anonymous client mode #1010
Labels
No Label
0.2.0
0.3.0
0.4.0
0.5.0
0.5.1
0.6.0
0.6.1
0.7.0
0.8.0
0.9.0
1.0.0
1.1.0
1.10.0
1.10.1
1.10.2
1.10a2
1.11.0
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.15.1
1.2.0
1.3.0
1.4.1
1.5.0
1.6.0
1.6.1
1.7.0
1.7.1
1.7β
1.8.0
1.8.1
1.8.2
1.8.3
1.8β
1.9.0
1.9.0-s3branch
1.9.0a1
1.9.0a2
1.9.0b1
1.9.1
1.9.2
1.9.2a1
LeastAuthority.com automation
blocker
cannot reproduce
cloud-branch
code
code-dirnodes
code-encoding
code-frontend
code-frontend-cli
code-frontend-ftp-sftp
code-frontend-magic-folder
code-frontend-web
code-mutable
code-network
code-nodeadmin
code-peerselection
code-storage
contrib
critical
defect
dev-infrastructure
documentation
duplicate
enhancement
fixed
invalid
major
minor
n/a
normal
operational
packaging
somebody else's problem
supercritical
task
trivial
unknown
was already fixed
website
wontfix
worksforme
No Milestone
No Assignees
5 Participants
Notifications
Due Date
No due date set.
Reference: tahoe-lafs/trac-2024-07-25#1010
Loading…
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
For the anonymous network use case (such as I2P and Tor), we want to only use
127.0.0.1as loopback address. Right now Tahoe discovers all local addresses through various strategies and discloses them to (at least) the introducer.For I2P we have introduced the configuration option
anonymize_local_addresses(which we consider renaming totub.anonymize) to disable this lookup.Example of configuration in
tahoe.cfg:Snippit showing how this is used in
node.py:Attachment 1010_anonymize_local_addresses.diff (1259 bytes) added
What is the motivation for using all local addresses normally?
It seems like a great idea to have a tub.anonymize flag. It would be fantastic to have Tahoe throw exceptions like confetti if that option is set and a few key (tub.address) settings aren't configured. Anything less may lead to information PII leakage.
There are a number of sanitation issues that need to be carefully handled. Having a single bit to say we want to try to handle those issues is probably a good start.
Replying to ioerror:
+1 for having a single config bit to indicate that the user wants anonymous operation.
However,
tub.*" options apply to foolscap tubs, and the single config bit may need to change behaviour other than in foolscap.Also needs a doc patch.
Unsetting
review-neededsince it needs a doc patch before going back to thereview-neededstatus.I think that "tub.location = " (setting it to an empty string) is even better. tub.location is the right thing to set here: everything sent to the introducer will derive from what the Tub concludes, and tub.location is the way to override that automatically-figure-out-my-own-addresses behavior.
Perhaps a "
nodeanonymous" flag would be useful as a statement of policy, and implemented as a check in various places: if "anonymous=true", then we scan the tub's location just before sending it to the introducer, and throw an exception if it isn't empty? And if we add other places that reveal identifiable information in the future, we also guard those with the "if not anonymous" check?davidsarah: the motivation for including 127.0.0.1 in the list-of-addresses is to allow two nodes on the same machine to establish a fast (loopback) connection to each other. I use this all the time in test scenarios, and in grids in which the helper runs on the same node as something else (generally an introducer or a storage server). There's half an argument to remove it, but I think that most of those cases are handled better by having people publish an explicit tub.location that doesn't include it.
Replying to warner:
I meant, what is lost by only having 127.0.0.1 in the list of addresses, all the time?
What's the next step on this ticket? Brian answer David-Sarah's question from comment:8? Duck write docs as requested in comment:76731?
Brian: please answer David-Sarah's question from comment:8.
Adding keyword "tor" since the same issues probably apply to tor users as apply to i2p users. (Indeed, I suspect all "tor" and "i2p" tags should probably just be converted to "privacy" tags.)
Attachment 1010-anonymize-local-addresses.patch (2695 bytes) added
Allow for local address anonymization
Brian's suggestion from comment:76734 has been taken; if "tub.location = " (an empty string), then the local address discovery is replaced by just using 127.0.0.1 as address; this replaces the previously suggested
anonymize_local_addresses = trueoption.While an anonymous policy flag as suggested by ioerror in comment:76729 and by Brian in comment:76733 would be a good idea, I consider that material for another ticket.
