On Sun, Jun 23, 2024 at 07:30:00PM +0000, Edward Cage via tor-relays wrote:

Quick question about the fingerprints of our bridges. It's clearly written in torrc that we should not include them in MyFamily.

Correct.

I don't well understand why, especially because: - Every bridge, and their fingerprints, are publicly listed on Tor Metrics;

Actually it is the *hash* of the fingerprint (hash of hash of key) that is publicly listed in Tor metrics. This way you can look up your bridge if you know its fingerprint, but other people can't learn more about your bridge just based on the relay-search page.

- The contact email is disclosed for each of them, and it allows our

bridges and relays to be easily linked to a same operator. (or should we use a different email address for each bridge?)

It is fine to use the same contactinfo on your bridges and relays -- because it won't help somebody discover your bridge address or bridge fingerprint if they don't already know it.

Ultimately the right answer is to move to a better design for declaring families. The current best idea is Proposal 321: https://gitlab.torproject.org/tpo/core/torspec/-/blob/HEAD/proposals/321-hap... with more details here: https://gitlab.torproject.org/tpo/core/tor/-/issues/40134 and a suggestion at the end of that ticket by trinity that seems like it could be a good short-term fix.

I think all of the core devs who might work on Proposal 321 are instead working on Arti though, so at this rate it will be a long while until the topic sees progress.

--Roger