use sortChanges to fold changes files into changelog. No additional editing or formatting yet.

ChangeLog

@@ -1,3 +1,432 @@
+Changes in version 0.2.8.1-alpha - 2016-02-0?
+  XXXX Blurb goes here XXXX
+
+  o Major features (consensus downloads):
+    - Schedule multiple in-progress consensus downloads during client
+      bootstrap. Use the first one that starts downloading, close the
+      rest. This reduces failures when authorities are slow or down.
+      Together with the code for feature 15775, it reduces failures due to fallback churn.
+      Implements ticket 4483 (reduce failures when authorities are down).
+      Patch by "teor".
+      Implements IPv4 portions of proposal 210 by "mikeperry" and
+      "teor".
+
+  o Major features (controller):
+    - New "GETINFO hs/service/desc/id/" command to retrieve a hidden service
+      descriptor from a service's local hidden service descriptor cache.
+      Closes ticket 14846.
+
+  o Major features (directory mirrors):
+    - Include an opt-in trial list of Default Fallback Directories in
+      add_default_fallback_dir_servers().
+      "Tor has included a feature to fetch the initial consensus from nodes
+       other than the authorities for a while now. We just haven't shipped a
+       list of alternate locations for clients to go to yet.
+       Reasons why we might want to ship tor with a list of additional places
+       where clients can find the consensus is that it makes authority
+       reachability and BW less important.
+       We want them to have been around and using their current key, address,
+       and port for a while now (120 days), and have been running, a guard,
+       and a v2 directory mirror for most of that time."
+      We exclude BadExits and tor versions that aren't recommended.
+      We include an IPv6 address for each FallbackDir (see ticket 8374).
+      (Tor might not use IPv6 fallbacks until ticket the code for ticket6027 is merged.)
+      The unit test ensures that we successfully load all included
+      default fallback directories.
+      Closes ticket 15775. Patch by "teor".
+      OnionOO script by "weasel", "teor", "gsathya", and "karsten".
+
+  o Major features (relay):
+    - When Tor is started as root on Linux and told to switch user ID, it
+      can now retain the capabilitity to bind to low ports.  By default,
+      Tor will do this only when it's switching user ID and some low
+      ports have been configured.  You can change this behavior with
+      the new option KeepBindCapabilities.  Closes ticket 8195.
+
+  o Minor feature (crypto):
+    - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
+      George Tankersley.
+
+  o Minor feature (directory downloads):
+    - Wait for busy authorities and fallbacks to become non-busy when
+      bootstrapping. (A similar change was made in 6c443e987d for
+      directory servers chosen from the consensus.)
+      Closes ticket 17864; patch by "teor".
+
+  o Minor feature (fallback directories):
+    - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
+      directory mirrors. Default is 1, set it to 0 to disable fallbacks.
+      Implements ticket 17576. Patch by "teor".
+
+  o Minor feature (IPv6):
+    - Add a flag ipv6=address:orport to the DirAuthority and FallbackDir torrc
+      options. Add hard-coded ipv6 addresses for directory authorities with
+      ipv6 lines in their descriptors.
+      Closes ticket 17327; patch from Nick Mathewson / "teor".
+    - Add address policy assume_action support for IPv6 addresses.
+    - Limit IPv6 mask bits to 128.
+    - Warn when comparing against an AF_UNSPEC address in a policy,
+      it's almost always a bug.
+      Closes ticket 17863; patch by "teor".
+
+  o Minor feature (logging):
+    - When logging to syslog, allow a tag to be added to the syslog
+      identity ("Tor"), i.e. the string prepended to every log message.
+      The tag can be configured by setting SyslogIdentityTag and defaults
+      to none.  Setting it to "foo" will cause logs to be tagged as
+      "Tor-foo". Closes ticket 17194.
+
+  o Minor feature (refactoring):
+    - Move logging of redundant policy entries in
+      policies_parse_exit_policy_internal into its own function.
+      Closes ticket 17608; patch from "juce".
+
+  o Minor features (accounting):
+    - Added two modes to AccountingRule in torrc for
+      limiting just input or just output.
+      Closes ticket 15989; patch from "unixninja92".
+
+  o Minor features (authorities):
+    - Update the V3 identity key for dannenberg: it was changed on
+      18 November 2015.
+      Closes task 17906. Patch by "teor".
+
+  o Minor features (build):
+    - Since our build process now uses 'make distcheck', we no longer force
+      "make dist" to depend on "make check". Closes ticket 17893;
+      patch from "cypherpunks."
+
+  o Minor features (compilation):
+    - Repair some compilation issues with some recent (unreleased, alpha)
+      vesions of OpenSSL 1.1. Closes ticket 17549.
+
+  o Minor features (controller):
+    - Adds FallbackDir entries to 'GETINFO config/defaults'. Closes tickets
+      16774 and 17817. Patch by George Tankersley.
+
+  o Minor features (crypto):
+    - When allocating a digest state object, allocate no more space than we
+      actually need.  Previously, we were allocating as much space as the
+      state for the largest algorithm would need.  This change saves up to
+      672 bytes per circuit.  Closes ticket 17796.
+
+  o Minor features (directory system):
+    Previously only relays who explicitly opened a directory port (DirPort)
+    accepted directory requests from clients.  Now all relays, with and without
+    a DirPort, who do not disable the DirCache option accept and serve
+    directory requests sent (tunnelled) through their ORPort.
+    Closes ticket 12538.
+
+  o Minor features (exit policies, controllers):
+    - Add controller getinfo exit-policy/reject-private/[default,relay]
+      for the reject rules added by ExitPolicyRejectPrivate. This makes
+      it easier for stem to display exit policies.
+    - Add unit tests for getinfo exit-policy/*.
+      Finishes implementation for ticket 17183. Patch by "teor".
+
+  o Minor features (fallback directories):
+    - Add a set of default fallback directories for the 0.2.8 alpha releases.
+      Closes ticket 17158.
+      Patch by "teor".
+
+  o Minor features (geoip):
+    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
+      Country database.
+
+  o Minor features (IPv6 support):
+    - Allow users to configure directory authorities and fallback
+      directory servers with IPv6 addresses and ORPorts.  Resolves
+      ticket 6027.
+
+  o Minor features (portability):
+    - Use timingsafe_memcmp() where available. Closes ticket 17944;
+      patch from <logan@hackers.mu>.
+
+  o Minor features (relay, address discovery):
