release: ChangeLog for 0.4.8.1-alpha

ChangeLog

@@ -1,3 +1,174 @@
+Changes in version 0.4.8.1-alpha - 2023-06-01
+  This is the first alpha of the 0.4.8.x series. Two major features in this
+  version which are Conflux and onion service Proof-of-Work (PoW). There are
+  also many small features in particular, worth noting, the MetricsPort is now
+  exporting more relay and onion service metrics. Finally, there are
+  also numerous minor bugfixes included in this version.
+
+  o Major features (onion service, proof-of-work):
+    - Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
+      introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
+      protocol that occurs over introduction circuits. This introduces several
+      torrc options prefixed with "HiddenServicePoW" in order to control this
+      feature. By default, this is disabled. Closes ticket 40634.
+
+  o Major features (conflux):
+    - Implement Proposal 329 (conflux traffic splitting). Conflux splits
+      traffic across two circuits to Exits that support the protocol.
+      These circuits are pre-built only, which means that if the pre-
+      built conflux pool runs out, regular circuits will then be used.
+      When using conflux circuit pairs, clients choose the lower-latency
+      circuit to send data to the Exit. When the Exit sends data to the
+      client, it maximizes throughput, by fully utilizing both circuits
+      in a multiplexed fashion. Alternatively, clients can request that
+      the Exit optimize for latency when transmitting to them, by
+      setting the torrc option 'ConfluxClientUX latency'. Onion services
+      are not currently supported, but will be in arti. Many other
+      future optimizations will also be possible using this protocol.
+      Closes ticket 40593.
+
+  o Major features (dirauth):
+    - Directory authorities and relays now interact properly with
+      directory authorities if they change addresses. In the past, they
+      would continue to upload votes, signatures, descriptors, etc to
+      the hard-coded address in the configuration. Now, if the directory
+      authority is listed in the consensus at a different address, they
+      will direct queries to this new address. Implements ticket 40705.
+
+  o Minor feature (CI):
+    - Update CI to use Debian Bullseye for runners.
+
+  o Minor feature (client, IPv6):
+    - Make client able to pick IPv6 relays by default now meaning
+      ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
+
+  o Minor feature (compilation):
+    - Fix returning something other than "Unknown N/A" as libc version
+      if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
+      or NetBSD.
+
+  o Minor feature (cpuworker):
+    - Always use the number of threads for our CPU worker pool to the
+      number of core available but cap it to a minimum of 2 in case of a
+      single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.
+
+  o Minor feature (lzma):
+    - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
+
+  o Minor feature (MetricsPort, relay):
+    - Expose time until online keys expires on the MetricsPort. Closes
+      ticket 40546.
+
+  o Minor feature (MetricsPort, relay, onion service):
+    - Add metrics for the relay side onion service interactions counting
+      seen cells. Closes ticket 40797. Patch by "friendly73".
+
+  o Minor features (directory authorities):
+    - Directory authorities now include their AuthDirMaxServersPerAddr
+      config option in the consensus parameter section of their vote.
+      Now external tools can better predict how they will behave.
+      Implements ticket 40753.
+
+  o Minor features (directory authority):
+    - Add a new consensus method in which the "published" times on
+      router entries in a microdesc consensus are all set to a
+      meaningless fixed date. Doing this will make the download size for
+      compressed microdesc consensus diffs much smaller. Part of ticket
+      40130; implements proposal 275.
+
+  o Minor features (network documents):
+    - Clients and relays no longer track the "published on" time
