Bug 203014

It seems that the current security/tor-devel port is at 0.2.7.2, but the pkgs are out of sync only.

My mistake since I was relying on freshports.org, but nevertheless the pkgs are out of sync.

Comment 2 Vinícius Zavam 2015-10-30 18:49:32 UTC

Created attachment 162605 [details]
[PATCH] security/tor: r400464

Minor typos and updates for pkg-message.in and tor.in.

Added a radio option to use one pluggable transport proxy (security/obfsproxy).

libevent was detected by the configure script without previous patch, so the patch was removed from files/ directory. "post-patch" kept as is. Checked support for 11.0-CURRENT, 10.2-STABLE and 9.3-RELEASE (considering old OSVERSION and OpenSSL version present on base system). As reported by #204123, OpenSSL from ports should be used instead.

Static tor was compiled to test the patch removal. It works.

Comment 3 Vinícius Zavam 2015-10-30 18:55:06 UTC

Created attachment 162606 [details]
[PATCH] security/tor-devel: r400391

Same as the last one, for security/tor, but adds code to support tor-0.2.7.4-rc.

Minor typos and updates for pkg-message.in and tor.in.

Added a radio option to use one pluggable transport proxy (security/obfsproxy).

Once again, libevent was detected by the configure script without previous patch, so the patch was removed from files/ directory. "post-patch" kept as is. Checked support for 11.0-CURRENT, 10.2-STABLE and 9.3-RELEASE (considering old OSVERSION and OpenSSL version present on base system). As reported by #204123, OpenSSL from ports should be used instead.

Static tor was also compiled to test the patch removal.

Comment 4 Vinícius Zavam 2015-10-30 20:48:45 UTC

Created attachment 162608 [details]
[LOG] Poudriere Bulk: 9.3-RELEASE, amd64 (security/tor)

Comment 5 Vinícius Zavam 2015-10-30 20:50:22 UTC

Created attachment 162609 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, amd64 (security/tor)

Comment 6 Vinícius Zavam 2015-10-30 20:51:43 UTC

Created attachment 162610 [details]
[LOG] Poudriere Bulk: 11.0-CURRENT, amd64 (security/tor)

Comment 7 Vinícius Zavam 2015-10-30 20:53:15 UTC

Created attachment 162611 [details]
[LOG] Poudriere Bulk: 9.3-RELEASE, amd64 (security/tor-devel)

Comment 8 Vinícius Zavam 2015-10-30 20:54:41 UTC

Created attachment 162613 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, amd64 (security/tor-devel)

Comment 9 Vinícius Zavam 2015-10-30 20:56:46 UTC

Created attachment 162616 [details]
[LOG] Poudriere Bulk: 11.0-CURRENT, amd64 (security/tor-devel)

Comment 10 Vinícius Zavam 2015-10-31 03:24:24 UTC

Created attachment 162630 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, armv6 (security/tor)

Comment 11 Vinícius Zavam 2015-10-31 03:25:04 UTC

Created attachment 162631 [details]
[LOG] Poudriere Bulk: 11.0-CURRENT, armv6 (security/tor)

Comment 12 Vinícius Zavam 2015-10-31 03:25:29 UTC

Created attachment 162632 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, armv6 (security/tor-devel)

Comment 13 Vinícius Zavam 2015-10-31 03:26:03 UTC

Created attachment 162633 [details]
[LOG] Poudriere Bulk: 11.0-CURRENT, armv6 (security/tor-devel)

Comment 14 Vinícius Zavam 2015-11-17 16:38:32 UTC

Created attachment 163253 [details]
[PATCH] security/tor: r400464

Following ideas and recommendations from danilo@ and garga@ for the BCP to code and contribute to the FreeBSD's Ports Collection, this patch (svn diff) aims to:

1. Adds all previous updates pointed by the last uploaded patch;
2. Changes OPTIONS_RADIO to OPTIONS_GROUP to group pluggable transports;
3. Solves an issue to build STATIC_TOR and TCMALLOC together.

