Update our disclaimers and limitations sections.

2021-10-27 11:13:46 -04:00 · 2021-10-27 11:13:46 -04:00 · 134c04a67a
parent 5a4db67b16
commit 134c04a67a
13 changed files with 38 additions and 92 deletions
--- a/README.md
+++ b/README.md
@ -50,18 +50,18 @@ needlessly hard to understand and improve.
 Arti is a work-in-progress.  It can connect to the Tor network, bootstrap a
 view of the Tor directory, and make anonymized connections over the network.

-Arti is currently missing some features that are required for good privacy,
-and is therefore vulnerable to a lot of attacks that do not yet affect the
-Tor network.  Therefore, **you should probably not use Arti in production**
-if you want any kind of privacy at all.
+We're not _aware_ of any critical security features missing in Arti; but
+however, since Arti is comparatively new software, you should probably be
+cautious about using it in production.

-There are absolutely no guarantees about API stability yet: if you write code
-that uses Arti, you should expect that
+There are no guarantees about API stability yet: if you write code
+that uses Arti, you should expect it to break with future versions.  If you
+write an a configuration file for Arti, it might stop working in the future.

 ## Trying it out today

-Arti can act as a SOCKS proxy that uses the Tor network.  (Not a very
-secure or anonymous one!)  It knows how to download directory
+Arti can act as a SOCKS proxy that uses the Tor network.
+It knows how to download directory
 information and how to load it from cache, but it doesn't try to
 download more than one directory per run.

@ -70,8 +70,8 @@ SOCKS proxy on port 9150.

    % cargo run --release

-Again, do not use this program yet if you need anonymity, privacy, security,
-or stability.
+Again, do not use this program yet if you seriously need anonymity, privacy,
+security, or stability.

 ## Minimum supported Rust Version

@ -99,11 +99,11 @@ get our project manager to sign off on them.

 * Arti 0.0.1: Minimal Secure Client (Goal: end of October 2021??)
   * Target audience: **developers**
-   * [ ] Guard support
-   * [ ] Stream Isolation
-   * [ ] High test coverage
-   * [ ] Draft APIs for basic usage
-   * [ ] Code cleanups
+   * [x] Guard support
+   * [x] Stream Isolation
+   * [x] High test coverage
+   * [x] Draft APIs for basic usage
+   * [x] Code cleanups
   * [and more...](https://gitlab.torproject.org/tpo/core/arti/-/milestones/6)

 * Arti 0.1.0: Okay for experimental embedding (Goal: Mid March, 2022??)
--- a/crates/arti-client/README.md
+++ b/crates/arti-client/README.md
@ -16,24 +16,15 @@ It is the highest-level library crate in
 Arti, and the one that nearly all client-only programs should use.
 Most of its functionality is provided by lower-level crates in Arti.

-### ⚠️️ Warnings ⚠️
-️
-**Do not expect ANY privacy from this code yet.**
+### ⚠ Warnings ⚠

-Arti is a work in progress, and there are currently certain
-missing features that _will_ make it far less private than the
-standard Tor implementation.  In fact, the absence of these makes
-Arti clients vulnerable to certain classes of well known attacks
-that the standard Tor implementation defends against.
+Note that Arti is a work in progress; although we've tried to
+write all the critical security components, you probably shouldn't
+use Arti in production until it's a bit more mature.

-At present, do not expect Arti to give you _any privacy at all_.  (We'll
-remove or soften this warning once we're more confident in our privacy.)
-
-**Do not use this code in production yet.**
-
-All of the APIs for this crate, and for Arti in general, are not
-the least bit stable.  If you use this code, please expect your
-software to break on a regular basis.
+Also note that all of the APIs for this crate, and for Arti in
+general, are not the least bit stable.  If you use this code,
+please expect your software to break on a regular basis.

 ### Design considerations, privacy considerations.

--- a/crates/arti-client/src/lib.rs
+++ b/crates/arti-client/src/lib.rs
@ -14,24 +14,15 @@
 //! Arti, and the one that nearly all client-only programs should use.
 //! Most of its functionality is provided by lower-level crates in Arti.
 //!
-//! ## ⚠️️ Warnings ⚠️
-//! ️
-//! **Do not expect ANY privacy from this code yet.**
+//! ## ⚠ Warnings ⚠
 //!
-//! Arti is a work in progress, and there are currently certain
-//! missing features that _will_ make it far less private than the
-//! standard Tor implementation.  In fact, the absence of these makes
-//! Arti clients vulnerable to certain classes of well known attacks
-//! that the standard Tor implementation defends against.
+//! Note that Arti is a work in progress; although we've tried to
+//! write all the critical security components, you probably shouldn't
+//! use Arti in production until it's a bit more mature.
 //!
-//! At present, do not expect Arti to give you _any privacy at all_.  (We'll
-//! remove or soften this warning once we're more confident in our privacy.)
-//!
-//! **Do not use this code in production yet.**
-//!
-//! All of the APIs for this crate, and for Arti in general, are not
-//! the least bit stable.  If you use this code, please expect your
-//! software to break on a regular basis.
+//! Also note that all of the APIs for this crate, and for Arti in
+//! general, are not the least bit stable.  If you use this code,
+//! please expect your software to break on a regular basis.
 //!
 //! ## Design considerations, privacy considerations.
 //!
--- a/crates/arti/README.md
+++ b/crates/arti/README.md
@ -7,10 +7,9 @@ This crate is the primary command-line interface for
 implement [Tor](https://www.torproject.org/) in Rust.
 Many other crates in Arti depend on it.

-⚠️**WARNING**: Arti is not yet a secure or complete Tor implementation!
-If you use it, you should expect that it _will_ harm your privacy.
-For now, if you have actual privacy or security needs, please use
-the C implementation of Tor instead. ⚠️
+Note that Arti is a work in progress; although we've tried to
+write all the critical security components, you probably shouldn't
+use Arti in production until it's a bit more mature.