+      declared for relays in any consensus documents. When reporting
+      this time on the control port, they instead report a fixed date in
+      the future. Part of ticket 40130.
+
+  o Minor features (fallbackdir):
+    - Regenerate fallback directories generated on June 01, 2023.
+
+  o Minor features (geoip data):
+    - Update the geoip files to match the IPFire Location Database, as
+      retrieved on 2023/06/01.
+
+  o Minor features (hs, metrics):
+    - Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
+      histograms to measure hidden service rend/intro circuit build time
+      durations. Part of ticket 40757.
+
+  o Minor features (metrics):
+    - Add a `reason` label to the HS error metrics. Closes ticket 40758.
+    - Add service side metrics for REND and introduction request
+      failures. Closes ticket 40755.
+    - Add support for histograms. Part of ticket 40757.
+
+  o Minor features (pluggable transports):
+    - Automatically restart managed Pluggable Transport processes when
+      their process terminate. Resolves ticket 33669.
+
+  o Minor features (portability, compilation):
+    - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
+      compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).
+
+  o Minor features (relay):
+    - Do not warn about configuration options that may expose a non-
+      anonymous onion service. Closes ticket 40691.
+
+  o Minor features (relays):
+    - Trigger OOS when bind fails with EADDRINUSE. This improves
+      fairness when a large number of exit connections are requested,
+      and properly signals exhaustion to the network. Fixes issue 40597;
+      patch by Alex Xu (Hello71).
+
+  o Minor features (tests):
+    - Avoid needless key reinitialization with OpenSSL during unit
+      tests, saving significant time. Patch from Alex Xu.
+
+  o Minor bugfix (relay, logging):
+    - The wrong max queue cell size was used in a protocol warning
+      logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
+
+  o Minor bugfixes (logging):
+    - Avoid ""double-quoting"" strings in several log messages. Fixes
+      bug 22723; bugfix on 0.1.2.2-alpha.
+    - Correct a log message when cleaning microdescriptors. Fixes bug
+      40619; bugfix on 0.2.5.4-alpha.
+
+  o Minor bugfixes (metrics):
+    - Decrement hs_intro_established_count on introduction circuit
+      close. Fixes bug 40751; bugfix on 0.4.7.12.
+
+  o Minor bugfixes (pluggable transports, windows):
+    - Remove a warning `BUG()` that could occur when attempting to
+      execute a non-existing pluggable transport on Windows. Fixes bug
+      40596; bugfix on 0.4.0.1-alpha.
+
+  o Minor bugfixes (relay):
+    - Remove a "BUG" warning for an acceptable race between a circuit
+      close and considering that circuit active. Fixes bug 40647; bugfix
+      on 0.3.5.1-alpha.
+    - Remove a harmless "Bug" log message that can happen in
+      relay_addr_learn_from_dirauth() on relays during startup. Finishes
+      fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.
+
+  o Minor bugfixes (sandbox):
+    - Allow membarrier for the sandbox. And allow rt_sigprocmask when
+      compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
+    - Fix sandbox support on AArch64 systems. More "*at" variants of
+      syscalls are now supported. Signed 32 bit syscall parameters are
+      checked more precisely, which should lead to lower likelihood of
+      breakages with future compiler and libc releases. Fixes bug 40599;
+      bugfix on 0.4.4.3-alpha.
+
+  o Minor bugfixes (state file):
+    - Avoid a segfault if the state file doesn't contains TotalBuildTimes
+      along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
+      bugfix on 0.3.5.1-alpha.
+
+  o Removed features:
+    - Remove the RendPostPeriod option. This was primarily used in
+      Version 2 Onion Services and after its deprecation isn't needed
+      anymore. Closes ticket 40431. Patch by Neel Chauhan.
+
+
 Changes in version 0.4.7.13 - 2023-01-12
   This version contains three major bugfixes, two for relays and one for
   client being a security fix, TROVE-2022-002. We have added, for Linux, the