+    - Add a family argument to get_interface_addresses_raw() and
+      subfunctions to make network interface address interogation more
+      efficient. Now Tor can specifically ask for IPv4, IPv6 or both
+      types of interfaces from the operating system. Resolves ticket 17950.
+    - When get_interface_address6_list(.,AF_UNSPEC,.) is called and fails
+      to enumerate interface addresses using the platform-specific API,
+      have it rely on the UDP socket fallback technique to try and find
+      out what IP addresses (both IPv4 and IPv6) our machine has. Resolves
+      ticket 17951.
+
+  o Minor features (replaycache):
+    - The replay cache now uses SHA256 instead of SHA1.
+      Implements feature 8961.
+      Patch by "teor", issue reported by "rransom".
+
+  o Minor features (security):
+    - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
+      positively are not allowed to fail. Previously we depended on
+      internals about OpenSSL behavior. Closes ticket 17686.
+    - Never use the system entropy output directly for anything besides
+      seeding the PRNG.  When we want to generate important keys, instead
+      of using system entropy directly, hash it with the PRNG stream.
+      This may help resist certain attacks based on broken OS entropy
+      implementations. Closes part of ticket 17694.
+    - Set unused entires in a smartlist to NULL. This helped catch a
+      (harmless) bug, and shouldn't affect performance too much.
+      Implements ticket 17026.
+    - Use SecureMemoryWipe() function to securely clean memory on
+      Windows. Implements feature 17986.
+    - Use explicit_bzero or memset_s when present. Previously, we'd use
+      OpenSSL's OPENSSL_cleanse() function.
+      Closes ticket 7419; patches from <logan@hackers.mu> and <selven@hackers.mu>.
+
+  o Minor features (security, clock):
+    - Warn when the system clock is set back in time (when the
+      state file was last written in the future). Tor doesn't know
+      that consensuses have expired if the clock is in the past.
+      Patch by "teor". Implements ticket 17188.
+
+  o Minor features (security, cryptography):
+    - Use modern system calls to generate strong entropy on platforms that
+      provide them. Closes ticket 13696.
+
+  o Minor features (testing):
+    - Log more information when the backtrace tests fail.
+      Closes ticket 17892. Patch from "cypherpunks."
+
+  o Minor features (unit tests, random number generation):
+    - Add unit tests that check for common RNG failure modes, such as
+      returning all zeroes, identical values, or incrementing values
+      (OpenSSL's rand_predictable feature).
+      Patch by "teor".
+
+  o Minor features (unix permissions):
+    - Defer creation of Unix sockets until after setuid. This avoids needing
+      CAP_CHOWN and CAP_FOWNER when using systemd's CapabilityBoundingSet, or
+      chown and fowner when using SELinux.
+      Implements part of ticket 17562. Patch from Jamie Nguyen.
+    - If any directory created by Tor is marked as group readable, the
+      filesystem group is allowed to be either the default GID or the root
+      user. Allowing root to read the DataDirectory prevents the need for
+      CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or
+      dac_read_search when using SELinux.
+      Implements part of ticket 17562. Patch from Jamie Nguyen.
+    - Introduce DataDirectoryGroupReadable boolean. If set to 1, the
+      DataDirectory will be made readable by the default GID.
+      Implements part of ticket 17562. Patch from Jamie Nguyen.
+
+  o Minor bugfix (crypto):
+    - Check the return value of HMAC and assert on failure.
+      Fixes bug 17658; bugfix on 0.2.3.6-alpha.
+      Patch by "teor".
+
+  o Minor bugfix (fallback directories):
+    - Mark fallbacks as "too busy" when they return a 503 response,
+      rather than just marking authorities.
+      Fixes bug 17572; bugfix on 5c51b3f1f0d4 released in 0.2.4.7-alpha.
+      Patch by "teor".
+
+  o Minor bugfix (IPv6 compatibility, unit tests):
+    - Make tor_ersatz_socketpair work on IPv6-only systems.
+      Fixes bug 17638; bugfix on 0.0.2pre8.
+      Patch by "teor".
+
+  o Minor bugfix (relays, hidden services):
+    - Refuse connection requests to private OR addresses unless
+      ExtendAllowPrivateAddresses is set. Previously, tor would
+      connect, then refuse to send any cells to a private address.
+      Fixes bugs 17674 and 8976; bugfix on 0.2.3.21-rc.
+      Patch by "teor".
+
+  o Minor bugfix (SipHash-2-4 performance):
+    - Improve performance when hashing non-multiple of 8 sized buffers,
+      based on Andrew Moon's Public Domain SipHash-2-4 implementation.
+      Fixes bug 17544; bugfix on 0.2.5.3-alpha.
+
+  o Minor bugfix (testing):
+    - The test for log_heartbeat was incorrectly failing in timezones
+      with non-integer offsets. Instead of comparing the end of the
+      time string against a constant, compare it to the output of
+      format_local_iso_time when given the correct input.
+      Fixes bug 18039; bugfix on 0.2.5.4-alpha.
+
+  o Minor bugfix (unit tests):
+    - Make unit tests pass on IPv6-only systems, and systems without
+      localhost addresses (like some FreeBSD jails).
+      Fixes bug 17632; bugfix on 0.2.7.3-rc.
+      Patch by "teor".
+
+  o Minor bugfixes (accounting):
+    - The max bandwidth when using AccountRule sum
+      is now correctly logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha.
+      Patch from "unixninja92".
+
+  o Minor bugfixes (build):
+    - Mark all object files that include micro-revision.i as depending on
+      it, so as to make our build more reliable with parallel builds.
+      Fixes bug 17826; bugfix on 0.2.5.1-alpha.
+
+  o Minor bugfixes (client, correctness):
+    - When closing an entry connection, generate a warning if we should
+      have sent an end cell for it but we haven't.  Fixes bug 17876;
+      bugfix on 0.2.3.2-alpha.
+
+  o Minor bugfixes (code correctness):
+    - Assert that allocated memory held by the reputation code is freed
+      according to its internal counters. Fixes bug 17753; bugfix on
+      tor-0.1.1.1-alpha.
+
+  o Minor bugfixes (compilation):
+    - Don't try to use the pthrad_condattr_setclock() function unless
+      it actually exists.  Fixes compilation on NetBSD-6.x. Fixes bug
+      17819; bugfix on 0.2.6.3-alpha.
+    - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix on
+      tor-0.2.5.2-alpha.
+    - Fix compilation of sandbox.c with musl-libc.
+      Fixes bug 17347; bugfix on 0.2.5.1-alpha.
+      Patch from 'jamestk'.
+    - Fix search for libevent libraries on OpenBSD (and similar systems
+      which install libevent 1 and libevent 2 in parallel). Fixes bug
+      16651; bugfix on 0.1.0.7-rc.
+      Patch from "rubiate".
