forward-port the 0.1.0.9 changelog

svn:r4365
Roger Dingledine 2005-06-09 04:06:52 +00:00
parent d922fa7b10
commit 47fe49c2a0

600
ChangeLog

@ -1,146 +1,111 @@
Changes in version 0.1.0.8-rc - 2005-05-23 Changes in version 0.1.0.9 (first stable release of 0.1.0.x)
o Bugfixes: o Fixes on Win32:
- It turns out that kqueue on OS X 10.3.9 was causing kernel - Make NT services work and start on startup on Win32 (based on
panics. Disable kqueue on all OS X Tors. patch by Matt Edman). See the FAQ entry for details.
- Fix RPM: remove duplicate line accidentally added to the rpm - Make 'platform' string in descriptor more accurate for Win32
spec file. servers, so it's not just "unknown platform".
- Disable threads on openbsd too, since its gethostaddr is not - REUSEADDR on normal platforms means you can rebind to the port
reentrant either. right after somebody else has let it go. But REUSEADDR on Win32
- Tolerate libevent 0.8 since it still works, even though it's means you can bind to the port _even when somebody else already
ancient. has it bound_! So, don't do that on Win32.
- Enable building on Red Hat 9.0 again. - Clean up the log messages when starting on Win32 with no config
- Allow the middle hop of the testing circuit to be running any file.
version, now that most of them have the bugfix to let them connect
to unknown servers. This will allow reachability testing to work o Assert / crash bugs:
even when 0.0.9.7-0.0.9.9 become obsolete. - Refuse relay cells that claim to have a length larger than the
- Handle relay cells with rh.length too large. This prevents maximum allowed. This prevents a potential attack that could read
a potential attack that could read arbitrary memory (maybe even arbitrary memory (e.g. keys) from an exit server's process.
keys) from the exit server's process. - If unofficial Tor clients connect and send weird TLS certs, our
- We screwed up the dirport reachability testing when we don't yet Tor server triggers an assert. Stop asserting, and start handling
have a cached version of the directory. Hopefully now fixed. TLS errors better in other situations too.
- Clean up router_load_single_router() (used by the controller), - Fix a race condition that can trigger an assert when we have a
so it doesn't seg fault on error. pending create cell and an OR connection attempt fails.
o Resource leaks:
- Use pthreads for worker processes rather than forking. This was
forced because when we forked, we ended up wasting a lot of
duplicate ram over time.
- Also switch to foo_r versions of some library calls to allow
reentry and threadsafeness.
- Implement --disable-threads configure option. Disable threads on
netbsd and openbsd by default, because they have no reentrant
resolver functions (!).
- Fix possible bug on threading platforms (e.g. win32) which was
leaking a file descriptor whenever a cpuworker or dnsworker died.
- Fix a minor memory leak when somebody establishes an introduction - Fix a minor memory leak when somebody establishes an introduction
point at your Tor server. point at your Tor server.
- If a socks connection ends because read fails, don't warn that - Add ./configure --with-dmalloc option, to track memory leaks.
you're not sending a socks reply back. - And try to free all memory on closing, so we can detect what
we're leaking.
o Features: o Protocol correctness:
- Add HttpProxyAuthenticator config option too, that works like - When we've connected to an OR and handshaked but didn't like
the HttpsProxyAuthenticator config option. the result, we were closing the conn without sending destroy
- Encode hashed controller passwords in hex instead of base64, cells back for pending circuits. Now send those destroys.
to make it easier to write controllers. - Start sending 'truncated' cells back rather than destroy cells
if the circuit closes in front of you. This means we won't have
to abandon partially built circuits.
- Handle changed router status correctly when dirserver reloads
fingerprint file. We used to be dropping all unverified descriptors
right then. The bug was hidden because we would immediately
fetch a directory from another dirserver, which would include the
descriptors we just dropped.
- Revise tor-spec to add more/better stream end reasons.
- Revise all calls to connection_edge_end to avoid sending 'misc',
and to take errno into account where possible.
- Client now retries when streams end early for 'hibernating' or
'resource limit' reasons, rather than failing them.
- Try to be more zealous about calling connection_edge_end when
things go bad with edge conns in connection.c.
o Robustness improvements:
Changes in version 0.1.0.7-rc - 2005-05-17 - Better handling for heterogeneous / unreliable nodes:
o Bugfixes: - Annotate circuits with whether they aim to contain high uptime
- Fix a bug in the OS X package installer that prevented it from nodes and/or high capacity nodes. When building circuits, choose
installing on Tiger. appropriate nodes.
- Fix a script bug in the OS X package installer that made it - This means that every single node in an intro rend circuit,
complain during installation. not just the last one, will have a minimum uptime.
- Find libevent even if it's hiding in /usr/local/ and your - New config option LongLivedPorts to indicate application streams
CFLAGS and LDFLAGS don't tell you to look there. that will want high uptime circuits.
- Be able to link with libevent as a shared library (the default - Servers reset uptime when a dir fetch entirely fails. This
after 1.0d), even if it's hiding in /usr/local/lib and even hopefully reflects stability of the server's network connectivity.
if you haven't added /usr/local/lib to your /etc/ld.so.conf, - If somebody starts his tor server in Jan 2004 and then fixes his
assuming you're running gcc. Otherwise fail and give a useful clock, don't make his published uptime be a year.
error message. - Reset published uptime when we wake up from hibernation.
- Fix a bug in the RPM packager: set home directory for _tor to - Introduce a notion of 'internal' circs, which are chosen without
something more reasonable when first installing. regard to the exit policy of the last hop. Intro and rendezvous
- Free a minor amount of memory that is still reachable on exit. circs must be internal circs, to avoid leaking information. Resolve
and connect streams can use internal circs if they want.
- New circuit pooling algorithm: keep track of what destination ports
Changes in version 0.1.0.6-rc - 2005-05-14 we've used recently (start out assuming we'll want to use 80), and
o Bugfixes: make sure to have enough circs around to satisfy these ports. Also
- Implement --disable-threads configure option. Disable threads on make sure to have 2 internal circs around if we've required internal
netbsd by default, because it appears to have no reentrant resolver circs lately (and with high uptime if we've seen that lately too).
functions. - Turn addr_policy_compare from a tristate to a quadstate; this should
- Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent help address our "Ah, you allow 1.2.3.4:80. You are a good choice
release (1.1) detects and disables kqueue if it's broken. for google.com" problem.
- Append default exit policy before checking for implicit internal - When a client asks us for a dir mirror and we don't have one,
addresses. Now we don't log a bunch of complaints on startup launch an attempt to get a fresh one.
when using the default exit policy.
- Some people were putting "Address " in their torrc, and they had
a buggy resolver that resolved " " to 0.0.0.0. Oops.
- If DataDir is ~/.tor, and that expands to /.tor, then default to
LOCALSTATEDIR/tor instead.
- Fix fragmented-message bug in TorControl.py.
- Resolve a minor bug which would prevent unreachable dirports
from getting suppressed in the published descriptor.
- When the controller gave us a new descriptor, we weren't resolving
it immediately, so Tor would think its address was 0.0.0.0 until
we fetched a new directory.
- Fix an uppercase/lowercase case error in suppressing a bogus
libevent warning on some Linuxes.
o Features:
- Begin scrubbing sensitive strings from logs by default. Turn off
the config option SafeLogging if you need to do debugging.
- Switch to a new buffer management algorithm, which tries to avoid
reallocing and copying quite as much. In first tests it looks like
it uses *more* memory on average, but less cpu.
- First cut at support for "create-fast" cells. Clients can use - First cut at support for "create-fast" cells. Clients can use
these when extending to their first hop, since the TLS already these when extending to their first hop, since the TLS already
provides forward secrecy and authentication. Not enabled on provides forward secrecy and authentication. Not enabled on
clients yet. clients yet.
- When dirservers refuse a router descriptor, we now log its
contactinfo, platform, and the poster's IP address.
- Call tor_free_all instead of connections_free_all after forking, to
save memory on systems that need to fork.
- Whine at you if you're a server and you don't set your contactinfo.
- Implement --verify-config command-line option to check if your torrc
is valid without actually launching Tor.
- Rewrite address "serifos.exit" to "externalIP.serifos.exit"
rather than just rejecting it.
o Reachability testing.
- Your Tor server will automatically try to see if its ORPort and
DirPort are reachable from the outside, and it won't upload its
descriptor until it decides at least ORPort is reachable (when
DirPort is not yet found reachable, publish it as zero).
- When building testing circs for ORPort testing, use only
high-bandwidth nodes, so fewer circuits fail.
- Notice when our IP changes, and reset stats/uptime/reachability.
- Authdirservers don't do ORPort reachability detection, since
they're in clique mode, so it will be rare to find a server not
already connected to them.
- Authdirservers now automatically approve nodes running 0.1.0.2-rc
or later.
Changes in version 0.1.0.5-rc - 2005-04-27 o Dirserver fixes:
o Bugfixes:
- Stop trying to print a null pointer if an OR conn fails because
we didn't like its cert.
o Features:
- Switch our internal buffers implementation to use a ring buffer,
to hopefully improve performance for fast servers a lot.
- Add HttpsProxyAuthenticator support (basic auth only), based
on patch from Adam Langley.
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
the fast servers that have been joining lately.
- Give hidden service accesses extra time on the first attempt,
since 60 seconds is often only barely enough. This might improve
robustness more.
- Improve performance for dirservers: stop re-parsing the whole
directory every time you regenerate it.
- Add more debugging info to help us find the weird dns netbsd
pthreads bug; cleaner debug messages to help track future issues.
Changes in version 0.1.0.4-rc - 2005-04-23
o Bugfixes:
- If unofficial Tor clients connect and send weird TLS certs, our
Tor server triggers an assert. Stop asserting, and start handling
TLS errors better in other situations too.
- When the controller asks us to tell it about all the debug-level
logs, it turns out we were generating debug-level logs while
telling it about them, which turns into a bad loop. Now keep
track of whether you're sending a debug log to the controller,
and don't log when you are.
- Fix the "postdescriptor" feature of the controller interface: on
non-complete success, only say "done" once.
o Features:
- Clients are now willing to load balance over up to 2mB, not 1mB,
of advertised bandwidth capacity.
- Add a NoPublish config option, so you can be a server (e.g. for
testing running Tor servers in other Tor networks) without
publishing your descriptor to the primary dirservers.
Changes in version 0.1.0.3-rc - 2005-04-08
o Improvements on 0.1.0.2-rc:
- Client now retries when streams end early for 'hibernating' or
'resource limit' reasons, rather than failing them.
- More automated handling for dirserver operators:
- Automatically approve nodes running 0.1.0.2-rc or later,
now that the the reachability detection stuff is working.
- Now we allow two unverified servers with the same nickname - Now we allow two unverified servers with the same nickname
but different keys. But if a nickname is verified, only that but different keys. But if a nickname is verified, only that
nickname+key are allowed. nickname+key are allowed.
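Review bot: The relay-cell length entry is filed under "o Assert / crash bugs:", but its own text describes a memory disclosure ("could read arbitrary memory (e.g. keys) from an exit server's process"), not a crash. Operators skimming for a reason to upgrade can miss it among the assert fixes, so give it its own "o Security fixes:" heading at the top of the 0.1.0.9 section. Separately, the new header "Changes in version 0.1.0.9 (first stable release of 0.1.0.x)" carries no release date, while the header it replaces ended in " - 2005-05-23"; add the date in the same form. The heading "o Reachability testing." also ends in a period where the other headings end in a colon.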
@ -152,101 +117,132 @@ Changes in version 0.1.0.3-rc - 2005-04-08
Corollary: only whine about clock skew from the dirserver if Corollary: only whine about clock skew from the dirserver if
he's a trusted dirserver (since now even verified servers could he's a trusted dirserver (since now even verified servers could
have quite wrong clocks). have quite wrong clocks).
- Adjust maximum skew and age for rendezvous descriptors: let skew
be 48 hours rather than 90 minutes. o Code efficiency improvements:
- Efficiency improvements: - Use libevent. Now we can use faster async cores (like epoll, kpoll,
and /dev/poll), and hopefully work better on Windows too.
- Apple's OS X 10.4.0 ships with a broken kqueue API, and using
kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X.
- Find libevent even if it's hiding in /usr/local/ and your
CFLAGS and LDFLAGS don't tell you to look there.
- Be able to link with libevent as a shared library (the default
after 1.0d), even if it's hiding in /usr/local/lib and even
if you haven't added /usr/local/lib to your /etc/ld.so.conf,
assuming you're running gcc. Otherwise fail and give a useful
error message.
- Switch to a new buffer management algorithm, which tries to avoid
reallocing and copying quite as much. In first tests it looks like
it uses *more* memory on average, but less cpu.
- Switch our internal buffers implementation to use a ring buffer,
to hopefully improve performance for fast servers a lot.
- Improve performance for dirservers: stop re-parsing the whole
directory every time you regenerate it.
- Keep a big splay tree of (circid,orconn)->circuit mappings to make - Keep a big splay tree of (circid,orconn)->circuit mappings to make
it much faster to look up a circuit for each relay cell. it much faster to look up a circuit for each relay cell.
- Remove most calls to assert_all_pending_dns_resolves_ok(), - Remove most calls to assert_all_pending_dns_resolves_ok(),
since they're eating our cpu on exit nodes. since they're eating our cpu on exit nodes.
- Stop wasting time doing a case insensitive comparison for every - Stop wasting time doing a case insensitive comparison for every
dns name every time we do any lookup. Canonicalize the names to dns name every time we do any lookup. Canonicalize the names to
lowercase and be done with it. lowercase when you first see them.
- Start sending 'truncated' cells back rather than destroy cells,
if the circuit closes in front of you. This means we won't have o Hidden services:
to abandon partially built circuits. - Handle unavailable hidden services better. Handle slow or busy
- Only warn once per nickname from add_nickname_list_to_smartlist hidden services better.
per failure, so an entrynode or exitnode choice that's down won't - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
yell so much. circ as necessary, if there are any completed ones lying around
- Put a note in the torrc about abuse potential with the default when we try to launch one.
exit policy. - Make hidden services try to establish a rendezvous for 30 seconds
after fetching the descriptor, rather than for n (where n=3)
attempts to build a circuit.
- Adjust maximum skew and age for rendezvous descriptors: let skew
be 48 hours rather than 90 minutes.
o Controller:
- More Tor controller support. See
http://tor.eff.org/doc/control-spec.txt for all the new features,
including signals to emulate unix signals from any platform;
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
closestream; closecircuit; etc.
- Encode hashed controller passwords in hex instead of base64,
to make it easier to write controllers.
- Revise control spec and implementation to allow all log messages to - Revise control spec and implementation to allow all log messages to
be sent to controller with their severities intact (suggested by be sent to controller with their severities intact (suggested by
Matt Edman). Update TorControl to handle new log event types. Matt Edman). Disable debug-level logs while delivering a debug-level
- Provide better explanation messages when controller's POSTDESCRIPTOR log to the controller, to prevent loop. Update TorControl to handle
fails. new log event types.
- Stop putting nodename in the Platform string in server descriptors.
It doesn't actually help, and it is confusing/upsetting some people.
o Bugfixes on 0.1.0.2-rc: o New config options/defaults:
- We were printing the host mask wrong in exit policies in server - Begin scrubbing sensitive strings from logs by default. Turn off
descriptors. This isn't a critical bug though, since we were still the config option SafeLogging if you need to do debugging.
obeying the exit policy internally. - New exit policy: accept most low-numbered ports, rather than
- Fix Tor when compiled with libevent but without pthreads: move rejecting most low-numbered ports.
connection_unregister() from _connection_free() to - Put a note in the torrc about abuse potential with the default
connection_free(). exit policy.
- Fix an assert trigger (already fixed in 0.0.9.x): when we have - Add support for CONNECTing through https proxies, with "HttpsProxy"
the rare mysterious case of accepting a conn on 0.0.0.0:0, then config option.
when we look through the connection array, we'll find any of the - Add HttpProxyAuthenticator and HttpsProxyAuthenticator support
cpu/dnsworkers. This is no good. based on patch from Adam Langley (basic auth only).
- Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
the fast servers that have been joining lately. (Clients are now
willing to load balance over up to 2 MB of advertised bandwidth
capacity too.)
- New config option MaxAdvertisedBandwidth which lets you advertise
a low bandwidthrate (to not attract as many circuits) while still
allowing a higher bandwidthrate in reality.
- Require BandwidthRate to be at least 20kB/s for servers.
- Add a NoPublish config option, so you can be a server (e.g. for
testing running Tor servers in other Tor networks) without
publishing your descriptor to the primary dirservers.
- Add a new AddressMap config directive to rewrite incoming socks
addresses. This lets you, for example, declare an implicit
required exit node for certain sites.
- Add a new TrackHostExits config directive to trigger addressmaps
for certain incoming socks addresses -- for sites that break when
your exit keeps changing (based on patch from Mike Perry).
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
which describes how often we retry making new circuits if current
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
how long we're willing to make use of an already-dirty circuit.
- Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to
a config option "ShutdownWaitLength" (when using kill -INT on
servers).
- Fix an edge case in parsing config options: if they say "--"
on the commandline, it's not a config option (thanks weasel).
- New config option DirAllowPrivateAddresses for authdirservers.
Now by default they refuse router descriptors that have non-IP or
private-IP addresses.
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
smart" default value: low for servers and high for clients.
- Some people were putting "Address " in their torrc, and they had
a buggy resolver that resolved " " to 0.0.0.0. Oops.
- If DataDir is ~/.tor, and that expands to /.tor, then default to
LOCALSTATEDIR/tor instead.
- Implement --verify-config command-line option to check if your torrc
is valid without actually launching Tor.
o Bugfixes on 0.0.9.x: o Logging improvements:
- Fix possible bug on threading platforms (e.g. win32) which was - When dirservers refuse a server descriptor, we now log its
leaking a file descriptor whenever a cpuworker or dnsworker died. contactinfo, platform, and the poster's IP address.
- When using preferred entry or exit nodes, ignore whether the - Only warn once per nickname from add_nickname_list_to_smartlist()
circuit wants uptime or capacity. They asked for the nodes, they per failure, so an entrynode or exitnode choice that's down won't
get the nodes. yell so much.
- chdir() to your datadirectory at the *end* of the daemonize process,
not the beginning. This was a problem because the first time you
run tor, if your datadir isn't there, and you have runasdaemon set
to 1, it will try to chdir to it before it tries to create it. Oops.
- Handle changed router status correctly when dirserver reloads
fingerprint file. We used to be dropping all unverified descriptors
right then. The bug was hidden because we would immediately
fetch a directory from another dirserver, which would include the
descriptors we just dropped.
- When we're connecting to an OR and he's got a different nickname/key - When we're connecting to an OR and he's got a different nickname/key
than we were expecting, only complain loudly if we're an OP or a than we were expecting, only complain loudly if we're an OP or a
dirserver. Complaining loudly to the OR admins just confuses them. dirserver. Complaining loudly to the OR admins just confuses them.
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get - Whine at you if you're a server and you don't set your contactinfo.
artificially capped at 500kB. - Warn when exit policy implicitly allows local addresses.
- Give a better warning when some other server advertises an
ORPort that is actually an apache running ssl.
- If we get an incredibly skewed timestamp from a dirserver mirror
that isn't a verified OR, don't warn -- it's probably him that's
wrong.
- When a dirserver causes you to give a warn, mention which dirserver
it was.
o New contrib scripts:
Changes in version 0.1.0.2-rc - 2005-04-01 - New experimental script tor/contrib/exitlist: a simple python
o Bugfixes on 0.1.0.1-rc: script to parse directories and find Tor nodes that exit to listed
- Fixes on reachability detection: addresses/ports.
- Don't check for reachability while hibernating.
- If ORPort is reachable but DirPort isn't, still publish the
descriptor, but zero out DirPort until it's found reachable.
- When building testing circs for ORPort testing, use only
high-bandwidth nodes, so fewer circuits fail.
- Complain about unreachable ORPort separately from unreachable
DirPort, so the user knows what's going on.
- Make sure we only conclude ORPort reachability if we didn't
initiate the conn. Otherwise we could falsely conclude that
we're reachable just because we connected to the guy earlier
and he used that same pipe to extend to us.
- Authdirservers shouldn't do ORPort reachability detection,
since they're in clique mode, so it will be rare to find a
server not already connected to them.
- When building testing circuits, always pick middle hops running
Tor 0.0.9.7, so we avoid the "can't extend to unknown routers"
bug. (This is a kludge; it will go away when 0.0.9.x becomes
obsolete.)
- When we decide we're reachable, actually publish our descriptor
right then.
- Fix bug in redirectstream in the controller.
- Fix the state descriptor strings so logs don't claim edge streams
are in a different state than they actually are.
- Use recent libevent features when possible (this only really affects
win32 and osx right now, because the new libevent with these
features hasn't been released yet). Add code to suppress spurious
libevent log msgs.
- Prevent possible segfault in connection_close_unattached_ap().
- Fix newlines on torrc in win32.
- Improve error msgs when tor-resolve fails.
o Improvements on 0.0.9.x:
- New experimental script tor/contrib/ExerciseServer.py (needs more - New experimental script tor/contrib/ExerciseServer.py (needs more
work) that uses the controller interface to build circuits and work) that uses the controller interface to build circuits and
fetch pages over them. This will help us bootstrap servers that fetch pages over them. This will help us bootstrap servers that
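Review bot: In the new "Use libevent" entry under "o Code efficiency improvements:", "kpoll" in "(like epoll, kpoll, and /dev/poll)" looks like a slip for "kqueue", which is the name the very next entry uses ("ships with a broken kqueue API"). Suggest "(like epoll, kqueue, and /dev/poll)" so the two entries agree. The slip is carried over from the old 0.1.0.1-rc text, so the forward-port is a good place to correct it.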
@ -255,166 +251,60 @@ Changes in version 0.1.0.2-rc - 2005-04-01
that uses the controller interface to let you choose whole paths that uses the controller interface to let you choose whole paths
via addresses like via addresses like
"<hostname>.<path,separated by dots>.<length of path>.path" "<hostname>.<path,separated by dots>.<length of path>.path"
- When we've connected to an OR and handshaked but didn't like - New contributed script "privoxy-tor-toggle" to toggle whether
the result, we were closing the conn without sending destroy Privoxy uses Tor. Seems to be configured for Debian by default.
cells back for pending circuits. Now send those destroys.
o Misc bugfixes:
- chdir() to your datadirectory at the *end* of the daemonize process,
not the beginning. This was a problem because the first time you
run tor, if your datadir isn't there, and you have runasdaemon set
to 1, it will try to chdir to it before it tries to create it. Oops.
- Fix several double-mark-for-close bugs, e.g. where we were finding
a conn for a cell even if that conn is already marked for close.
- Stop most cases of hanging up on a socks connection without sending
the socks reject.
- Fix a bug in the RPM package: set home directory for _tor to
something more reasonable when first installing.
- Stop putting nodename in the Platform string in server descriptors.
It doesn't actually help, and it is confusing/upsetting some people.
- When using preferred entry or exit nodes, ignore whether the
circuit wants uptime or capacity. They asked for the nodes, they
get the nodes.
- Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
artificially capped at 500kB.
- Cache local dns resolves correctly even when they're .exit
addresses.
- If we're hibernating and we get a SIGINT, exit immediately.
- tor-resolve requests were ignoring .exit if there was a working circuit
they could use instead.
Changes in version 0.1.0.1-rc - 2005-03-28 o Misc features:
o New features: - Rewrite address "serifos.exit" to "externalIP.serifos.exit"
- Add reachability testing. Your Tor server will automatically try rather than just rejecting it.
to see if its ORPort and DirPort are reachable from the outside, - If our clock jumps forward by 100 seconds or more, assume something
and it won't upload its descriptor until it decides they are. has gone wrong with our network and abandon all not-yet-used circs.
- Handle unavailable hidden services better. Handle slow or busy
hidden services better.
- Add support for CONNECTing through https proxies, with "HttpsProxy"
config option.
- New exit policy: accept most low-numbered ports, rather than
rejecting most low-numbered ports.
- More Tor controller support (still experimental). See
http://tor.eff.org/doc/control-spec.txt for all the new features,
including signals to emulate unix signals from any platform;
redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
closestream; closecircuit; etc.
- Make nt services work and start on startup on win32 (based on
patch by Matt Edman).
- Add a new AddressMap config directive to rewrite incoming socks
addresses. This lets you, for example, declare an implicit
required exit node for certain sites.
- Add a new TrackHostExits config directive to trigger addressmaps
for certain incoming socks addresses -- for sites that break when
your exit keeps changing (based on patch from Mike Perry).
- Redo the client-side dns cache so it's just an addressmap too.
- Notice when our IP changes, and reset stats/uptime/reachability.
- When an application is using socks5, give him the whole variety of - When an application is using socks5, give him the whole variety of
potential socks5 responses (connect refused, host unreachable, etc), potential socks5 responses (connect refused, host unreachable, etc),
rather than just "success" or "failure". rather than just "success" or "failure".
- A more sane version numbering system. See - A more sane version numbering system. See
http://tor.eff.org/cvs/tor/doc/version-spec.txt for details. http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
- New contributed script "exitlist": a simple python script to
parse directories and find Tor nodes that exit to listed
addresses/ports.
- New contributed script "privoxy-tor-toggle" to toggle whether
Privoxy uses Tor. Seems to be configured for Debian by default.
- Report HTTP reasons to client when getting a response from directory
servers -- so you can actually know what went wrong.
- New config option MaxAdvertisedBandwidth which lets you advertise
a low bandwidthrate (to not attract as many circuits) while still
allowing a higher bandwidthrate in reality.
o Robustness/stability fixes:
- Make Tor use Niels Provos's libevent instead of its current
poll-but-sometimes-select mess. This will let us use faster async
cores (like epoll, kpoll, and /dev/poll), and hopefully work better
on Windows too.
- pthread support now too. This was forced because when we forked,
we ended up wasting a lot of duplicate ram over time. Also switch
to foo_r versions of some library calls to allow reentry and
threadsafeness.
- Better handling for heterogeneous / unreliable nodes:
- Annotate circuits w/ whether they aim to contain high uptime nodes
and/or high capacity nodes. When building circuits, choose
appropriate nodes.
- This means that every single node in an intro rend circuit,
not just the last one, will have a minimum uptime.
- New config option LongLivedPorts to indicate application streams
that will want high uptime circuits.
- Servers reset uptime when a dir fetch entirely fails. This
hopefully reflects stability of the server's network connectivity.
- If somebody starts his tor server in Jan 2004 and then fixes his
clock, don't make his published uptime be a year.
- Reset published uptime when you wake up from hibernation.
- Introduce a notion of 'internal' circs, which are chosen without
regard to the exit policy of the last hop. Intro and rendezvous
circs must be internal circs, to avoid leaking information. Resolve
and connect streams can use internal circs if they want.
- New circuit pooling algorithm: make sure to have enough circs around
to satisfy any predicted ports, and also make sure to have 2 internal
circs around if we've required internal circs lately (and with high
uptime if we've seen that lately too).
- Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
which describes how often we retry making new circuits if current
ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
how long we're willing to make use of an already-dirty circuit.
- Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
circ as necessary, if there are any completed ones lying around
when we try to launch one.
- Make hidden services try to establish a rendezvous for 30 seconds,
rather than for n (where n=3) attempts to build a circuit.
- Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
"ShutdownWaitLength".
- Try to be more zealous about calling connection_edge_end when
things go bad with edge conns in connection.c.
- Revise tor-spec to add more/better stream end reasons.
- Revise all calls to connection_edge_end to avoid sending "misc",
and to take errno into account where possible.
o Bug fixes:
- Fix a race condition that can trigger an assert, when we have a
pending create cell and an OR connection fails right then.
- Fix several double-mark-for-close bugs, e.g. where we were finding
a conn for a cell even if that conn is already marked for close.
- Make sequence of log messages when starting on win32 with no config
file more reasonable.
- When choosing an exit node for a new non-internal circ, don't take
into account whether it'll be useful for any pending x.onion
addresses -- it won't.
- Turn addr_policy_compare from a tristate to a quadstate; this should
help address our "Ah, you allow 1.2.3.4:80. You are a good choice
for google.com" problem.
- Make "platform" string in descriptor more accurate for Win32 servers,
so it's not just "unknown platform".
- Fix an edge case in parsing config options (thanks weasel).
If they say "--" on the commandline, it's not an option.
- Reject odd-looking addresses at the client (e.g. addresses that
contain a colon), rather than having the server drop them because
they're malformed.
- tor-resolve requests were ignoring .exit if there was a working circuit
they could use instead.
- REUSEADDR on normal platforms means you can rebind to the port
right after somebody else has let it go. But REUSEADDR on win32
means to let you bind to the port _even when somebody else
already has it bound_! So, don't do that on Win32.
- Change version parsing logic: a version is "obsolete" if it is not - Change version parsing logic: a version is "obsolete" if it is not
recommended and (1) there is a newer recommended version in the recommended and (1) there is a newer recommended version in the
same series, or (2) there are no recommended versions in the same same series, or (2) there are no recommended versions in the same
series, but there are some recommended versions in a newer series. series, but there are some recommended versions in a newer series.
A version is "new" if it is newer than any recommended version in A version is "new" if it is newer than any recommended version in
the same series. the same series.
- Stop most cases of hanging up on a socks connection without sending - Report HTTP reasons to client when getting a response from directory
the socks reject. servers -- so you can actually know what went wrong.
- Reject odd-looking addresses at the client (e.g. addresses that
o Helpful fixes: contain a colon), rather than having the server drop them because
- Require BandwidthRate to be at least 20kB/s for servers. they're malformed.
- When a dirserver causes you to give a warn, mention which dirserver
it was.
- New config option DirAllowPrivateAddresses for authdirservers.
Now by default they refuse router descriptors that have non-IP or
private-IP addresses.
- Stop publishing socksport in the directory, since it's not - Stop publishing socksport in the directory, since it's not
actually meant to be public. For compatibility, publish a 0 there actually meant to be public. For compatibility, publish a 0 there
for now. for now.
- Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
smart" value, that is low for servers and high for clients.
- If our clock jumps forward by 100 seconds or more, assume something
has gone wrong with our network and abandon all not-yet-used circs.
- Warn when exit policy implicitly allows local addresses.
- If we get an incredibly skewed timestamp from a dirserver mirror
that isn't a verified OR, don't warn -- it's probably him that's
wrong.
- Since we ship our own Privoxy on OS X, tweak it so it doesn't write - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
cookies to disk and doesn't log each web request to disk. (Thanks cookies to disk and doesn't log each web request to disk. (Thanks
to Brett Carrington for pointing this out.) to Brett Carrington for pointing this out.)
- When a client asks us for a dir mirror and we don't have one,
launch an attempt to get a fresh one.
- If we're hibernating and we get a SIGINT, exit immediately.
- Add --with-dmalloc ./configure option, to track memory leaks.
- And try to free all memory on closing, so we can detect what
we're leaking.
- Cache local dns resolves correctly even when they're .exit
addresses.
- Give a better warning when some other server advertises an
ORPort that is actually an apache running ssl.
- Add "opt hibernating 1" to server descriptor to make it clearer - Add "opt hibernating 1" to server descriptor to make it clearer
whether the server is hibernating. whether the server is hibernating.
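Review bot: several operator-facing entries in this region appear only on the old side of the diff, so as far as the visible lines show they are dropped rather than moved. The condensed list keeps the version-parsing, "Reject odd-looking addresses", socksport, Privoxy and "opt hibernating 1" entries, but it does not show "New config option DirAllowPrivateAddresses for authdirservers" (with its note that they now refuse non-IP or private-IP descriptors by default), "Warn when exit policy implicitly allows local addresses", or "Require BandwidthRate to be at least 20kB/s for servers". These record default-behaviour and configuration changes that a server operator would look up in the changelog, so please confirm they are carried into the consolidated 0.1.0.9 section or keep them here. The same applies to "Fix a race condition that can trigger an assert" and "Fix several double-mark-for-close bugs", which would fit under the new "Assert / crash bugs" heading. The REUSEADDR and Win32 "platform" string entries are visibly re-homed at the top of the file, so those two are fine.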