changes/aarch64_sandbox

@@ -1,5 +0,0 @@
-  o Minor bugfixes (sandbox):
-    - Fix sandbox support on AArch64 systems. More "*at" variants of syscalls
-      are now supported. Signed 32 bit syscall parameters are checked more
-      precisely, which should lead to lower likelihood of breakages with future
-      compiler and libc releases. Fixes bug 40599; bugfix on 0.4.4.3-alpha.

changes/bsd_libc

@@ -1,3 +0,0 @@
-  o Minor feature (compilation):
-    - Fix returning something other than "Unknown N/A" as libc version if we
-      build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD or NetBSD.

changes/bug40431

@@ -1,4 +0,0 @@
-  o Removed features:
-    - Remove the RendPostPeriod option. This was primarily used in Version 2
-      Onion Services and after its deprecation isn't needed anymore. Closes
-      ticket 40431. Patch by Neel Chauhan.

changes/bug40523

@@ -1,4 +0,0 @@
-  o Minor bugfixes (relay):
-    - Remove a harmless "Bug" log message that can happen in
-      relay_addr_learn_from_dirauth() on relays during startup. Finishes
-      fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.

changes/bug40563

@@ -1,8 +0,0 @@
-  o Major bugfixes (relay):
-    - When opening a channel because of a circuit request that did not
-      include an Ed25519 identity, record the Ed25519 identity that we
-      actually received, so that we can use the channel for other circuit
-      requests that _do_ list an Ed25519 identity.
-      (Previously we had code to record this identity, but a logic bug
-      caused it to be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha.
-      Patch from "cypherpunks".

changes/bug40603

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Demote a harmless warn log message about finding a second hop to from
-      warn level to info level, if we do not have enough descriptors yet.
-      Leave it at notice level for other cases. Fixes bug 40603;
-      bugfix on 0.4.7.1-alpha.

changes/bug40612

@@ -1,5 +0,0 @@
-  o Minor bugfixes (logging):
-    - Demote a notice log message about "Unexpected path length" to info
-      level. These cases seem to happen arbitrarily, and we likely will
-      never find all of them before the switch to arti. Fixes bug 40612;
-      bugfix on 0.4.7.5-alpha.

changes/bug40619

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Correct a log message when cleaning microdescriptors.
-      Fixes bug 40619; bugfix on 0.2.5.4-alpha.

changes/bug40620

@@ -1,3 +0,0 @@
-  o Minor bugfixes (relay, logging):
-    - Demote a harmless XOFF log message to from notice level to info level.
-      Fixes bug 40620; bugfix on 0.4.7.5-alpha.

changes/bug40626

@@ -1,6 +0,0 @@
-  o Major bugfixes (congestion control, TROVE-2022-001):
-    - Fix a scenario where RTT estimation can become wedged, seriously
-      degrading congestion control performance on all circuits. This impacts
-      clients, onion services, and relays, and can be triggered remotely by a
-      malicious endpoint. Tracked as CVE-2022-33903. Fixes bug 40626; bugfix
-      on 0.4.7.5-alpha.

changes/bug40639

@@ -1,5 +0,0 @@
-  o Major bugfixes (vanguards):
-    - We had omitted some checks for whether our vanguards (second layer
-      guards from proposal 333) overlapped. Now make sure to pick each
-      of them to be independent. Also, change the design to allow them to
-      come from the same family. Fixes bug 40639; bugfix on 0.4.7.1-alpha.

changes/bug40642

@@ -1,9 +0,0 @@
-  o Major bugfixes (congestion control):
-    - Implement RFC3742 Limited Slow Start. Congestion control was
-      overshooting the congestion window during slow start, particularly for
-      onion service activity. With this fix, we now update the congestion
-      window more often during slow start, as well as dampen the exponential
-      growth when the congestion window grows above a capping parameter.
-      This should reduce the memory increases guard relays were seeing, as
-      well as allow us to set lower queue limits to defend against
-      ongoing DoS attacks. Fixes bug 40642; bugfix on 0.4.7.5-alpha.

changes/bug40644

@@ -1,8 +0,0 @@
-  o Minor bugfixes (congestion control):
-    - Add a check for an integer underflow condition that might
-      happen in cases where the system clock is stopped, the
-      ORconn is blocked, and the endpoint sends more than a
-      congestion window worth of non-data control cells at once.
-      This would cause a large congestion window to be calculated
-      instead of a small one. No security impact. Fixes bug 40644;
-      bugfix on 0.4.7.5-alpha.