+    - Isolate environment variables meant for tests from the rest of the
+      build system. Fixes bug 17818; bugfix on tor-0.2.7.3-rc.
+    - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
+      on tor-0.0.2pre8.
+
+  o Minor bugfixes (IPv6):
+    - Update the limits in max_dl_per_request for IPv6 address
+      length. Fixes bug 17573; bugfix on 0.2.1.5-alpha.
+
+  o Minor bugfixes (linux seccomp2 sandbox):
+    - Fix a crash when using offline master ed25519 keys with the
+      Linux seccomp2 sandbox enabled. Fixes bug 17675; bugfix on
+      0.2.7.3-alpha.
+
+  o Minor bugfixes (logging):
+    - In log messages that include a function name, use __FUNCTION__ instead
+      of __PRETTY_FUNCTION__.  In GCC, these are synonymous, but with clang
+      __PRETTY_FUNCTION__ has extra information we don't need.
+      Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van der Woerdt.
+    - Remove needless quotes from a log message about unparseable addresses.
+      Fixes bug 17843; bugfix on 0.2.3.3-alpha.
+
+  o Minor bugfixes (makefile):
+    - Remove config.log only from make distclean, not from 
+      make clean. Fixes bug 17924; bugfix on 0.2.4.1-alpha.
+
+  o Minor bugfixes (portability):
+    - Remove an #endif from configure.ac so that we correctly detect
+      the presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix on
+      0.2.0.13-alpha.
+
+  o Minor bugfixes (relays):
+    - Check that both the ORPort and DirPort (if present) are reachable
+      before publishing a relay descriptor. Otherwise, relays publish a
+      descriptor with DirPort 0 when the DirPort reachability test takes
+      longer than the ORPort reachability test.
+      Fixes bug 18050; bugfix on 0.1.0.1-rc.
+      Reported by "starlight", patch by "teor".
+
+  o Minor bugfixes (routersets, IPv6):
+    - routerset_parse now accepts IPv6 literal addresses.
+      Fixes bug 17060; bugfix on 0.2.1.3-alpha. Patch by "teor".
+
+  o Minor bugfixes (safe logging):
+    - When logging a malformed hostname received through socks4, scrub it
+      if SafeLogging says we should. Fixes bug 17419; bugfix on 0.1.1.16-rc.
+
+  o Minor bugfixes (security):
+    - Make memwipe() do nothing when passed a NULL pointer
+      or zero size. Check size argument to memwipe() for underflow.
+      Fixes bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha.
+      Reported by "gk", patch by "teor".
+
+  o Minor bugfixes (security, exit policies):
+    - ExitPolicyRejectPrivate rejects more private addresses by default.
+      Specifically, it rejects
+      the relay's outbound bind addresses (if configured), and
+      the relay's configured port addresses (such as ORPort and DirPort).
+      Fixes bug 17027; bugfix on 0.2.0.11-alpha. Patch by "teor".
+
+  o Minor bugfixes (statistics code):
+    - Consistently check for overflow in round_*_to_next_multiple_of
+      functions, and add unit tests with additional and maximal values.
+      Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
+    - Handle edge cases in the laplace functions: avoid division by zero,
+      avoid taking the log of zero, and silence clang type conversion
+      warnings using round and trunc.  Add unit tests for edge cases with
+      maximal values. Fixes part of bug 13192; bugfix on 0.2.6.2-alpha.
+
+  o Minor bugfixes (tests):
+    - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix on
+      0.2.4.8-alpha.
+
+  o Minor bugfixes (TLS context):
+    - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
+      bugfix on 0.0.6.
+
+  o Minor bugfixes (unit tests):
+    - Check the full results of SHA256 and SHA512 digests in the
+      unit tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".
+
+  o Code simplification and refactoring:
+     - Extract the more complicated parts of circuit_mark_for_close into
+       a new function run periodically before connections are freed.
+       This change removes more than half of the functions currently
+       in the "blob".
+       Closes ticket 17218.
+    - Clean up a little duplicated code in crypto_expand_key_material_TAP.
+      Closes ticket 17587; patch from "pfrankw".
+    - Decouple the list of streams needing to be attached to circuits
+      from the overall connection list. This change makes it possible to
+      attach streams quickly while both simplifying Tor's callgraph and
+      avoiding O(N) scans of the entire connection list.  Closes ticket
+      17590.
+    - When a direct directory request fails immediately on launch,
+      instead of relaunching that request from inside the code that
+      launches it, instead mark the connection for teardown. This
+      change simplifies Tor's callback and prevents the directory-
+      request launching code from invoking itself recursively.
+      Closes ticket 17589.
+
+  o Documentation:
+    - Add a description of the correct use of the '--keygen' command-line
+      option. Closes ticket 17583; based on text by 's7r'.
+    - Document the minimum HeartbeatPeriod value. Closes ticket 15638.
+    - Explain actual minima for BandwidthRate. Closes ticket 16382.
+    - Fix a minor formatting typo in the manpage. Closes ticket
+      17791.
+    - Mention torspec URL in the manpage and point the reader to it
+      whenever we mention a document that belongs in torspce.
+      Fixes issue 17392.
+
+  o Removed features:
+    - Remove client-side support for connecting to Tor servers running
+      versions of Tor before 0.2.3.6-alpha. These servers didn't
+      support the v3 TLS handshake protocol, and are no longer allowed
+      on the Tor network.  Implements the client side of ticket
+      11150. Based on patches by Tom van der Woerdt.
+    - Remove code for OpenSSL dynamic locks; OpenSSL doesn't use them.
+      Closes ticket 17926.
+
+  o Testing:
+    - Always test both ed25519 backends, so that we can be sure that
+      our batch-open replacement code works. Part of ticket 16794.
+    - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
+      portion of ticket 16831.
+    - More unit tests for compat_libevent.c. Closes ticket 17075.
+      Patch from Ola Bini.
+    - More unit tests for procmon.c. Closes ticket 17078.
+      Patch from Ola Bini.
+    - More unit tests for tortls.c. Closes ticket 17082.
+      Patch from Ola Bini.
+    - More unit tests for util_format.c. Closes ticket 17084.
+      Patch from Ola Bini.
+    - New tests for directory.c functions. Closes ticket 17003.  Patch
+      from Ola Bini.
+    - New tests for options_validate.  Closes ticket 17076. Patch from
+      Ola Bini.
+    - Unit tests for directory_handle_command_get. Closes ticket 17004.
+      Patch from Reinaldo de Souza Jr.
+
+
 Changes in version 0.2.7.6 - 2015-12-10
   Tor version 0.2.7.6 fixes a major bug in entry guard selection, as
   well as a minor bug in hidden service reliability.