 More documentation will follow as this program improves.  For now,
 just know that it can run as a simple SOCKS proxy over the Tor network.
@ -52,7 +51,6 @@ to disable tokio.
 There are many missing features.  Among them: there's no onion
 service support yet. There's no anti-censorship support.  You
 can't be a relay.  There isn't any kind of proxy besides SOCKS.
-Resolve-over-SOCKS isn't implemented yet.

 See the [README
 file](https://gitlab.torproject.org/tpo/core/arti/-/blob/main/README.md)
--- a/crates/arti/src/main.rs
+++ b/crates/arti/src/main.rs
@ -5,10 +5,9 @@
 //! implement [Tor](https://www.torproject.org/) in Rust.
 //! Many other crates in Arti depend on it.
 //!
-//! ⚠️**WARNING**: Arti is not yet a secure or complete Tor implementation!
-//! If you use it, you should expect that it _will_ harm your privacy.
-//! For now, if you have actual privacy or security needs, please use
-//! the C implementation of Tor instead. ⚠️
+//! Note that Arti is a work in progress; although we've tried to
+//! write all the critical security components, you probably shouldn't
+//! use Arti in production until it's a bit more mature.
 //!
 //! More documentation will follow as this program improves.  For now,
 //! just know that it can run as a simple SOCKS proxy over the Tor network.
@ -50,7 +49,6 @@
 //! There are many missing features.  Among them: there's no onion
 //! service support yet. There's no anti-censorship support.  You
 //! can't be a relay.  There isn't any kind of proxy besides SOCKS.
-//! Resolve-over-SOCKS isn't implemented yet.
 //!
 //! See the [README
 //! file](https://gitlab.torproject.org/tpo/core/arti/-/blob/main/README.md)
--- a/crates/tor-cell/README.md
+++ b/crates/tor-cell/README.md
@ -59,13 +59,4 @@ packed into a single RELAY cell.
 The distinction between RelayCell and RelayMsg is meant in part
 to future-proof arti against these proposals if they are adopted.

-## Limitations
-
-There aren't any tests.
-
-There isn't enough documentation.
-
-This is the first part of the project I started working on, and
-probably reflects the most naive understanding of Rust.
-
 License: MIT OR Apache-2.0
--- a/crates/tor-cell/src/lib.rs
+++ b/crates/tor-cell/src/lib.rs
@ -56,15 +56,6 @@
 //!
 //! The distinction between RelayCell and RelayMsg is meant in part
 //! to future-proof arti against these proposals if they are adopted.
-//!
-//! # Limitations
-//!
-//! There aren't any tests.
-//!
-//! There isn't enough documentation.
-//!
-//! This is the first part of the project I started working on, and
-//! probably reflects the most naive understanding of Rust.

 #![deny(missing_docs)]
 #![warn(noop_method_call)]
--- a/crates/tor-circmgr/README.md
+++ b/crates/tor-circmgr/README.md
@ -22,8 +22,4 @@ But for now, this `tor-circmgr` code is extremely preliminary; its
 data structures are all pretty bad, and it's likely that the API
 is wrong too.

-The path generation code in this crate is missing a colossal
-number of features that you'd probably want in production: the
-paths it generates should not be considered secure.
-
 License: MIT OR Apache-2.0
--- a/crates/tor-circmgr/src/lib.rs
+++ b/crates/tor-circmgr/src/lib.rs
@ -19,10 +19,6 @@
 //! But for now, this `tor-circmgr` code is extremely preliminary; its
 //! data structures are all pretty bad, and it's likely that the API
 //! is wrong too.
-//!
-//! The path generation code in this crate is missing a colossal
-//! number of features that you'd probably want in production: the
-//! paths it generates should not be considered secure.

 #![deny(missing_docs)]
 #![warn(noop_method_call)]
--- a/crates/tor-guardmgr/README.md
+++ b/crates/tor-guardmgr/README.md
@ -82,6 +82,7 @@ below) and comments and internal documentation in this crate.

 * Our circuit blocking algorithm is simplified from the one that Tor uses.
  See comments in `GuardSet::circ_usability_status` for more information.
+  See also [proposal 337](https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/337-simpler-guard-usability.md).

 ## References

--- a/crates/tor-guardmgr/src/lib.rs
+++ b/crates/tor-guardmgr/src/lib.rs
@ -80,6 +80,7 @@
 //!
 //! * Our circuit blocking algorithm is simplified from the one that Tor uses.
 //!   See comments in `GuardSet::circ_usability_status` for more information.
+//!   See also [proposal 337](https://gitlab.torproject.org/tpo/core/torspec/-/blob/main/proposals/337-simpler-guard-usability.md).
 //!
 //! # References
 //!
--- a/crates/tor-proto/src/crypto/handshake/ntor.rs
+++ b/crates/tor-proto/src/crypto/handshake/ntor.rs
@ -1,9 +1,4 @@
 //! Implements the ntor handshake, as used in modern Tor.
-//!
-//! # Limitations
-//!
-//! These functions should be extensible to work with the ntor variant
-//! used in v3 hidden services; but right now they aren't.

 use super::KeyGenerator;
 use crate::util::ct;
--- a/crates/tor-proto/src/stream.rs
+++ b/crates/tor-proto/src/stream.rs
@ -7,10 +7,7 @@
 //!
 //! # Limitations
 //!
-//! TODO: This should eventually expose a bytes-oriented type rather than a
-//! cell-oriented type.
-//!
-//! XXXX TODO: There is no fairness, rate-limiting, or flow control.
+//! There is no fairness, rate-limiting, or flow control.

 mod data;
 mod raw;