Comment 15 Vinícius Zavam 2015-11-17 16:41:04 UTC

Created attachment 163254 [details]
[PATCH] security/tor-devel: r400391

Same as the previously reported patch for security/tor, but updates and solves small issues related to security/tor-devel.

Comment 16 Vinícius Zavam 2015-11-19 16:40:14 UTC

Created attachment 163337 [details]
[PATCH] security/tor-devel: r400391

Again, following some BCP, this new patch:

1. Uses port options helpers;
2. Takes care of r399278;
  2.1. https://reviews.freebsd.org/D3866
3. Adds a _precmd stage to better check "required_dirs=";
  3.1. Rather than mkdir(1)+chown(8)+chmod(1) routines, uses install(1)
  3.2. "check_required_before()" was breaking cheks before running new '_precmd'
  3.3. "required_dirs=" was commented on patched rc script for future debugs

Poudriere and manual config and testing for the patched-port worked as expected.

Comment 17 Vinícius Zavam 2015-11-19 16:41:15 UTC

Created attachment 163338 [details]
[PATCH] security/tor: r400464

Same as the last one but takes care of security/tor.

Comment 18 Vinícius Zavam 2015-11-19 18:43:43 UTC

Created attachment 163340 [details]
[PATCH] security/tor: r400464

Corrects 2 small but serious typos on security/tor/Makefile.

Comment 19 Vinícius Zavam 2015-11-19 18:48:54 UTC

Created attachment 163341 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, i386 (security/tor)

Comment 20 Vinícius Zavam 2015-11-19 18:49:58 UTC

Created attachment 163342 [details]
[LOG] Poudriere Bulk: 10.2-STABLE, i386 (security/tor-devel)

Comment 21 Vinícius Zavam 2015-11-20 15:28:11 UTC

Created attachment 163355 [details]
[PATCH] security/tor: r400464

Handles old log files and creates a backup for it. If you are upgrading Tor from a previous version, Tor's rc script will fail with:

  install: /var/log/tor exists but is not a directory

Previous logfile was the new logdir itself (/var/log/tor)! This patch updates everything else reported before and:

  Check for an old log file;
  Verify if the file content has Tor's log information;
  Saves a backup!

Comment 22 Vinícius Zavam 2015-11-20 15:29:07 UTC

Created attachment 163356 [details]
[PATCH] security/tor-devel: r400391

Same as the last one but for security/tor-devel.

Comment 23 Brendan Fabeny 2015-11-21 13:12:07 UTC

Thanks.

If I recall correctly, the reason for the libevent changes, and for avoiding adding the clumsy LDFLAGS+="-L${LOCALBASE}/lib"  whenever possible, was to fix the linking in the static case, and to avoid linking with the wrong libraries, such as openssl.  I'll check that this works with the new tor-devel.

As far as the rc-script is concerned, I've resisted making such additions in the past when they're intended to avoid infrequent or one-time fixes, on the grounds that they add complexity to the script, often fail to handle custom configs properly, make assumptions about tools like awk, etc. being present when some of our users are running tor on smaller, stripped-down machines; and hide changes that really should be brought to the attention of users or administrators.  Usually such changes are best handled manually, with a note in UPDATING or a pkg-message.  This looks like such a case.

Comment 24 Vinícius Zavam 2015-11-25 21:52:24 UTC

Created attachment 163538 [details]
[PATCH] security/tor: r400464

This patch corrects everything else reported before, and updates "security/tor" to a new stable release.

[ https://blog.torproject.org/blog/tor-0275-released-and-stable ]

Comment 25 Brendan Fabeny 2015-12-01 14:50:32 UTC

Thanks.  But as I wrote before, we should do less in the rc script, rather than add machinery for an infrequent or one-time fix -- similar to the proposal in bug 204739 -- so I'll reconcile these two sets of changes.

Comment 26 Neel Chauhan 2015-12-01 15:18:19 UTC

(In reply to Brendan Fabeny from comment #25)

I agree. We don't want to pull a 'Lennart Poettering' and include features people didn't ask for.

Comment 27 Vinícius Zavam 2015-12-01 15:39:59 UTC

Most of the changes here in between, came from http://lists.nycbug.org/pipermail/tor-bsd/2015-November/000380.html

Now that Chauhan points "L.P." it hurts... 