changes/11150

@@ -1,6 +0,0 @@
-  o Removed features:
-    - Remove client-side support for connecting to Tor servers running
-      versions of Tor before 0.2.3.6-alpha. These servers didn't
-      support the v3 TLS handshake protocol, and are no longer allowed
-      on the Tor network.  Implements the client side of ticket
-      11150. Based on patches by Tom van der Woerdt.

changes/17004

@@ -1,3 +0,0 @@
-  o Testing:
-    - Unit tests for directory_handle_command_get. Closes ticket 17004.
-      Patch from Reinaldo de Souza Jr.

changes/17075

@@ -1,3 +0,0 @@
-  o Testing:
-    - More unit tests for compat_libevent.c. Closes ticket 17075.
-      Patch from Ola Bini.

changes/17078

@@ -1,3 +0,0 @@
-  o Testing:
-    - More unit tests for procmon.c. Closes ticket 17078.
-      Patch from Ola Bini.

changes/17082

@@ -1,3 +0,0 @@
-  o Testing:
-    - More unit tests for tortls.c. Closes ticket 17082.
-      Patch from Ola Bini.

changes/17084

@@ -1,3 +0,0 @@
-  o Testing:
-    - More unit tests for util_format.c. Closes ticket 17084.
-      Patch from Ola Bini.

changes/17573

@@ -1,4 +0,0 @@
-  o Minor bugfixes (IPv6):
-    - Update the limits in max_dl_per_request for IPv6 address
-      length. Fixes bug 17573; bugfix on 0.2.1.5-alpha.
-

changes/17826

@@ -1,5 +0,0 @@
-  o Minor bugfixes (build):
-    - Mark all object files that include micro-revision.i as depending on
-      it, so as to make our build more reliable with parallel builds.
-      Fixes bug 17826; bugfix on 0.2.5.1-alpha.
-      

changes/17926

@@ -1,3 +0,0 @@
-  o Removed features:
-    - Remove code for OpenSSL dynamic locks; OpenSSL doesn't use them.
-      Closes ticket 17926.

changes/17944

@@ -1,3 +0,0 @@
-  o Minor features (portability):
-    - Use timingsafe_memcmp() where available. Closes ticket 17944;
-      patch from <logan@hackers.mu>.

changes/7419

@@ -1,6 +0,0 @@
-  o Minor features (security):
-    - Use explicit_bzero or memset_s when present. Previously, we'd use
-      OpenSSL's OPENSSL_cleanse() function.
-      Closes ticket 7419; patches from <logan@hackers.mu> and <selven@hackers.mu>.
-
-

changes/bug15638

@@ -1,2 +0,0 @@
-  o Documentation:
-    - Document the minimum HeartbeatPeriod value. Closes ticket 15638.

changes/bug16382

@@ -1,3 +0,0 @@
-  o Documentation:
-    - Explain actual minima for BandwidthRate. Closes ticket 16382.
-

changes/bug16563

@@ -1,6 +0,0 @@
-  o Minor bugfixes (logging):
-    - In log messages that include a function name, use __FUNCTION__ instead
-      of __PRETTY_FUNCTION__.  In GCC, these are synonymous, but with clang
-      __PRETTY_FUNCTION__ has extra information we don't need.
-      Fixes bug 16563; bugfix on 0.0.2pre8. Fix by Tom van der Woerdt.
-      

changes/bug16651

@@ -1,6 +0,0 @@
-  o Minor bugfixes (compilation):
-
-    - Fix search for libevent libraries on OpenBSD (and similar systems
-      which install libevent 1 and libevent 2 in parallel). Fixes bug
-      16651; bugfix on 0.1.0.7-rc.
-      Patch from "rubiate".

changes/bug16794_ed

@@ -1,3 +0,0 @@
-  o Testing:
-    - Always test both ed25519 backends, so that we can be sure that
-      our batch-open replacement code works. Part of ticket 16794.

changes/bug17003

@@ -1,3 +0,0 @@
-  o Testing:
-    - New tests for directory.c functions. Closes ticket 17003.  Patch
-      from Ola Bini.