In addition to this an unit test has been written. Once #1301 is implemented the trial patch decorator can be used instead.
This is the Ticket of the Week in Tahoe-LAFS Weekly News edition 4: http://tahoe-lafs.org/~zooko/TWN4.html
If a node is only a client, then perhaps it should default to not disclosing addresses. ( I realize that in theory a client with a public address could get incoming connections from a server without a routable address, but I consider servers without routable addresses to be buggy.)
Only use 127.0.0.1 as local addressto use only 127.0.0.1 as local addressI'm putting this into the 1.9 Milestone because duck has done the work we asked of him and it would feel good to therefore include his patch in 1.9. (
review-needed!)Reviewed patch and looks good to me.
whoops, I really lost track of this one.
DS> I meant, what is lost by only having 127.0.0.1 in the list of
DS> addresses, all the time?
Um, if everyone in the grid only publishes 127.0.0.1, then how will
distant nodes ever connect to each other? Since we don't have UPnP or
NAT traversal, we need everyone (well, N-1) to have+publish a public IP
address.
This patch needs docs: in addition to making sure people can
successfully use this feature, we need to a place to answer the user
confusion that's likely to occur when someone assumes that
"
tub.location=" should behave the same way as "#tub.location=". (I'm notas sure that
["tub.location=" == anonymous]is the best UI for this, atleast not as sure as I was 15 months ago. The whole-config "anonymous"
flag feels like an important addition.)
gdt's observation in comment:76742 is a good one. Ideally, pure-clients
should be able to hang out behind NAT and not admit to having a real
address. (I think the FURL location-hint format will tolerate this,
but I haven't actually tested it). We've always been on the fence about
whether Tahoe is a client-server system or a P2P system. Having clients
announce their addresses makes it more P2Pish.
I've had topology problems (servers behind NAT) which made me glad that
it's possible for servers to connect to clients too. To actually enable
this, I had to make my "clients" pretend to be servers (but with
storage.readonly=true): otherwise the servers wouldn't hear about the
client and wouldn't try to connect. Nodes only actually publish their
storage FURLs to the Introducer if they're configured as servers (see
init_storage()in client.py). But they'll reveal their FURLs(along with their IP address) in any reference that passes over the
wire.
So anyways, I'm ok with this patch if it includes a paragraph in
docs/configuration.rst (in the section on tub.location) explaining what
happens when you use "tub.location=" and why you might want to do that.
If we find that it's hard to explain this feature in there, then maybe
it's not a good feature to add.
Replying to warner:
Yes, I realized that was a silly question (for nodes in general) but forgot to unask it. I suppose I was thinking only of clients, or more precisely non-servers.
gdt's suggestion of only including 127.0.0.1 in the list of addresses for non-servers makes sense to me, especially given this:
actually in that case we might as well not advertise any addresses. Thta's a fairly clear hint that we don't want other people trying to contact us :)
Replying to warner:
I wasn't sure if that would break anything, but yes.
How does this interact with #1086? Do we still want servers not to try to connect to clients by default?
Attachment 1010-docs.darcs.patch (35828 bytes) added
docs/configuration.rst: document 'tub.location =' for hiding local IP addresses. refs #1010
Attachment fix-1010.darcs.patch (34807 bytes) added
node.py: implement 'tub.location =' for hiding local IP addresses. fixes #1010
Attachment test-1010.darcs.patch (35548 bytes) added
test_node.py: test that 'tub.location =' hides local IP addresses. This version unpatches on synchronous exceptions, and uses fileutil.write. refs #1010
Let's kick the question of what addresses the client should advertise by default out to the next release. I don't think that this patch conflicts with any decision we would be likely to make about that. It also doesn't conflict with adding a whole-config anonymous flag.
I've recorded the changes as darcs patches, added some docs, and made a couple of minor improvements to the test (see its description). The fix itself hasn't changed and is already reviewed.
Reviewed 1010-docs.darcs.patch and found no glaring errors. Review still needed for test-1010.darcs.patch.