My perception was that we could help lazy people that forget (do not want) to read UPDATING and its change logs. Also, it's possible to minimize the impact on production relays running under FreeBSD machines.

Comment 28 Vinícius Zavam 2015-12-12 19:05:13 UTC

Created attachment 164153 [details]
[PATCH] security/tor: r400464

This patch corrects everything else reported before by the last patches related to security/tor, and updates it to a new stable release (2.7.6).

[ https://blog.torproject.org/blog/tor-0276-released ]

Comment 29 Dmitry Marakasov 2015-12-25 10:58:31 UTC

I suggest to update it and split it into parts, as it probably won't apply any more, and parts will be easier to comprehend and discuss, and anyway need to be committed separately because some may need to be MFHd. After a quick glance:

- You can't omit ${PORTSDIR} from depends until a next quartely branch is created
- Datadir/logdir/piddir handling should be done in plist, not rc script. Backing up stuff does not belong to the port at all
- Test should be switched to new test framework
- MTMALLOC changes do not seem correct at all: you depend on shared library for static case, and use lib and build depends at the same time.
- OFSPROXY option is useless as it does nothing beyond adding a run-dependency

Comment 30 Vinícius Zavam 2015-12-28 04:26:34 UTC

(In reply to Dmitry Marakasov from comment #29)

Nice!
I was really hoping to get a more clear feedback (like this one you did).
Thank you very much for your time and concern amdmi3@.

K.R.,
Vinícius

Comment 31 Rene Ladan 2016-06-27 21:45:06 UTC

Maintainer reset.

Comment 32 Ben Woods 2016-08-24 13:51:41 UTC

Requesting feedback from new maintainer as to if these patches still apply.

Comment 33 Yuri Victorovich 2016-10-23 22:55:30 UTC

The current version is 0.2.8.9. This bug report needs to be closed as "overcome by events".

Comment 34 Vinícius Zavam 2016-10-24 20:26:20 UTC

Created attachment 176119 [details]
[PATCH] security/tor-devel: r424527

I did plan to release a new patch (suggestion) to take care of security/tor-devel, but right now there's no working code I can give you.

Nevertheless, I do think it might be useful to merge some useful "options helpers" and stuff... or provide a new starting point to both ports.

The (NOT WORKING) patch for security/tor-devel is attached, and comes with this considerations:

a) uses "options helpers", as recommended by porter's handbook;
b) '--enable-transparent' is no longer a valid config parameter;
c) proper OSVERSION for bumping openssl from ports is "< 1000015";
d) suggests the use of --with-tor-{user,group}=_tor;
e) it is a work in progress. it does not work yet :)

KR,
Vinícius

Comment 35 Yuri Victorovich 2016-10-24 20:33:25 UTC

Thanks,

I will look at the patched.

Yuri

Comment 36 Vinícius Zavam 2016-11-08 18:59:30 UTC

Created attachment 176798 [details]
[PATCH] security/tor-devel: r425755

(In reply to Yuri Victorovich from comment #35)

Yuri,
hi.

Please take a look at this new patch when you have some time. It also updates security/tor-devel to version 0.2.9.5-alpha.

This one is pretty much close to the best practices described by the Porter's Handbook, and let the user chose between 'ssl=base' or any other from ports. There's also the considerations pointed by brnrd@ (I think), to set USES+=ssl only when we try to compile Tor using ports' openssl/libressl from ports.

I added/merged your warning about Tor2Web, as reported (and solved) on #210389.

KR,
Vinícius

Comment 37 Yuri Victorovich 2016-11-08 19:05:47 UTC

Comment on attachment 176798 [details]
[PATCH] security/tor-devel: r425755

Thanks Vinícius!

Comment 38 Rene Ladan 2016-11-09 19:40:00 UTC

Poudriere logs OK on 9.3/10.1/11.0/12.0 i386/amd64 and 11.0-armv6 (10.1-armv6 and 12.0-armv6 failed on dependencies)

Comment 39 Yuri Victorovich 2016-11-09 19:53:47 UTC

Please note that the subject is wrong, it should be "security/tor-devel: Update and fix a few problems".

