$Id: HISTORY,v 1.15 2005/12/02 20:34:36 nickm Exp $ New IN VERSION 0.0.8alpha2: - License changed from LGPL to the so-called "MIT" license. This has been planned for ages; see http://archives.seul.org/mixminion/dev/May-2004/msg00000.html - Numerous bugfixes: - Implement DESTDIR correctly. - Do not crash when run with python 2.4 - Bump preferred openssl version to 0.9.8a - Work when umask setting is bizarre (0077, 0000, etc.) - Make -P and mbox work correctly together. - Catch over-long paths. - Tolerate missing /dev/null - Solve crash on mixminion clean-queue - Do not exit on a spurious protocol string from another MMTP host. - Do not use stdio to read /dev/urandom: This wastes entropy. - Don't freak out when - Security improvements - Regenerate SSL certificates more frequently. - Servers schedule and retry delivery on a per-address basis, not a per-message basis. - Drop support for pre-0.0.6 servers: Servers are now located by hostname. - Add a "count-packets" command to tell how many packets will be needed to send a message. Some integrators need this. - Add a "SendmailCommand" option for invoking an external program to send email rather than simply connecting to an SMTP server. - Write much of ClientAPI, so Mixminion is easier to embed -- having this in a real release should make the Nymbaron team happy. - Experimental pinger code, using pysqlite as a data store and implementing the "Echolot" remailer reliability algorithm. More work is needed. - Partially implemented code for distributed coordinated voting directory servers. Client side and data formats are done; glue remains. - Recommended versions are no longer hard-coded. - Refactor how we learn about servers and generate paths. - Split out option-parsing logic to make option lists more consistent. - Suppress prompt when reading messages from non-TTY fds. - Implement --status-fd option to dump info to would-be integrators. - Better errors on expired certs NEW IN VERSION 0.0.7.1: - Install man pages in PREFIX/share/man, not PREFIX/man. - If the server crashed while changing a packet's metadata, it would often crash upon restart. Now it doesn't. - Don't crash when trying to route from a pre-0.0.6 server to a server with no IP. - Don't crash when we fail to download a directory. NEW IN VERSION 0.0.7: - New version number; nothing else has changed since 0.0.7rc2. NEW IN VERSION 0.0.7rc2: - BUGFIXES - Provide more helpful error messages when directory download fails. - Fix a possible crash during message delivery - Fix a race condition with multiple simultaneous processes. - Don't create empty output files when there is no data to write. - Many bugfixes for client-side message reassembly. - UI FIXES - All options that asked for a number of hops are now deprecated (with warnings) or disabled (with errors); use -P instead. - Server bandwith spikiness is now configurable. - ConnectionTimout has been renamed (more accurately) to Timeout. - The -i and -o flags are now optional whereever possible, and default to stdin and stdout. - DOCUMENTATION - Mixminion now ships with man pages for mixminion(1), mixminiond(8), mixminionrc(5), and mixminiond.conf(5). NEW IN VERSION 0.0.7rc1: - USER FUNCTIONALITY - Ability to delete or transmit queued messages to selected mixes, instead of all mixes. - Configuration options to block servers from path generation. - New "mixminiond FOO" script as alternate starting point for "mixminion server-FOO" functions. - CLI interface for client-side fragment reassembly. - Command shell (on Windows) supports filenames with spaces much better. - INFRASTRUCTURE - Allow servers to download and use directories (necessary for dummy/pinging work in future versions.) - Display server nicknames in log instead of just IP addresses. - Servers check recommended-version, complain when server is obsolete. - Put timezones in log. - Refactor RFC822 header generation logic (original patch from bfordham). - NETWORKING - Rewrite MMTP logic to implement protocol correctly and transfer packets more quickly, without waiting for round-trip acknowledgments after each before sending the next. - Unify client and server MMTP sending implementations. - Use IP TOS flags where available to request optimization for bandwidth. - Configurable limits for bandwidth. - Configurable limits on number of outgoing network connections. - New --reply-block-fd option to read reply-blocks from a file descriptor. - New --passphrase-fd option to read passphrase from a file descriptor. - The --quiet option works for clients as well as servers. - "mixminion ping" supports addr:port syntax as well as nicknames. - MISC - Call shred more efficiently when calling shred - Other bugfixes too numerous to mention - Remove some deprecated functionality - Better windows build NEW IN VERSION 0.0.6.2: - Fixed a bug that prevented the client from ever deleting messages from its queue. - Have clients handle