Tor's Bug Smash Fund: Progress So Far

At the beginning of August 2019, we asked you to help us build our very first Bug Smash Fund. This fund will ensure that the Tor Project has a healthy reserve earmarked for maintenance work and smashing the bugs necessary to keep Tor Browser, the Tor network, and the many tools that rely on Tor strong, safe, and running smoothly. Together we raised $86,081.

We want to share an update on some of the work the Bug Smash Fund has made possible.

So far, we’ve marked 77 tickets with BugSmashFund. As of today, 56 of those tickets have been closed, and 21 of them are still in progress. With this reserve, we’ve been able to fix bugs and complete necessary maintenance on core tor, bridgedb, Snowflake, and Metrics, as well as complete the Tor Browser ESR 68 migration. Roughly half of the Bug Smash Fund remains available for allocation, and we will continue to tag relevant maintenance work and bug fixing tickets that will be covered with this reserve. Thanks for supporting this work!

Below is a full list of the tickets we’ve closed so far.

Tor Browser – ESR Migration

Tor Browser is built on the Firefox Extended Series Release. When a new ESR is available, we migrate Tor Browser (both desktop and Android), which requires significant attention from the Tor Browser team. The Bug Smash Fund covered the following tickets associated with the ESR 68 migration completed in late 2019.

• 21549  Investigate wasm for linkability/fingerprintability/disk avoidance issues

• 26345  Disable tracking protection UI in FF67-esr

• 28822  re-implement desktop onboarding for ESR 68

• 30304  Browser locale can be obtained via DTD strings

• 30429  Rebase Tor Browser patches for Firefox ESR 68

• 30460  Update TOPL Project to Use Android Toolchain (Firefox 68)

• 30463  Make sure telemetry reporting is disabled in Tor Browser 9

• 30504  Investigate if New Identity works properly after moving to ESR 68

• 30662  Make sure about:newtab is blank

• 30665  Get Firefox 68 ESR Working with latest android toolchain

• 30846  Audit activity-stream for network requests

• 31065  Set network.proxy.allow_hijacking_localhost to true

• 31192  TBA - Support x86_64 target

• 31286  Include bridge configuration into about:preferences

• 31308  Sync mozconfig files used in tor-browser over to tor-browser-build for esr68

• 31448  gold and lld break linking 32bit Linux bundles we need to resort to bfd

• 31450  Still use GCC for 64bit Linux debug builds after switch to 68 ESR

• 31457  disable per-installation profiles

• 31607  App menu items stop working

Anti-Censorship

Bridges are Tor relays that help people circumvent censorship against the Tor network. For several reasons, people may want to ask for a bridge via email, and for these circumstances, we have the bridge@torproject.org distribution method. When somebody emails bridges@torproject.org from a riseup or Gmail account, the account replies with a bridge. The Bug Smash Fund helped fix bugs related to this mechanism.

Snowflake is a new system to defeat censorship. The Bug Smash Fund also helped us to work on a spec that will contribute to the process of collecting metrics on Snowflake.

• 32105  bridges@torproject.org don't respond

• 31407  Create a broker spec for metrics collection

Core Tor

The Bug Smash Fund has helped the Network team to fix many bugs—from circuit padding to onion services to documentation—as well as backport many previous bug fixes.

• 25568  hs: Lookup failure cache when introducing to an intro point

• 27992  config DataDirectoryGroupReadable 1 is overridden if you set KeyDir == DataDir

• 30344  conn_read_callback is called on connections that are marked for closed

• 30916  assert in dimap_add_entry()

• 31107  channel: channel_tls_handle_cell() CELL_VERSIONS code reached

• 31111  Properly support two padding machines per circuit

• 31189  potential docs update needed for GuardLifetime?

• 31408  torrc : ClientOnionAuthDir after include directives breaks client to v2 services

• 31466  Consider demoting ".exit is disabled" log message to info

• 31570  INTERNAL ERROR: raw assertion failed (core dump) in termux

• 31571  Add the tor version and a newline to raw_assert()

• 31615  Reorder the early subsystems based on their dependencies

• 31657  Rephrase "missing descriptors" notice log to be less confusing

• 31687  FreeBSD compilation warns with Tor 0.4.1.5

• 31696  Assertion failure in map-anon.c:218

• 31734  Add accessor functions for cb_buf, which enforce locking and unlocking

• 31793  Bug: tor_addr_is_internal() called from src/feature/dirauth/process_descs.c:447 with a non-IP address of type 0

• 31807  Update outdated documentation note for "bridge-distribution"

• 31825  Use the full name of optional modules, rather than an abbreviation

• 31837  Make test_rebind.py more robust

• 31841  test addr/parse takes a long time on master on some machines

• 31884  Define ExecuteBash in the Appveyor error block

• 31897  util/map_anon_nofork test fails on SunOS

• 31939  log spam: Bug: buffers_tls.c:73: buf_read_from_tls: Non-fatal assertion !(buf->datalen >= INT_MAX - at_most) failed.

• 32058  mainloop: make periodic events restartable

• 32060  CID 1454761: wrong type passed to unlock_cb_buf()?

• 32108  tor can overrun its accountingmax if it enters soft hibernation first

• 32124  Interpret --disable-module-dirauth=no correctly

• 32191  when cross-compiling, lzma and zstd will be detected on build system

• 32196  cmux: Implement unit tests

• 32338  Warn about more relative file paths when validating options

• 32352  Stop adding a space when dumping an empty config value

• 32463  TypeError in practracker "includes.py" script

Metrics

This fund made it possible for the Metrics team to improve tooling, as well as fix a bug in the Tor network data collecting service, CollecTor.

• 31398  Add all metrics master branches to GitLab's CI
• 31558  Process bridge pool assignments again

Thank you to everybody who made a contribution to the Bug Smash Fund. This work is critical in helping us to provide safer tools for millions of people around the world exercising their human rights to privacy and freedom online.

If you’d like to make a contribution to the Bug Smash Fund, you can do so by making a gift at hzcyulizwd.tudasnich.de: just add “Bug Smash Fund” into the comment field, and we’ll make sure it’s directed to the right place.