June was a pretty decent month!
With help from Mike Perry, I finished a couple of rounds of job interviews, so we could select a new core developer. Let's welcome Andrea Shepard to the Tor project; she's already off to a great start, even though she's only part-time for her first couple of months.
I migrated the Free Haven Anonymity Bibliography (http://freehaven.net) to git, and fixed a bunch of longstanding bugs in it, so that its output finally passes the w3 validator.
I wrote up a couple of emails about the statuses of current proposals, and proposals implemented in 0.2.3.x, and send them to tor-dev. I hope to do this every month or two.
I finally circulated my proposals for improved cell crypto (202), and for impersonating an HTTPS server (203).
Weasel and I had a chat about how to avoid backporting all conceivable patches to 0.2.2.x. From now on, I'm going to distinguish between "new stable" and "extended support stable" -- once a Tor series has been stable for long enough, it should really get fixes for grave bugs only.
With help from many others, we tagged Tor 0.2.3.17-beta and 0.2.3.18-rc. These fixed a lot of bugs; I think Tor 0.2.3.x is getting close to being ready for a stable release. Once there are packages available for your platform, please try them out!
"I reviewed piles of code, merged a bunch of code, and fixed piles of bugs." This is usually the shortest sentence in my status reports with the highest amount of time actually consumed. For details, see the ChangeLogs for Tor 0.2.3.17-beta and 0.2.3.18-rc inclusive for everything that actually got merged. If you like to follow code getting reviewed and merged, and you have a high tolerance for incoming email volume, I recommend the tor-bugs and tor-commits mailing lists.
Some highlights include:
* Tor clients now declare a less fingerprintable (and actually accurate, we hope!) set of ciphers in their TLS handshakes. In 0.2.4, this will enable us to use more secure TLS ciphersuites. (See bug 4744 and proposal 198.)
* Tor now enables compiler-hardening options by default.
* We made a quick workaround for a horrible bug in OpenSSL 1.0.1 that prevents TLS 1.1 and TLS 1.2 from renegotiating successfully.
I forked a maint-0.2.3 branch from master. Now changes to Tor 0.2.3 go into maint-0.2.3, which gets merged forward into master; changes made only in master will appear in 0.2.4 only.
I started a new repository called "tor-next" (at https://gitweb.torproject.org/tor-next.git). It has two main branches, "tor-next" and "tor-next-023". These branches are regenerated periodically; they contain the patches that I'm currently considering merging to master and to maint-0.2.3 respectively. This way, complex code can get a little testing before I actually merge it. If the alpha code just hasn't been alpha enough for your tastes, and you like building from source, you might want to give tor-next a spin.
Tor-next is automatically generated by a script; you can see it in our "githax" repository at https://gitweb.torproject.org/githax.git/blob_plain/HEAD:/scripts/make-tor-n...
I've started merging pending things into 0.2.4.x, and reviewing patch series which had been tagged for Tor 0.2.4.x.
I participated in a fun reddit "ask me anything" session with Runa, Karen, and others.
I've started playing around with shadow to get it running on my desktop. It worked out okay, but I haven't yet managed to actually do more with it than say, "Yup, that runs."
I've scrambled to try to get ready for the developers' meeting and for PETS in early July. Apparently, I'm out of practice at arranging and preparing for travel.
Andrea and I started sketching out plans and possible schedules for Tor 0.2.4. We're doing okay making plans at the proposal level, but trying to select and cost out individual tickets seems to be proving more trouble than it might be worth. Further, we're a bit stymied by the state of deliverables tracking; that's going to take some brain-dumps at the dev meeting. Still, I'm hoping we can have a rough plan for 0.2.4 some time before mid-July: I'd like to be able to declare merge deadlines some time around then.
best wishes,