Started a Python client API, and adopted it for some integration
   tests.  ([!2515], [#1295], [!2567])
 * Reduced the dependencies of the client library.  ([!2522], [!2524])
 * Internal cleanups.  ([!2456], [#1587], [!2558])

### Documentation

 * Clarified `launch_onion_service_with_hsid()`.  ([!2494], [#1626])
 * Use new "circuit stem" terminology.  ([#1479], [!2410])
 * Added missing docs for `keypair_specifier`.  ([!2532])

### Testing

 * Much better testing for the CircMgr.  ([!2444], [!2513])
 * Fixed the flaky `circuit::test::accept_valid_sendme` CI test.  ([!2501])
 * Added more miri tests.  ([!2502])
 * Avoid writing `_ => panic!()` even in tests.  ([!2534])
 * Allow more precise testing of conditional compilation which affects the
   configuration reader.  ([!2561])
 * Updated to the latest version of Shadow.  ([!2585], [shadow!3428], [!2587])
 * Include more output from Shadow in CI artifacts.  ([!2586])
 * Pin the version of Chutney used in Shadow tests to make arti.git CI more
   hermetic.  ([!2596])

### Cleanups and housekeeping

 * Updated the list of fallback directories. Clients use these to fetch
   directory information when they have no cached directory or guard
   nodes.  ([!2589])
 * Updated some previous entries in `CHANGELOG.md` to more fully document
   changes in `tor-circmgr` 0.23.0.
 * Now we run a typechecker, linter, and autoformatter, on all our Python
   scripts (and fix the issues identified).  ([!2476], [!2578], [!2579],
   [#1689], [!2584])
 * Minor cleanups and reformatting in `tor-key-forge`.  ([!2552])
 * Commented out (temporarily) ill-shaped `RelaySigningKeySpecifier`.  ([!2527])
 * Reduced the number of "unused" warnings arising from conditional
   compilation (eg, cargo features).  ([!2431], [!2463], [#1645], [!2551])
 * In `Cargo.toml`, avoid updating to a `typed-index-collections` which
   would break our MSRV by requiring Rust 1.81.  ([!2471], [#1647])
 * Tidied up the sealing of a pair of traits.  ([!2472])
 * Use `{u64,usize}::div_ceil` where applicable.  ([!2473])
 * Now we avoid some warnings about certain elided lifetimes.  ([!2478], [!2575])
 * Fixed docs-rs cargo feature decorations on certain items.  ([!2487])
 * Forbid hard tabs (in most files) in tree.  ([!2488])
 * Fixed `no_default_features = true` typo in many `Cargo.toml`.  ([!2498])
 * Bumped dependency requirements for `futures-*` and `notify`.  ([!2499])
 * Fixed indentation in a doc comment to address a new clippy lint.  ([!2516],
   [!2520])
 * Changed to depend on `slotmap-careful` instead of `slotmap`.  ([!2530],
   [#1531])
 * Abolished unneeded use of `python-is-python3` package in CI.  ([!2535])
 * Reinstated the `tor-proto` circuit hop check in `test_create()`.  ([!2546])
 * Updated download size numbers (for Project 101 Q3-2024).  ([!2571])
 * Simplified `tor-config` path handling by using `path` feature of
   `shellexpand`.  ([!2583])
 * Work around a bug in `cargo license` by permitting a weird licence
   string.  ([!2591], [cargo-license#78])
 * Removed an obsolete TODO.  ([!2562])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Morgan, and Neel Chauhan.
Also, our welcome to Clara Engler as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.8 — 1 October 2024

Arti 1.2.8 continues development on onion services,
the RPC subsystem, key management, and relay infrastructure.
It also includes fixes for two security issues in
handling the SOCKS protocol, the most severe of which is rated at
"medium" according to our [security policy].

Arti 1.2.8 also increases our MSRV (Minimum Supported Rust Version)
to 1.77, in accordance with our [MSRV policy].

### Breaking changes

- Arti now requires Rust 1.77 or later. ([!2421], [!2451])
- The `arti hsc` subcommand is now gated behind the experimental `hsc`
  feature until it is ready for general use. ([ab41a9d330ed1db])

### Security fixes

- Temporarily reject attempts to send optimistic data before
  the SOCKS handshake is complete.
  Previously, we would discard data in this case,
  which has the potential to cause mis-framing bugs that could enable
  cross-protocol attacks under some circumstances.
  This is tracked as TROVE-2024-010.
  We intend to add full support for optimistic data soon;
  this is a temporary workaround.
  ([#1627], [!2443])
- Prevent an infinite loop that could occur in our SOCKS code
  if a local connection was closed at the wrong time.
  This is tracked as TROVE-2024-011.
  ([#1635], [!2447])

### Breaking changes in lower-level crates

- The `tor-bytes` crate now reports `Incomplete` rather than `Truncated`
  for most reader types. ([#1614], [!2407])
- Removed some deprecated code in `tor-hsservice`. ([7a838da0ff2359f9])
- The "ephemeral keystore" feature in `tor-keymgr` is now marked as
  experimental, and available behind an `ephemeral-keystore` feature.
  ([!2426])
- The `tor-rtcompat` crate now supports AF_UNIX sockets,
  and provides a more generic API
  for opening and listening for network streams.
  To this end, several of its APIs have been renamed or refactored,
  and the `Runtime` trait now depends on more supertraits.
  ([#1152], [!2437])
- In `tor-rtcompat`, `TcpListener::accept()` no longer exists.
  Use `NetStreamListener::incoming()` instead.
  ([168f55df05f4b56f])
- In `arti-client`, the type for `StorageConfig::keystore` has changed.
  ([5e4e7b69b8cd2791])
- In `tor-circmgr`, the `CircMgr` `reload_persistent_state`,
  `store_persistent_state`, and `upgrade_to_owned_persistent_state` functions
  have been removed. ([!2420])
- In `tor-circmgr`, the function `CircMgr::new` now returns a `CircMgr` rather
  than an `Arc<CircMgr>`. ([!2420])
- In `tor-circmgr`, the deprecated `CircMgr::update_network_parameters`
  function has been removed. ([!2420])
- In `tor-hsservice`, numerous types related to initialization and status
  have been renamed or refactored.
  ([!2397], [!2413])
- In `tor-keymgr`, several types have been renamed.
  ([5e4e7b69b8cd279], [80095da1aa47978])
- In `tor-netdir`, several test-network construction callbacks
  now take an extra parameter.
  ([b2b75302ab095bc])

### Onion service development

- Remove the number of cases in which an onion service needs to know
  its secret identity key `KS_hs_id`.
  This will help with implementing offline key support.
  ([#1194], [!2393])
- Add support for adding externally generated keys;
  this will also help with offline key support.
  ([#1613], [!2396])
- Report onion service status correctly based on upload results.
  This includes major refactoring to onion service status reporting,
  and significant tests.
  ([#1572], [!2397])
- Remove setting for non-anonymous ("single onion") services.
  We don't actually support them yet.
  ([!2413])
- Defer generating service identity keys (`K_hs_id`)
  until the service is actually launched.
  This allows tools like `onion-name` to check whether these keys are present.
  ([!2417])
- The `arti hss onion-name` subcommand now has support for generating
  identity keys on demand. ([#1621], [!2419])
- Experimental support for launching onion service with user-provided
  identity keys. ([#1612], [!2402])
- Allow arti to run with onion services only, and SOCKS/DNS ports disabled.
  ([#1569], [!2423])
- Move onion service client key management functionality
  into a new `arti hsc key` sub-command,
  which supports key inspection, rotation, and deletion.
  The old `arti hsc get-key` subcommand is now deprecated.
  ([#1475], [!2432], [!2435])
- Support making an `InertTorClient` with an ephemeral key manager.
  ([#1610], [!2394])
- The "default" keystore has been renamed to "primary".
  ([!2438])

### Relay development

- Give `TorRelay` an instance of `ChanMgr` to keep track of open channels.
  ([!2361])
- Continued development on memory-quota support,
  to prevent memory-based denial-of-service attacks
  against relays and onion services. ([!2374], [!2404])
- New `tor-key-forge` crate
  for defining specific key and keypair wrappers,
  for use with relay keys.
  ([#1137], [#1619], [!2356], [!2430], [!2433])
- Define a set of high-level error wrappers for use by the `TorRelay` code.
  ([!2392])
- The channel manager now has (partial) support for receiving and handling
  incoming channels. ([!2389])
- Initial key generation and management support for relays.
  ([#1604], [!2411])
- Move Arti's (in-progress) `relay` subcommand to its own module. ([!2455])

### RPC development

- Add support throughout the RPC stack
  for opening data streams and registering them with the RPC system,
  using the protocol developed in [proposal 351].
  ([#1524], [!2373], [!2401], [!2406], [!2409], [!2434], [!2452])
- Update RPC specification draft to match current reality and plans.
  ([!2386], [!2453])
- Refactor the way that the RPC service handles errors,
  to ensure that framing errors are never silently tolerated,
  and other errors are handled uniformly.
  ([#1591], [!2400])
- Expose a list of object delegation types,
  to make it possible to generate full documentation
  of which objects support which methods.
  ([#1624], [!2418])
- Add a (work-in-progress! unstable! experimental!) Python wrapper
  for our similarly unstable RPC client library.
  ([!2446])

### Testing

- Partially fix test nondeterminism in the `reload_cfg::watch_single_file` test.
  ([#1549], [!2375], [!2391])
- Improve performance for the `reload_cfg::watch_multiple` test.
  ([#1589], [!2387])
- [Chutney] network integration tests are now
  run inside the [Shadow] discrete event simulator.
  ([!2427])

### Documentation

- Typo fixes in our documentation. ([!2403])
- Improved documentation for onion service descriptor publication.
  ([#1216], [b87b9f44ae05d4f0])
- Clean up documentation for `InertTorClient`. ([!2414])
- Clarify behavior of `ArtiEphemeralKeystore`. ([!2424])
- New example: running an axum router as an onion service.
  ([!2445])
- Add an example for an onion service's `reject` option to our
  sample configuration ([!2458])

### Infrastructure

- Clean-ups to CI jobs that generate debian packages.
  ([!2368])
- Adjust exceptions for `downgrade-dependencies` script.
  ([!2398], [!2451], [cf7f25851ac0319f])

### Cleanups, minor features, and bugfixes

- Move Arti's `proxy` subcommand to its own module. ([!2416])
- Clean up needless abstraction, and add smarter abstraction,
  to make `tor-circmgr` easier to test.
  ([!2412], [!2420])
- When encountering truncated data, the `tor-bytes` crate now
  gives a lower-bound estimate for how much more data would be needed
  in order to produce a successful parse. ([!2390])
- The `tor-bytes` crate now tracks whether its inputs are possibly
  incomplete, and only reports "Truncated" data as a recoverable error
  on possibly incomplete data.
  This helps to prevent a category of bug
  (which it appears our code doesn't actually have)
  where we might erroneously
  keep reading more data without limit.
  ([#1614], [!2407])
- Fix a bug in our SOCKS handling
  that would cause us to exceed the bounds of a buffer,
  causing the SOCKS task to exit with a panic.
  ([dceeb82f7d115489])
- Upgrade to the latest versions of `float-cmp` and `derive-more`.
  ([!2450])
- Keystore configuration options have been significantly revised;
  there is now a `keystore.primary.kind` option
  to configure the primary keystore.
  ([!2441])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Adam Joseph, Alexander Hansen Færøy, Anonym, Morgan,
Pier Angelo Vendrame, Steven Engler, tidely, and Wesley Aptekar-Cassels.
Also, our welcome to Wesley Aptekar-Cassels as they join the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.7 — 3 September 2024

Arti 1.2.7 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Breaking changes in lower-level crates
- In [`tor-hsservice`],
  `OnionServiceProxyConfigBuilder` no longer derives `Eq` and `PartialEq`,
  and `DescEncryptionConfig`, `DescEncryptionConfig`,
  `AuthorizedClientConfig`, and `AuthorizedClientParseError` are removed.
  ([!2266])
- In [`tor-ptmgr`], `PtClientMethod` is now exported from the top-level.
  ([5774dd456265ef4cb8771342538a07ba76e5a5d9])

### RPC development
- Expose the OS errno of the FFI error types that have one. ([!2311])
- Fix typos in an FFI comment. ([!2310])
- Always re-encode requests and responses, and preserve unrecognized struct fields.
  ([#1491], [!2312])
- Expose the object ID for the session object. ([!2318])
- Use `JsonValue` to re-encode responses and requests.
  ([#1512], [#1511], [!2315])
- Add support for request handles in our FFI code. ([!2317])
- Add an unstable RPC method to list every RPC method. ([!2332])
- Build [`arti-rpc-client-core`] as a C dynamic library. ([!2331])
- Use more sophisticated handling for `ConnectionError`s in `arti-rpcserver`.
  ([#1517], [!2335])
- New `slotmap-careful` crate to use when we mustn't re-use keys. ([!2298])
- Rename various identifiers in our FFI code. ([!2344])
- Use the new `slotmap-careful` instead of `generational-arena` in
  `arti-rpcserver`. ([#1282], [!2343])
- Implement RPC method delegation support. ([#1523], [!2342])
- Allow simultaneous calls to `arti_rpc_handle_wait()`.
  ([#1532], [!2360])
- Add experimental method to list SOCKS proxy addresses. ([#1523], [!2359])

### Relay development
- Add initial support for relay configuration. ([#1534], [!2352])

### Internal cleanup and refactoring
- Major refactoring to the `tor-proto` circuit reactor code,
  which simplifies the implementation and will enable us to support
  opportunistic packing for [proposal 340].
  Introduce `StreamPollSet` for polling streams in priority order.
  ([!2285], [#1513], [!2319], [!2334])
- Refactoring in our key management code to prevent accidental misuse
  of relative key paths. ([#1494], [!2291])
- Refactor `KeyedFuturesUnordered` so that the underlying futures
  are accessible. ([!2321])
- Allow access to the inner streams of `StreamPollSet`,
  refactor `StreamMap` ([#1421], [!2326], [!2333]).
- Make `GuardMgr` mandatory throughout our circuit management code.
  ([#1465], [!2339], [!2347])
- Encapsulate flow-control into a separate object,
  abstracting away the difference between window-based (legacy) flow control and
  xon-based ([proposal 324]) flow control. ([!2340], [!2358])
- Introduce a `PeekableStream` trait to get rid of redundant buffering.
  ([!2345])

### Onion service development
- Implement hidden service restricted discovery mode (previously known as
  "client authorization"). ([#1292], [!2266], [!2336], [!2316])
- Add support for live-reloading the restricted discovery configuration.
  ([#1505], [!2329], [!2353], [!2369])
- Provide an MPSC queue with memory quota tracking. ([#351], [!2292])
- Make arrangements in `tor-memquota` for memory tracking to be optional,
  and gate `MemoryQuotaTracker::new` behind the `memquota` feature.
  ([!2351])

### Minor features
- Stop requiring the TRANSPORT key in pluggable transport STATUS messages.
  ([#1488], [!2307])
- In [`fs-mistrust`], add a `CheckedDir::metadata()` function
  for retrieving file metadata.
  ([72c3a1a661284844806b34e9ca5e81a43b8d0913], [!2324])
- In [`tor-ptmgr`], make managed pluggable transports optional.
  ([#1334], [!2354])
- Add an `InertTorClient` for accessing client state. ([#1496], [!2370],
  [!2314])
- Move `tor_async_utils::oneshot` into a new [`oneshot-fused-workaround`] crate.
  ([!2371], [!2383])

### Testing
- Make the `hsc` subcommand documentation serve as a test case. ([!2304])
- In the expected output of the CLI tests,
  match any number of lines in the `-c` help.
  ([#1509], [!2313])
- Fix broken reference to `apt-install` script in the Shadow integration tests.
  ([!2309])
- Add a Shadow integration test for restricted discovery mode. ([#1292],
  [!2272])
- Don't explicitly set `storage.keystore.enabled` in the Shadow CI tests.
  ([222b0eae48ae88d1a64cf5f0c11e662bf61dda4d])
- Test `cbindgen` correctness in CI. ([#1502], [!2320], [!2322], [!2330])
- Add `LogState` tests in `tor-log-ratelim`. ([!2349])
- Fix `arti_socket_closed` RPC test, which was previously flakey on OSX.
  ([#1510], [!2348])
- Add an arti obfs4 managed pluggable transport client and a tor obfs4
  server to the Shadow CI tests ([#1538], [!2355]).
- Temporarily disable a flaky configuration watcher test. ([!2364])
- Add circuit reactor test for stream handling fairness. ([!2365])
- Rewrite the `hsc` tests using `InertTorClient`.
  ([#1496], [1d3e59f2e9572a9710de2c2a9c925c5c38a6874c])
- Set the `COLUMNS` env var in the CLI tests.
  ([#1574], [f1779cfbb3e27b04ba3cca9206170f1e1ea904db])

### Documentation
- Remove obsolete documentation from [`tor-proto`]. ([!2366])
- Discourage use of `tor_rtmock_test_with_*` macros. ([!2372])

### Infrastructure
- Add a few more Tor employees to exclude from our acknowledgments. ([!2306])
- Remove the no-longer-necessary `--cfg docsrs` flag from our rustdoc invocation.
  ([!2308])
- Fix handling of items ending in `;` in `check_doc_features`
  maintenance script. ([!2316])
- Use the `via-cargo-install-in-ci` maintenance script to cache `grcov`
  in the `coverage-aggregated` job. ([!2325])
- Add initial support for building an Arti deb package. ([!2323], [!2367])
- Add script for testing without any features enabled.
  ([7a9bf49870533cc052b12680336f067f77d87b34])
- Run tests of every crate, with all features disabled. ([!2350])
- Explicitly specify the deployment target of macOS to 10.7
  to fix the failing `build-repro-macos` job.
  ([#1394], [#1507], [!2377], [!2346])
- Rename "Sponsor 101" to "Project 101". ([!2379])

### Cleanups, minor features, and bugfixes
- Make `arti hss onion-name` return a non-zero status if the service doesn't
  exist. ([!2305])
- Use `std::backtrace` instead of the [`backtrace`] crate. ([!2301])
- Add missing `docsrs` `cfg_attr` to fix a `cargo doc` warning. ([!2337])
- Resolve `unreachable_patterns` warnings from nightly. ([!2338])
- Make `blind_keypair` build without the `hsv3-client` feature.
  ([#1504], [!2341])
- Move `Qty` to [`tor-basic-utils`] as `ByteQty` and significantly improve it.
  ([!2363])
- Move `stream_peek` to [`tor-async-utils`]. ([!2362], [!2357])
- Various typo fixes in comments and messages. ([!2380])

### Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander
Hansen Færøy, ambiso, Dimitris Apostolou, kn0sys, Kunal Mehta, NoisyCoil, opara,
Robin Leander Schröder, and Steven Engler.
Also, our welcome to Steven Engler as he joins the team!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.6 — 1 August 2024

Arti 1.2.6 continues development on onion service client authorization,
the RPC subsystem, and relay infrastructure.

### Security fixes

- Update `openssl` to avoid undefined behavior in `MemBio::get_buf`.
  ([RUSTSEC-2024-0357], [TROVE-2024-009], [#1495], [!2276])

### Major bugfixes

- When opening a SQLite directory cache in read-only mode, do not attempt to
  create it. This bug would sometimes prevent Arti from starting correctly
  when running multiple processes at once.
  ([#1497], [!2283])

### RPC development

- Initial work on a [wrapper library][arti-rpc-client-core]
  for invoking Arti RPC functionality from other processes.
  ([!2270], [!2277], [!2279])
- Initial work on [FFI support][arti-rpc-client-core-header]
  for invoking Arti RPC functionality from other languages.
  ([#737], [!2273])
- Clean up the RPC method dispatch implementation,
  remove some unneeded functions, and refactor the syntax
  for declaring error types. ([!2284])

### Relay development

- Infrastructure work for out-of-memory prevention.
  ([#351], [!2280], [!2281])

### Onion service development

- New `arti hsc` command for managing client state and keys for connecting
  to onion services. ([#1281], [#1291], [!2212], [!2257])
- Support parsing client restricted discovery (a.k.a. "client authorization") keys
  from C Tor's `descriptor:x25519:<base32-encoded-x25519-public-key>` key format.
  ([!2246])
- Ensure that `hsc` subcommand can build correctly with unusual combinations
  of features. ([!2254])
- Remove some unused code for publishing and authentication support.
  ([!2251])
- Add an `OnionServiceBuilder` API; deprecate `OnionService::new()`.
  ([#1490], [!2262])

### Minor features

- The obsolete and unused "TAP" keys are now optional
  when parsing network documents.
  This is phase one of [our plan][prop350] to eventually remove them entirely.
  ([!2227], [prop350])
- New `TorClient::wait_for_stop` method, for code that needs to wait
  until a TorClient instance has definitely shut down.
  ([#1418], [!2259], [!2278])
- In `tor-netdoc`, expose fields from `AnnotatedRouterDesc` and
  `RouterAnnotation` when `dangerous-expose-struct-fields` is set.
  ([#1469], [!2213])

### Testing

- Exclude `maint` and `examples` from coverage reports. ([!2256])
- More tests throughout RPC codebase. ([!2264])
- Improvements and clean-ups to circuit reactor tests. ([!2287])
- CLI tests for the `arti hss` and `arti hsc` subcommands. ([#1250], [!2275])

### Documentation

- Clarify meaning of `peer_cert` in `UnverifiedChannel`. ([!2260])
- Improve documentation for mocked time in `tor-rtmock`. ([!2286])

### Infrastructure

- Improvements in release process and utilities for managing the changelog.
  ([!2240])
- Fix gitlab CI to always use `amd64` architecture images.
  Previously, it would sometimes choose a docker image for the wrong
  architecture. ([!2249])
- Split and refactor reproducible-build CI job. ([!2252])
- Improvements to script for detecting crate ownership problems.
  ([#1485], [!2255])
- Script to make sure that every crate has a valid set of crates.io
  categories. ([#1481], [!2256])
- Move our commonly used rust maintenance scripts to a separate repository,
  imported with `git-subtree`. ([#1300], [!2267])
- In gitlab CI, pin the compiler version we use to build cargo-audit
  and some other tools. ([!2289], [!2290])


### Cleanups, minor features, and bugfixes

- Remove an unused constant from `equix`. ([!2243])
- Suppress and resolve a few warnings about documentation and dead code.
  ([!2244])
- Fix parsing time-periods from "key slug" identifiers. ([!2248])
- Fix error messages related to filesystem access failures,
  so that they do not all erroneously claim to be permissions failures.
  ([#1473], [!2253])
- Return correct error type when trying to extend a circuit via `ntor` to a
  relay with no known RSA identity. ([!2261])
- Fix a bug in the implementation of
  `ArtiNativeKeystore::contains()` that caused it to always return false.
  ([#1492], [!2274])
- Fixes for various new warnings from the nightly version of `clippy`.
  ([!2288])
- Disallow the error-prone `Path::exists()` function in our code,
  and use `try_exists()` instead. ([#1493], [!2293])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Clara Engler, Jim Newsome, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.5 — 27 June 2024

### Breaking

- `TorClientBuilder::create_*` now take `&self`.
  ([!2198])
- Stop publishing the obsolete `arti-hyper` crate.
  ([!2225], [#1204])

### Security fixes

- Update curve25519-dalek to avoid a low-severity timing vulnerability.
  ([TROVE-2024-007], [#1468], [!2211])
- With full vanguards, client rendezvous circuits
  do not reuse the final vanguard as the rendezvous point.
  ([TROVE-2024-008], [#1474], [!2230])

### RPC development

- New overview document, at the crate root for `tor-rpcbase`.
  ([!2210])
- Much improvement to method invocation arrangements.
  ([!2190])
- Change approach to method invocation on data-stream-like objects.
  ([!2192])

### Relay development

- Add skeleton, including (experimental): arti-relay crate,
  `relay` cargo feature in `arti-client`,
  `relay` command line argument to `arti`.
  ([!2182])
- Add a key material export facility for some of our TLS implementations.
  ([IETF RFC 5705], [#1432], [!2185])

### Bugfixes

- Tolerate removal of files from Arti's cache directory.
  Fixes
  `Bad permissions in cache directory: File or directory ${HOME}/.cache/arti/dir_blobs/... not found`.
  ([#1466], [!2200])
- Ensure that obsolete files are removed from Arti's cache directory.
  ([!2200])

### New features and other improvements

- Add `TorClientBuilder::local_resource_timeout` feature,
  asking Arti to wait (a short while) for a previous instance to exit.
  ([#1464], [!2198])
- Improve memory usage by disabling built-in X.509 root certificates
  when building `tor-rtcompat` with openssl.
  ([!2203], [#1027])
- Improve memory usage by limiting the batch size
  when reading directory information from the on-disk cache.
  ([!2202], [#1027])

### Documentation

- Documentation tweaks in `tor_persist::StorageConfig`.
  ([!2197])

### Testing

- Use a new version of [Shadow].
  ([!2195])
- Improvements to the tests to prevent a recurrence of
  [TROVE-2024-003] /
  [TROVE-2024-006].
  ([!2199])
- Stop build-testing the `gsoc2023/download-manager` example
  (it uses an obsolete version of `hyper` and the obsolete `arti-hyper` crate).
  ([!2225], [#1471])
- Fixes to test builds on macOS.
  ([#1394], [!2226], [#1472], [!2234])
- Disable test builds on x32 (the not-widely-used Linux x86_64 32-bit hybrid ABI)
  ([#1480], [!2235], [!2236],
  [num-bigint#311](https://github.com/rust-num/num-bigint/issues/311))

### Internal cleanup and refactoring

- Improve the path construction logic to try to help avoid future bugs like
  [TROVE-2024-003] and
  [TROVE-2024-004].
  ([#1459], [!2199], [!2205])
- Refactoring in the circuit reactor, including new `SometimesUnboundedSink`.
  ([!2172])
- Refactoring in the arti command line utility,
  pursuant to client support for hidden services with restricted discovery
  (previously misleadingly known as "client authorisation").
  ([!2206])
- Rename the internal type `OptTimestamp` to `AtomicOptTimestamp` in `tor-proto`.
  ([!2218], [#1412])
- Fix a rustdoc warning.
  ([!2215])
- Update to new syntax for [`derive-deftly`] 0.12.1.
  ([!2209])

### Infrastructure and support

- Portability improvement to the script for maintaining links in this changelog.
  ([!2194], [#1460])
- New script for checking crate ownership on crates.io.
  ([!2196], [!2201], [!2220], [#1462])
- Try to work around bugs where container systems
  use images of the wrong architecture.
  ([!2207],
  [docker](https://github.com/docker/cli/issues/2590),
  [podman](https://github.com/containers/podman/issues/22998))

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, pinkforest, and trinity-1686a!

Also, our deep thanks to
[Zcash Community Grants],
the [Bureau of Democracy, Human Rights and Labor],
and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.4 — 5 June 2024

Arti 1.2.4 continues development on onion services,
and on the RPC subsystem.

This release restores the `faravahar` directory authority, which has a new
location and keys.

We have also fixed two medium-severity security issues, tracked as [TROVE-2024-005]
and [TROVE-2024-006], respectively, and a number of other, smaller bugs.

[TROVE-2024-005] affects hidden service circuits using non-default vanguard
configurations (where the vanguard mode is set to 'disabled' or 'full'),
causing hidden service circuits to be built from circuit stubs that are
incompatible with the circuit target, and to have an incorrect length.

[TROVE-2024-006] affects hidden services and clients using non-default
vanguard configurations, where the vanguard mode is set to 'disabled', or that
have the `vanguards` feature compiled out. In some circumstances, this bug can
lead to building hidden service circuits that contain the same relay in
multiple positions.

Both issues make users of this code more vulnerable to traffic analysis when
running or accessing onion services.

### Network updates

- Restore the `faravahar` directory authority, with new location and keys.
  ([!2175])

### Major bugfixes

- Ensure that `DataWriter::close()` actually closes its associated stream.
  Previously, this `close()` method would have no effect until the
  `DataReader` was also dropped. ([#1368], [!2170])
- Fix a bug where the vanguard circuit stub selection code would fail to ensure
  that the last two hops of the selected circuit stub are different from the
  circuit target. ([#1417], [!2167], [!2181])
- Fix a medium-severity issue causing the hidden service circuit pool code to
  ignore the configured vanguard mode.
  This is also tracked as [TROVE-2024-005]. ([#1424], [!2168])
- Use `HasRelayIds::has_any_relay_id_from` to check for relay equality
  when checking if a circuit contains duplicate relays. ([!2181])
- Fix a medium-severity issue, which would, in some circumstances, cause
  hidden service circuits to be built without applying the necessary same-hop
  restrictions.
  This is also tracked as [TROVE-2024-006]. ([#1425], [!2179])
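
The following is an added example, not Arti's own code, of the kind of post-build path check these fixes describe: the stub has the expected length, no relay appears twice (comparing on any shared identity), and the target is not one of the stub's last two hops. `RelayIds`, `PathError`, `check_stub` and `sample_relay` are hypothetical names, and the expected length is a parameter because these notes do not state hop counts.

```rust
// Added illustration; all types and names here are hypothetical, not Arti's API.

/// Identities of one relay. Either may be unknown to us, so two relays are
/// "the same" if they share ANY known identity, not only if all fields match.
#[derive(Clone, Debug)]
pub struct RelayIds {
    pub ed25519: Option<[u8; 32]>,
    pub rsa: Option<[u8; 20]>,
}

impl RelayIds {
    /// True if `self` and `other` have at least one known identity in common.
    pub fn shares_any_id_with(&self, other: &RelayIds) -> bool {
        let ed = matches!((self.ed25519, other.ed25519), (Some(a), Some(b)) if a == b);
        let rsa = matches!((self.rsa, other.rsa), (Some(a), Some(b)) if a == b);
        ed || rsa
    }
}

/// Reasons a circuit stub must not be used for a given target.
#[derive(Debug, PartialEq, Eq)]
pub enum PathError {
    WrongLength { expected: usize, found: usize },
    DuplicateRelay { first: usize, second: usize },
    TargetNearStubEnd { hop: usize },
}

/// Validate a circuit stub before extending it to `target`.
///
/// Every failure is returned as an error, so the check still runs in release
/// builds (a `debug_assert!` would be compiled out there).
pub fn check_stub(
    stub: &[RelayIds],
    target: &RelayIds,
    expected_len: usize,
) -> Result<(), PathError> {
    // 1. The stub must have exactly the length the configured mode requires.
    if stub.len() != expected_len {
        return Err(PathError::WrongLength { expected: expected_len, found: stub.len() });
    }
    // 2. No relay may occupy two positions in the stub.
    for first in 0..stub.len() {
        for second in (first + 1)..stub.len() {
            if stub[first].shares_any_id_with(&stub[second]) {
                return Err(PathError::DuplicateRelay { first, second });
            }
        }
    }
    // 3. The last two hops of the stub must differ from the circuit target.
    let tail_start = stub.len().saturating_sub(2);
    for (hop, relay) in stub.iter().enumerate().skip(tail_start) {
        if relay.shares_any_id_with(target) {
            return Err(PathError::TargetNearStubEnd { hop });
        }
    }
    Ok(())
}

/// Constructed sample relay whose identities are all the byte `n`.
pub fn sample_relay(n: u8) -> RelayIds {
    RelayIds { ed25519: Some([n; 32]), rsa: Some([n; 20]) }
}

fn main() {
    let stub = [sample_relay(1), sample_relay(2), sample_relay(3)];
    // The target is the same relay as the stub's final hop, so this is rejected.
    println!("{:?}", check_stub(&stub, &sample_relay(3), 3));
}
```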

### Breaking changes in lower-level crates

- The `Channel` type in `tor-proto` has been significantly refactored:
  it is now always wrapped in an explicit `Arc`, it no longer implements
  `Sink` on its own, and it can no longer be used to send raw cells
  from outside the `tor-proto` crate. ([!2163])
- `HsCircPool::reconfigure` has been removed.
- `VanguardConfig` and `VanguardConfigBuilder` are now reexported from
  the root of the `tor-guardmgr` crate. ([!2146])
- `SshKeyData` is now an opaque type.
- `SshKeyData::into_public` and `SshKeyData::into_private` have been removed.

### Deprecated functionality

- The `arti-hyper` example crate is now deprecated and unmaintained.
  ([!2127])

### Onion service development

- Major refactoring to reduce technical debt in key manager code.
  ([#1362], [#1367], [!2131], [!2141])
- Address various pending "TODO" items in the vanguard code.
  ([!2139])
- Adjust terminology for vanguard stub circuits. ([#1339], [!2161])
- Add tests for vanguard configuration, and configuration backend logic as
  needed to simplify some of the vanguard configuration code. ([!2146])

### RPC development

- Expose methods on TorClient to get and observe the status of the client
  object. ([#1384], [!2110], [!2130])
- Infrastructure to allow the RPC system to interact with SOCKS streams,
  provide them with context, and name them as RPC objects.
  ([!2143])
- Based on difficulties encountered with earlier RPC development,
  add an improved facility for RPC methods that can be invoked internally
  without serializing their inputs and outputs. ([#1403], [!2152])
- Enforce consistent style and formatting on RPC method names. ([#823], [!2149])
- Other miscellaneous lower-level improvements to the RPC type
  system. ([!2124], [!2140], [!2142])

### Other major features

- If the circuit manager has retired all of its circuits,
  unconditionally retire all the circuits from the hidden service circuit pool.
  ([!2168])

### Testing

- Improved test layout in `tor-keymgr`. ([#1363], [!2125])
- Automate enforcement of our convention that scripts not be named with
  their implementation languages. ([!2153])
- Include script needed to generate `keymgr` test data. ([!2121])
- Add tests for vanguard state file serialization. ([!2167])
- Add a [Shadow] CI test involving an onion service that uses full vanguards.
  ([!2167])
- Add a test that ensures the hidden service circuit pool reads the vanguard mode
  from the configuration. ([!2168])
- Make the Shadow CI tests fail if any internal errors are reported in the logs.
  ([!2186])

### Documentation

- New example in arti-client for creating a one-hop circuit. ([!2148])
- Recommend `cargo --locked` in our examples, to encourage people
  to get audited versions of our dependencies. ([!2157])
- Clean up old changelogs to have a more uniform style, based on
  our updated `gen_md_links` script. ([!2126], [!2165])

### Infrastructure

- Disable automated Chutney tests in coverage CI. ([#1299], [!2120])
- Improve our `add_warning` script so that it can adjust our warnings during
  CI.  Previously we used a compiler `--cfg` flag for conditional warnings,
  but unrecognized `cfg` flags now provoke a warning. ([#1395], [!2129])
- Use `add_warning` to maintain the list of lints in our examples. ([!2132])
- Improved scripts to list our crates, and publish our crates,
  to make accidents less likely while
  we're trying to release.  ([#1390], [!2118], [!2138], [!2158])
- Improve our `gen_md_links` script to provide more uniform output,
  and generate its results in a more useful format. ([#1388], [!2126], [!2169])
- Ensure that our CI scripts delete unnecessary data on completion.
  (This helps keep us from running our infrastructure out of disk space
  and making the other gitlab users sad.) ([!2159])
- Adjust our license-checking code to accommodate
  license clarifications in `priority-queue` and `tinystr`.
  ([!2177])

### Cleanups, minor features, and bugfixes

- Resolve several Clippy warnings from the latest version of Rust. ([!2128])
- Clarify control-flow in our (currently convoluted) circuit reactor code.
  ([!2122])
- Refactor to avoid most use of `cfg(fuzzing)`. ([#1395], [!2134])
- The `DataStream` type now has a method to wait for a connection to
  complete. ([489aa72d1eee8a56])
- Clarify or resolve several dead-code warnings. ([#1383], [!2151])
- Explicitly enforce maxima on SENDME windows.  (Formerly, we did this
  implicitly.)  ([#1383], [!2150])
- Avoid the appearance of an infinite loop in
  `engage_padding_activities`. ([!2164])
- Refactor the `Channel` type to be more explicitly `Arc`,
  better documented, and to have less information shared between its
  front-end and reactor pieces. ([!2163])
- Refactor the `poll_ready` method on `ChannelSender` to
  have a more conventional interface. ([!2171])
- Replace debug assertions with internal errors
  in the post-build checks for vanguard circuits,
  to prevent issues such as [TROVE-2024-003] and [TROVE-2024-004].
  ([!2167])
- When building vanguard circuits, ensure the target relay does not occur
  as one of the last two hops. ([!2186])
- Upgrade to the latest versions of [priority-queue]. ([!2177])
- Validate the properties of the circuits retrieved
  from the hidden service circuit pool. ([97868349ed695ec8])
- Fix hidden service circuit stubs sometimes being unnecessarily extended
  when lite vanguards are in use. ([#1458], [!2183])
- Refactor vanguards configuration handling to be less error-prone.
  ([#1456], [!2183])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Gaba, Jim Newsome, juga, and pinkforest!

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.3 — 15 May 2024

Arti 1.2.3 fixes a high-severity issue affecting onion services and clients
connecting to onion services with 'lite' vanguards (the default) enabled:
when building anonymizing circuits to or from an onion service
the circuit manager code would build the circuits with one hop too few.
This makes users of this code more vulnerable to some kinds of traffic analysis
when they run or visit onion services.

This release also fixes a medium-severity issue affecting 'full' vanguards.
With 'full' vanguards enabled, client HsDir circuits, client introduction
circuits and service rendezvous-circuits are extended with an extra hop to
minimize the linkability of the guard nodes.
In some circumstances, the circuit manager would build circuits with one
hop too few, making it easier for an adversary to discover the L2 and L3
guards of the affected clients and services.

In Arti 1.2.1 and earlier, vanguards were still an experimental feature, or
absent, so those versions are classified as "not affected", even though
downgrading does not fix the security problem.

### Major bugfixes

- Fix a high-severity issue affecting onion service circuits using 'lite'
  vanguards. Previously, with 'lite' vanguards enabled, any circuit to or from
  an onion service was one hop too short, making clients and services vulnerable
  to certain types of traffic analysis. This is also tracked as
  [TROVE-2024-003]. ([#1409])

- Fix a medium-severity issue affecting onion service circuits using 'full'
  vanguards. Previously, with 'full' vanguards enabled, *some* circuits to or from
  an onion service were one hop too short, making linkability attacks more
  likely to succeed. This is also tracked as
  [TROVE-2024-004]. ([#1400])

[#1400]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1400
[#1409]: https://gitlab.torproject.org/tpo/core/arti/-/issues/1409
[TROVE-2024-003]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE
[TROVE-2024-004]: https://gitlab.torproject.org/tpo/core/team/-/wikis/NetworkTeam/TROVE



# Arti 1.2.2 — 30 April 2024

Arti 1.2.2 continues improvements on previous releases,
by improving onion service security with [Vanguards].
This release also includes an as-yet-unused backend
to help resist memory-exhaustion attacks,
and numerous other smaller improvements.

### Breaking changes in lower-level crates

- Refactor our [`Relay`] code to move low-level information
  into a [`RelayDetails`] type.
  ([#504], [!2057], [!2073])
- The internal API for the RPC object system has been greatly revised.
  ([!2079])

### Network updates

- Update to use the new identity key
  for the `tor26` directory authority.
  ([!2080])

### Major bugfixes

- Fix an inadvertent recursion bug when converting
  `TorAddrError` to `arti_client::Error`.
  ([#1379], [3f2dcaca31992018f825])
- Improve reliability of bootstrap status reporting.
  ([!2107])

### Onion service development

- Arti now supports [Vanguards] for improved security
  against guard discovery for onion service circuits.
  By default, we use the `vanguards-lite` algorithm;
  the `vanguards-full` algorithm can be configured.
  ([#1272], [#1273], [#1275], [#1340], [#1353], [#1364], [#1366],
  [!2075], [!2082], [!2083], [!2088], [!2090], [!2093], [!2099],
  [!2102], [!2104], [!2105], [!2109], [!2111])
- Export `KeyMgrBuilderError` as a public type,
  to help external code construct its own [`KeyMgr`].
  ([!2078])
- Initial implementation for
  an in-memory ephemeral key store, which will be useful
  in implementing ephemeral onion services.
  ([#1358], [!2076])
- Fix a bug that prevented reporting of onion service status updates.
  ([#1361], [!2086])
- Fix a bug that would cause onion service circuit pools
  to pre-build fewer circuits than actually desired.
  ([!2101])

### RPC development

- The RPC object system has been refactored to use `derive-deftly`
  and an improved system of method invocation.
  Together, these changes make it easier to write RPC methods,
  and allow support for RPC methods on generic types.
  ([#838], [#1380], [!2079], [!2084], [!2103])

### Other major features

- Convert to use [`figment`] instead of [`config-rs`]
  as our configuration backend,
  for improved error messages.
  ([#1267], [#1268], [!2041])
- New `tor-memquota` backend crate to keep track of our memory usage,
  and to help us react appropriately when we are out of memory.
  We will use this as part of our DoS-resistance system.
  ([#1381], [!2091], [!2100])


### Documentation

- Add cross-references to explain limitations of [`NetDir::by_ids`].
  ([#1365], [!2081])
- Fix a link to our Code of Conduct.
  ([!2085])
- Miscellaneous documentation fixes.
  ([!2087])
- Document some tricky assumptions and requirements in `tor-proto`'s
  circuit reactor code.
  ([#1373], [!2089])
- Improve documentation and license presence for our two
  LGPL-licensed crates.
  ([#1375], [!2094], [!2106])

### Testing

- Add high-level tests for pluggable transport configuration.
  ([#1333])

### Infrastructure

- Adjust our license-checking code to accommodate
  license clarifications in `rustls-webpki` and `option-ext`.
  ([!2070])
- Fix compilation breakage in our relaymsg fuzzing code.
  ([#1349], [!2069])
- Add an option to the `fuzz_it_all` script
  for it to run only against the static corpus.
  ([#1350], [!2071])

### Cleanups, minor features, and bugfixes

- Remove unused dependencies from several crates.
  ([!2068])
- Expose `BridgesConfig` from `TorClientConfig`
  so it can be inspected by other modules.
  ([c5a91130fff6af25])
- Refactor code for scheduling events in onion service code.
  ([#1259], [!2064])
- Update our code to use [`derive-deftly`],
  formerly called `derive-adhoc`.
  ([!2066])
- Refactor `same_relay_ids` to be automatically derived.
  ([!2072])
- Refactor `StreamMap`'s stream-counting code to be less
  error-prone.
  ([#1344], [!2058])
- Add an experimental method to expose the HS circuit pool
  from `TorClient`.
  ([!2077])
- Clean up new warnings from the nightly version of Clippy.
  ([!2096], [!2097])
- Upgrade to rustls version 0.23.
  ([#1377], [!2095])
- Suppress or resolve some dead-code warnings. ([!2098])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Richard Pospesel, trinity-1686a,
Wiktor Kwapisiewicz, and VaiTon.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.2.1 — 2 April 2024

Arti 1.2.1 continues development on onion services,
and adds several important security features.
More such improvements are on the way.
See [`doc/OnionService.md`] for instructions and caveats about running
onion services with Arti today.

This release also adds support for
[unmanaged pluggable transports][#755],
and begins work to improve Tor's relay cell protocol
with support for [packed and fragmented messages][prop340].

### New versioning policy

Starting with this version,
we are no longer independently tracking
breaking and non-breaking version changes
for the `arti-client` crate and each of the `tor-*` crates below it.
Instead, we will _assume_
that every release of these crates breaks API compatibility
with the one before, and update our semantic versioning accordingly.
(We will continue not to make gratuitous API compatibility breaks
on purpose.)

Previously, our efforts to track
which changes in these crates were breaking
and which were not
created a great deal of overhead in our development process,
and tended to be somewhat error-prone.

This change affects developers only; users should not be affected.
This does not affect crates already at version `1.x` or higher,
or published utility crates whose names don't start with `tor-` or `arti-`.

See [`doc/Semver.md`] for more information on this policy.
([#1005], [!2051])

### Breaking changes in lower-level crates

- Refactored `tor-config` to hide implementation details.
  This will eventually allow us to migrate from `config-rs`
  to a configuration provider with better error handling.
  ([!2040])
- Renamed several types in `tor-ptmgr`
  to reflect new support for unmanaged pluggable transports.
  ([d63d966d79f0f988])
- The `tor_circmgr::path` module is now crate-private.
  ([4c1eb94173521bc5])
- The [`Runtime`] trait now includes functionality for "coarse" time,
  backed (by default) by the [`coarsetime`] crate.
  We use these timestamps in cases
  where we need fast time checking more than precision.
  Putting them into `Runtime` lets us replace them with mock functions
  for testing purposes.
  ([!2050], [!2052])
- The `tor-cell` relay cell API is significantly revised.
  ([!2034], [!2045], [prop340])
- The `allow_stream_requests()` method in `tor-proto`
  now takes an extra argument.
  ([!2047])

### Onion service development

- Reorganize onion service code,
  to remove an unnecessary (and inconsistently used) internal module,
  to simplify needless imports,
  and to generally tidy up the implementation.
  ([#1212], [!2020])
- Avoid using `futures::oneshot`:
  our own `tor_basic_utils::oneshot` is safer to use
  when `select!` may be involved.
  ([95ed432c13c2c4b2])
- Design work for out-of-memory handling,
  which is necessary for onion service security.
  ([!1997])
- Onion services now support a `max_concurrent_streams_per_circuit` option.
  ([#1124], [!2047])
- Initial implementation work
  for onion service [vanguards],
  which are needed to improve onion service security.
  This is not yet complete.
  ([#1272], [#1275], [#1276], [#1277], [#1340],
  [!2035], [!2038], [!2046], [!2049], [!2053])

### Other major features

- New relay cell decoding API, in order to eventually handle
  packed and fragmented messages.
  ([!2034], [!2045], [prop340])
- We now support unmanaged pluggable transports.
  Previously, Arti only supported _managed_ pluggable transports:
  that is, ones that it launched itself.
  Now you can configure Arti to use a pluggable transport
  running at a known SOCKS port.
  ([#755], [!2043])

### Documentation and examples

- Improve Windows documentation in `fslock-guard` and `test-temp-dir`.
  ([!2011])
- More documentation for our internal build and release tools.
  ([!2028])
- Fixed broken links in the documentation for `NetParameters`.
  ([!2054])
- Fixed the disclaimer about onion services in our configuration file.
  ([!2055])

### Testing

- More unit tests in `fslock-guard`.
  ([!2013])
- More tests for `arti_client::address`.
  ([!2029])

### Cleanups, minor features, and bugfixes

- We've fixed a bug in our arguments parser
  that previously caused `arti` to panic when run without arguments.
  ([#1311], [!2021])
- The `tor-checkable` module now uses checked time arithmetic,
  to avoid overflows or panics when extending tolerances.
  ([!2031])
- We now enforce Clippy's [`unchecked_duration_subtraction`] lint by default.
  ([#1304], [!2008])
- Refactor configuration watcher to receive a `Runtime`.
  Previously it took an entire `TorClient`, unnecessarily.
  ([!2017])
- We now ban `std::Path::display`,
  since it is lossy in an easy-to-overlook way.
  We've given it a `PathExt::display_lossy` implementation
  to be used instead.
  ([!2027])
- The `tor-bytes` module now behaves more sensibly
  (typically panicking)
  if someone tries to use `write_zeros` to extend a buffer beyond `usize::MAX`.
  Previously it might truncate its buffer.
  ([!2033])
- Refactoring and improvements on the `BackoffSchedule` logic.
  ([#1259], [!2024])
- Moved logic for picking relays into a new `tor-relay-selection` crate,
  to avoid duplicated code
  and the risk of missing necessary checks when picking or examining relays.
  ([#504], [#789], [!2002])
- Clarify implementation of onion service timeout calculation logic,
  to avoid possible confusion about the `hs_hops` variable.
  ([#1332], [!2044])
- Simplified logic and API for creating relay encryption layers.
  ([!2048])
- Various typo fixes in comments and messages. ([!2030], [!2032], [!2036])


### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Brady Fomegne, Dimitris Apostolou, Jim Newsome,
Neel Chauhan, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!



# Arti 1.2.0 — 4 March 2024

Arti 1.2.0 continues work on support for running onion services.
You can now launch an onion service and expect it to run,
although you may well encounter bugs.

We have fixed a number of bugs and security issues,
and have made the `onion-service-service` feature non-experimental.

In the next releases, we will focus on implementing
the missing security features and on improving stability.

Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See [`doc/OnionService.md`] for instructions and caveats.

### Major bugfixes

- Empty DATA messages are a way to inject an undetected traffic signal, so we
  now reject empty DATA messages, and prevent them from being constructed
  through the [`tor-cell`] API.  This is tracked as [TROVE-2024-001].
  ([!1981], [#1269])

### Breaking changes in lower-level crates

- In [`tor-circmgr`], `Error::GuardNotUsable`, `Error::CircTimeout`,
  and `Error::Protocol` now contain the process-unique identifier of the circuit
  that caused the error. ([!2003])
- In [`tor-hsclient`], remove `HsClientNickname` and the nickname argument from
  `HsClientDescEncKeypairSpecifier::new`. ([!1998], [#1283])
- In [`tor-hsrproxy`], add a `String` representing the error message to
  `ProxyConfigError::UnrecognizedTargetType`,
  `ProxyConfigError::InvalidTargetAddr`, `ProxyConfigError::InvalidPort`.
  ([!1973], [#1266])
- In [`tor-hsservice`], remove the unimplemented `max_concurrent_streams_per_circuit`
  configuration option from `OnionServiceConfigBuilder`.  We may implement and
  reinstate it in a future release. ([!1996])
- In [`tor-keymgr`], rename `KeyInfoExtractor` to `KeyPathInfoExtractor`.
  ([bd85bffd0a388f57])
- In [`tor-keymgr`], rename `{to,from}_component()` to `{to,from}_slug()`.
  ([1040df929f643a2f])

### Onion service development

- Improve the key manager APIs. ([!1952], [#1115])
- Add more context to [`tor-hsrproxy`] configuration error messages. ([!1973])
- Design an API for vanguards. ([!1970])
- Make the descriptor publisher conform with the specification, by periodically
  republishing the hidden service descriptor.  This fixes a serious reachability
  bug. ([!1971], [#1241], [#1280])
- Rotate old introduction point relays even if they are not working.
  ([72c021555e1095f1])
- Expire old on-disk introduction point state. ([!1977], [!1982], [#1198])
- Expose `HsNickname::new`. ([f3720ac2c0f16883])
- Design the client and service configuration, and a CLI subcommand, for hidden
  service client authorization. ([!1987])
- Improve the ergonomics of our key listing and removal APIs. ([!1988], [#1271])
- Include the `ArtiPath` in key path errors. ([!1960], [#1115])
- Improve circuit error logging by including the process-unique identifier of
  the circuit in error messages. ([!2003], [#1297])
- Improve status reporting from onion services. ([!1966], [#1083])
- Design an API for bandwidth rate limiting. ([!1965])
- Improve descriptor publisher error reporting. ([!1991])
- Remove the client nickname from onion service client key specifiers. ([!1998],
  [#1283])
- When reconfiguring an onion service, reject any changes that are inappropriate
  or would put the service in a bad state. ([!1996], [#1209])
- Remove the keystore directory configuration option, pending design work
  relating to RPC and multi-user Arti. ([!1995], [#1202])
- Mark `onion-service-service` and every feature it depends on as
  non-experimental. ([!1993], [#1182])
- Fix a bug that prevented the descriptor publisher from fully processing the
  results of publish tasks, causing it to republish the descriptor unnecessarily
  in some circumstances. ([!1983])

### Other major new features in our Rust APIs

- [`tor-persist`] now provides new `state_dir` APIs for instance iteration and
  expiry needed for onion service state expiry.  ([!1968], [#1163])

### Documentation and examples

- Fix the casing of our recognized key paths. ([1a900081e945679e])
- Minor updates to the release process. ([!1959], [!1963])
- Fix typos in the [`tor-guardmgr`] README. ([!1980])
- Reword the [`tor-keymgr`] README for clarity. ([489a2555f28daa6d])
- Update onion service documentation. ([!1994], [#1287])
- Clarify the onion service configuration instructions from
  `doc/OnionService.md`, remove unsupported "unix:" example ([!1972], [#1266])

### Testing

- Improve replay log fork test. ([!1974], [!2010], [#1264])
- In the introduction point manager tests, avoid reusing the RNG seed.
  ([b515baf27f194470])
- Our [Shadow] CI tests now use the latest versions of `shadow` and `tgen`, and
  no longer pull `libigraph` from bullseye. ([!1958])
- Upgrade docker image for reproducible builds. ([!2016])
- Fix several tests on Windows. ([!2015])

### Cleanups, minor features, and bugfixes

- Allow overriding `cargo` in [`semver-checks`]. ([83c29b0d805f908e])
- Introduce a [`list_crates_publish`] script. ([b03e5d5e11c52faf])
- Fix compilation with musl. ([!1961], [#1264])
- Add `fixup-features` to the main workspace, make various improvements to
  `fixup-features`, `check_toposort`, `list_crates` ([!1969], [#1263])
- Use `std::default::Default` instead of [educe]'s `Default` in a number of
  places in preparation for the upgrade to educe 0.5. ([!1975], [#1257])
- Require the Fast and Stable flags as appropriate. ([!1976], [#1100])
- Refactor and improve error hinting in [`arti`] and [`arti-client`]. ([!1986],
  [#1165])
- Do not output ANSI escape codes when logging to file. ([!1999], [#1298])
- Upgrade our dependency on [curve25519-dalek] from 4.1.1 to 4.1.2 ([!2000])
- Upgrade to the latest versions of [event-listener], [rusqlite],
  [async-broadcast], [signature], [config]. ([!2001], [!2004], [!2451])
- Fix `ArtiPath` creation on Windows. ([!2012])
- Fix compilation and warnings on Windows. ([!2014], [!2009])
- Gate `RpcConfig` behind `rpc` feature. ([6c9e70e39ab279aa])

### Acknowledgments

Thanks to everybody who's contributed to this release, including
Alexander Færøy, Jim Newsome, Tobias Stoeckmann, and trinity-1686a.

Also, our deep thanks to [Zcash Community Grants] and our [other sponsors]
for funding the development of Arti!


# Arti 1.1.13 — 5 February 2024

Arti 1.1.13 continues work on support for running onion services.
You can now launch an onion service and expect it to run.

We have fixed a number of bugs.  The user experience is still not
great, and the onion-service-service feature is still experimental.
We have reorganised the on-disk state and key storage, to make it more
sensible; we hope (but don't promise!) it's now the final layout.
Don't rely on this onion service implementation for security yet;
there are a number of [missing security features]
we will need to develop before we can recommend them
for actual use.

See `doc/OnionService.md` for instructions and caveats.

### Breaking changes in lower-level crates

- [`tor-hsclient`]\: Replaced `HsClientKeyRole`,
  `HsClientSecretKeySpecifier` with `HsClientDescEncKeypairSpecifier`.
  Renamed `HsClientSpecifier` to `HsClientNickname`.
  ([!1864], [!1931])
- [`tor-hscrypto`]\: `AesOpeKey::encrypt` now takes a
  `SrvPeriodOffset`; Replaced `TimePeriodOffset` with
  `SrvPeriodOffset`; Removed `TimePeriod::offset_within_period`.
  ([!1904], [#1166])
- [`tor-netdir`]\: `hs_dirs_download` parameters changed;
  `hs_intro_*_lifetime` parameters renamed.
  ([!1903], [!1904], [#1254])

### Onion service development

- Complete overhaul of the way the hidden service code stores non-key
  persistent state.  Pathnames have changed as a result.
  ([!1853], [#1183], [!1941])
- Many improvements to keystore, key and `KeySpecifier` handling,
  including incompatible changes to on-disk key paths.
  ([!1864], [!1863], [!1883], [#1260], [!1949], [#1074], [!1948])
- Fix "service fails after approx 12 hours" bug.
  ([#1242], [!1901])
- Fix time period processing bugs including `HSS: "internal error"
  "current wallclock time not within TP?!"`.
  ([#1155], [#1166], [#1254], [!1903], [!1904], [!1914])
- Correctly rate-limit descriptor publication.
  ([!1951])
- Fixes to services shutdown.
  ([!1875], [!1895], [!1897], [#1236], [!1899], [!1917], [!1921])
- Improve error and corner case handling in descriptor publisher.
  ([!1861])
- Work on expiring keys: we expire descriptor keys now (although we
  don't actually properly delete all keys when we need to, yet).
  ([!1909])
- Only choose Stable relays for introduction points.
  ([!1884], [#1240], [#1211])
- Better handling of introduction point establishment failures.
  ([!1889], [!1915])
- Better handling of anomalous situations (including excessive
  requests) on introduction circuits.
  ([#1188], [#1189], [!1892], [!1916])
- Tolerate `INTRO_ESTABLISHED` messages with (unknown) extensions.
  ([!1898])
- Correct and improve various timing and tuning parameters.
  ([!1911], [!1924])
- Improve status reporting from hidden services.
  ([!1902])
- Public API of `tor-hsservice` crate overhauled.
  ([#1227], [#1220], [!1887])
- Mark lower-level hs-service features non-experimental.
  ([!1908])
- Defend against partial writes of introduction point replay log
  entries.
  ([!1920])
- Corrections to error handling, including to handling of introduction
  point failures, and attempts to launch the same service
  concurrently.
  ([!1906], [#1237], [#1225], [#1255])
- Detect and reject configurations with onion services, when
  onion-service-server support has been compiled out.
  ([!1885], [#1184])
- Temporarily disable parsing of AF_UNIX socket addresses (which
  aren't implemented right now anyway).
  ([!1886])
- Rate limit one log message, downgrade one, and remove another.
  ([!1871], [!1951])
- Add higher-level documentation to tor-hsservice (and fix a broken
  docs link).
  ([!1918], [!1945])
- Hide the `OnionServiceState` type.
  ([!1946], [#1261])
- Many internal cleanups including much triage of TODO comments in the code.
  ([!1859], [!1862], [!1861], [!1868], [!1866], [!1863], [!1870], [!1874])
  ([!1872], [!1869], [!1876], [!1867], [!1873], [!1877], [!1878], [!1875])
  ([!1879], [!1882], [!1881], [!1880], [!1894], [!1888], [!1887], [!1896])
  ([!1864], [!1951])

### Other major new features in our Rust APIs

- New `fslock-guard` crate for on-disk lockfiles which can be deleted,
  and which have a Rust API that returns a guard object.
  [fslock!15](https://github.com/brunoczim/fslock/pull/15)
  ([!1900], [!1910])
- `tor-persist` has a `Slug` type which is used for nicknames, key
  paths, etc., un…