Comment 40 Rene Ladan 2016-11-09 20:25:20 UTC

Actually tor 0.2.9.5-alpha fails on FreeBSD 9.3 because its bundled copy of OpenSSL is too old, see the attached log.

Comment 41 Rene Ladan 2016-11-09 20:26:17 UTC

Created attachment 176829 [details]
poudriere log of 9.3-i386, OpenSSL too old

Comment 42 Neel Chauhan 2016-11-09 20:30:00 UTC

(In reply to Rene Ladan from comment #40)

This was the issue since Tor 0.2.7.2-alpha, looking back at the ChangeLog.

Comment 43 Yuri Victorovich 2016-11-09 20:33:22 UTC

Is security/tor also failing on 9.3?

Comment 44 Rene Ladan 2016-11-09 20:47:44 UTC

I'll test-build current security/tor (0.2.8.9) on 9.3 i386 and amd64

Comment 45 Rene Ladan 2016-11-09 21:21:40 UTC

security/tor builds fine on 9.3-i386, looking at the diff between the two ports, I thought that this typo was the culprit (around line 90):

-.if ${OSVERSION} < 1000000
-WITH_OPENSSL_PORT=     yes
-.endif
-
-.if !defined(USE_GCC) && empty(CC:T:M*gcc4*) && \
-empty(PORT_OPTIONS:MSTATIC_TOR) && empty(ARCH:Mia64)
-CONFIGURE_ARGS+=       --enable-gcc-hardening
-.else
-CONFIGURE_ARGS+=       --disable-gcc-hardening
+.if ${OSVERSION} < 1000015
+DEFAULT_VERSIONS+=     ssl=openssl
+# OPENSSL_PORT=                security/openssl
+WITH_OPENSSLPORT=      yes  <-- missing space between OPENSSL and PORT ?
 .endif

But that gives the same error. I think the solution is to always use OpenSSL from ports on 9.3. I'll test a patched Makefile

Comment 46 Vinícius Zavam 2016-11-09 21:49:45 UTC

Created attachment 176832 [details]
[PATCH] security/tor-devel: r425755

(In reply to Rene Ladan from comment #45)

ooops! you are right. there was a little typo to be corrected... and this new patch solves it!

yes; it's focused on security/tor-devel only. if everything goes well, security/tor can get/merge its updates.

thank you very much for your time, and feedback :)

Comment 47 Yuri Victorovich 2016-11-09 21:55:25 UTC

Thank you for doing this!

Go ahead and commit the patch if you are sure it fixes the problem.

Yuri

Comment 48 Rene Ladan 2016-11-09 22:03:10 UTC

No, I doesn't fix it in my tests, see the rest of comment 45.

I think you also have to adjust the configure flags/environment for FreeBSD 9.3.
And not setting a default for SSLTLS seems to break the port in other ways, weird.

Comment 49 Vinícius Zavam 2016-11-10 12:51:08 UTC

Created attachment 176857 [details]
[PATCH] security/tor-devel: r425808

(In reply to Rene Ladan from comment #48)

hm... I did think that typo should handle the things properly. good to know it did not. thanks!

your tests ran in a 9.3-release environment, so we can check OSVERSION for values <= 903000 and change OPTIONS_DEFAULT= to "SSLTLS_PORTS". that could do the trick. or, afaik, 903511 is the last documented OSVERSION (https://www.freebsd.org/doc/en_US.ISO8859-1/books/porters-handbook/versions-9.html) related to 9.x, and we should use it:

    .if ${OSVERSION} < 903511
    OPTIONS_DEFAULT=	SSLTLS_PORTS
    .endif

the attached patch adds it to the Makefile // sorry for not running a test on 9.x before reporting it back; I need to setup+upgrade my env.

kr,
vinícius

Comment 50 Vinícius Zavam 2016-11-10 12:55:24 UTC

(In reply to Vinícius Zavam from comment #49)

-${OSVERSION} < 903511
+${OSVERSION} <= 903511

Comment 51 Vinícius Zavam 2016-11-10 12:55:54 UTC

Created attachment 176858 [details]
[PATCH] security/tor-devel: r425808

Comment 52 Vinícius Zavam 2016-11-10 21:29:35 UTC

Created attachment 176873 [details]
[PATCH] security/tor-devel: r425808

latest patch.

