arti/CHANGELOG.md


Notes

This file describes changes in Arti through the current release. Once Arti is more mature, we may switch to using a separate changelog for each crate.

Arti 1.1.7 — 1 August 2023

Arti 1.1.7 focuses on maintenance, bugfixing, and cleanups to earlier releases. It also lays groundwork for being able to run as an onion service.

Major bugfixes

  • Onion service client support is now compiled in by default. It is still disabled at runtime by default, but you no longer need any special compile-time options in order to be able to use it. (#948, !1382)
  • Fix an over-strict parsing behavior that had prevented Arti from connecting to onion services whose descriptors were encoded by Stem. (#952, !1389)
  • We've fixed a bug where we incorrectly marked bridges as having directory information where they did not, and tried to build circuits through them without fetching descriptors. (#638, !1408)
  • Fix a deadlock in [TorClient::reconfigure()]. (!1432)

Breaking changes in lower-level crates

  • The [Conversation] API has been built as a replacement for the old "control message" API on circuits, to better support the needs of onion services. (#917, !1367, !1402)
  • The tor-config crate no longer exposes ItemOrBool, which was not used. (5b97b0b2ce31b3db)
  • The [RetryError] type now requires that its members implement AsRef<dyn Error>. (36b9d11ecb122e1e)
  • The error type of [tor_hsclient::ConnError::Failed] has changed. (36b9d11ecb122e1e)

Onion service development

  • Continued improvements to our key manager infrastructure. (#903, #937, #939, #954, !1372, !1398, !1399, !1404, !1413, !1421, !1433)
  • Design work and API backend designs for implementing the service side of onion services. (!1422, !1429)
  • Rust implementations of the HashX ASIC-resistant hash function and the related EquiX proof-of-work function, for eventual use in protecting onion services from denial-of-service attacks. Note that for now, the license on these crates is "LGPL-3.0-only"; we hope to relicense under "MIT OR Apache-2.0" if the author of the C version of this code approves. (#889, !1368)

Documentation

  • Improved documentation for how Arti is validated and released. (#942, !1366)
  • Improvement to bridge and transport-related documentation. (#706, !1370)
  • Add documentation to explain how to build an arti binary that will not include build path details. (#957, !1435)

Infrastructure

  • Our Shadow CI tests now include support for onion service clients. (!1292)
  • Our Runtime logic now has much improved support for test cases that need to handle time and waiting, and more consistently generated mock implementations. This has enabled us to clean up various unit tests. (!1375, !1378, !1381)
  • Fix a compatibility issue that had been preventing our Chutney CI tests from passing. (c98894cebc60e223, !1391, !1393)

Logging improvements

  • We now ensure that all panics from arti are sent to our logs. Formerly, they were only reported on stderr. (#921, !1377)
  • Our logfile messages now have a configurable granularity, to avoid logging excessive detail that could help with traffic analysis attacks. The default is one second granularity, and can be overridden with the logging.time_granularity option. Note that this granularity does not apply to systems like journald that have their own ideas about how to record messages. (#551, !1376)
  • When logging errors, we now check whether the type of the error indicates a bug. If it does, we always escalate the logging severity to "warn" or higher. (!1379, !1383, !1386, !1390)
  • When reporting errors caused by the failure of multiple retry attempts, we take more care to report the source failure causes. (#958, !1416)

Cleanups, minor features, and smaller bugfixes

  • Rename some mocking-related functions to avoid accidental infinite-recursion bugs. (!1365)
  • Fix or disable a series of new warnings from Clippy. (!1369, !1394, !1395, !1396)
  • Our (not yet used) GeoIP code now encodes country codes as two nonzero bytes, which enables the [niche optimization]. (!1384)
  • Our (not yet used) GeoIP code now treats zero-values ASNs as indicating an unknown ASN, for compatibility with the format used by the C tor implementation. (#961, !1417)
  • We now try to avoid using [Rng::gen_range()], due to the possibility of panics. We have instead added a gen_range_checked() and a gen_range_infallible() call. (#920, !1385, !1387)
  • The ChanMgr API now exposes a function to build unmanaged channels, in order to support external code that wants to build channels that are not managed by or shared with the rest of Arti. (!1374, !1403, !1406)
  • The [NetDir] API now has optional support for recording the associated country codes of its relays. (!1364)
  • Bridges no longer contain addresses twice. This prevents us from making unnecessary connections. (!1409)
  • In fs-mistrust, we now detect several kinds of errors related to failed user or group lookup. (cdafa2ce0191f612)
  • We have migrated our Unix user info lookups from the no-longer-maintained users crate to the new [pwd-grp] crate. (#877, !1410)
  • Add accessors for several bridge-related config builder types. (!1425, !1426)
  • Refactor handling of initial CREATE cells when opening a circuit, to clean up our reactor loop logic a bit. (!1441)
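
The gen_range() item above is worth a concrete illustration, because a panic inside a long-running client is a denial of service on that client. The following is an added example, not Arti's tor-basic-utils code: it uses a deterministic xorshift stand-in instead of the rand crate (so it runs offline; the stand-in is not cryptographic), and the names gen_range_checked() and gen_below_infallible() are the example's own. The point it shows is that the empty-range precondition can be handled two ways: return an Option to the caller, or rule the empty range out at the type level with NonZeroU64 so there is no input that can panic.

```rust
use std::num::NonZeroU64;
use std::ops::Range;

/// Deterministic xorshift64* generator, a stand-in so this example runs
/// without the rand crate. NOT cryptographic and not Arti's code; a real
/// client would draw from a CSPRNG such as rand::rngs::OsRng.
pub struct Xorshift64(u64);

impl Xorshift64 {
    pub fn new(seed: u64) -> Self {
        // An all-zero state never leaves zero, so replace it with a constant.
        Xorshift64(if seed == 0 { 0x9E37_79B9_7F4A_7C15 } else { seed })
    }

    pub fn next_u64(&mut self) -> u64 {
        let mut x = self.0;
        x ^= x >> 12;
        x ^= x << 25;
        x ^= x >> 27;
        self.0 = x;
        x.wrapping_mul(0x2545_F491_4F6C_DD1D)
    }
}

/// Uniform value in `0..n`. Infallible because `NonZeroU64` rules out the
/// empty range at the type level: there is no input that can make it panic.
///
/// Rejection sampling: draws in the "tail" above the largest multiple of `n`
/// are discarded so every residue is equally likely (a plain `% n` would bias
/// toward small values whenever `n` does not divide 2^64).
pub fn gen_below_infallible(rng: &mut Xorshift64, n: NonZeroU64) -> u64 {
    let n = n.get();
    // 2^64 mod n, computed without overflowing u64.
    let tail = (u64::MAX % n + 1) % n;
    loop {
        let v = rng.next_u64();
        if tail == 0 || v <= u64::MAX - tail {
            return v % n;
        }
    }
}

/// Uniform value in `range`, or `None` if the range is empty. This is the
/// shape of the fix described above: the caller gets an `Option` to handle
/// instead of a panic from inside the networking code.
pub fn gen_range_checked(rng: &mut Xorshift64, range: Range<u64>) -> Option<u64> {
    if range.is_empty() {
        return None;
    }
    // Non-empty, so end > start and the width is at least 1.
    let width = NonZeroU64::new(range.end - range.start)?;
    Some(range.start + gen_below_infallible(rng, width))
}
```

Callers that compute a range from network-controlled data (a retry interval derived from a consensus parameter, a random index into a list that might be empty) should use the checked form; callers that can prove the bound is nonzero can convert once and use the infallible form.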

Removed features

  • We no longer publish the crate arti-bench to crates.io. It has no use outside of development. (!1371)
  • We no longer publish our as-yet-unused tor-events and tor-congestion crates to crates.io. They aren't used in the rest of Arti yet. (!1371)
  • We no longer validate our code with Clippy's missing_panics_doc lint, since it has begun to warn about all use of expect() in nightly. (#950, !1380)

Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander Færøy, Dimitris Apostolou, Jim Newsome, juga, Kunal Mehta, Micah Elizabeth Scott, Saksham Mittal, sw1tch, and Trinity Pointard.

Also, our deep thanks to Zcash Community Grants and our other sponsors for funding the development of Arti!

[Zcash Community Grants]: https://zcashcommunitygrants.org/
[Conversation]: https://tpo.pages.torproject.net/core/doc/rust/tor_proto/circuit/struct.Conversation.html
[NetDir]: https://tpo.pages.torproject.net/core/doc/rust/tor_netdir/struct.NetDir.html
[RetryError]: https://tpo.pages.torproject.net/core/doc/rust/retry_error/struct.RetryError.html
[Rng::gen_range()]: https://docs.rs/rand/latest/rand/trait.Rng.html#method.gen_range
[TorClient::reconfigure()]: https://tpo.pages.torproject.net/core/doc/rust/arti_client/struct.TorClient.html#method.reconfigure
[fs-mistrust]: https://tpo.pages.torproject.net/core/doc/rust/fs_mistrust/index.html
[pwd-grp]: https://docs.rs/crate/pwd-grp/latest
[tor_hsclient::ConnError::Failed]: https://tpo.pages.torproject.net/core/doc/rust/tor_hsclient/enum.ConnError.html#variant.Failed
[niche optimization]: https://internals.rust-lang.org/t/forbidden-niche-values/14237

Arti 1.1.6 — 30 June 2023

Arti 1.1.6 completes the core of the work needed for a client to connect to onion services on the Tor network. This is not yet enabled by default: we do not yet recommend using this feature for security-sensitive purposes, because of some missing security features. Instructions for enabling it and trying it out can be found in the README.md file. (Note that version 1.1.6 also requires a non-default cargo feature to be enabled: you must build with --features=arti/onion-service-client.)

Additionally, this version includes an experimental key manager implementation. Currently it's used to store the keys needed for client authentication, but in the future it will store the keys for onion services themselves, and eventually relays. In this release it is still missing some import functionality for interoperability; the interface is likely to change significantly.

Work on our RPC subsystem has also continued; we have achieved several prerequisites needed for applications' SOCKS connections to integrate correctly with the RPC subsystem.

And as usual, there are a large number of smaller fixes and improvements throughout the codebase.

Major bugfixes

  • Downgrade our dependency on x25519-dalek from "2.0.0-rc.2" to "2.0.0-pre.1". The former had a compatibility bug that made it stop working once a newer version of curve25519-dalek was released. We hope to re-upgrade to a more recent version of this crate in a future release. (#926, !1317)

Breaking changes in lower-level crates

  • We have removed an empty relaycell::restrict module from the tor-cell crate. This module was added in error. This change will break any code that (pointlessly) tried to import it. (589fefd581e962a7)

Onion service development

  • Implement the core logic of an onion service client. Having fetched a descriptor for an onion service, we now establish a rendezvous circuit, and try to send INTRODUCE1 requests to the service's introduction points, while waiting for a RENDEZVOUS2 message in response on the rendezvous circuit. Once the message is received, we can launch streams to the service over that circuit. (!1228, !1230, !1235, !1238, !1240)
  • Re-launch and retry onion service connection attempts as appropriate. (!1246)
  • Onion service descriptors now have accessor functions to enable their actual use. (!1220)
  • We can transform the information about relays used in onion service descriptors, and in introduce1 cells, into the format needed to connect to the relay described. (!1221)
  • Generate random rendezvous cookies to identify circuits at a client's rendezvous point. (!1227)
  • Ensure that specific information about onion services, rendezvous points, and introduction points are treated as sensitive or redacted in our error messages. (!1326, !1335)
  • Reduce the cost of duplicating HsDir rings in our network objects. (#883, !1234)
  • Refactor and simplify our hs_ntor APIs to better reuse state information. (bb6115103aad177c)
  • Return a more informative error type from our time-period manipulation code. (!1244)
  • Remember our introduction point experiences, and try to use known-good ones before ones that have failed recently. (!1247, !1295)
  • We now adjust the size of our pre-constructed circuit pool dynamically based on past demand for onion-service circuits (or lack thereof). (686d5cf2093322e4)
  • Speed improvements to the algorithm we use to select pre-constructed circuits for onion services, and correctness fixes to those speed improvements. (1691c353924f89cc, #918, !1296, !1301)
  • The StreamPrefs::connect_to_onion_services method now can be used to enable or disable onion service connections, and TorClients can handle onion services correctly. (!1257)
  • Provide the extended SOCKS5 error codes as documented in proposal 304. (#736, !1248, !1279)
  • Drop introduction circuits after they are no longer needed. (!1299, !1303)
  • Expire long-unused onion service circuits. (!1287, !1302)
  • Expire long-unused onion service descriptors. (!1290)
  • Provide a higher-level HsDescError to explain what, exactly, has gone wrong with parsing or decrypting an onion service descriptor. (!1289)
  • Respect the maximum onion service descriptor size in the consensus and change the default maximum from 50 KiB to 50 KB per the specification. (!1323)
  • Go through all of our remaining "TODO HS" comments and make sure that they are not issues that should block a release. (#892, #928, etc)
  • We support enabling or disabling onion service connections via a new allow_onion_addrs option, and configuring these connections through other parameters. (!1305)
  • Ensure that our directory ring parameters are taken from the consensus parameters, rather than set unconditionally to defaults. (!1310)
  • Enforce upper bounds on the number of introduction points in an onion service descriptor. (!1332)
  • Use correct circuit parameters when creating onion service circuits. (#935, !1340)
  • Use more accurate timeout predictions for building and using onion service circuits. (!1342)

RPC development

  • Our RPC engine now holds a list of SOCKS connections, so that applications can register their SOCKS connections with their RPC sessions. (545984b095119ecc)
  • TorClients, and similar RPC-visible objects, can now be exposed with a secure global identifier so applications can refer to them outside of an RPC session. This will allow applications to name a TorClient from e.g. within the parameters of a SOCKS connection. (#863, !1208)
  • Enable rpc::Objects to be downcast to (some of) the &dyn Traits that they implement. This is in tension with some of Rust's current limitations, but we need it so that we can downcast a TorClient from an Object into a type we can use in the SOCKS code for opening a data stream. (!1225, !1253)
  • Major refactoring to our RPC session initialization code. (!1254)

New crates

  • New tor-keymgr crate to handle persistent cryptographic keys that can be stored to disk. In the future this will be used for all client, service, and relay keys. (!1223, !1255, !1256, !1263, !1267, !1269, !1278, !1280, !1284, !1315, !1319, !1321, !1328, !1337, etc.)
  • New tor-geoip crate to handle a static in-binary or on-disk IP-to-country lookup table. We will use this in the future to support country restrictions on selected paths through the network. (!1239, !1268)

Documentation

  • Clarify behavior of ClientCirc::send_control_message. (#885, !1219, 58babcb756f6427c)
  • Clarify required behavior for NetDocProvider. (!1224)
  • More information about how to configure snowflake and other pluggable transports. (#875, #879, !1216, !1249)
  • New examples and documentation for how to implement error reporting. (!1213)
  • Clarify some error cases for onion service descriptor validation. (!1250, !1252)
  • Improve documentation on the channel and circuit lifecycle. (!1316, !1318)
  • Clarify descriptions in NetDir's documentation of what we mean by a "usable" Relay. (a902f320b5b31812)

Infrastructure

  • For now we ignore an "unmaintained crate" warning for the users crate while we work on finding a replacement. (!1217)
  • Our CI now tests each crate individually with its default features. This helps detect bugs where a crate was only working because it had been built with the features required of it by another crate. (!1250)
  • We now supplement our existing system for tracking semver-breaking issues with the cargo-semver-checks tool. We require version 0.22.1 or later. (!1339)

Cleanups, minor features, and smaller bugfixes

  • We no longer use the arrayref crate to convert slice-references into array references. In recent versions of Rust, we can simply use TryFrom and const generics. (#872, !1214)
  • Our consensus directory objects now expose accessors that list required and recommended protocol versions. (205b6d176c4a619b)
  • The tor-error crate now exposes a convenience macro to derive AsRef<dyn Error> for our specific error types. (33c90e5b7243c3b3)
  • The formerly experimental send_control_message API now takes an AnyRelayMsg rather than a cell, as does its associated MsgHandler API. (#881, #887, !1232, !1236)
  • Backend code to more readily display and redact relay identities. (#882, !1233)
  • tor-proto no longer gives an error when trying to use SENDME messages with a relay digest algorithm with an output length of other than 20. (!1242)
  • tor-llcrypto now exposes a method to try to look up an element from a slice in constant time. (25db56777c0042a9)
  • Apply two now-universally-available clippy lints to all of our crates. (!1271)
  • Add experimental API to expose a chanmgr method from TorClient. (!1275)
  • The ClientCirc::path_ref() method now returns an Arc<Path> type, which can be used to find information about a circuit's path without extensive copying. The old path() method still exists, but is deprecated. (#787, !1286)
  • CircMgr now exposes its estimates for good timeouts for circuit operations. (!1281)
  • Fix a compilation warning on Windows. (!1294)
  • Make sure DirProviderBuilder is Send + Sync, so that TorClientBuilder is always Send + Sync. (#924, !1307)
  • Implement conversion from ed25519 private keys to curve25519 private keys, as part of our eventual compatibility with ssh's key storage format. (!1297)
  • Numerous improvements and fixes to our configuration handling tests. (!1320, !1330)
  • Refactor some duplicate logic in our circuit-retention code. (!1322)
  • Experimentally expose some of NetDir's information about whether a relay is in the consensus (independent of whether we have full information about it). (!1325)
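
The constant-time lookup item above (tor-llcrypto) describes a small but easy-to-get-wrong primitive, so here is an added example of the technique. It is not tor-llcrypto's code and does not use its API: the functions ct_eq_mask() and ct_lookup() are the example's own, the 32-byte keys in sample_table() are constructed to resemble relay identity keys, and the example uses std::hint::black_box as a best-effort guard against the optimizer reintroducing a branch (pure Rust cannot guarantee constant time; a real implementation should also check the generated code).

```rust
use std::hint::black_box;

/// Constant-time comparison of two equal-length byte slices: returns 0xFF if
/// they are equal and 0x00 otherwise, with no early exit and no branch on the
/// data. Lengths are treated as public, so a mismatch is a caller bug.
pub fn ct_eq_mask(a: &[u8], b: &[u8]) -> u8 {
    assert_eq!(a.len(), b.len(), "ct_eq_mask: length mismatch (lengths are public)");
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    // black_box discourages the compiler from turning the mask math into a branch.
    let diff = black_box(diff) as u16;
    // (-diff) >> 8 is 0xFF for any nonzero byte and 0x00 for zero.
    let nonzero = (diff.wrapping_neg() >> 8) as u8;
    !nonzero
}

/// Find the value stored under `needle` without revealing, through timing,
/// *which* entry matched: every key is compared, and the matching index is
/// accumulated with masks rather than selected by a branch. The only
/// data-dependent bit this function leaks is whether a match exists at all,
/// which is what the `Option` tells the caller anyway. Keys are assumed
/// unique; with duplicates the OR of their indices would be meaningless.
pub fn ct_lookup<'a, V, const N: usize>(
    table: &'a [([u8; N], V)],
    needle: &[u8; N],
) -> Option<&'a V> {
    let mut found: u8 = 0;
    let mut idx: usize = 0;
    for (i, (key, _)) in table.iter().enumerate() {
        let m = ct_eq_mask(key, needle);
        // Sign-extend the byte mask to usize width: 0xFF -> all ones, 0 -> 0.
        let wide = m as i8 as isize as usize;
        idx |= i & wide;
        found |= m;
    }
    if found != 0 {
        table.get(idx).map(|(_, v)| v)
    } else {
        None
    }
}

/// Constructed sample table: 32-byte keys standing in for relay identities.
pub fn sample_table() -> Vec<([u8; 32], &'static str)> {
    vec![
        ([0x11; 32], "relay-a"),
        ([0x22; 32], "relay-b"),
        ([0x33; 32], "relay-c"),
    ]
}
```

Contrast this with `table.iter().find(|(k, _)| k == needle)`: that returns as soon as it hits the match, so the time taken reveals the position of the matching key, and the slice comparison it uses may itself exit early on the first differing byte.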

Removed features

  • We no longer support ancient (pre-0.3.6) versions of Tor without support for authenticated SENDME messages. (#914, !1283)

Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander Færøy, Andy, Jim Newsome, nate_d1azzz, pinkforest, Saksham Mittal, and Trinity Pointard.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti!

Arti 1.1.5 — 1 June 2023

Arti 1.1.5 fixes a local-only denial-of-service attack, and continues our work towards support for providing a working RPC mechanism and an onion service client.

Major bugfixes (service)

  • Fix a local-only CPU denial-of-service bug. Previously, an attacker with access to our SOCKS port (only open by default on localhost) could cause Arti to loop forever, consuming CPU. This issue was discovered by Jakob Lell. This is also tracked as TROVE-2023-001. (#861, !1196)

Breaking changes in lower-level crates

  • In tor-netdoc, the ParseErrorKind and ParseErrorSource types have been renamed to NetdocErrorKind and NetdocErrorSource respectively, to better reflect their meaning. (!1176, !1179)
  • In tor-linkspec and tor-cell, we have renamed UnparsedLinkSpec to EncodedLinkSpec to correctly reflect its purpose. (02785ca6505572bd)
  • In tor-cell, the Extend2 message now takes a list of EncodedLinkSpec. (7ce808b75bb500f2)
  • In tor-linkspec, CircTarget::linkspecs() now returns an encoded list instead of a Vec of unencoded link specifiers. This is needed for passing linkspecs verbatim in the onion service implementation. (7ce808b75bb500f2)
  • ClientCirc no longer implements Clone. In various crates, functions that used to return ClientCirc now return Arc<ClientCirc>. This allows us to be more explicit about how circuits are shared, and to make circuits visible to our RPC code. (#846, !1187)

Onion service development

  • Improved API for parsing onion service descriptors. (#809, !1152)
  • More APIs for deriving onion service keys from one another. (18cb1671c4135b3d)
  • Parse onion service descriptors after receiving them. (!1153)
  • When fetching an onion service descriptor, choose the HS directory server at random. (!1155)
  • Refactoring and improvements to our handling for sets of link specifiers (components of a Tor relay's address) in order to support lists of link specifiers that we receive as part of an INTRODUCE2 message or onion service descriptor. (#794, !1177)
  • Code to enforce rules about consistency of link specifier lists. (#855, !1186)
  • Correctly handle onion service descriptor lifetimes, and introduce necessary helper functions to handle overlapping sets of lifetime bounds. (!1154)
  • Additional design and specification about a key management system. (!1185)
  • Finish, refactor, debug, and test the hs-ntor handshake used to negotiate keys with onion services (#865, !1189)
  • Export the unencrypted portion of an INTRODUCE1 message as needed to implement the hs-ntor handshake. (#866, !1188)
  • Add support for adding the "virtual" hop for an onion service rendezvous circuit based on a set of cryptographic material negotiated via the hs-ntor handshake. (#726, !1191)

RPC development

  • Improved description of our work-in-progress RPC API design. (!1005)
  • Expose an initial TorClient object to our RPC sessions. (d7ab388faf96f53e)
  • Implement object-handle management backend for RPC sessions, so that RPC commands can refer to objects by a capability-style ID that doesn't make objects visible to other sessions. This has required significant design refinement, and will likely need more in the future. (#820, #848, !1160, !1183, !1200)
  • Add an experimental StreamCtrl mechanism to allow code (like the RPC module) that does not own the read or write side of a data stream to nonetheless monitor and control the stream. (#847, !1198)

Infrastructure

  • Our license checking code now allows the MPL-2.0 license on an allow-list basis. (#845, e5fa42e1c7957db0)
  • Our fixup-features script now works correctly to enforce our rules about the full feature (notably, that it must include all features not labelled as experimental or non-additive). (!1180, !1182)
  • The script that generates our Acknowledgments section now looks at various Git trailers in order to better acknowledge bug reporters. (!1194)
  • Use the latest version of Shadow in our integration tests (!1199)

Cleanups, minor features, and smaller bugfixes

  • Improved logging in directory manager code when deciding what to download and when to download it. (#803, !1163)
  • Downgrade and clarify log messages about directory replacement time. (#839)
  • Revise and downgrade other directory-manager logs. (#854, !1172)
  • When listing the features that are enabled, list static features correctly. (!1169)
  • Refactor the check_key function in tor-cert to provide a more reasonable API. (#759, !1184)
  • Improve or downgrade certain verbose log messages in tor-guardmgr and tor-proto. (!1190)
  • Throughout our codebase, avoid the use of ed25519 secret keys without an accompanying public key. Instead, store the two as a keypair. (Using ed25519 secret keys alone creates the risk of using them with mismatched public keys, with catastrophic cryptographic results.) (#798, !1192)

Network updates

  • Update to the latest list of Tor fallback directories. (!1210)

Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander Færøy, Jakob Lell, Jim Newsome, Saksham Mittal, and Trinity Pointard. Also, our deep thanks to Zcash Community Grants for funding the development of Arti!

Arti 1.1.4 — 3 May 2023

Arti 1.1.4 fixes a major bug in the directory downloading code that could cause clients to stay stuck with an old version of the directory.

Additionally, this version advances our efforts on onion services: we have implementations for descriptor downloading, and a design for improved key management.

For this month and the next, our efforts are divided between onion services and work on a new RPC API (a successor to C Tor's "control port") that will give applications a safe and powerful way to work with Arti without having to write their code in Rust or link Arti as a library (unless they want to). We have an early version of this protocol implemented, but it does not yet expose any useful functionality.

Arti 1.1.4 also increases our MSRV (Minimum Supported Rust Version) to Rust 1.65, in accordance with our MSRV Policy, and renames a few other inconsistently-named APIs.

Major Bugfixes

  • Download directories correctly in the case where we start with our cache containing all the microdescriptors from the previous directory. Previously, we had a bug where we only checked whether it was time to fetch a new consensus when we added a new microdescriptor from the network. This bug could lead to Arti running for a while with an expired directory. (#802 !1126)

Breaking changes

  • We now require Rust 1.65 or later for all of our crates. This change is required so that we can work correctly with several of our dependencies, including the typetag crate which we will need for RPC. (#815 !1131 !1137)
  • In all crates, rename *ProtocolFailed errors to *ProtocolViolation. This is a more correct name, but does potentially break API users depending on the old versions. (#804 !1121 !1132)

Breaking changes in lower level crates

  • Convert the DirClient request type for RouterDescs into an enum, and remove its push() method. (!1112)
  • Rename BridgeDescManager to BridgeDescMgr for consistency with other type names. (#805 !1122)
  • In tor-async-utils, rename SinkExt to SinkPrepareExt, since it is not actually an extension trait on all Sinks. (5cd5e6a3f8431eab)

Onion service development

  • Added and refactored some APIs in tor-netdir to better support onion service HSDir rings. (!1094)
  • Clean up APIs for creating encrypted onion service descriptors. (!1097)
  • Support for downloading onion service descriptors on demand. (!1116 !1118)
  • Design an API and document on-disk behavior for a key-management subsystem, to be used not only for onion services, but eventually for other kinds of keys. (#834 !1147)

RPC/Embedding development

  • New specification for our capabilities-based RPC meta-protocol in rpc-meta-draft. (!1078 !1107 !1141)
  • An incomplete work-in-progress implementation of our new RPC framework, with a capabilities-based JSON-encoded protocol that allows for RPC-visible methods to be implemented on objects throughout our codebase. For now, it is off-by-default, and exposes nothing useful. (!1092 !1136 !1144 !1148)

Documentation

  • Better explain how to build our documentation. (!1090)
  • Explain that we explicitly support --document-private-items. (!1090)
  • Fix incorrect documentation of OSX configuration location. (!1125)
  • Document some second-order effects of our semver conformance. (!1129)

Cleanups, minor features, and minor bugfixes

  • Improvements to TimerangeBound API. (!1105)
  • Fix builds with several combinations of features. (#801 !1106)
  • Code to join an AsyncRead and AsyncWrite into a single object implementing both traits. (!1115)
  • Expose the MiddleOnly flag on router status objects, for tools that want it. (#833 !1145 !1146)
  • Only run doctest for BridgesConfig when the pt-client feature is enabled; otherwise it will fail. (#843, !1166)
  • Refactoring in and around RelayId. (!1156)

Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander Færøy, juga, Neel Chauhan, tranna, and Trinity Pointard. Also, our deep thanks to Zcash Community Grants for funding the development of Arti!

tor-llcrypto patch release 0.4.4 — 4 April 2023

On 4 April 2023, we put out a patch release (0.4.4) to tor-llcrypto, to fix a compatibility issue. We had previously configured the tor-llcrypto crate to work with any version of x25519-dalek version "2.0.0-pre.1" or later, but the recent release of version "2.0.0-rc.2" had a breaking change that stopped tor-llcrypto from compiling. The new version of tor-llcrypto now properly pins the old version of x25519-dalek, to avoid picking up such incompatible pre-releases. We hope that our next release of tor-llcrypto will upgrade to the newer x25519-dalek release. Additional resources: #807 !1108.

Arti 1.1.3 — 31 March 2023

Arti 1.1.3 continues our work on onion services. We can now parse all of the relevant message types, build circuits as needed to target relays, build and sign onion service descriptors, and deliver onion service requests to our hsclient code.

We've also solved a few annoying bugs, made our CI more bulletproof against certain programming mistakes, and exposed a few APIs that had been missing before elsewhere in our code.

Major bugfixes

  • Prevent a fatal error when finding a usable consensus in a read-only directory store. (#779, !1055)

Breaking changes in lower level crates

  • Moved futures-related utilities from tor-basic-utils to a new tor-async-utils crate. (!1091)
  • When the expand-paths Cargo feature is not enabled, we now reject paths in our configuration containing unescaped $ and ~ strings. Previously we would treat them as literals, which would break when expand-paths was provided. (#790, !1069)

Onion service development

  • We now have working implementations for all of the message types that Tor uses to implement onion services. These are included in our fuzzing, and are cross-validated against the C Tor implementation. (!1038, !1043, !1045, !1052)
  • Our onion service descriptor parsing code now validates the inner certificates embedded in the descriptors, for parity with C Tor's behavior. (#744, !1044)
  • Refactor responsibility for HS circuit management out of CircMgr (!1047)
  • Revise APIs and outline implementations for the initial parts of a state manager and client implementation. (!1034, !1086)
  • Handle requests for .onion addresses by routing them to our onion service code. (This code does not yet do anything useful.) (!1060, !1071, !1098)
  • Our circuit implementation now has APIs needed to send special-purpose messages and receive replies for them. We'll use this to implement onion service handshakes outside of the tor-proto module. (!1051)
  • Implement functionality to pre-construct and launch circuits as needed for onion service directory, introduction, and rendezvous communications. (#691, !1065)
  • Implement code to construct, encrypt, and sign onion service descriptors. (#745, !1070, !1084)
  • More work on usable APIs for HSDir ring. (!1095)

Infrastructure

  • Add a new check_env script to detect whether the environment is set up correctly to build Arti. (!1030)
  • We have the beginnings of a fixup-features tool, to make sure that our "full" and "experimental" Cargo features behave in the way we expect, and eventually to enable us to use cargo-semver-checks on our non-experimental features only. This tool is not yet ready for use; its semantics are subtly wrong. (#771, !1059)
  • Our CI scripts now reject merges containing the string "XXXX"; we use this string to indicate places where the code must be fixed before it can be merged. (#782, !1067)

Testing

  • More of our tests now specify times using humantime (rather than as a number of seconds since the Unix epoch). (!1037)
  • Our fuzzers now compile again. (53e44b58f5fa0cfa, !1063)

Documentation

  • New example code for building a BridgeConfig and launching a TorClient with bridges, without having a config file. (#791, !1074)

Cleanups, minor features, and minor bugfixes

  • Our caret macro now works correctly for uninhabited enumerations. (841905948f913f73)
  • Defend against possible misuse of tor_bytes::Reader::extract_n. This wasn't a security hole, but could have become one in the future. (!1053)
  • Do not ask exits to resolve IP addresses: we already know the IP address for an IP address. (!1057)
  • Fix a bunch of new warnings from Rust 1.68. (!1062)
  • Expose builder for TransportConfigList as part of the public API. (455a7a710917965f)
  • Enforce use of blinded keys in places where they are required. (!1081)
  • Add accessors for the Blockage type, so other programs can ask what has gone wrong with the connection to the network. (#800, !1088)

Acknowledgments

Thanks to everybody who's contributed to this release, including Alexander Færøy, Dimitris Apostolou, Emil Engler, Saksham Mittal, and Trinity Pointard. Also, our welcome to Gabi Moldovan as she joins the team!

Also, our deep thanks to Zcash Community Grants for funding the development of Arti!

Arti 1.1.2 — 28 February 2023

Arti 1.1.2 continues our work on onion services, and builds out more of the necessary infrastructure, focusing on backend support for the onion service directories.

We've also done a significant revision on our handling of incoming messages on circuits, to avoid a fair amount of unnecessary copying, and defer message parsing until we're certain that the message type would be acceptable in a given context. Doing this turned up several bugs, which are now fixed too.

Breaking changes in lower level crates

(Breaking changes in experimental APIs are not noted here.)

New features

  • We now have the facility to give a helpful "error hint" in response to a given failure. Right now, we use this to improve the error message given for file-system permission errors, so that it suggests either changing the permissions on a directory, or suppressing the error. (#578, #579, !976, !994, !1018)
  • When we log an error message from inside our code (at "info" or higher), we now make sure to log a full error report, including the cause of the error, its cause, and so on. (#680, !997)
  • When receiving messages on channels, circuits, and streams, we now defer parsing those messages until we know whether their types are acceptable. This shrinks our attack surface, simplifies our code, and makes our protocol handling less error-prone. (#525, !1008, !1013, !1017)
  • We now copy relay cell bodies much less than previously. (#7, ca3b33a1afc58b84)
  • We have support for handling link specifier types verbatim, for cases when we need to use them to contact a rendezvous point or introduction point without checking them. (!1029)

Onion service development

  • We can now parse onion service descriptors, including all encrypted layers, with support for descriptor-based client authentication. (#744, !999, !1015)
  • Our network directory code now supports deriving the HsDir directory ring, to find out where onion service descriptors should be uploaded and downloaded. (#687, !1012)
  • We've refactored our implementation of onion service message extensions into a single place, to save on code and avoid type confusion. (5521df0909ff7afa)
  • Our internal onion-service Cargo features have been renamed to start with hs-*. We're still using onion-* as the prefix for our high-level onion-service features. (#756, !1033)

Infrastructure

  • All our shell scripts now work when bash is somewhere other than /bin. (!990)
  • Our check_doc_features script is now a little more reliable. (!1023)
  • Our coverage tools now perform better checks to make sure they have all of their dependencies. (#776, !1025)

Cleanups, minor features, and bugfixes

  • The internal data structures in tor-netdir now use the typed_index_collections crate to ensure that the indices for one list are not mis-used as indices into another. (!1004)
  • We no longer reject authority certificates that contain an unrecognized keyword. (#752, 266c61f7213dbec7)
  • Our tor-netdoc parsing code now requires the caller to specify handling for unrecognized keywords explicitly, to avoid future instances of bug #752. (!1006)
  • Several internal APIs and patterns in tor-netdoc have been streamlined. (#760, !1016, !1021)
  • Make the extension-handling code for onion service message decoding more generic, since we'll reuse it a lot. (!1020)
  • We now kill off circuits under more circumstances when the other side of the circuit violates the protocol. (#769, #773, !1026)
  • We now expire router descriptors as soon as any of their internal expiration times has elapsed. Previously, we expired them when all of their expiration times had elapsed, which is incorrect. (#772, !1022)
  • We are much more careful than previously about validating the correctness of various message types on half-closed streams. Previously, we had separate implementations for message validation; now, we use a single object to check messages in both cases. (#744, !1026)
  • We now treat a RESOLVED message as closing a half-closed resolve stream. Previously, we left the stream open. (!1026)

Thanks to everyone who has contributed to this release, including Dimitris Apostolou, Emil Engler, and Shady Katy.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti!

Arti 1.1.1 — 1 February 2023

After months of work, we have a new release of Arti! Arti 1.1.1 is an incremental release, and cleans up a few issues from previous releases, including a few annoyances and limitations.

More significantly, Arti 1.1.1 begins our work on Onion Services. This code won't be finished till later this year, but you can read about our process below.

Breaking changes in lower level crates

New features

  • When logging an error at severity info or higher, we now (sometimes) include a full report of the error's sources. Previously we only logged the highest-level error, which often lacked enough detail to make a full diagnosis. This work will be completed in a subsequent release. (!936)
  • When asked via SOCKS to resolve an address that is already an IP address, we now just return the same address, rather than asking the Tor network. (#714, !957)
  • There is a new release profile, quicktest, for development purposes. It should run faster than debug, but compile faster than release. It is meant for quick integration and acceptance test purposes. (#639, !960)
  • The TorClient object now exposes a set_stream_prefs API to let callers change their stream settings without cloning a new TorClient. (#718, !977)

Onion service development

  • There is now an unimplemented draft set of high-level and low-level APIs throughout our codebase that we will need to implement onion services. These not-yet-functional APIs are gated behind the onion-client and onion-service features. They are not covered by semantic versioning; we will use them to guide our implementation efforts in the coming months. (#525, #716, !959, !966, !969, !970, !971, !972, !974)
  • We have implemented the private-key version of the key-blinding algorithm used in onion services. (#719, !964)
  • We now parse and expose consensus network parameters related to onion services. (!968)
  • Our SOCKS backend now supports returning the extended onion service SOCKS result codes from proposal 304. (#736, !978)
  • The tor-netdoc crate now has a (not-yet-used) backend for constructing documents in Tor's metaformat. (!969, !984)
  • Implement the lower level cryptographic key types (and some of the cryptographic algorithms) used by onion services. (#684, #742, !980)
  • Add support for parsing Shared Random Values from consensus documents, including the extensions from proposal 342.
  • In tor-netdir, implement the algorithms for determining the current time period and constructing the cryptographic parameters for each period's HsDir ring. (#686, !987)

Network updates

  • Update to the latest identity key for the directory authority moria1. (!922)
  • Retire the directory authority faravahar. (!924, tor#40688)

Testing

  • Upgrade to a newer version of the Shadow simulator, and use it to test Arti with bridges. (#651, !915)
  • More tests for our safe-logging features. (!928)
  • More tests for error cases in persistent-data manager. (!930)
  • We now have a standard block of clippy exceptions that we allow in our test code, and we apply it uniformly. (!937)
  • In our Shadow scripts, use bare paths to find tor and tgen. (!949)

Documentation

  • Move internal-facing documentation into a doc/dev subdirectory, so that it's easy for downstream users to ignore it. (#576, !921)
  • Make the summary line style consistent across our README files, and make the crate list in Architecture.md match. (!951)
  • Add more high level documentation to Architecture.md, including a rough crate-dependency diagram, and an object model diagram for our manager types. (#624, !963)

Example code

  • Make the arti-hyper example code compile and work correctly on OSX. (#569, #715, !958)

Cleanups, minor features, and bugfixes

  • Use Rust 1.60's conditional dependency feature to simplify our dependency and feature logic. (#434, !920)
  • Upgrade to shellexpand 3.x. (!927)
  • The unwrap method on Sensitive is renamed to into_inner; unwrap is now deprecated. (!926)
  • Clean up tests to use humantime more, and to specify fewer times as raw integers. (#663, !931, !941, !942, !943)
  • We now use a low-level CtByteArray type to handle the common case of declaring a fixed-length array that should always be compared in constant time. (!962)
  • There is now much more diagnostic logging in the pluggable transport IPC code, and for connection launching. (#677, !923)
  • We have labeled more data throughout our logs and error messages as "sensitive" for logging purposes. (#556, !934, !986)
  • We've migrated all of our base64 parsing to base64ct. (This work began with !600 in Arti 0.5.0; now we have migrated even the parsing that doesn't need to be constant-time, under the theory that having only one implementation is probably better.) (889206cde4ef29d)
  • Our scripts now all indirect through /usr/bin/env, to support platforms that don't put bash in /bin. (!988)
  • Clean up various warnings introduced in Rust 1.67 (#748, #749, !992)
  • Numerous spelling fixes.

Thanks to everyone who has contributed to this release, including Alexander Færøy, coral, Dimitris Apostolou, Emil Engler, Jim Newsome, Michael van Straten, Neel Chauhan, and Trinity Pointard.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti 1.1.1!

Arti 1.1.0 — 30 November 2022

Arti 1.1.0 adds support for Tor's anti-censorship features: Bridges (unlisted relays), and Pluggable Transports (external tools to hide what protocol you're using).

Use of these features can make Arti more effective at gaining access to Tor, in spite of censorship (or breakage) between you and the wider public internet.

These features are still very new, so there are likely to be bugs, and the user experience may not yet be optimal. (In particular, there are a bunch of spurious warnings and error messages in the logs.) Nonetheless, we believe that the quality of these features is good enough to be used.

Breaking changes

Breaking changes in lower level crates

  • SocksHandshake has been renamed to SocksProxyHandshake, to distinguish it from SocksClientHandshake. (b08073c2d43d7be5)
  • Numerous changes to the bridge-related APIs introduced in 1.0.1. (!758, #600, !759, !780)
  • API changes to tor-dirclient::Response. (!782)
  • Netinfo cell constructors have been renamed. (!793)
  • The guard manager API no longer accepts NetDir arguments to most of its methods; instead, it expects to be given a NetDirProvider. (95a95076a77f4447)
  • Move the responsibility for creating a GuardMgr to the arti-client crate. (!850)
  • Numerous other changes to lower-level APIs.

New features

  • Arti can now connect to bridges when compiled with the bridge-client feature. (This is on by default in the arti binary.) As part of this feature, we have had to implement:

    • Configuration logic for bridges (#599, !744, !745, !767, !781, !780, !783, !826, !874, !877, !881)
    • Data structures to keep track of relays based on possibly non-overlapping sets of keys (!747, !774, !797, !806)
    • Improved functionality for parsing router descriptors and integrating them with our list of bridges (!755)
    • Large-scale refactoring of the channel-manager internals to handle bridges and relays while treating them as distinct. (!773)
    • Code to download, store, and cache bridge descriptors. (!782, !795, !810, !820, !827, !828, !831, !834, !845, !851)
    • Allow the guard manager to treat bridges as a kind of guard, and to treat bridge-lists and network directories as two kinds of a "universe" of possible guards. (!785, !808, !815, !832, !840)
    • Support code to integrate directory management code with guard management code. (!847, !852)
    • More careful logging about changes in guard status. (!869)
    • Logic to retire circuits when the bridge configuration changes. (#650, !880)
  • Arti can now connect via pluggable transports when compiled with the pt-client feature. (This is on by default in the arti binary.) This has required us to implement:

    • Configuration logic for pluggable transports (!823)
    • The client side of the SOCKS protocol (!746)
    • An abstraction mechanism to allow the ChanMgr code to delegate channel construction to caller-provided code. (!769, !771, !887, !888)
    • Integrating the SOCKS client code into the ChanMgr code. (!776)
    • Launching pluggable transports and communicating with them using Tor's pluggable transport IPC protocol. (#394, !779, !813)
    • Code to keep track of which pluggable transports are needed, and launch them on demand. (!886, !893)
    • Support code to integrate the pluggable transport manager with arti-client. (#659)
    • A "reactor" task to monitor PT status and launch pluggable transports as needed. (!901, !903)
  • Paths in the configuration can now be configured using ${PROGRAM_DIR}, which means "the directory containing the current executable". (#586, !760)

  • Some objects can now be marked as "Redactable". A "Redactable" object is one that can be displayed in the logs with some of its contents suppressed. For example, whereas a full IP might be "192.0.2.7", and a completely removed IP would be logged as "[scrubbed]", a redacted IP might be displayed as "192.x.x.x". (#648, !882)

Testing

  • We now use the Shadow discrete event simulator to test Arti against a simulated Tor network in our CI tests. (#174, !634)
  • Fuzzing for SOCKS client implementations. (dc55272602cbc9ff)
  • Fuzzing for more types of cells (c41305d1100d9685)
  • Fuzzing for pluggable transport IPC (!814)
  • CI testing for more combinations of features. (#303, !775)
  • CI testing for more targets. (#585, !844)
  • Better reproducible builds, even on environments with small /dev/shm configured. (#614, !818)

Cleanups, minor features, and bugfixes

  • We now use the hostname-validator crate to check hostnames for correctness. (!739)
  • Now that we require a more recent Rust, we no longer need to duplicate all of our README.md files explicitly in our crate-level documentation. (#603, !768)
  • A few small refactorings to avoid copying. (!790, !791)
  • Refactor guard-manager code to make it harder to become confused about which sample a guard came from. (19fdf196d89e670f)
  • More robust conversion to u16 at some places in tor-cell, to avoid future integer overflows. (!803)
  • Refactor our "flag event" to make it easier to (eventually) use in other crates. (!804)
  • Significant refactoring of our file-change watching code. (#562, !819)
  • Upgrade to clap v3 for our command-line option parsing. (#616, !830)
  • Fix documentation for starting Tor Browser with Arti on Windows. (!849)
  • Allow empty lines at the end of a router descriptor. (!857)
  • Improve some error messages while parsing directory documents. (#640, !859)
  • Internal refactoring in ChanMgr to better match current design. (#606, !864)
  • Improve display output for describing relays as channel targets, to provide a more useful summary, and avoid displaying too much information about guards. (#647, !868)
  • Better error reporting for some kinds of router descriptor parsing failures (!870)
  • Numerous typo and comment fixes.

Thanks to everyone who has contributed to this release, including Alexander Færøy, arnabanimesh, breezykermo, Dimitris Apostolou, EliTheCoder, Emil Engler, Gabriel de Perthuis, Jim Newsome, Reylaba, and Trinity Pointard.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti 1.1.0!

Arti 1.0.1 — 3 October 2022

Arti 1.0.1 fixes a few bugs in our previous releases.

This is a fairly small release: Members of our team have spent a lot of September at a company meeting, on our vacations, and/or recovering from COVID-19. The feature work we have managed to get done is largely behind-the-scenes preparation for our anti-censorship release, which we now hope is coming in early November.

Breaking changes

  • The Schedule::sleep()* functions in tor-rtcompat now return a Result. This change was part of the fix for part of #572.

New features

  • Optionally expose an accessor to get the CircuitBuilder from a CircMgr. If you don't mind voiding your semver guarantees, you can enable this accessor with the experimental-api feature, and use it to build circuits using paths of your own creation. (!738)
  • We now apply our "safe logging" feature to the console as well, to avoid exposing sensitive information in our console log. (#553, !742)

Major bugfixes

  • Fixed a bug that could occur when dropping an Arti client, which caused Arti to busy-loop and use too much CPU. (#572, !725)
  • Fixed compilation when building with async-std. (!723)

Documentation

Infrastructure

  • Our reproducible builds now use Rust 1.63, and the code to make them has been cleaned up a bit. (!716)

Cleanups, minor features, and minor bugfixes

  • Fix a test failure that would occur on some platforms depending on their inlining decisions. (#570, !727)
  • Better listing of platforms that don't have getresuid(), so that we can compile there without breaking. (!728)
  • Preliminary back-end support for encoding and decoding some messages in the onion service protocol. (!714, !735, !736)
  • Fixes for various newly implemented Clippy warnings. (!729, !749)
  • The RouterDesc type now implements Clone and Debug. (571e7f9556adf12d)
  • Preliminary internal API designs for most of the logic needed to implement Tor's anti-censorship features. These APIs are unstable, and mostly not implemented yet, but they give us something to fill in. (#543, #558, !740, !743, !748)

Thanks to everyone who has contributed to this release, including Alexander Færøy, Trinity Pointard, and Yuan Lyu.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti 1.0.0!

Arti 1.0.0 — 1 September 2022

Arti 1.0.0 adds a final set of security features, clears up some portability bugs, and addresses numerous other issues.

With this release, we are now ready to declare Arti stable: we are relatively confident that Arti has the security features that it needs for usage via the arti command-line proxy, or embedding via the arti-client API.

In our next releases, we will focus on adding anti-censorship features similar to C tor, including support for connecting via bridges and pluggable transports.

Breaking changes

  • Most of the APIs in the arti crate—the one providing our binary—are now hidden behind an experimental-api feature, to mark that they are unstable and unsupported. If you need to embed arti in your application, please use the arti-client crate instead. (#530, !664)
  • The default_config_file function has been replaced with default_config_files, since we now have both a default directory and a default file. (!682)

Breaking changes in lower-level crates

  • New params() method in the NetDirProvider trait, to expose the latest parameters even when we don't have a complete directory. (#528, !658)
  • Large refactoring on the traits that represent a relay's set of identities, to better support more identity types in the future, and to make sure we can support bridges with unknown Ed25519 identities when we implement them. (#428, !662)
  • Require that our TcpStream types implement Send. (!675)

New features

  • Arti now implements Tor's channel padding feature, to make netflow logs less useful for traffic analysis. (#62, !657)
  • Use zeroize more consistently across our code base. This tool clears various sensitive objects before they get dropped, for defense-in-depth against memory exposure. (#254, !655)
  • Provide a "process hardening" feature (on by default) that uses secmem_proc to prevent low-privileged processes from inspecting our memory or our monitoring our execution. This is another defense-in-depth mechanism. (#364, !672)
  • Arti now rejects attempts to run as root. You can override this with application.allow_running_as_root. (#523, !688)
  • Arti now rejects attempts to run in a setuid environment: this is not something we support. (#523, !689, !691)
  • We now support having an arti.d directory full of .toml configuration files, to be read in sorted order. (#271, #474, #544, !682, !697)
  • On Unix-like platforms, we now reload our configuration file when we receive a HUP signal. (#316, !702)

Major bugfixes

  • Numerous fixes to our fs-mistrust crate for Android and iOS, including some that prevented it from building or working correctly. (!667)
  • The fs-mistrust crate now handles Windows prefixes correctly. Previously, it would try to read C:, and fail. (!698)

Infrastructure

  • The check_licenses tool now works with the latest version of cargo-license. (!674)
  • Our continuous integration configuration now has support for building and testing Arti on Windows. (#450, !705)

Documentation

  • Our documentation is now much more careful about listing which Cargo features are required for any optional items. (#541, !681, !706)
  • Better documentation about our API stability and overall design. (#522, #531)
  • Better documentation on the DONE stream-close condition. (!677)

Cleanups, minor features, and minor bugfixes

  • The dns_port and socks_port options have been renamed to dns_listen and socks_listen. They now support multiple addresses. Backward compatibility with the old options is retained. (#502, !602)
  • Renamed .inc files to end with .rs, to help analysis tools. (#381, !645)
  • Backend support for some cell types that we'll need down the road when we implement onion services. (!651, !648)
  • Switch to the once-again-maintained main branch of shellexpand. (!661)
  • Use less storage on disk for descriptors, by expiring them more aggressively. (#527, !669)
  • Backend support for RTT estimation, as needed for congestion-based flow-control. (!525)
  • Running as a DNS proxy can now be disabled at compile-time, by turning off the dns-proxy feature. (#532)
  • When a circuit fails for a reason that was not the fault of the Tor network, we no longer count it against our total number of permitted circuit failures. (#517, !676)
  • Tests for older configuration file formats. (!684)
  • Our default log messages have been cleaned up a bit, to make them more useful. (!692, 0f133de6b90e799d, e8fcf2b0383f49a6)
  • We use safelog in more places, to avoid logging information that could be useful if the logs were stolen or accidentally leaked. (!687, !693)
  • Fix a race condition that could prevent us from noticing multiple configuration changes in rapid succession. (#544, a7bb3a73b4dfb0e8)
  • Better errors on invalid escapes in our configuration files. (In toml, you can't say "C:\Users"; you have to escape it as "C:\\Users". We now try to explain this.) (#549, !695)
  • Improve reliability of a fs-mistrust test. (!699)
  • Various tests have been adjusted to work on Windows, or disabled on Windows because they were checking for Unix-only features. (#450, #557, !696, !701)
  • When displaying filenames in logs or error messages, we try to replace the user's home directory with ${HOME} or %UserProfile% as appropriate, to reduce the frequency with which the username appears in the logs. (#555, !700)

Testing

  • Lengthen a timeout in a tor-rtcompat test, to make it more reliable. (#515, !644)

Acknowledgments

Thanks to everyone who has contributed to this release, including Alexander Færøy, Arturo Marquez, Dimitris Apostolou, Emptycup, FAMASoon, Trinity Pointard, and Yuan Lyu.

Also, our deep thanks to Zcash Community Grants for funding the development of Arti 1.0.0!

Arti 0.6.0 — 1 August 2022

Arti 0.6.0 fixes bugs, cleans up some messy internals, improves error messages, and adds more preparation for future work in netflow padding.

(These notes summarize changes in all crates since Arti 0.5.0.)

Breaking changes

  • The download_tolerance configuration section has been renamed to directory_tolerance: It's not about tolerances at download time, but rather about how expired or premature a directory can be. The related DirSkewTolerance has also been renamed. (#503, !638)
  • Several methods related to managing the Mistrust file-permissions object have been removed or changed, thanks to refactoring elsewhere. (#483, #640)

Breaking changes in lower level crates

These changes should not break any code that only depends on the arti_client APIs, but they will affect programs that use APIs from lower-level crates to interact more closely with the Tor protocols.

  • The Error types in all crates have been refactored to include far more accurate information about errors and their context. This does not break the arti_client API, but it will affect anybody using lower-level crates. (#323, !614, !616, !619, !620, !625, !628, !638)
  • The Writeable trait used to encode data, and related methods, are now fallible. Previously they had no way to report errors. (#513, !623, !640)
  • The tor-cert APIs have been tweaked to support more compact internal representations and more idiomatic usage. (#512, !641, !643).
  • The NetDirProvider API, and related APIs in tor-dirmgr, have been changed to support returning network directories with varying timeliness requirements. (#528, !642)
  • The fs-mistrust API no longer supports certain operations related to unix groups, when built on iOS. (!652)

New features

  • The internal tor-cert API now supports generating Tor-compatible certificates. (#511, !611)
  • Improved API support for circuit handshakes that include external encrypted data, such as ntor-v3 and hs-ntor. (!618)

Major bugfixes

  • Fix a bug that prevented Arti from storing consensus files on Windows. Previously, we had generated filenames containing a colon, which Windows treats as a reserved character. (#516, !627)
  • Fix compilation on iOS. Our dependency on the rust-users crate had broken our ability to work correctly there. (#519, !652)

Infrastructure

  • Our license checker now tolerates complicated licenses with nested boolean expressions, by explicitly allow-listing the ones we like. (!635)

Cleanups, minor features, and minor bugfixes

  • Upgrade to a newer version of base64ct, and remove some work-around logic required for the older versions. (!608)
  • Various typo fixes. (!609, !610, !650)
  • Upgrade to a pre-release version of x25519-dalek to avoid a hard dependency on an outdated version of zeroize, so we can follow the latest version of the rsa crate. (#448, !612)
  • Our client-global "dormant mode" flag is now published via a postage::watch, which makes it easier to observe for changes. (!632)
  • Preliminary (unused) support for some onion-service-related cells. (!626)
  • The fs-mistrust crate can now use environment variables to be told to disable itself. This has allowed for simplifications elsewhere in our configuration logic. (#483, !630)
  • Clean up an incorrect --help message. (!633)

Testing

  • More tests for arti-hyper. (!615)
  • More tests for our underlying base-64 implementation. (!613)

Acknowledgments

Thanks to everyone who has contributed to this release, including Arturo Marquez, Dimitris Apostolou, feelingnothing, Jim Newsome, Richard Pospesel, spongechameleon, Trinity Pointard, and Yuan Lyu.

tor-dirmgr patch release 0.5.1 — 14 July 2022

On 14 July 2022, we put out a patch release (0.5.1) to tor-dirmgr, to fix a bug that prevented Arti from storing consensus files on Windows. Previously, we had generated filenames containing a colon, which Windows treats as a reserved character.

Thanks to "@feelingnothing" for the bug report and the fix.

Arti 0.5.0 — 24 June 2022

Arti 0.5.0 adds more cryptographic acceleration, a useful set of toplevel build features, reachable-address filtering, detection for failed directory downloads, and numerous cleanups.

Note that for the first time, we did not have breaking changes in the arti-client crate, so its version is staying at 0.4.1.

Breaking changes

  • The NetDirProvider trait now requires Send and Sync. (2223398eb1670c15)
  • The traits that make up Runtime now also require Send and Sync. (3ba3b26842254cfd)
  • The "journald" option for LoggingConfig now takes Option<Into<String>>. (!582)
  • (Various smaller breaking changes in lower-level crates.)

New features

  • We can now (optionally) use OpenSSL as our cryptography backend, for its better performance. To enable this, build with the accel-openssl feature. (#441, #442, #493, !550)
  • We can now (optionally) use the assembly implementation of SHA1 in our cryptography backend, for its better performance. To enable this, build with the accel-sha1-asm feature. (#441, !590)
  • Our top-level crates (arti and arti-client) now have a full feature that enables most of their optional features—but not those that are unstable, those that are testing-only, those that select a particular implementation or build flag, or those whose licenses may be incompatible with some downstream licenses. (#499, !584)
  • We now notice when we get stuck when trying to bootstrap a directory, and report the problem as part of our blockage-detection API. (#468, !587)
  • We support a reachable_addrs feature that allows the user to tell Arti that only some addresses and/or ports are reachable over the local network. (#491, #93, !583)
  • Our configuration logic now handles "no such value" options (like using "0" to mean "no port") more consistently, warns about unrecognized options, and includes tests to be sure that the "default configuration" file really lists all of the defaults. (#457, #480, #488, !582, !589, !594)

Infrastructure

  • Our shell scripts are now more robust to a few different runtime environments. (!539, !541)
  • Our license-checking code is more accurate and careful. (#462, !559)
  • The PRNG logic in our unit tests now uses reproducible seeds, so that we can better diagnose issues related to sometimes-failing tests. (!561)

Cleanups, minor features, and minor bugfixes

  • The fs-mistrust crate now handles environments where getgrouplist() doesn't include the current GID. (#487, !548)
  • dns_port now de-duplicates requests based on transaction ID. (#441, !535)
  • dns_port returns more accurate errors in several cases. (!564)
  • More unit tests in various places. (!551, !562)
  • We avoid initializing a DataStream if it would immediately be closed. (!556)
  • We return a more useful error message for incorrect file permissions (!554)
  • The directory manager code now uses a refactored timing backend that knows how to respect dormant mode. (#497, !571)
  • Fix an unreliable test related to guard filtering. (#491, 89f9e1decb7872d6)
  • We now use a constant-time implementation of base-64 decoding. (#154, !600)
  • We now make sure that at least some log messages can get reported before the logging is configured. In particular, unknown configuration settings now generate warning messages on stderr when arti starts up. (!589)
  • Many of our lower-level Error types have been refactored to give more accurate, useful, and best-practices-conformant messages. (#323, !598, !601, !604)

Acknowledgments

Thanks to everybody who has contributed to this release, including 0x4ndy, Alex Xu, Arturo Marquez, Dimitris Apostolou, Michael McCune, Neel Chauhan, Orhun Parmaksız, Steven Murdoch, and Trinity Pointard.

Arti 0.4.0 — 27 May 2022

Arti 0.4.0 wraps up our changes to the configuration logic, detects several kinds of unsafe filesystem configuration, and has a refactored directory manager to help us tolerate far more kinds of broken networks and invalid documents.

There are significant breaking changes in this release; please see below.

Breaking changes

  • We've merged the last (we hope) of our breaking configuration changes.
    • Configuration and command-line loading is now handled consistently via the option-agnostic tor-config crate. (!495, !498)
    • We follow a uniform pattern where configuration objects are constructed from associated Builder types, and these Builders support serde traits, and everything provides a consistent API. (!499, !505, !507)
    • The arti-config crate no longer exists: its functionality has been divided among arti, arti-client, and tor-config. (!508)
    • The [TorClientConfig] object no longer implements TryInto<DirMgrConfig>.
    • The configuration logic now supports extensible configurations, where applications can add their own sections and keys without interfering with Arti, and unrecognized keys can still produce warnings. (#459, #417)
  • The Runtime trait now also requires that Debug be implemented. (!496)
  • (Various smaller breaking changes in lower-level crates.)

New features

  • Arti now checks file permissions before starting up, and rejects configuration files, state files, and cache files if they can be modified by untrusted users. You can disable this feature with the ARTI_FS_DISABLE_PERMISSION_CHECKS environment variable. (#315, #465, !468, !483, !504, !515)
  • Arti now tolerates a much wider array of broken networks and installations when trying to bootstrap a working connection to the Tor network. This includes improved handling for skewed clocks, untimely documents, and invalid consensus documents. (#412, #466, #467, !500, !501, !511)

Major bugfixes

  • Arti no longer exits or gets stuck when it has received a consensus with invalid signatures, or a consensus claiming to be signed with certificates that don't exist. (#412, #439, !511)

Infrastructure

  • Clean up more effectively in chutney-based test scripts. (ee9730cab4e4b21e)
  • Nightly coverage reports are now generated and exported to gitlab pages. (!489)
  • We no longer include a dependency on cargo-husky: If you want to have git hooks in your local repository, you'll need to install your own. (See CONTRIBUTING.md for instructions.) (!494)
  • Our shell scripts are more uniform in their behaviour. (!533)

Documentation and Examples

  • Better documentation for Cargo features. (#445, !496)
  • Better explanation of what platforms and dependencies we support, and what "support" means anyway. (#379, !513)
  • An advanced example of using the stream isolation feature for trickier behavior. (#414, !524)

Cleanups, minor features, and minor bugfixes

  • Use tinystr to hold relay nicknames; this should save a bit of memory. (!405)
  • Refactor the DirMgr crate's bootstrapping implementation to reduce amount of mutable state, reduce complexity, and reduce the amount of code that has to modify a running directory. (!488)
  • We only check the formatting of our backtraces on our target platforms, to better tolerate operating systems where Rust's backtraces don't correctly include function details. (#455, !512)
  • DirMgr is now better at remembering the origin of a piece of directory information. (ef2640acfaf9f873)
  • Used a new Sink::prepare_send_from helper to simplify the implementation of Channel reactors. (!514)
  • The SOCKS code now sends correct error messages under more circumstances. (#258, !531)

Acknowledgments

Thanks to everybody who has contributed to this release, including Alex Xu, Dimitris Apostolou, Jim Newsome, Michael McCune, and Trinity Pointard.

Arti 0.3.0 — 6 May 2022

Arti 0.3.0 includes several new features, including an improved configuration builder API, improved detection and tolerance of numerous network failure types, and several important bugfixes.

There are significant breaking changes in this release; please see below.

Breaking changes

Here are the main breaking changes visible from the arti-client crate. Numerous other lower-level crates have breaking changes not noted here.

  • We now require Rust 1.56 or later. This change enables us to use more recent versions of several of our dependencies, including a significantly faster aes. (!472)
  • Some unused accessors have been removed from tor-socksproto. (3103549cba603173)
  • Our configuration logic and APIs have been significantly revised. Major changes are described below. We expect that we're mostly done with breaking changes in this area, though we expect a few minor API breaks here in the next release.
    • Lists of objects, and contained configuration objects, are now constructed using a uniform pattern.
    • All of our config builder types are now Deserialize; our configuration types themselves are not.
    • Various types are now more consistently constructed, which breaks some of the APIs.
    • Paths can now be given as "literal" paths, which will not be expanded.
    • Several options have been renamed for consistency.
    • For background see #451, !447, !462, !471, !473, !474, !475, !477, !478, !481, and !487.

New features

  • Arti now tracks clock skew reports from the guard relays and fallback directories that we contact, and uses this information to infer whether our clock is actually skewed, and whether this skew is the likely cause of a failure to bootstrap. (!450, !455)
  • We now remove obsolete files from our state directory. (#282)
  • More objects from tor-dirmgr are now exposed when the experimental-api feature is enabled. (!463)
  • Arti now has a feature to avoid logging certain sensitive information to persistent logs at level info or higher. When safe logging is enabled (which it is, by default), the string [scrubbed] is printed in these contexts, rather than the sensitive information. At present, only target addresses are considered sensitive, though we aim to protect more information moving forward. This feature can be disabled with the configuration option storage.log_sensitive_information. (#189, !485)

Major bugfixes

  • Our circuit-build logic is now much more careful about which errors are retriable, and how long to wait between attempts. (#421, !443)
  • We resolved a race condition that could cause internal errors to be reported erroneously during circuit construction. (#427)
  • We no longer interpret a successful circuit as meaning that a guard is working as a directory. Even if it can build circuits, it may be unable to answer directory requests to our satisfaction. (b3e06b93b6a34922)

Infrastructure

  • Our CI infrastructure now correctly detects (and reports!) failures from cargo-audit. (!452)

Cleanups, minor features, and minor bugfixes

  • We report more accurate and useful messages on failure to build a circuit. (f7810d42eb953bf5)
  • Avoid dropping information when reloading guards. (#429)
  • Arti now treats expired or not-yet-valid directory objects as an error condition, since they indicate that the directory cache (or the client) likely has a skewed clock. (#431)
  • We now back off on attempts to build preemptive circuits, if we find that those attempts are failing. (#437, !456)
  • As part of the configuration refactoring, we've extended the number of our configuration builders that are auto-generated. (!462)
  • Improve handling of some integer overflows. (!466)
  • More unit tests throughout the code.

Acknowledgments

Thanks to everybody who has contributed to this release, including Christian Grigis, Dimitris Apostolou, Samanta Navarro, and Trinity Pointard.

Arti 0.2.0 — 1 Apr 2022

Arti 0.2.0 makes a large number of changes to Arti's code and infrastructure for better configurability, lower memory usage, support for running as a basic DNS resolver, improved stream isolation, better behavior under network failures, and API support for a "dormant mode" to suspend background activities.

Breaking changes

Here are the main breaking changes visible from the arti-client crate. Numerous other lower-level crates have breaking changes not noted here.

  • Significant refactoring to our configuration handling logic and APIs. The goals here are:
    • To have the ConfigBuilder objects be the primary configuration objects, and simplify the handling of configuration at the TorClient and arti APIs.
    • To remove arti-config entirely, and fold its contents into arti or arti-client as appropriate.
    • To remove unnecessary ad-hoc accessor functions until they prove to be needed.

    This change is not done in this release; we expect to have more breakage in this area in our next release as well. (#314, #371, #372, #374, #396, #418, !391, !401, !417, !421, !423, !425, !427)

  • The Runtime trait now includes (and requires) UDP support. (Part of !390's support for DNS.)

  • Stream isolation support is completely revised; see notes on isolation below.

New features

  • Experimental feature to allow the DirMgr to be replaced by a user-provided DirProvider. (#267, !318, !347)
  • Arti now tolerates IPv6-only environments, by using a basic form of the RFC 8305 "happy eyeballs" algorithm to try connections to relays' IPv4 and IPv6 addresses in parallel. (!382)
  • New experimental APIs for modifying consensus objects. (!318, !402)
  • The arti crate now exists as a library, to better expose features like its top-level configuration logic. (!403)
  • Arti now supports a dns_port to relay A, AAAA, and PTR requests over the Tor network, like the C tor implementation's DnsPort. (!390, !408, !409)
  • Arti has a new full-featured stream isolation API that supports more complicated isolation rules, including user-supplied rules. (#150, #414, !377, !418, !420, !429, !434)
  • Channel and Circuit objects now remember the peers that they used when they were constructed, and allow queries of this information as part of their API. (#415)
  • The logic for retrying failed guards has been revised to use the same decorrelated-jitter algorithm as directory requests, per proposal 336. (cb103e04cf4d9853, part of #407, !426)
  • When all our guards have failed, we no longer retry them all aggressively, but rather assume that our net connection is down and wait a while. (eed1f06662366511, part of #407, !426)
  • When running as a directory client, we now remember more information about the source of each request, so we can avoid caches that have failed. (87a3f6b58a5e75f7)
  • Experimental feature to install a "filter" for modifying incoming directory objects. Used for testing, to observe client behavior when the directory is in an inconsistent or non-working state. (#397, !431)
  • Arti now has initial support for a "Dormant Mode" where periodic events are suspended. Later, even more background tasks will be shut down. (#90, !429, !436)
  • Fallback directory caches are now handled with logic similar to guards, so we can avoid ones that aren't working, and simplify our logic for path construction. As a fringe benefit, this unification means that we can now use our guards as directory caches even when we don't have an up-to-date consensus. (#220, #406, !433)

Infrastructure

  • We have a new arti-testing crate (not published on crates.io) to perform various kinds of stress-testing on our implementation. It can simulate several kinds of failure and overload conditions; we've been using it to improve Arti's behavior when the network is broken or misbehaving. (#397, !378, !392, !442; see also #329)
  • The arti-bench tool now constructs streams in parallel and supports isolated circuits, so we can stress-test the performance of a simulated busy client. (#380, !384)
  • Reproducible build scripts now use Rust 1.59 and Alpine 3.15. (#376, !380)
  • Improved messages from reproducible build script. (#378, !383)
  • Scripts to launch chutney are now refactored and de-duplicated. (!396)

Documentation and Examples

  • Better documentation for default configuration paths. (!386)
  • Instructions for using Tor Browser with Arti on Windows. (!388)
  • Better instructions for building Arti on Windows. (!389, !393)
  • Improved documentation for stress-testing Arti. (!407)

Cleanups, minor features, and minor bugfixes

  • Use derive_more and educe (and simple built-in derive) in many places to simplify our code. (!374, !375)
  • Use a forked version of shellexpand to provide correct behavior on Windows. (!274, !373)
  • Avoid unnecessary Arc::clone()s in arti-client experimental APIs. (#369, !379)
  • New tor-basic-utils crates for small pieces of low-level functionality.
  • Small performance improvements to parsing and allocating directory objects, to improve start-up and download times. (#377, !381)
  • Use significantly less memory (on the order of a few megabytes less per running client) to store directory objects. (#384, #385, #386, #387, #388, !389, !398, !415)
  • Avoid allocating a backtrace object for each channel-creation attempt. (#383, !394)
  • Always send an "If-Modified-Since" header on consensus requests, since we wouldn't want a consensus that was far too old. (#403, !412)
  • Actually use the configuration for preemptive circuit construction. Previously, we missed a place where we needed to copy it. (Part of !417)
  • Backend support for collecting clock skew information; not yet used. (#405, !410)
  • Major refactoring for periodic events, to support an initial version of "dormant mode." (!429)
  • Remove most uses of SystemTime::now, in favor of calling the equivalent function on SleepProvider. (#306, !365)
  • Several bugs in the logic for retrying directory downloads have been fixed, and several parameters have been tuned, to lead to better behavior under certain network failure conditions. (!439)

Acknowledgments

Thanks to everybody who has contributed to this release, including Christian Grigis, Dimitris Apostolou, Lennart Kloock, Michael, solanav, Steven Murdoch, and Trinity Pointard.

Arti 0.1.0 — 1 Mar 2022

Arti 0.1.0 marks another important step towards stability, and the completion of our 0.1.0 milestone. With this milestone, we now consider Arti ready for experimental embedding within other applications.

Additionally with this release, we're now ready to declare the arti_client API more or less stable and supported. (We're not committing to never break it again in the future, but we'll try not to do so without pretty good reasons.) The 1.0.0 release, scheduled for this September, will represent an even stronger API commitment.

Breaking changes

  • Our top-level Error type is now a mostly-opaque wrapper around an inner hidden ErrorDetail type. (You can access ErrorDetail by enabling a feature, but it breaks your semver guarantees.) To distinguish among different kinds of Errors, we provide a supported (and hopefully stable) ErrorKind API that developers can use. (!262, !291, !325, #322, #348)
  • The interface to construct a TorClient instance has been completely replaced. The new API should be stable, and prevent the need for additional breaking changes in the future. (#350, !364, #326)
  • Many smaller changes, too numerous to list. (Starting after this release, we will try to be much more careful about breaking changes, and note them specifically here.)
  • We no longer recommend the static feature flag; instead use static-native-tls or static-sqlite as appropriate. (#302)

New features

  • The Arti client can now watch its configuration files to see if they change, and reconfigure itself when they do. This is controlled by a watch_configuration option, and is off-by-default. (#270, !280)
  • Unused channels now expire after enough time has passed. (This is mostly not needed on the client side, since relays also expire unused channels.) (#41, !273)
  • You can now create an unbootstrapped TorClient object, so that you can observe its bootstrapping progress and/or bootstrap it at a later time. (#293, !298)
  • You can configure an unbootstrapped TorClient object to automatically bootstrap itself the first time it's used. (!322)
  • Arti now returns a webpage with an error message if you try to use its SOCKS proxy as an HTTP proxy. (!348)
  • We now provide an arti-hyper crate for using Arti with the hyper HTTP library. This is also good example code for showing how to integrate Arti with other tools. (!342, !355)

Major bugfixes

  • Fixed a number of problems in the circuit Reactor implementation that could result in cell reordering, leading to relays closing our circuits because of protocol violations. (!264, !282)
  • Fixed bugs that could cause strange behavior on shutdown or failure during circuit construction. (#210, #365, !363, !366, !368)

Infrastructure

  • Numerous CI improvements.
  • Numerous coverage-testing improvements.
  • We renamed our shell and python scripts to remove their ".sh" and ".py" suffixes, so that we can more freely change their implementations in the future (if needed). (#309)
  • The DirMgr crate now uses an abstract Store trait to make it easier for us to implement new storage backends in the future. (!345, !317)

Documentation and Examples

Cleanups, minor features, and minor bugfixes

  • Stop using : as a path character; it's reserved on Windows. (!277)
  • Avoid returning junk data from over-long directory downloads. (!271)
  • Implement Debug and Display for many more types.
  • We no longer deny(clippy::all); instead we only use warn(clippy::all) to prevent future clippy versions from breaking completely on our code. (#338)
  • As part of our Error refactoring and implementation of ErrorKind, we improved the Error objects in many individual crates for better accuracy and specificity.
  • Fix a bug that caused us to flush our persistent state to disk too aggressively. (#320, !321)
  • The arti proxy now starts listening on its SOCKS port immediately, rather than waiting for bootstrapping to complete. (!333)

Acknowledgments

Thanks to everybody who has contributed to this release, including Daniel Schischkin, Dimitris Apostolou, Michael Prantl, tharvik, Trinity Pointard, and Yuan Lyu.

Arti 0.0.4 — 31 Jan 2022

This release adds support for bootstrap reporting and rustls, improves several APIs, fixes a few bugs, and adds numerous smaller features for future-proofing and correctness.

It breaks compatibility with previous releases, as is expected before release 0.1.0 (scheduled March 2022).

New features

  • Add backends for exposing changes in bootstrap status, either to be queried by a function or read as a stream of events. These APIs will become more useful once there is a way to actually get an un-bootstrapped TorClient. (#96)
  • TorClient now has a clone_with_prefs method to make a new client with a different set of default stream preferences. (7ff16fc252c0121f6607, #290)
  • Add a feature for telling a TorClient that every stream should be isolated on its own circuit. Please use this sparingly; it can be inefficient. (!252)
  • Convenience types for overriding parts of the behavior of an asynchronous Runtime. (!251)
  • Optional support for rustls in place of native_tls. This is off by default; to turn it on, use the rustls feature, and construct your client using one of the Runtimes with Rustls in its name. (!260, #86)

Breaking changes

  • Significant refactoring of exports and constructor functions in the arti-client crate. (!235)
  • Change the persistence format used for guard information, to make it more future-proof. (#176)
  • Functions and types that used to refer to "Connections" now refer to "Streams" for consistency. (!256)
  • The types exported by the tor-rtcompat crate, and the functions used to create them, have been renamed for consistency. (!263)
  • The Runtime API has changed slightly, to avoid a conflict with newer versions of async_executors. (bf8fa66d36298561cc86)

Major bugfixes

  • Require authenticated SENDMEs when the relay supports them, and not otherwise. (#294)
  • Fix the default location for the cache files. (Previously, they were put into the state directory.) (#297)

Infrastructure

  • Numerous improvements to coverage tooling. (#248, !221, !269, !253)
  • Improvements to arti-bench reliability and usefulness. (#292)
  • Our CI now runs shellcheck on our shell scripts. (#275)

Documentation

  • Build instructions for iOS. (#132)
  • Adopt an MSRV policy. (#283)
  • More information about troubleshooting the build process. (#277)

Cleanups, minor features, and minor bugfixes

  • The max_file_limit setting is now configurable. (#299)
  • Fix an unreliable test. (#276)
  • Fix a test that would always fail when run after January 27. (!268)
  • Avoid possible incomplete reads and writes in Tor channel handshake. (1d5a480f79e7d878ff, !249)
  • Refactor some types to expose Arc<> less often. (!236)
  • Too many others to list!

Acknowledgments

Thanks to everybody who has contributed to this release, including Arturo Marquez, Daniel Eades, Daniel Schischkin, Jani Monoses, Neel Chauhan, and Trinity Pointard.

Arti 0.0.3 — 11 Jan 2022

This release adds support for preemptive circuit construction, refactors Arti's configuration code and behavior, and adds numerous smaller features needed for a correct Tor client implementation.

It breaks compatibility with previous releases, as is expected before release 0.1.0 (scheduled March 2022).

New features

  • Arti now builds preemptive circuits in order to anticipate the user's predicted needs. This change matches Tor's behavior more closely, and should reduce latency for stream creation. (!154)
  • The configuration for a TorClient object can be changed while the client is running. (!181)
  • Guard selection now obeys family restrictions concerning exit nodes. (!139)
  • Better support for overriding the TcpProvider on an Arti client and having this change affect the TlsProvider. This helps with testing support, with cases where TCP streams must be constructed specially, etc. (!166)
  • We no longer consider a directory to be "complete" until we have microdescriptors for all of our primary guards. (!220)

Breaking changes

  • Configuration files have been reorganized, and we have an all-new API for creating configuration objects. (!135, !137)
  • A few unused types and functions have been removed. (214c251e, etc.)
  • CircMgr now returns ClientCirc directly, not wrapped in an Arc. (ClientCirc instances are already cheap to clone.) (!224)
  • TorClient now has separate connect and connect_with_prefs methods. (!229)
  • Various other API refactorings and revisions. (Please remember that we plan to break backward compatibility with every release between now and 0.1.0 in early March.)

Major bugfixes

  • We fixed a bug in handling stream-level SENDMEs that would sometimes result in an Arti client sending too much data, causing the exit relay to close the circuit. (!194)

Infrastructure

  • We now have an experimental benchmarking tool to compare Arti's performance with Tor's, when running over a chutney network. So far, we seem competitive, but we'll probably find cases where we underperform. (!195)
  • Our coverage tool now post-processes grcov's output to produce per-crate results. (!163)
  • Our integration test scripts are more robust to cases where the user has already configured a CHUTNEY_PATH. (!168)
  • We have lowered the required dependency versions in our Cargo.toml files so that each one is the lowest version that actually works with our code. (!227)

Cleanups, minor features, and minor bugfixes

  • We store fewer needless fields from Tor directory documents. (!151, !165)
  • We've gone through and converted every XXXX comment in our code (which indicated a must-fix issue) into a ticket, or a TODO. (#231)
  • Our SOCKS code is much more careful about sending error messages if an error occurs before the SOCKS connection succeeds. (!189)
  • We no longer build non-directory circuits when the consensus is super-old. (!90)
  • We no longer consider timeouts to indicate that our circuits are all timing out unless we have seen some recent incoming network traffic. (!207)
  • You can now configure logging to files, with support for rotating the files hourly or daily. You can have separate filters for each logging target. (!222)
  • Too many others to list!

Acknowledgments

Thanks to everybody who has contributed to this release, including dagon, Daniel Eades, Muhammad Falak R Wani, Neel Chauhan, Trinity Pointard, and Yuan Lyu!

Arti 0.0.2 — 30 Nov 2021

This release tries to move us towards a more permanent API, and sets the stage for future work in performance evaluation and event reporting.

It breaks compatibility with previous releases, as is expected before release 0.1.0 (scheduled March 2022).

New features

  • Warn if guard restrictions are too strict. (#242)
  • Optimistic data is now supported on streams, and used by default on directory requests. (#23)
  • Initial cut at a typed event framework. Not yet used, but will eventually take the role of Tor's "controller event" system. (#230)
  • Large rewrite of configuration handling system, with more ergonomic builders for top-level configurations. (#84)

Breaking changes

  • The ${APP_*} path variables have been renamed to ${ARTI_*}. (efdd3275)
  • The configuration file format has been substantially revised. (#84)
  • Most code that clients don't need is now behind a cargo feature. (#124)
  • Revised APIs in many other high-level crates.

Documentation

  • Many other improvements and rewrites.

Infrastructure

  • Update our cargo-husky scripts to better match our CI. (!62)
  • Use grcov, not tarpaulin. (!136)

Cleanups, minor features, and bugfixes

  • Huge refactoring of the tor-proto crate to conform more closely to the reactor architecture, and reduce the need for locks. (#205, #217).
  • By default, cargo build --release now chooses a more aggressive set of optimization flags. (!124)
  • Too many smaller fixes to list.

Acknowledgments

Thanks to everybody who's contributed to this release, including dagon, Daniel Eades, Dimitris Apostolou, Neel Chauhan, S0AndS0, Trinity Pointard, and Yuan Lyu!

Arti 0.0.1 — 29 Oct 2021

This release attempts to be "free of known privacy holes". That isn't to say that there are no remaining bugs, but rather that we've implemented the missing features that we think are essential for basic privacy.

New features

  • Guard relay support... (#58)
    • ...with "Lightweight" path bias detection. (#185)
  • Circuit isolation API. (#73, !104)
  • Circuit build timeout inference. (#57)
  • Persistent state on disk. (#59)
  • Allow multiple Arti instances to share directories. (#194)
  • Support for EnforceDistinctSubnets. (#43)
  • Configurable logging (!68) to journald. (!73)
  • Rejecting attempts to connect to internal addresses. (#85)
  • Support for Tor RESOLVE and RESOLVE_PTR socks extensions. (#33)
  • And too many others to list.

Breaking changes

  • Switched from log to tracing. (#74)
  • Renamed arti-tor-client to arti-client. (#130)
  • Stopped exposing anyhow errors. (#165)
  • CLI now uses clap, and uses subcommands. (!109)
  • Too many others to list.

Documentation

  • New top-level documentation for arti-client, with examples. (!111)
  • Many other improvements and rewrites.

Infrastructure

  • Reproducible builds for Linux (!69), Windows (!70), and OSX (!86).
  • Support for static binaries. (!69)
  • Simple integration tests, using chutney (!88).

Cleanups, minor features, and bugfixes

  • Too many to list.

Acknowledgments

Thanks to everybody who's contributed to this release, including Ben Armstead, Daniel Eades, Dimitris Apostolou, Eugene Lomov, Felipe Lema, Jani Monoses, Lennart Kloock, Neel Chauhan, S0AndS0, Smitty, Trinity Pointard, Yuan Lyu, dagger, and rls!

Arti 0.0.0

Initial release, to reserve our crate names on crates.io.