changes/bug40645

@@ -1,5 +0,0 @@
-  o Minor bugfixes (defense in depth):
-    - Change a test in the netflow padding code to make it more
-      _obviously_ safe against remotely triggered crashes.
-      (It was safe against these before, but not obviously so.)
-      Fixes bug 40645; bugfix on 0.3.1.1-alpha.

changes/bug40673

@@ -1,7 +0,0 @@
-  o Minor bugfixes (relay overload statistics):
-    - Count total create cells vs dropped create cells properly, when
-      assessing if our fraction of dropped cells is too high. We only
-      count non-client circuits in the denominator, but we would include
-      client circuits in the numerator, leading to surprising log lines
-      claiming that we had dropped more than 100% of incoming create
-      cells. Fixes bug 40673; bugfix on 0.4.7.1-alpha.

changes/bug40684

@@ -1,6 +0,0 @@
-  o Major bugfixes (OSX):
-    - Fix coarse-time computation on Apple platforms (like Mac M1) where
-      the Mach absolute time ticks do not correspond directly to
-      nanoseconds.  Previously, we computed our shift value wrong, which
-      led us to give incorrect timing results.
-      Fixes bug 40684; bugfix on 0.3.3.1-alpha.

changes/bug40698

@@ -1,11 +0,0 @@
-  o Minor bugfixes (dirauth):
-    - Directory authorities stop voting a consensus "Measured" weight
-      for relays with the Authority flag. Now these relays will be
-      considered unmeasured, which should reserve their bandwidth
-      for their dir auth role and minimize distractions from other
-      roles. In place of the "Measured" weight, they now include a
-      "MeasuredButAuthority" weight (not used by anything) so the
-      bandwidth authority's opinion on this relay can be recorded for
-      posterity. Lastly, remove the AuthDirDontVoteOnDirAuthBandwidth
-      torrc option which never worked right. Fixes bugs 40698 and 40700;
-      bugfix on 0.4.7.2-alpha.

changes/bug40732

@@ -1,7 +0,0 @@
-  o Major bugfixes (congestion control):
-    - Avoid incrementing the congestion window when the window is not
-      fully in use. Thia prevents overshoot in cases where long periods
-      of low activity would allow our congestion window to grow, and
-      then get followed by a burst, which would cause queue overload.
-      Also improve the increment checks for RFC3742. Fixes bug 40732;
-      bugfix on 0.4.7.5-alpha.

changes/bug40751

@@ -1,3 +0,0 @@
-  o Minor bugfixes (metrics):
-    - Decrement hs_intro_established_count on introduction circuit close. Fixes
-      bug 40751; bugfix on 0.4.7.12.

changes/fallbackdirs-2022-08-11

@@ -1,2 +0,0 @@
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories generated on August 11, 2022.

changes/fallbackdirs-2022-11-10

@@ -1,2 +0,0 @@
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories generated on November 10, 2022.

changes/fallbackdirs-2022-12-06

@@ -1,2 +0,0 @@
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories generated on December 06, 2022.

changes/fallbackdirs-2023-01-12

@@ -1,2 +0,0 @@
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories generated on January 12, 2023.

changes/fallbackdirs-2023-06-01

@@ -1,2 +0,0 @@
-  o Minor features (fallbackdir):
-    - Regenerate fallback directories generated on June 01, 2023.

changes/faster_tests

@@ -1,3 +0,0 @@
-  o Minor features (tests):
-    - Avoid needless key reinitialization with OpenSSL during unit tests,
-      saving significant time.  Patch from Alex Xu.

changes/geoip-2022-08-11

@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2022/08/11.

changes/geoip-2022-08-12

@@ -1,5 +0,0 @@
-  o Major bugfixes (geoip data):
-    - IPFire informed us on August 12th that databases generated after
-      (including) August 10th did not have proper ARIN network allocations. We
-      are updating the database to use the one generated on August 9th, 2022.
-      Fixes bug 40658; bugfix on 0.4.5.13.