Comment 53 Vinícius Zavam 2016-11-10 21:30:32 UTC

Created attachment 176874 [details]
[LOG] security/tor-devel: r425808 (9.3-RELEASE-p50, amd64)

Comment 54 Vinícius Zavam 2016-11-10 21:30:54 UTC

Created attachment 176875 [details]
[LOG] security/tor-devel: r425808 (9.3-RELEASE-p50, i386)

Comment 55 Vinícius Zavam 2016-11-11 00:56:28 UTC

my poudriere's bulk logs are available at http://[2604:a880:400:d0::477:4001]/logs/ (because some files are bigger than the max allowed to attach here).

if someone can test it against 9.3-stable, it would be great! same for other architectures like arm, aarch64 and/or mips.

kr,
vinícius

I'm going to buy a couple new RPI3 devices this weekend with the goal of setting up a tor relay and/or bridge. I can give it a whirl soon-ish.

Comment 57 Rene Ladan 2016-11-11 22:21:26 UTC

@ Vinícius Zavam: I can reach your server but it refuses to serve the logs, instead it gives an HTTP 403

Comment 58 Vinícius Zavam 2016-11-11 23:12:27 UTC

(In reply to Rene Ladan from comment #57)

Wow! Sorry about that. Please try to get it now, and... if someone needs to reach it over v4: http://192.241.135.129/logs

Comment 59 Yuri Victorovich 2016-11-16 11:13:09 UTC

see also: bug#214567 is a simple update to 0.2.9.5-alpha.

Comment 60 Vinícius Zavam 2016-12-02 19:15:52 UTC

Created attachment 177615 [details]
[PATCH] security/tor-devel: r427582

this patch obsoletes the last one; it updates security/tor-devel to version 0.2.9.6-rc.

bug #215009 does not solves issues or improves security/tor-devel like this patch does. please test it and report any issues you might get with it! more information about this current patch, please refer to previous comments posted here.

kr,
vinícius

PS: there's just one missing suggestion that this patch does not apply, and it is the presence of a default log file for the Tor daemon.

Your new patch builds and runs fine on amd64, though I haven't tried anything other than starting it up. Additionally, I compiled with PIE, RELRO + BIND_NOW, and SafeStack enabled in HardenedBSD.

Comment 62 Vinícius Zavam 2016-12-02 20:30:59 UTC

Created attachment 177618 [details]
[PATCH] security/tor-devel: r427582 (logging by default)

(In reply to Shawn Webb from comment #61)

tyvm, shawn!

here I also add a new patch with an improved tor.in, so we get a default log for Tor (with 'notice' severity); its severity can easily be changed via sysrc(8), if needed.

the current port does not ship with this feature. if you need to see/confirm that the Tor daemon is really running with a working circuit just check the log.

Comment 63 Rene Ladan 2017-06-26 17:42:15 UTC

What is the current status of this PR, are parts still applicable?

Comment 64 Vinícius Zavam 2017-08-02 08:04:22 UTC

(In reply to Rene Ladan from comment #63)

The idea behind all patches and suggestions are definitely something we could apply to both ports. Unfortunately I decided to move all the efforts and new codes to a small/partial GitHub repository, and choose no longer to post or bump more things here.

If there's any chance it hits "upstream" (official FreeBSD ports), I would be happy to help and work on merging stuff up. The current repository+branch with both ports and related works is https://github.com/egypcio/freebsd-ports/tree/torbsd

Main changes in between official branch and the GH stuff? Makefiles were "completely" redesigned and the rc script does not support the idea of multi instances (if one wants to run Tor like that, should separate it using jails). pkg-message and pkg-descr cosmetics.

Thank you very much for writing back! Very appreciated.

Comment 65 Rene Ladan 2018-01-06 11:40:19 UTC

This PR outlived its usefulness, any development is now done in a GitHub repository.