changes/bug17026

@@ -1,5 +0,0 @@
-  o Minor features (security):
-    - Set unused entires in a smartlist to NULL. This helped catch a
-      (harmless) bug, and shouldn't affect performance too much.
-      Implements ticket 17026.
-

changes/bug17027-reject-private-bind-port

@@ -1,6 +0,0 @@
-  o Minor bugfixes (security, exit policies):
-    - ExitPolicyRejectPrivate rejects more private addresses by default.
-      Specifically, it rejects
-      the relay's outbound bind addresses (if configured), and
-      the relay's configured port addresses (such as ORPort and DirPort).
-      Fixes bug 17027; bugfix on 0.2.0.11-alpha. Patch by "teor".

changes/bug17194

@@ -1,7 +0,0 @@
-  o Minor feature (logging):
-    - When logging to syslog, allow a tag to be added to the syslog
-      identity ("Tor"), i.e. the string prepended to every log message.
-      The tag can be configured by setting SyslogIdentityTag and defaults
-      to none.  Setting it to "foo" will cause logs to be tagged as
-      "Tor-foo". Closes ticket 17194.
-

changes/bug17347

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix compilation of sandbox.c with musl-libc.
-      Fixes bug 17347; bugfix on 0.2.5.1-alpha.
-      Patch from 'jamestk'.

changes/bug17419

@@ -1,3 +0,0 @@
-  o Minor bugfixes (safe logging):
-    - When logging a malformed hostname received through socks4, scrub it
-      if SafeLogging says we should. Fixes bug 17419; bugfix on 0.1.1.16-rc.

changes/bug17544

@@ -1,4 +0,0 @@
-  o Minor bugfix (SipHash-2-4 performance):
-    - Improve performance when hashing non-multiple of 8 sized buffers,
-      based on Andrew Moon's Public Domain SipHash-2-4 implementation.
-      Fixes bug 17544; bugfix on 0.2.5.3-alpha.

changes/bug17549

@@ -1,3 +0,0 @@
-  o Minor features (compilation):
-    - Repair some compilation issues with some recent (unreleased, alpha)
-      vesions of OpenSSL 1.1. Closes ticket 17549.

changes/bug17562-DataDirectoryGroupReadable

@@ -1,5 +0,0 @@
-  o Minor features (unix permissions):
-    - Introduce DataDirectoryGroupReadable boolean. If set to 1, the
-      DataDirectory will be made readable by the default GID.
-      Implements part of ticket 17562. Patch from Jamie Nguyen.
-

changes/bug17562-allow-root-group-read

@@ -1,7 +0,0 @@
-  o Minor features (unix permissions):
-    - If any directory created by Tor is marked as group readable, the
-      filesystem group is allowed to be either the default GID or the root
-      user. Allowing root to read the DataDirectory prevents the need for
-      CAP_READ_SEARCH when using systemd's CapabilityBoundingSet, or
-      dac_read_search when using SELinux.
-      Implements part of ticket 17562. Patch from Jamie Nguyen.

changes/bug17562-defer-unix-socket-creation

@@ -1,5 +0,0 @@
-  o Minor features (unix permissions):
-    - Defer creation of Unix sockets until after setuid. This avoids needing
-      CAP_CHOWN and CAP_FOWNER when using systemd's CapabilityBoundingSet, or
-      chown and fowner when using SELinux.
-      Implements part of ticket 17562. Patch from Jamie Nguyen.

changes/bug17572-fallback-by-digest

@@ -1,5 +0,0 @@
-  o Minor bugfix (fallback directories):
-    - Mark fallbacks as "too busy" when they return a 503 response,
-      rather than just marking authorities.
-      Fixes bug 17572; bugfix on 5c51b3f1f0d4 released in 0.2.4.7-alpha.
-      Patch by "teor".

changes/bug17583

@@ -1,4 +0,0 @@
-  o Documentation:
-    - Add a description of the correct use of the '--keygen' command-line
-      option. Closes ticket 17583; based on text by 's7r'.
-

changes/bug17589

@@ -1,7 +0,0 @@
-  o Code simplification and refactoring:
-    - When a direct directory request fails immediately on launch,
-      instead of relaunching that request from inside the code that
-      launches it, instead mark the connection for teardown. This
-      change simplifies Tor's callback and prevents the directory-
-      request launching code from invoking itself recursively.
-      Closes ticket 17589.

changes/bug17632-no-ipv4-no-localhost

@@ -1,5 +0,0 @@
-  o Minor bugfix (unit tests):
-    - Make unit tests pass on IPv6-only systems, and systems without
-      localhost addresses (like some FreeBSD jails).
-      Fixes bug 17632; bugfix on 0.2.7.3-rc.
-      Patch by "teor".

changes/bug17638-ipv6-ersatz-socketpair

@@ -1,5 +0,0 @@
-  o Minor bugfix (IPv6 compatibility, unit tests):
-    - Make tor_ersatz_socketpair work on IPv6-only systems.
-      Fixes bug 17638; bugfix on 0.0.2pre8.
-      Patch by "teor".
-

changes/bug17675

@@ -1,4 +0,0 @@
-  o Minor bugfixes (linux seccomp2 sandbox):
-    - Fix a crash when using offline master ed25519 keys with the
-      Linux seccomp2 sandbox enabled. Fixes bug 17675; bugfix on
-      0.2.7.3-alpha.

changes/bug17683

@@ -1,3 +0,0 @@
-  o Minor bugfixes (TLS context):
-    - Assert when the TLS contexts fail to initialize. Fixes bug 17683;
-      bugfix on 0.0.6.

changes/bug17686

@@ -1,4 +0,0 @@
-  o Minor features (security):
-    - Adjust Tor's use of OpenSSL's RNG APIs so that they absolutely,
-      positively are not allowed to fail. Previously we depended on
-      internals about OpenSSL behavior. Closes ticket 17686.

changes/bug17694_strongest

@@ -1,6 +0,0 @@
-  o Minor features (security):
-    - Never use the system entropy output directly for anything besides
-      seeding the PRNG.  When we want to generate important keys, instead
-      of using system entropy directly, hash it with the PRNG stream.
-      This may help resist certain attacks based on broken OS entropy
-      implementations. Closes part of ticket 17694.