dropped connections to servers correctly, by retrying only the packets that were not delivered. NEW IN VERSION 0.0.6.1: - Several documentation fixes. - Make the -H option work again when -P is not provided, and give a useful error when it is. - Make 'list-server -R' work properly. - Fix a bug that made it impossible to send replies messages with text from the command line. - Never try to clean client queues without holding the proper lock. - Prevent the server from crashing on an unresolvable hostname. NEW IN VERSION 0.0.6: - Several documentation fixes. - Starting a server for the first time will no longer give a spurious message about an out-of-date installation. - We now accept as uniform several more recent versions of zlib. - 'mixminion server-start --quiet' is now even more quiet than before. - Inital initial debian packaging files and targes (Peter Palfrader) NEW IN VERSION 0.0.6rc2: - Fixed a couple of bugs that would prevent Mixminion from running on Python 2.0 or Python 2.1. - Fixed a build problem with stand-alone Windows builds: the 'bsddb' module was not included, so we were defaulting to the slow and inefficient 'dumbdbm' module to store hash logs, SURB logs, and fragment indexes. NEW IN VERSION 0.0.6rc1: - Windows support - The Mixminion command-line interface now works on MS Windows, at least for me. It has been tested on Windows 2000, and should work on any platform running Windows 98 or later. There are probably some lingering bugs, especially when running a server. - Improved security - SURB keys are now rotated periodically. - The client now _always_ shuffles packets before delivery, and sends them in a random order. - Improved robustness - Servers are now addressed by hostname rather than IP. It is now feasible to run a Mixminion server with a dynamic IP address. Support for old-style routing will be deprecated in 0.0.7. (Servers use a DNS-farm abstraction to avoid blocking on slow DNS lookups. MMTP connections are still authenticated, so attacks against DNS can at worst delay packets from arriving.) - The path generation logic has been largely rewritten to use the optimal routing method for each server-to-server pair. - The path generation code now chooses good paths for fragmented messages and messages with specific requirements on their exit nodes. - Client queues are generally less buggy. - Consistency enforcement between fragmentation and other modules. - Better spec compliance. - Improved performance - When flushing messages from the client queue, it is no longer necessary to load them all into RAM at once. - User interface tweaks - When running as a client, Mixminion now displays servers by nickname in addition to IP:port whenever possible. Servers will gain this behavior in a later version, once they begin downloading directories. - The behavior of 'mixminion list-servers' has been changed: its default output is far terser and easier to parse than before, though output _even more_ verbose than previous can be selected. Also, whereas the old implementation only listed servers by their lifetime, capabilities, and status, it is now possible to list arbitrary 'features' of the servers in the directory. - Error messages for timeouts are more reasonable; timeouts themselves should now work a little better than before. - A longstanding typo in the MMTP server's logging code has been resolved: running at DEBUG should be far terser and more reasonable than before. - Users can now send fragmented messages for reassembly by their recipients rather than exit servers. (Client side reassembly is not yet implemented, however.) - Many error messages have been cleaned up, including a few related to SSL errors, Windows internals, corrupt databases, unsupported databases. - Build improvements - Use the preferred version of Python if one exists. - Add build target to output test vectors for crypto functionality. - Support the DESTDIR environment variable - Check SHA1 digest on downloaded OpenSSL 0.9.7c. - Other bugfixes too numerous to mention. NEW IN VERSION 0.0.5.1: - Allow exit servers to decide whether to support user-supplied from addresses. - Fail more gracefully when we try to deliver mail and the the local MTA is down. NEW IN VERSION 0.0.5: - Fix a harmless but hard-to-detect bug that showed up when running unittests on certain platforms. NEW IN VERSION 0.0.5rc2: - Fix for a bug that would crash exit servers trying to upgrade from certain older versions. - Improved error messages for several cases. - Add a draft man page (credit goes to George Danezis). NEW IN VERSION 0.0.5rc1: - Support for email headers. 'Subject', 'In-Reply-To', and 'References' are fully supported. 