changes/geoip-2022-11-10

@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2022/11/10.

changes/geoip-2022-12-06

@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2022/12/06.

changes/geoip-2023-01-12

@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2023/01/12.

changes/geoip-2023-06-01

@@ -1,3 +0,0 @@
-  o Minor features (geoip data):
-    - Update the geoip files to match the IPFire Location Database,
-      as retrieved on 2023/06/01.

changes/ip_bind_address_no_port

@@ -1,5 +0,0 @@
-  o Minor features (relays):
-    - Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
-      sockets, allowing relays using OutboundBindAddress to make more outgoing
-      connections than ephemeral ports, as long as they are to separate
-      destinations. Related to issue 40597; patch by Alex Xu (Hello71).

changes/issue40597

@@ -1,4 +0,0 @@
-  o Minor features (relays):
-    - Trigger OOS when bind fails with EADDRINUSE. This improves fairness when
-      a large number of exit connections are requested, and properly signals
-      exhaustion to the network. Fixes issue 40597; patch by Alex Xu (Hello71).

changes/issue40613

@@ -1,3 +0,0 @@
-  o Code simplifications and refactoring:
-    - Rely on actual error returned by the kernel when choosing what resource
-      exhaustion to log. Fixes issue 40613; Fix on tor-0.4.6.1-alpha.

changes/issue40630

@@ -1,3 +0,0 @@
-  o Minor features (portability, compilation):
-    - Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5 compatibility.
-      Fixes issue 40630; patch by Alex Xu (Hello71).

changes/log-quotes

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Avoid ""double-quoting"" strings in several log messages.
-      Fixes bug 22723; bugfix on 0.1.2.2-alpha.

changes/prop275

@@ -1,12 +0,0 @@
-  o Minor features (directory authority):
-    - Add a new consensus method in which the "published" times on router
-      entries in a microdesc consensus are all set to a meaningless fixed
-      date.  Doing this will make the download size for compressed microdesc
-      consensus diffs much smaller.
-      Part of ticket 40130; implements proposal 275.
-
-  o Minor features (network documents):
-    - Clients and relays no longer track the "published on" time declared
-      for relays in any consensus documents.  When reporting this time on
-      the control port, they instead report a fixed date in the future.
-      Part of ticket 40130.

changes/ticket33669

@@ -1,3 +0,0 @@
-  o Minor features (pluggable transports):
-    - Automatically restart managed Pluggable Transport processes when their
-      process terminate. Resolves ticket 33669.

changes/ticket40194

@@ -1,9 +0,0 @@
-  o Minor feature (relay, metrics):
-    - Add counters to the MetricsPort how many connections, per type, are
-      currently opened and how many were created. Part of ticket 40194.
-    - Add total number of streams seen by an Exit to the MetricsPort.
-    - Add congestion control RTT reset counter to MetricsPort.
-    - Add DoS defenses counter to MetricsPort.
-    - Add relay flags from the consensus to the MetricsPort.
-    - Add total number of opened circuits to MetricsPort.
-    - Add traffic stats as in number of read/written bytes in total.

changes/ticket40437

@@ -1,4 +0,0 @@
-  o Minor bugfixes (state file):
-    - Avoid a segfault if the state file doesn't contains TotalBuildTimes along
-      CircuitBuildAbandonedCount being above 0. Fixes bug 40437; bugfix on
-      0.3.5.1-alpha.

changes/ticket40546

@@ -1,3 +0,0 @@
-  o Minor feature (MetricsPort, relay):
-    - Expose time until online keys expires on the MetricsPort. Closes ticket
-      40546.