changes/bug17753

@@ -1,4 +0,0 @@
-  o Minor bugfixes (code correctness):
-    - Assert that allocated memory held by the reputation code is freed
-      according to its internal counters. Fixes bug 17753; bugfix on
-      tor-0.1.1.1-alpha.

changes/bug17778

@@ -1,3 +0,0 @@
-  o Minor bugfixes (tests):
-    - Fix a memory leak in the ntor test. Fixes bug 17778; bugfix on
-      0.2.4.8-alpha.

changes/bug17791

@@ -1,4 +0,0 @@
-  o Documentation:
-    - Fix a minor formatting typo in the manpage. Closes ticket
-      17791.
-   

changes/bug17804

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Replace usage of 'INLINE' with 'inline'. Fixes bug 17804; bugfix
-      on tor-0.0.2pre8.

changes/bug17818

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Isolate environment variables meant for tests from the rest of the
-      build system. Fixes bug 17818; bugfix on tor-0.2.7.3-rc.

changes/bug17819

@@ -1,4 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Don't try to use the pthrad_condattr_setclock() function unless
-      it actually exists.  Fixes compilation on NetBSD-6.x. Fixes bug
-      17819; bugfix on 0.2.6.3-alpha.

changes/bug17827

@@ -1,3 +0,0 @@
-  o Minor bugfixes (compilation):
-    - Fix backtrace compilation on FreeBSD. Fixes bug 17827; bugfix on
-      tor-0.2.5.2-alpha.

changes/bug17843

@@ -1,3 +0,0 @@
-  o Minor bugfixes (logging):
-    - Remove needless quotes from a log message about unparseable addresses.
-      Fixes bug 17843; bugfix on 0.2.3.3-alpha.

changes/bug17876

@@ -1,5 +0,0 @@
-  o Minor bugfixes (client, correctness):
-    - When closing an entry connection, generate a warning if we should
-      have sent an end cell for it but we haven't.  Fixes bug 17876;
-      bugfix on 0.2.3.2-alpha.
-

changes/bug17892

@@ -1,4 +0,0 @@
-  o Minor features (testing):
-    - Log more information when the backtrace tests fail.
-      Closes ticket 17892. Patch from "cypherpunks."
-

changes/bug17893

@@ -1,4 +0,0 @@
-  o Minor features (build):
-    - Since our build process now uses 'make distcheck', we no longer force
-      "make dist" to depend on "make check". Closes ticket 17893;
-      patch from "cypherpunks."

changes/bug17906

@@ -1,4 +0,0 @@
-  o Minor features (authorities):
-    - Update the V3 identity key for dannenberg: it was changed on
-      18 November 2015.
-      Closes task 17906. Patch by "teor".

changes/bug17923

@@ -1,4 +0,0 @@
-  o Minor bugfixes (portability):
-    - Remove an #endif from configure.ac so that we correctly detect
-      the presence of in6_addr.s6_addr32. Fixes bug 17923; bugfix on
-      0.2.0.13-alpha.

changes/bug17924

@@ -1,4 +0,0 @@
-  o Minor bugfixes (makefile):
-    - Remove config.log only from make distclean, not from 
-      make clean. Fixes bug 17924; bugfix on 0.2.4.1-alpha.
-

changes/bug18050

@@ -1,7 +0,0 @@
-  o Minor bugfixes (relays):
-    - Check that both the ORPort and DirPort (if present) are reachable
-      before publishing a relay descriptor. Otherwise, relays publish a
-      descriptor with DirPort 0 when the DirPort reachability test takes
-      longer than the ORPort reachability test.
-      Fixes bug 18050; bugfix on 0.1.0.1-rc.
-      Reported by "starlight", patch by "teor".

changes/bug18089

@@ -1,5 +0,0 @@
-  o Minor bugfixes (security):
-    - Make memwipe() do nothing when passed a NULL pointer
-      or zero size. Check size argument to memwipe() for underflow.
-      Fixes bug 18089; bugfix on 0.2.3.25 and 0.2.4.6-alpha.
-      Reported by "gk", patch by "teor".

changes/bug4483-multiple-consensus-downloads

@@ -1,9 +0,0 @@
-  o Major features (consensus downloads):
-    - Schedule multiple in-progress consensus downloads during client
-      bootstrap. Use the first one that starts downloading, close the
-      rest. This reduces failures when authorities are slow or down.
-      Together with the code for feature 15775, it reduces failures due to fallback churn.
-      Implements ticket 4483 (reduce failures when authorities are down).
-      Patch by "teor".
-      Implements IPv4 portions of proposal 210 by "mikeperry" and
-      "teor".

changes/bug6027

@@ -1,4 +0,0 @@
-  o Minor features (IPv6 support):
-    - Allow users to configure directory authorities and fallback
-      directory servers with IPv6 addresses and ORPorts.  Resolves
-      ticket 6027.

changes/check-crypto-errors

@@ -1,4 +0,0 @@
-  o Minor bugfix (crypto):
-    - Check the return value of HMAC and assert on failure.
-      Fixes bug 17658; bugfix on 0.2.3.6-alpha.
-      Patch by "teor".

changes/cleanup_17587

@@ -1,3 +0,0 @@
-  o Code simplification and refactoring:
-    - Clean up a little duplicated code in crypto_expand_key_material_TAP.
-      Closes ticket 17587; patch from "pfrankw".

changes/decouple_circuit_mark

@@ -1,6 +0,0 @@
-  o Code simplification and refactoring:
-     - Extract the more complicated parts of circuit_mark_for_close into
-       a new function run periodically before connections are freed.
-       This change removes more than half of the functions currently
-       in the "blob".
-       Closes ticket 17218.

changes/decouple_conn_attach

@@ -1,6 +0,0 @@
-  o Code simplification and refactoring:
-    - Decouple the list of streams needing to be attached to circuits
-      from the overall connection list. This change makes it possible to
-      attach streams quickly while both simplifying Tor's callgraph and
-      avoiding O(N) scans of the entire connection list.  Closes ticket
-      17590.