Attachment cleanup-1010.dpatch (41952 bytes) added
combined some cleanup with the other three patches
Review:
I haven't thought through davidsarah's assertion in comment:76751 that this patch won't make it harder to do what I want (clients listen for connections from servers by default, and anonymous-mode is an explicit flag instead of setting
location='') in the future, but I'll take their word for it.I find it very confusing that
location=*in thetahoe.cfgfile means "Emit only 127.0.0.1" butlocation=*in source:src/allmydata/node.py's_setup_tub()means "Discover all local IP addresses and emit them.". This is on top of my slight confusion about the fact thatlocation=Noneintahoe.cfghas a different meaning fromlocation=''. Or wait -- does it? Is one of them the same as not having alocationentry at all?Off I go to search for answers in the docs in attachment:cleanup-1010.dpatch. But the fact that I experience this much confusion after glancing at a few lines of the code and the config file is a bad sign.
Okay, I've started reading the docs patch from cleanup-1010.dpatch:
It helps to allay my confusion because it explicitly says "Note that this is not the same as omitting
tub.location.". However, it doesn't help all the way: what does it mean if you omittub.location? (The answer, I believe is, that it discovers your local IP addresses and advertises them.) Does it mean anything if you saytub.location=None, or is that an error?I think there are four different use cases here, three of which are currently supported, and our docs should be more explicit about enumerating them.
Also: is there a valid distinction between
Now this patch currently lets the user express option 2 by setting
tub.location=, option 1 by setting notub.location, and option 3 by settingtub.location=207.7.145.194. I'm -1 on this design:node.anonymous = True, as we discussed above.tub.location=127.0.0.1.We discussed one of those alternative designs above, and we said maybe we can changed out minds later, but this may be a mistake because
Do we have a plan for how to provide backwards compatibility if we were to change to a different design in a future release? I guess we might need to have a phase where the
tahoenode understood both old and new configuration formats, stopped with a fatal error if they were inconsistent, and emitted a warning if the old one existed at all. Then eventually we might go through another cycle like the one we just finished with #1385 where we stop with a fatal error if the old style is present. (By the way, #1385 turned out to be a lot more painful of a patch to integrate and debug than I had anticipated.)I'm willing to listen to counter-arguments, but at the moment I'm -1 on this design. I haven't finished reviewing the actual patches in attachment:cleanup-1010.dpatch, but I'm going to stop here and focus on #393 instead. I'm sorry I didn't think about the backward-compatibility issues earlier and that I didn't think about the specific configuration format earlier so I would realize I was uncomfortable with it before this late stage. (Also it is too bad I didn't think of the potential identity-revealing weakness earlier so we could have time to think it through before this late stage.)
Once we finish this ticket, we should see if that means ticket #517 can also be closed or if there is further work to do for #517.
#1207 is a closely related ticket which shows that some people (starting with gdt) want to have yet another variation, where unrouteable IP addresses are excluded from the advertised list.
It seems as though you can already achieve exactly the effect of the current patch with "
tub.location = 127.0.0.1" -- or a similar effect with "tub.location = unreachable.example.org:0" as the [documentation suggests]source:trunk/docs/configuration.rst#overall-node-configuration.So on reflection, I'm also -1 on including this in v1.9.
(The cleanup patch also has the improvement of not calling
iputil.get_local_addresses_async()if its value is going to be discarded, but that's not urgent.)Attachment 1010-use-only-127.patch (6149 bytes) added
cleanup and refactored against current trunk
I added an updated patch against trunk which uses Brian's last patch.
In the dev meeting zooko suggested an anonymize flag that would instead of having a blank tub.location. The anonymize flag would ensure that sensitive information like IP addresses are not broadcast. Having a blank tub.location value would be confused with auto detected location. Perhaps using keywords like "auto" could be used to indicate auto configured address with that behavior being default.
I just reviewed 1010-use-only-127.patch (during Weekly Dev Chat).