changes/ticket40593

@@ -1,16 +0,0 @@
-  o Major features (conflux):
-    - Implement Proposal 329 (conflux traffic splitting). Conflux splits
-      traffic across two circuits to Exits that support the protocol.
-      These circuits are pre-built only, which means that if the pre-built
-      conflux pool runs out, regular circuits will then be used.
-
-      When using conflux circuit pairs, clients choose the lower-latency
-      circuit to send data to the Exit. When the Exit sends data to the
-      client, it maximizes throughput, by fully utilizing both circuits in a
-      multiplexed fashion. Alternatively, clients can request that the Exit
-      optimize for latency when transmitting to them, by setting the torrc
-      option 'ConfluxClientUX latency'.
-
-      Onion services are not currently supported, but will be in arti. Many
-      other future optimizations will also be possible using this protocol.
-      Closes ticket 40593.

changes/ticket40596

@@ -1,4 +0,0 @@
-  o Minor bugfixes (pluggable transports, windows):
-    - Remove a warning `BUG()` that could occur when attempting to execute a
-      non-existing pluggable transport on Windows. Fixes bug 40596; bugfix on
-      0.4.0.1-alpha.

changes/ticket40601

@@ -1,4 +0,0 @@
-  o Minor bugfixes (linux seccomp2 sandbox):
-    - Allow the rseq system call in the sandbox. This solves a crash issue with
-      glibc 2.35 on Linux.  Patch from pmu-ipf. Fixes bug 40601; bugfix on
-      0.3.5.11. 

changes/ticket40604

@@ -1,5 +0,0 @@
-  o Major bugfixes (relay):
-    - Remove OR connections btrack subsystem entries when the connections
-      closes normally. Before this, we would only close it on error and thus
-      leaking memory for each normal OR connections. Fixes bug 40604; bugfix
-      on 0.4.0.1-alpha.

changes/ticket40623

@@ -1,4 +0,0 @@
-  o Major bugfixes (relay):
-    - Stop sending TRUNCATED cell and instead close the circuits which sends a
-      DESTROY cell so every relay in the circuit path can stop queuing cells.
-      Fixes bug 40623; bugfix on 0.1.0.2-rc.

changes/ticket40634

@@ -1,3 +0,0 @@
-  o Major features (onion services):
-    - Proof-of-work client puzzles for DoS mitigation, from proposal 327.
-      Closes ticket 40634.

changes/ticket40647

@@ -1,4 +0,0 @@
-  o Minor bugfixes (relay):
-    - Remove a "BUG" warning for an acceptable race between a circuit close
-      and considering that circuit active. Fixes bug 40647; bugfix on
-      0.3.5.1-alpha.

changes/ticket40648

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring (bridges):
-    - Remove unused code related to ExtPort connection ID. Fixes bug 40648;
-      bugfix on 0.3.5.1-alpha.

changes/ticket40649

@@ -1,4 +0,0 @@
-  o Minor bugfixes (relay):
-    - Do not propagate either forward or backward a DESTROY remote reason when
-      closing a circuit so to avoid a possible side channel. Fixes bug 40649;
-      bugfix on 0.1.2.4-alpha.

changes/ticket40652

@@ -1,10 +0,0 @@
-  o Minor features (dirauth):
-    - Add an AuthDirVoteGuard torrc option that can allow authorities to
-      assign the Guard flag to the given fingerprints/country code/IPs. This
-      is a needed feature mostly for defense purposes in case a DoS hits the
-      network and relay start losing the Guard flags too fast.
-    - Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
-      TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable from
-      torrc.
-    - Add a torrc option to control the Guard flag bandwidth threshold
-      percentile. Closes ticket 40652.

changes/ticket40663

@@ -1,3 +0,0 @@
-  o Minor bugfixes (authorities, sandbox):
-    - Allow to write file my-consensus-<flavor-name> to disk when sandbox is
-      activated. Fixes bug 40663; bugfix on 0.3.5.1-alpha.

changes/ticket40664

@@ -1,3 +0,0 @@
-  o Minor feature (authority):
-    - Reject 0.4.6.x series at the authority level. Closes ticket 40664.
-

changes/ticket40674

@@ -1,3 +0,0 @@
-  o Major bugfixes (relay):
-    - Improve security of our DNS cache by randomly clipping the TTL value.
-      TROVE-2021-009. Fixes bug 40674; bugfix on 0.3.5.1-alpha.

