Let’s go with this one for now. Can be improved in later releases.
The strings aren’t great for verbatim showing to the user anyhow. Somehow I also doubt that these strings change often. But indeed, for new strings (unknown at time of development) we need a static fallback message.
It turns out for unknown reason, when DisableNetwork set to 1, a simple systmctl restart tor@defautl.service is not enough. We have to do an additional systemctl reload tor@default.service.
I can reproduce this using systemd weird behaviors on both Debian and Fedora. Is this something we should report to BTS, @Patrick ?
Since now we can make sure that Tor control socket will open no matter what value DisableNetwork is.
The only reason for us to still write it to a file is to make Tor auto-connect to the network or not:
when value is 1, start Tor process but prevent Tor from connecting to the Network.
when value is 0, start Tor process and let Tor connect to the Network.
Therefore, we may actually set a box in anon-connection-wizard saying “After reboot, I want to start anon-connection-wizard again before connecting to the Tor network” or “After reboot, I want to connect to the Tor network with current set without being asked by anon-connection-wizard”
Currently, we use systemctl stop --no-pager tor@default.service to stop Tor process. However, do you think it will be better that we still keep Tor process but simply prevent Tor from connecting to the Network by talk to Tor control protocal?
What will happen?
Tor started by anon-connection-wizard rather than directly systemd (but therefore perhaps some anon-connection-wizard component being started by systemd)
It seems without systemd, control port will still be missing for unknown reason. For now, we may keep it and let it make sure Tor’s control socket is always open?
+ if bootstrap_tag in self.tag_phase:
+ bootstrap_phase = self.tag_phase[bootstrap_tag]
+ else:
+ # Only use SUMMARY= as phase info when the TAG= is not in the dictionary
+ bootstrap_phase = re.search(r'SUMMARY=(.*)', bootstrap_status).group(1)
This needs improvement. An unknown tag and re.search(r'SUMMARY=(.*)', bootstrap_status).group(1) is actually what we try to secure against here. So in that case, it should be a static message “unknown status” or something more useful. The real output could still be written to console and/or a lot so developers can add it for a later version (or notice when something did actually went wrong with Tor).
+ '''The TAG to phase mapping is mainly according to:
+ https://gitweb.torproject.org/tor-launcher.git/tree/src/chrome/locale/en/torlauncher.properties
+ '''
+ self.tag_phase = {'starting': 'Starting',
What I am wondering is if such an alert should be exposed to daily user.
In Whonix I was always for exposing such messages. The reasoning behind
it being: Otherwise often we developers never have a chance to learn
about such corner cases (or attacks) and to do anything about them.
However the way to expose these information can be tailored with the
needs of the user in mind, i.e. usability. It’s not worth showing such
messages upfront and verbatim. A big popup with the strange message only
wouldn’t be great for the user. Of course a unknown bootstrap message
shouldn’t stop the user from enabling Tor.
Something like this…? “Unknown bootstrap message. In most cases this
is harmless. Please report this.” And then instructions how to
copy/paste this information from logs?
Or should we simply keep it in a log?
Log also.
Console output also is always good since fewest users are running gui
applications from console. More something advanced users and developers
are doing.
This needs improvement. An unknown tag and re.search(r'SUMMARY=(.*)', bootstrap_status).group(1) is actually what we try to secure against here. So in that case, it should be a static message “unknown status” or something more useful. The real output could still be written to console and/or a lot so developers can add it for a later version (or notice when something did actually went wrong with Tor).
What I am wondering is if such an alert should be exposed to daily user.
In Whonix I was always for exposing such messages. The reasoning behind
it being: Otherwise often we developers never have a chance to learn
about such corner cases (or attacks) and to do anything about them.
I agree!
However the way to expose these information can be tailored with the
needs of the user in mind, i.e. usability. It’s not worth showing such
messages upfront and verbatim. A big popup with the strange message only
wouldn’t be great for the user. Of course a unknown bootstrap message
shouldn’t stop the user from enabling Tor.
Something like this…? “Unknown bootstrap message. In most cases this
is harmless. Please report this.” And then instructions how to
copy/paste this information from logs?
Sounds great. anon-connection-wizard definitely should have a log
module. Also, in terms of copy and paste the log, we may take the
Tor-launcher’s approach as an example.
Console output also is always good since fewest users are running gui
applications from console. More something advanced users and developers
are doing.
I agree. The log module should write to both log file and stdout/stderr.
One global workaround in Debian, which is not anon-connection-wizard specific, is to put this line in the [Service] section of /lib/systemd/system/tor@default.service :
On the second thought we should be careful with this. If not absolutely
required for Whonix 14, leaving it out. This could introduce some unique
bugs.
First of all, we have to see what upstream thinks about this and how
they go about fixing it. Then if possible and needed, we can add their
fix in Whonix earlier than their fix flows down to Whonix.