Thank you for updating this patch to apply to the current trunk! The patch makes sense and is usefully addressing this issue. However, we talked it over at our recent Weekly Dev Chat ([//pipermail/tahoe-dev/2013-August/008674.html notes]), and have a few requirements for safety of the configuration:
Let's add a
nodeanonymizeflag to thetahoe.cfgfile. The meaning of this flag is: stop the process and print an error message if any of the configuration options would compromise my identity. There are also probably going to be other meanings of this flag added in other patches (i.e., this flag will probably come to mean also: do not allow any outgoing connections that are not over a anonymous routing layer such as Tor or I2P).Instead of "
tub.location=" (the empty string) meaning to not advertise any location, lettub.location=UNREACHABLEmean that. (This is in order to avoid confusion in the mind of the user about the distinction betweentub.locationbeing absent versus it being present with an empty value. See also below, about backward compatibility.)If
tub.location=UNREACHABLE, then pass the special hardcoded valueunreachable.example.org:0to foolscap instead of the empty string to foolscap. (This is because foolscap currently can't handle the empty string for its connection hints — see http://foolscap.lothar.com/trac/ticket/208 .)Instead of expressing that the node's IP address should be auto-detected by the absence of
tub.location, express it bytub.locationbeing set toAUTODETECT.Note that there is a third option besides
AUTODETECTandUNREACHABLE, and that is to settub.locationto a specific set of IP address+port, DNS name+port, I2P addresses, or Tor (.onion) addresses. I don't know if Tor or I2P users would always do the latter, or if they would sometimes set it toUNREACHABLE.Therefore, if
nodeanonymizeis set toTrue, then:tub.locationsetting (including iftub.locationis commented-out), the node will abort on startup. (This is important because people who created their node with an older release of Tahoe-LAFS will have atahoe.cfgwithtub.locationcommented out. See below about backward-compatibility.)tub.locationis set toAUTODETECT, the node will abort on a startup with an error message.tub.locationis set to a specific connection-hints value which includes an IP address or domain name, then the node will abort on startup with an error message.tub.locationis set to aUNREACHABLE, the node will start up normally.tub.locationis set to a specific connection-hints value which contains only I2P and/or Tor (.onion) addresses, the node will start up normally.tahoe.cfg's (generated by thecreate-clientor {{create-node}}} command) should come withtub.location = AUTODETECTinstead of a commented out "#tub.location = put your IP address here" (see [create_node.py]source:trunk/src/allmydata/scripts/create_node.py?annotate=blame&rev=3ee950f09ed8b7f6cc72a98c26eefe9e02c11d85#L91.)Okay, now what about backward-compatibility?
For backwards compatibility, we still accept the absence of
tub.locationas meaning to AUTODETECT. But only if thenodeanonymizeflag isn't on! Because if thenodeanonymizeflag makes a setting fortub.locationbe required.Maybe in a future release we'll start emitting a warning about the absence of a
tub.locationsetting, but for now, no warning.I agree with most of this design, but I'm unconvinced of the value of requiring an explicit
tub.location = AUTODETECT, rather than keeping that as the default as it is now. Thenode anonymizeflag would still disallow auto-detection, that's independent of whether auto-detection is the default.Note that if we keep auto-detection as the default, we can still change the comment that is added to a new
tahoe.cfgto something likeThanks for the design-review, daira. I still want to eventually switch to spelling this as
tub.location = AUTODETECT, even if it isn't necessary to do so, because:tub.location =for meaning "set my tub location to the empty string".So for those reasons, I'd prefer to move ahead with making an explicit
AUTODETECTbe the preferred way to indicate this configuration (as in comment:76761).Oh, I see that my specification in comment:76761 omits a case: what if
tub.locationis set to the empty string? I propose that this is treated as a configuration error (the node stops at startup with a verbose error message about this), regardless of the setting ofnodeanonymize.#1947 was a duplicate of this, and #1947 has lots of good content on it. Please read #1947 if you are working on this ticket.
Note that in the modern world, "only use 127.0.0.1" should really be "only use 127.0.0.1 and ::1". I will refrain from updating the ticket-title, but IMHO we should purge v4-only statements.
Greetings,
My branch implements of Zooko's design in comment:76761 :
https://github.com/david415/tahoe-lafs/tree/david-ticket1010-unittests
Please let me know what else I can do to get this trac ticket resolved.
For reference, the relevant commits are here:
https://github.com/david415/tahoe-lafs/compare/david-truckee-venv...david-ticket1010-unittests
There is also an earlier commit in the same branch which drafts a Tor-only mode, meaning that the branch can't be directly merged to close this ticket:
https://github.com/david415/tahoe-lafs/commit/d9757d75aebe675ca6114d63673ac597e1198084
Reviewed the commits for this ticket (from the link I posted above).
nodeanonymizefor the flag. The commits implementnodetub.anonymizeinstead. I don't know what the Tahoe and Foolscap conventions are, but I expect thatnodetub.*are intended to be passed through to Foolscap, and this flag will not be.check_anonymity_config():_startService()) and 429 (in_setup_tub()) confuse me. Why istub.locationbeing set to empty? Is this being written to the config file?tahoe.cfgfiles.use only 127.0.0.1 as local addressto anonymous client modeOK... I've cleaned up my code here:
https://github.com/david415/tahoe-lafs/tree/david-ticket1010-unittests
Additionally this latest change uses the my Foolscap branch from Foolscap trac ticket 208:
http://foolscap.lothar.com/trac/ticket/208
This ticket now requires code review. Thanks!