changes/ticket40680

@@ -1,6 +0,0 @@
-  o Minor feature (relay, DoS):
-    - Apply circuit creation anti-DoS defenses if the outbound circuit max cell
-      queue size is reached too many times. This introduces two new consensus
-      parameters to control the queue size limit and number of times allowed to
-      go over that limit. Close ticket 40680.
-

changes/ticket40683

@@ -1,6 +0,0 @@
-  o Minor feature (Mac and iOS build):
-    - Change how combine_libs works on Darwin like platforms to
-      make sure we don't include any `__.SYMDEF` and `__.SYMDEF SORTED`
-      symbols on the archive before we repack and run ${RANLIB} on the
-      archive. This fixes a build issue with recent Xcode versions on
-      Mac Silicon and iOS. Closes ticket 40683.

changes/ticket40687

@@ -1,2 +0,0 @@
-  o Directory authority changes (dizum):
-    - Change dizum IP address. Closes ticket 40687.

changes/ticket40688

@@ -1,3 +0,0 @@
-  o Directory authority changes (Faravahar):
-    - Remove Faravahar until its operator, Sina, set it back up online outside
-      of Team Cymru network. Closes ticket 40688.

changes/ticket40691

@@ -1,3 +0,0 @@
-  o Minor features (relay):
-    - Do not warn about configuration options that may expose a non-anonymous
-      onion service. Closes ticket 40691.

changes/ticket40692

@@ -1,3 +0,0 @@
-  o Minor bugfixes (onion service client):
-    - A collapsing onion service circuit should be seen as an "unreachable"
-      error so it can be retried. Fixes bug 40692; bugfix on 0.3.5.1-alpha.

changes/ticket40694

@@ -1,5 +0,0 @@
-  o Major bugfixes (onion service):
-    - Set a much higher circuit build timeout for opened client rendezvous
-      circuit. Before this, tor would time them out very quickly leading to many
-      unnecessary retries and thus more load on the network. Fixes bug 40694;
-      bugfix on 0.3.5.1-alpha.

changes/ticket40696

@@ -1,3 +0,0 @@
-  o Minor bugfixes (onion service):
-    - Make the service retry a rendezvous if the circuit is being repurposed for
-      measurements. Fixes bug 40696; bugfix on 0.3.5.1-alpha.

changes/ticket40703

@@ -1,4 +0,0 @@
-  o Minor feature (performance):
-    - Bump the maximum amount of CPU to use from 16 to 128. Note that NumCPUs
-      torrc option overrides this hardcoded maximum. Fixes bug 40703; bugfix on
-      0.3.5.1-alpha.

changes/ticket40704

@@ -1,6 +0,0 @@
-  o Minor feature (relay):
-    - Two new consensus parameters are added to control the wait time in queue
-      of the onionskins. One of them is the torrc MaxOnionQueueDelay options
-      which supersedes the consensus parameter. Closes ticket 40704.
-    - Change a hardcoded value for the maximum of per CPU tasks into a
-      consensus parameter.

changes/ticket40705

@@ -1,7 +0,0 @@
-  o Major features (dirauth):
-    - Directory authorities and relays now interact properly with
-      directory authorities if they change addresses. In the past, they
-      would continue to upload votes, signatures, descriptors, etc to
-      the hard-coded address in the configuration. Now, if the directory
-      authority is listed in the consensus at a different address, they
-      will direct queries to this new address. Implements ticket 40705.

changes/ticket40708

@@ -1,3 +0,0 @@
-  o Minor feature (metrics):
-    - Add various congestion control counters to the MetricsPort. Closes ticket
-      40708.

changes/ticket40713

@@ -1,4 +0,0 @@
-  o Minor feature (cpuworker):
-    - Always use the number of threads for our CPU worker pool to the number of
-      core available but cap it to a minimum of 2 in case of a single core.
-      Fixes bug 40713; bugfix on 0.3.5.1-alpha.