changes/doc17392

@@ -1,4 +0,0 @@
-  o Documentation:
-    - Mention torspec URL in the manpage and point the reader to it
-      whenever we mention a document that belongs in torspce.
-      Fixes issue 17392.

changes/feature12538

@@ -1,6 +0,0 @@
-  o Minor features (directory system):
-    Previously only relays who explicitly opened a directory port (DirPort)
-    accepted directory requests from clients.  Now all relays, with and without
-    a DirPort, who do not disable the DirCache option accept and serve
-    directory requests sent (tunnelled) through their ORPort.
-    Closes ticket 12538.

changes/feature13696

@@ -1,3 +0,0 @@
-  o Minor features (security, cryptography):
-    - Use modern system calls to generate strong entropy on platforms that
-      provide them. Closes ticket 13696.

changes/feature14846

@@ -1,4 +0,0 @@
-  o Major features (controller):
-    - New "GETINFO hs/service/desc/id/" command to retrieve a hidden service
-      descriptor from a service's local hidden service descriptor cache.
-      Closes ticket 14846.

changes/feature15775-fallback

@@ -1,19 +0,0 @@
-  o Major features (directory mirrors):
-    - Include an opt-in trial list of Default Fallback Directories in
-      add_default_fallback_dir_servers().
-      "Tor has included a feature to fetch the initial consensus from nodes
-       other than the authorities for a while now. We just haven't shipped a
-       list of alternate locations for clients to go to yet.
-       Reasons why we might want to ship tor with a list of additional places
-       where clients can find the consensus is that it makes authority
-       reachability and BW less important.
-       We want them to have been around and using their current key, address,
-       and port for a while now (120 days), and have been running, a guard,
-       and a v2 directory mirror for most of that time."
-      We exclude BadExits and tor versions that aren't recommended.
-      We include an IPv6 address for each FallbackDir (see ticket 8374).
-      (Tor might not use IPv6 fallbacks until ticket the code for ticket6027 is merged.)
-      The unit test ensures that we successfully load all included
-      default fallback directories.
-      Closes ticket 15775. Patch by "teor".
-      OnionOO script by "weasel", "teor", "gsathya", and "karsten".

changes/feature16774

@@ -1,3 +0,0 @@
-  o Minor features (controller):
-    - Adds FallbackDir entries to 'GETINFO config/defaults'. Closes tickets
-      16774 and 17817. Patch by George Tankersley.

changes/feature17076

@@ -1,3 +0,0 @@
-  o Testing:
-    - New tests for options_validate.  Closes ticket 17076. Patch from
-      Ola Bini.

changes/feature17327

@@ -1,5 +0,0 @@
-  o Minor feature (IPv6):
-    - Add a flag ipv6=address:orport to the DirAuthority and FallbackDir torrc
-      options. Add hard-coded ipv6 addresses for directory authorities with
-      ipv6 lines in their descriptors.
-      Closes ticket 17327; patch from Nick Mathewson / "teor".

changes/feature17576-UseDefaultFallbackDirs

@@ -1,4 +0,0 @@
-  o Minor feature (fallback directories):
-    - Add UseDefaultFallbackDirs, which enables any hard-coded fallback
-      directory mirrors. Default is 1, set it to 0 to disable fallbacks.
-      Implements ticket 17576. Patch by "teor".

changes/feature17608

@@ -1,4 +0,0 @@
-  o Minor feature (refactoring):
-    - Move logging of redundant policy entries in
-      policies_parse_exit_policy_internal into its own function.
-      Closes ticket 17608; patch from "juce".

changes/feature17663

@@ -1,3 +0,0 @@
-  o Minor feature (crypto):
-    - Add SHA512 support to crypto.c. Closes ticket 17663; patch from
-      George Tankersley.

changes/feature17796

@@ -1,6 +0,0 @@
-  o Minor features (crypto):
-    - When allocating a digest state object, allocate no more space than we
-      actually need.  Previously, we were allocating as much space as the
-      state for the largest algorithm would need.  This change saves up to
-      672 bytes per circuit.  Closes ticket 17796.
-

changes/feature17863

@@ -1,6 +0,0 @@
-  o Minor feature (IPv6):
-    - Add address policy assume_action support for IPv6 addresses.
-    - Limit IPv6 mask bits to 128.
-    - Warn when comparing against an AF_UNSPEC address in a policy,
-      it's almost always a bug.
-      Closes ticket 17863; patch by "teor".

changes/feature17864

@@ -1,5 +0,0 @@
-  o Minor feature (directory downloads):
-    - Wait for busy authorities and fallbacks to become non-busy when
-      bootstrapping. (A similar change was made in 6c443e987d for
-      directory servers chosen from the consensus.)
-      Closes ticket 17864; patch by "teor".

changes/feature17950

@@ -1,5 +0,0 @@
-  o Minor features (relay, address discovery):
-    - Add a family argument to get_interface_addresses_raw() and
-      subfunctions to make network interface address interogation more
-      efficient. Now Tor can specifically ask for IPv4, IPv6 or both
-      types of interfaces from the operating system. Resolves ticket 17950.

changes/feature17951

@@ -1,6 +0,0 @@
-  o Minor features (relay, address discovery):
-    - When get_interface_address6_list(.,AF_UNSPEC,.) is called and fails
-      to enumerate interface addresses using the platform-specific API,
-      have it rely on the UDP socket fallback technique to try and find
-      out what IP addresses (both IPv4 and IPv6) our machine has. Resolves
-      ticket 17951.

changes/feature17986

@@ -1,3 +0,0 @@
-  o Minor features (security):
-    - Use SecureMemoryWipe() function to securely clean memory on
-      Windows. Implements feature 17986.

changes/feature8195

@@ -1,6 +0,0 @@
-  o Major features (relay):
-    - When Tor is started as root on Linux and told to switch user ID, it
-      can now retain the capabilitity to bind to low ports.  By default,
-      Tor will do this only when it's switching user ID and some low
-      ports have been configured.  You can change this behavior with
-      the new option KeepBindCapabilities.  Closes ticket 8195.