'From' support is limited, as documented in 'E2E-spec.txt'. - Limited support for K-of-N message fragmentation and reassembly. Right now, clients can send large fragmented messages for servers to reassemble them. Not yet supported are independent paths, fragmented reply messages, and client-side fragment reassembly. - UI improvements - Path generation can now create random-length paths - Support for removing old messages from client queues. - 'Mixminion shell' command to wrap other commands on platforms with iffy terminals or shells. Poor substitute for a real GUI. - Improved portability - All client and server functionality works properly on Cygwin. - Everything should work on win32 too. (But it won't be supported till I can get Py2Exe working.) - The build system should work on more unixes. - Improved configurability - Support for suppressing directory permission messages. - Improved performance - Server RAM usage should be way down, except while reassembling large messages. - Improved testability - Server descriptors now describe the server's platform and configuration. - Bugfixes too numerous to mention. Server pools in general should be significantly more robust. NEW IN FINAL 0.0.4 RELEASE: BUGFIXES: - Fixed a bug that would sometimes give a useless error message when trying to build a message with a too-long path. NEW IN VERSION 0.0.4rc4: BUGFIXES: - Improved error message on nonexistent directory. - Fixed a bug (found by Mike Gurski) that could kill a server if a message was received for an old key in between deleting the old key's replay cache, and deleting the old key itself. - Fixed a bug in setting up server directories. NEW IN VERSION 0.0.4rc3: BUGFIXES: - Memory leaks: - Made server code release memory more aggressively. - Fixed a race condition where messages could be queued on a server connection that was already shutting down. - Fixed memory leaks on certificate checking. - Server bugs: - Fixed a server crash on key-rotation that would occur when to trying to open the same hash log db file twice. - Fixed bug that would crash server if PublicKeyLifetime changed. - Made server differentiate between ENOENT and EACCES when starting. - Fixed a bug that would cause key generation to happen at the wrong times. - Other bugs: - Fixed a bug related to using client keyrings without passwords. - Made ASCII armor more reliable in the face of extraneous space, headerless armor, and so on. - Excluded superseded servers from directories more thoroughly. OTHER CHANGES: - Cosmetic: - Commented most uncommented code. - Refactored path selection again. - Refactored code to use more reliable file accessing functions. - Added more unit tests - Performance enhancements: - Changed recommended OpenSSL version to 0.9.7b. - Implementation quality - Improved a few log messages. - Made included etc/mixminiond.conf more reasonable by using a less aggressive retry schedule, commenting out unused Allow lines, and decreasing PublicKeyLifetime. - Made os.expanduser work on more configuration values. - Enabled threading on more C functions. NEW IN VERSION 0.0.4rc2: BUGFIXES: - The server shouldn't crash so much when it gets bad TLS errors or timed-out connections. Sometimes, it will give better errors when it does. NEW IN VERSION 0.0.4rc1: First steps toward directory automation: - Servers generate new keys and server descriptors when the old ones are close to expiring. (~2 weeks) - Servers also regenerate server descriptors when their configuration changes. - When a set of keys expires, a server rotates to the next set automatically (with some overlap). - Servers can upload their descriptors to a directory server automatically. - There's a trivial directory backend that accepts signed updates automatically, and queues new servers. - Directories now include a list of which servers are believed to be working correctly. Right now, this list is still manually configured. - There's a cron job that regenerates the directory every so often. Packet format overhaul: - Server RSA keys are now 2048 bits long. - The header representation is more compact now, so we don't pay in space for the increased key length. MMTP improvements: - The certificate regime has changed so that key rotation is now possible: instead of authenticating servers based on their TLS keys, we authenticate based on their identity keys, which never change. - Packets sent from a server to itself no longer hit the network. - When relaying messages, a server never opens more than 1 connection at a time to the same server. - MMTP clients now recognize a 'REJECTED' reply that a server can use to refuse messages when under high load. Other server improvements: - Servers can (optionally) track the number of packets received, relayed successfully, dropped, and so on. - Servers can recognize and advertise whether they are configured 'securely.' - The deliver/retry logic has been largely rewritten. It should freak out and die less frequently now. In any case, it also prints better debugging messages, and thrashes the disk less. Minor changes: - We now use real OpenPGP-style ASCII-armor. Accept no substitutes! Numerous