changes/ticket40719

@@ -1,3 +0,0 @@
-  o Minor bugfixes (cpuworker, relay):
-    - Fix an off by one overload calculation on the number of CPUs being used by
-      our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.

changes/ticket40722

@@ -1,5 +0,0 @@
-  o Directory authority changes (moria1):
-    - Rotate the relay identity key and v3 identity key for moria1. They
-      have been online for more than a decade and refreshing keys
-      periodically is good practice. Advertise new ports too, to avoid
-      confusion. Closes ticket 40722.

changes/ticket40724

@@ -1,3 +0,0 @@
-  o Minor feature (Congestion control metrics):
-    - Add additional metricsport relay metrics for congestion control.
-      Closes ticket 40724.

changes/ticket40727

@@ -1,3 +0,0 @@
-  o Minor bugfixes (relay, metrics):
-    - Fix typo in a congestion control label on the MetricsPort. Fixes bug
-      40727; bugfix on 0.4.7.12.

changes/ticket40729

@@ -1,3 +0,0 @@
-  o Minor bugfixes (sandbox, authority):
-    - With the sandbox enabled, allow to write "my-consensus-{ns|microdesc}" and
-      to rename them as well. Fixes bug 40729; bugfix on 0.3.5.1-alpha.

changes/ticket40730

@@ -1,5 +0,0 @@
-  o Major bugfixes (TROVE-2022-002, client):
-    - The SafeSocks option had its logic inverted for SOCKS4 and SOCKS4a. It
-      would let the unsafe SOCKS4 pass but not the safe SOCKS4a one. This is
-      TROVE-2022-002 which was reported on Hackerone by "cojabo". Fixes bug
-      40730; bugfix on 0.3.5.1-alpha.

changes/ticket40741

@@ -1,2 +0,0 @@
-  o Minor feature (lzma):
-    - Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.

changes/ticket40745

@@ -1,3 +0,0 @@
-  o Minor bugfix (relay, logging):
-    - The wrong max queue cell size was used in a protocol warning logging
-      statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.

changes/ticket40753

@@ -1,5 +0,0 @@
-  o Minor features (directory authorities):
-    - Directory authorities now include their AuthDirMaxServersPerAddr
-      config option in the consensus parameter section of their vote. Now
-      external tools can better predict how they will behave. Implements
-      ticket 40753.

changes/ticket40755

@@ -1,3 +0,0 @@
-  o Minor features (metrics):
-    - Add service side metrics for REND and introduction request failures.
-      Closes ticket 40755.

changes/ticket40757

@@ -1,8 +0,0 @@
-  o Minor features (metrics):
-    - Add support for histograms.
-      Part of ticket 40757.
-  o Minor features (hs, metrics):
-    - Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
-      histograms to measure hidden service rend/intro circuit build time
-      durations.
-      Part of ticket 40757.

changes/ticket40758

@@ -1,3 +0,0 @@
-  o Minor features (metrics):
-    - Add a `reason` label to the HS error metrics.
-      Closes ticket 40758.

changes/ticket40760

@@ -1,3 +0,0 @@
-  o Minor feature (authority):
-    - Reject 0.4.5.x series at the authority level. Closes ticket 40760.
-

changes/ticket40785

@@ -1,4 +0,0 @@
-  o Minor feature (client, IPv6):
-    - Make client able to pick IPv6 relays by default now meaning ClientUseIPv6
-      option now defaults to 1. Closes ticket 40785.
-

changes/ticket40797

@@ -1,4 +0,0 @@
-  o Minor feature (MetricsPort, relay, onion service):
-    - Add metrics for the relay side onion service interactions counting
-      seen cells. Closes ticket 40797. Patch by "friendly73".
-

changes/ticket40799

@@ -1,6 +0,0 @@
-  o Minor bugfixes (sandbox):
-    - Allow membarrier for the sandbox. And allow rt_sigprocmask when compiled
-      with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
-
-  o Minor feature (CI):
-    - Update CI to use Debian Bullseye for runners.