changes/feature8961-replaycache-sha256

@@ -1,4 +0,0 @@
-  o Minor features (replaycache):
-    - The replay cache now uses SHA256 instead of SHA1.
-      Implements feature 8961.
-      Patch by "teor", issue reported by "rransom".

changes/first-hop-no-private

@@ -1,6 +0,0 @@
-  o Minor bugfix (relays, hidden services):
-    - Refuse connection requests to private OR addresses unless
-      ExtendAllowPrivateAddresses is set. Previously, tor would
-      connect, then refuse to send any cells to a private address.
-      Fixes bugs 17674 and 8976; bugfix on 0.2.3.21-rc.
-      Patch by "teor".

changes/geoip-january2016

@@ -1,4 +0,0 @@
-  o Minor features (geoip):
-    - Update geoip and geoip6 to the January 5 2016 Maxmind GeoLite2
-      Country database.
-

changes/getinfo-private-exitpolicy

@@ -1,6 +0,0 @@
-  o Minor features (exit policies, controllers):
-    - Add controller getinfo exit-policy/reject-private/[default,relay]
-      for the reject rules added by ExitPolicyRejectPrivate. This makes
-      it easier for stem to display exit policies.
-    - Add unit tests for getinfo exit-policy/*.
-      Finishes implementation for ticket 17183. Patch by "teor".

changes/laplace-edge-cases

@@ -1,9 +0,0 @@
-  o Minor bugfixes (statistics code):
-    - Handle edge cases in the laplace functions: avoid division by zero,
-      avoid taking the log of zero, and silence clang type conversion
-      warnings using round and trunc.  Add unit tests for edge cases with
-      maximal values. Fixes part of bug 13192; bugfix on 0.2.6.2-alpha.
-    - Consistently check for overflow in round_*_to_next_multiple_of
-      functions, and add unit tests with additional and maximal values.
-      Fixes part of bug 13192; bugfix on 0.2.2.1-alpha.
-

changes/log_heartbeat_test

@@ -1,6 +0,0 @@
-  o Minor bugfix (testing):
-    - The test for log_heartbeat was incorrectly failing in timezones
-      with non-integer offsets. Instead of comparing the end of the
-      time string against a constant, compare it to the output of
-      format_local_iso_time when given the correct input.
-      Fixes bug 18039; bugfix on 0.2.5.4-alpha.

changes/rand-failure-modes

@@ -1,5 +0,0 @@
-  o Minor features (unit tests, random number generation):
-    - Add unit tests that check for common RNG failure modes, such as
-      returning all zeroes, identical values, or incrementing values
-      (OpenSSL's rand_predictable feature).
-      Patch by "teor".

changes/routerset-parse-IPv6-literals

@@ -1,3 +0,0 @@
-  o Minor bugfixes (routersets, IPv6):
-    - routerset_parse now accepts IPv6 literal addresses.
-      Fixes bug 17060; bugfix on 0.2.1.3-alpha. Patch by "teor".

changes/sha-unit-tests

@@ -1,3 +0,0 @@
-  o Minor bugfixes (unit tests):
-    - Check the full results of SHA256 and SHA512 digests in the
-      unit tests. Bugfix on 0.2.2.4-alpha. Patch by "teor".

changes/test16831

@@ -1,3 +0,0 @@
-  o Testing:
-    - Cover dns_resolve_impl() in dns.c with unit tests. Implements a
-      portion of ticket 16831.

changes/ticket15989

@@ -1,9 +0,0 @@
-  o Minor features (accounting):
-    - Added two modes to AccountingRule in torrc for
-      limiting just input or just output.
-      Closes ticket 15989; patch from "unixninja92".
-
-  o Minor bugfixes (accounting):
-    - The max bandwidth when using AccountRule sum
-      is now correctly logged. Fixes bug 18024; bugfix on 0.2.6.1-alpha.
-      Patch from "unixninja92".

changes/ticket17158

@@ -1,4 +0,0 @@
-  o Minor features (fallback directories):
-    - Add a set of default fallback directories for the 0.2.8 alpha releases.
-      Closes ticket 17158.
-      Patch by "teor".

changes/warn-when-time-goes-backwards

@@ -1,5 +0,0 @@
-  o Minor features (security, clock):
-    - Warn when the system clock is set back in time (when the
-      state file was last written in the future). Tor doesn't know
-      that consensuses have expired if the clock is in the past.
-      Patch by "teor". Implements ticket 17188.

scripts/maint/sortChanges.py

@@ -16,10 +16,36 @@ def fetch(fn):
         s = "%s\n" % s.rstrip()
         return s
 
+CSR='Code simplification and refactoring'
+
+REPLACEMENTS = {
+    # plurals
+    'Minor bugfix' : 'Minor bugfixes',
+    'Major bugfix' : 'Major bugfixes',
+    'Minor feature' : 'Minor features',
+    'Major feature' : 'Major features',
+    'Removed feature' : 'Removed features',
+    'Code simplification and refactorings' : CSR,
+    'Code simplifications and refactoring' : CSR,
+    'Code simplifications and refactorings' : CSR,
+
+    # wrong words
+    'Minor fix' : 'Minor bugfixes',
+    'Major fix' : 'Major bugfixes',
+    'Minor fixes' : 'Minor bugfixes',
+    'Major fixes' : 'Major bugfixes',
+    'Minor enhancement' : 'Minor features',
+    'Minor enhancements' : 'Minor features',
+    'Major enhancement' : 'Major features',
+    'Major enhancements' : 'Major features',
+}
+
 def score(s,fname=None):
     m = re.match(r'^ +o ([^\n]*)\n(.*)', s, re.M|re.S)
     if not m:
         print >>sys.stderr, "Can't score %r from %s"%(s,fname)
+    heading = m.group(1)
+    heading = REPLACEMENTS.get(heading, heading)
     lw = m.group(1).lower()
     if lw.startswith("major feature"):
         score = 0
@@ -36,7 +62,7 @@ def score(s,fname=None):
     else:
         score = 100
 
-    return (score, lw, m.group(1), m.group(2))
+    return (score, lw, heading, m.group(2))
 
 def splitChanges(s):
     this_entry = []