UI Improvements: - There are saner error messages for many common cases. - Support for multiple SURB keys to prevent identity-blending attack. - There's a new (temporary) 'mixminion ping' command that you can use to tell whether a server is accepting connections. It's potentially dangerous (if you go pinging all the servers in your path), and has a banner saying so. - The path selection syntax has changed to be more flexible. (You can now specify a single random hop, or N random hops.) NEW IN VERSION 0.0.3: Better build support: - Fail more gracefully with missing 'which'. - Fail more gracefully with missing python-dev. - Portability fixes for Python 2.0. Client tweaks: - Default connection timeout to 1 minute. - Rename stop-server to server-stop. - Rename reload-server to server-reload. NEW IN VERSION 0.0.3rc2: Numerous bugfixes, including: - More verbose client locking - More reasonable log messages - Better messages on missing openssl - Improved documentation - Better support for confused permissions on build - Better errors on failing directory retrieval - Less verbose description of reply blocks skipped. - Base64 encoding should no longer get corrupted by outlook - Fix nasty race on queue cleaning. - The code compiles (but doesn't run) under cygwin. New features: - mixminion stop-server and mixminion reload-server commands. NEW IN VERSION 0.0.3rc1: CLIENT: - Single-use reply blocks (SURBs) are fully supported and available. - You can use client-side pooling: it holds messages until you're ready to send them. Pooling also prevents you from losing messages when the first hop in your path is temporarily down. - You can now decode binary messages or reply messages from the command line. - We now time out faster when servers are down. - Many error messages are far friendlier. - It's now safe to run multiple instances of the client at once. - Numerous UI improvements and typo fixes; error reporting is better in many ways. BUILD: - It's easier to build with different OpenSSL installations. SERVERS: - Servers now have a lightly multithreaded design to prevent extreme stalling under heavy loads. Now the network should remain fairly responsive under far more traffic than before. - When a message delivery fails, the retry schedule is more reasonable. By default, a server will retry an undeliverable message every 30 minutes for a day, then every 7 hours for 5 days. - All modules that use SMTP now set a "X-Anonymous: yes" header. CONFORMANCE: - We now implement MMTP correctly; before, we didn't accept junk packets; handle protocol negotiation right; or do support key renegotiation. - DROP packets have random payloads. - A nasty bug in our implementation of counter mode is fixed. On the bright side, big-endian and little-endian hosts should now, finally, be compatible. On the minus side, we lose backward compatibility. - Server descriptors and directories now follow a more forward- compatible format: we can add sections and entries in the future with less risk of breaking existing clients. NEW IN VERSION 0.0.2.2: - Fixed a bug that crashed your server when another server's KeyID was incorrect. - Add minimal handlers for TERM and HUP signals. - Add a disclaimer to main usage message. NEW IN VERSION 0.0.2.1: - BUGFIX: A nasty bug is fixed that could, under just the right circumstances, send the server into an infinite loop and fill up your hard drive. If you're running a server, you *should* upgrade. - Server log messages are more reasonably structured. - setup.py is more clever about half-installed Python. - "list-servers" now supports the same directory-download options as does "send". NEW IN VERSION 0.0.2: - A real SMTP exit module to relay messages via a local MTA. Blacklisting is supported by address, by username, by host, by entire domain, and by regular expression. - Integrated directory support for clients. - Automatic path selection, along with a better user interface to specify paths. - You can now enable Cottrell (DynamicPool) and Binomial Dynamic Pool batching, though they are disabled by default to make the system more testable. - Servers resist certain trivial DoS attacks more strongly. In particular, you should no longer be able to send zlib bombs or flood a server with open connections. - Clean build process under FreeBSD. - Ability to run server as a daemon. - Slightly better documentation and error messages. - Better resistance to newline corruption of server descriptors. - Other bugfixes and performance improvements too numerous to mention. NEW IN VERSION 0.0.1: - You can run a rudimentary server that can deliver to other Mixminion servers, that can use Mixmaster to deliver to any external address, or that sends SMTP directly to a preconfigured set of addresses. - You can send anonymous email via these servers. ------------------ (for emacs) Local Variables: mode:text indent-tabs-mode:nil fill-column:77 End: