mirror of https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 12:23:32 +01:00

First cut at cleaning 0.1.1.x TODO

svn:r4879

commit c6c403e156
parent 2e7de08fbf

171 doc/TODO
@ -14,9 +14,8 @@ PHOBOS - phobos claims

Non-Coding, Soon:
N - contact umass folks
N - Packaging logic and HOWTO for controller libs
N - Mention controller libs someplace.
- FAQ entry: why gnutls is bad/not good for tor
D FAQ entry: why gnutls is bad/not good for tor
P - flesh out the rest of the section 6 of the faq
P - gather pointers to livecd distros that include tor
- put the logo on the website, in source form, so people can put it on
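Review bot: the replacement line "D FAQ entry: why gnutls is bad/not good for tor" introduces a leading "D" that is used nowhere else in this file; the other lines use "-", ".", "o" and "X" for item state and single letters such as N, R, P, M for owners (the "PHOBOS - phobos claims" legend in this hunk's header context is where those letters are explained). If "D" means done or deferred, add it to that legend or use the existing "o"/"X" markers so the list keeps one consistent notation.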
@ -26,7 +25,7 @@ P - gather pointers to livecd distros that include tor
* clean up the places where our docs are redundant (or worse, obsolete in
one file and correct elsewhere). agl has a start on a global
list-of-tor-docs.
P - update window's docs to clarify which versions of windows, and why a
P - update windows docs to clarify which versions of windows, and why a
DOS window, how it's used, for the less technical users
NR- write a spec appendix for 'being nice with tor'
- tor-in-the-media page
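Review bot: the corrected line "P - update windows docs to clarify which versions of windows, and why a / DOS window, how it's used, for the less technical users" is still a fragment ("why a DOS window" has no verb); since the typo on this line is being touched anyway, finishing the sentence here (for example "why a DOS window appears and how it's used") avoids a second cleanup pass.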
@ -34,16 +33,13 @@ NR- write a spec appendix for 'being nice with tor'
tor-0.1.0.7.rc
- Remove need for HACKING file.

For 0.1.0.x:
. Memory use on Linux: what's happening?
- Is it threading? (Maybe, maybe not)
- Is it the buf_shrink bug? (Quite possibly)
- Instrument the 0.1.1 code to figure out where our memory is going;
apply the results. (all platforms?)


for 0.1.1.x:
R - are dirservers auto-verifying duplicate nicknames?

N . Additional controller features
- Find a way to make event info more extensible
- change circuit status events to give more details, like purpose,
whether they're internal, etc.
. Expose more information via getinfo:
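Review bot: the "For 0.1.0.x" memory block ("Memory use on Linux: what's happening?", threading, "Is it the buf_shrink bug? (Quite possibly)", instrumenting the 0.1.1 code) is removed from the release list here, and the last hunk shows the same items reappearing only under "Reach (deferrable) items for 0.1.1.x"; a suspected leak in buf_shrink is a resource-exhaustion bug on long-running relays rather than open research, so either keep that sub-item among the hard 0.1.1.x items or state in the commit message why it is deferrable. The new item "R - are dirservers auto-verifying duplicate nicknames?" is phrased as a question; record the answer or turn it into a concrete check so it does not sit unresolved.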
@ -54,116 +50,92 @@ N . Additional controller features
download directories/network-status, and a way to force a download.
- It would be nice to request address lookups from the controller
without using SOCKS.
N . helper nodes (Choose N nodes randomly; if a node dies (goes down for a
long time), replace it. Store nodes on disk.
o Implement (basic case)
o Implement (persistence)
o Document
. Test, debug
- On sighup, if usehelpernodes changed to 1, use new circs.

. Helper nodes
. More testing and debugging
- On sighup, if usehelpernodes changed to 1, use new circuits?
- If your helper nodes are unavailable, don't abandon them unless
other nodes *are* reachable.
R - If you think an OR conn is open but you can never establish a circuit
to it, reconsider whether it's actually open.
- switch accountingmax to count total in+out, not either in or
out. it's easy to move in this direction (not risky), but hard to
back, out if we decide we prefer it the way it already is. hm.
. Come up with a coherent strategy for bandwidth buckets and TLS. (The
logic for reading from TLS sockets is likely to overrun the bandwidth
buckets under heavy load. (Really, the logic was never right in the
first place.) Also, we should audit all users of get_pending_bytes().)
- Make it harder to circumvent bandwidth caps: look at number of bytes
sent across sockets, not number sent inside TLS stream.
. Handle rendezvousing with unverified nodes.
o Specify: Stick rendezvous point's address and port in INTRODUCE cell.
o Handle new format.
o Support to extend circuit/target circuit to a chosen combination of
addr/port/ID/onionkey
o Parse new format
o Generate new format (#ifdef out the logic to generate it for now)
o Specify: make service descriptors contain onion key and identity.
o Implement new service desc format
o Think: are we okay with the partitioning? (Yes. It's a simple
migration issue.)
o Implement new directory code
o Implement new server code (Don't enable till directory code is deployed)
o Implement new client code (Don't enable till directory code is deployed)
o Look for v1 descriptor if available, else look for v0 descriptor.
o Use new INTRODUCE protocol if allowed.
N . Verify that new code works.
- Enable the new code
- christian grothoff's attack of infinite-length circuit.

- Miscellaneous cleanups
- switch accountingmax to count total in+out, not either in or
out. it's easy to move in this direction (not risky), but hard to
back, out if we decide we prefer it the way it already is. hm.
. Come up with a coherent strategy for bandwidth buckets and TLS. (The
logic for reading from TLS sockets is likely to overrun the bandwidth
buckets under heavy load. (Really, the logic was never right in the
first place.) Also, we should audit all users of get_pending_bytes().)
- Make it harder to circumvent bandwidth caps: look at number of bytes
sent across sockets, not number sent inside TLS stream.
R - remove the warnings from rendezvous stuff that shouldn't be warnings.

N . Handle rendezvousing with unverified nodes.
o Implement everything
. Enable the new code
. Verify that new code works.

- Christian Grothoff's attack of infinite-length circuit.
the solution is to have a separate 'extend-data' cell type
which is used for the first N data cells, and only
extend-data cells can be extend requests.
- Specify, including thought about
- Implement

N - Destroy and truncated cells should have reasons.
N - Add private:* alias in exit policies to make it easier to ban all the
fiddly little 192.168.foo addresses.
(AGL had a patch; consider applying it.)
- recommended-versions for client / server ?

N - warn if listening for SOCKS on public IP.

- cpu fixes:
- see if we should make use of truncate to retry
o hardware accelerator support (configure engines.)
- hardware accelerator support (use instead of aes.c when reasonable)
R - kill dns workers more slowly
R - remove the warnings from rendezvous stuff that shouldn't be warnings.
- continue decentralizing the directory
o Specify and design all of the below before implementing any.
- Figure out what to do about hidden service descriptors.
X have two router descriptor formats
R . dirservers verify reachability claims
o basic reachability testing, influencing network-status list.
R - rate-limiting the reporting of trouble servers
R - check reachability as soon as you hear about a new server
- find 10 dirservers. (what are criteria to be a dirserver?)
- some back-out mechanism?

. Directory changes
o recommended-versions for client / server ?
- Some back-out mechanism for auto-approval
- dirservers have blacklist of IPs they hate
- a way of rolling back approvals to before a timestamp
- have new people be in limbo and need to demonstrate usefulness
before we approve them
- other?
N . Authoritative dirservers publish very compressed network-status objects.
o Generate format
o Publish it
N . Everyone downloads network-status objects
- From all directories, round-robin
- Cache them, reload on restart
o Serve cached directories
- If DirPort, act as a cache.
N - Directories expose individual descriptors
o By server ID
o By 'all'
- By 'if-newer-than' (Does the spec require this??)
- Support compression.
o Expose "own most recent descriptor".
N - Alice acts on network-status objects, downloading descriptors as needed.
o Servers publish new descriptors when:
o options change
o when 12-24 hours have passed
o when uptime is reset
o When bandwidth changes a lot.
- alices avoid duplicate class C nodes.
o everybody with a dirport will give you his descriptor.
- config option, on by default, to cache all descriptors.
- Compress router desc sets before transmitting them
M Analyze how bad the partitioning is or isn't.
- Naming:
- Specify and design all of the below before implementing any.
- some dirservers announce that they manage bindings (a flag in
router-status).
- other dirservers mention a binding if there is no conflict for
that binding among the dirservers that manage it.
no conflict == any of them bind it and no disagreement.
- alice can specify a nickname and it will record that name in her
datadir along with the key *if* it is bound. otherwise her specifying
will fail (loudly we hope).
- thus when a binding vanishes (e.g. conflict) alice will keep using
the one she meant.
- if the binding changes keys, the entry in her datadir will silently
get corrected.

R . Dirservers verify reachability claims
o basic reachability testing, influencing network-status list.
R - rate-limiting the reporting of trouble servers
R - check reachability as soon as you hear about a new server

- Decentralization
- Figure out what to do about hidden service descriptors.
- find 10 dirservers.
- (what are criteria to be a dirserver?)
N . Dirservers publish compressed network-status objects.
- Support several-at-once
N . Everyone downloads network-status objects
- From all directories, round-robin
- Cache them, reload on restart
o Serve cached directories
N . Directories expose individual descriptors
X By 'if-newer-than' (Does the spec require this??)
- Support compression.
N - Alice acts on network-status objects
- Alice downloads descriptors as needed.
- Alice sets descriptor status from networks-status

- Security
- Alices avoid duplicate class C nodes.
- Analyze how bad the partitioning is or isn't.

N - Naming:
- Separate naming from validation in authdirs.
- Clients choose names based on network-status options.
- Names are remembered in client status.

- packaging and ui stuff:
. multiple sample torrc files
- uninstallers
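Review bot: collapsing the "Handle rendezvousing with unverified nodes" sub-items into "o Implement everything" drops the rollout condition that the old "Implement new server code" and "Implement new client code" lines carried, "(Don't enable till directory code is deployed)"; since ". Enable the new code" remains open in the new text, move that condition onto the Enable item so the ordering is not lost. Two smaller points in the same hunk: "- Specify, including thought about" under the infinite-length circuit item stops mid-sentence and should be completed or trimmed; and the bandwidth items ("Come up with a coherent strategy for bandwidth buckets and TLS", "Make it harder to circumvent bandwidth caps: look at number of bytes sent across sockets, not number sent inside TLS stream") are now filed under "Miscellaneous cleanups" even though the text itself says the logic "was never right in the first place"; they are resource-limit correctness issues and deserve an owner letter like the neighbouring R and N items rather than a cleanup bucket.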
@ -175,15 +147,18 @@ N - Alice acts on network-status objects, downloading descriptors as needed.
N - Vet all pending installer patches
- Win32 installer plus privoxy, sockscap/freecap, etc.
- Vet win32 systray helper code
o Make logs go into platform default locations.
o OSX
X Windows. (?)

Reach (deferrable) items for 0.1.1.x:
- Start using create-fast cells as clients
o Let more config options (e.g. ORPort) change dynamically.
- start handling server descriptors without a socksport?

. Research memory use on Linux: what's happening?
- Is it threading? (Maybe, maybe not)
- Is it the buf_shrink bug? (Quite possibly)
- Instrument the 0.1.1 code to figure out where our memory is going;
apply the results. (all platforms?)

For 0.1.1.x, if we can figure out how:
- rewrite how libevent does select() on win32 so it's not so very slow.
o enclaves (at least preliminary)
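Review bot: "X Windows. (?)" under "Make logs go into platform default locations" is self-contradictory: elsewhere in this diff "X" marks an item dropped for good ("X have two router descriptor formats"), while the trailing "(?)" says the decision is still open. Either keep it as "-" with a one-line reason it is blocked, or remove the "(?)" so a reader knows Windows log placement was consciously dropped.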