Reviewed :)
src/allmydata/node.py:anonymize.py).is_errincheck_anonymity_config()can be replaced with set unions (joining the expressions withor-s).tubport = ...) can be moved inside theself.anonymizecheck._unreachable_tub()necessary? AFAICT removing lines 356-359 and changing line 360 toif location != "UNREACHABLE" and not self.anonymize:would have the same effect (apart from the log line, which could be checked inside_setup_tub()instead. This is probably a coding style decision, I will defer to Zooko et al. on this.src/allmydata/util/anonymize.py:is_anonymous()still contains code to split a location hint into parts, which is what IMHO should be centralized (outside ofanonymize.py). I haven't hunted for where else location hints are split up currently, but per the anonymity roadmap there will be more parts in Tahoe that will need to do so (e.g. per-config client endpoint string parameters).Overall IMHO this is looking very nice. It can't be directly merged to close this ticket because of the Tor-only content, and I'm not sure whether it can even be cherry-picked (I haven't checked which commits do what).
I would prefer
nodeanonymousrather thannodeanonymize, because it has the same spelling in U.S. and British English. Also I think it more clearly conveys that this option is asserting that other options are compatible with anonymity, not changing the behaviour itself.FYI, http://foolscap.lothar.com/trac/ticket/236 is a plan that dawuud and I came up with for making Foolscap handle Tor/i2p Listeners and connection-hints cleanly. I need to re-read this ticket and see how/if it interacts with the changes we propose over there.
I have cherry-picked the #1010 changes out of dawuud's branch and rebased them onto master:
https://github.com/str4d/tahoe-lafs/tree/1010-anonymous-client-mode
I have intentionally left out commit
e03ac001387f8341240e730cd918027c2d111b7dbecause Foolscap #208 is still undecided.Other changes:
AUTOas a flag intub.location, basically implementing use case 4 from comment:76754. Therefore I have replacedtub.location == AUTODETECTchecks withAUTO in tub.location.nodeanonymizehas been changed tonodeanonymousper comment:76773.In today's meeting, while sketching out the tor-socks-proxy syntax (/tahoe-lafs/trac-2024-07-25/issues/5579#comment:76759), we talked briefly about how the Accounting "client ID" would interact with anonymity. In particular, without other changes, Accounting-enabled Tahoe clients will use the same !ed25519 key for all connections. There are (at least) three things that might be linkable, and using Tor/I2P will only remove one of them:
We could change the accounting system to provide a way to use random client-ids (or none at all), but then storage servers can't enforce any of their Accounting things. And even with that, clients who always start at the same rootcap will be linkable by the storage server observing repeated accesses to the same storage index.
The upshot is that now I'm wondering if a tahoe.cfg flag named
anonymousmight be better spelledpsuedonymous, orip-anonymous, ornetwork-anonymous, or something that makes a slightly weaker claim. Or, should we say thatanonymous=truealso requires that you've added some other (as-yet undefined) tahoe.cfg flag which disables Accounting client-ids?For more terminology discussion, see this tweet by Zooko, and this one, and their replies.
IMHO random Accounting client-ids are not necessary. From the I2P perspective, a Tahoe client is going to have a visible known I2P Destination at least for the duration of the process (by default client sessions are transient), and so an Accounting client-id that persists as long as the I2P Destination does is within the existing threat model. For a Tahoe client that is also a server, this will be long-term; for client-only nodes, this will be until restart (unless code was added to intentionally cycle Destinations on a shorter timescale). The Tor side will have similar considerations. I don't see a use case that requires a Tahoe client's I2P activity and Tor activity to be unlinked.
Another consideration raised by this: we need to ensure that if the Tahoe configuration is changed, all identifiers are cycled (as best as possible). That means, if a user is running a "non-anonymous" client, and subsequently configures it to be "anonymous", then Tahoe needs to regenerate:
The shares being accessed is a harder identifier to prevent leaking across, and I'm not sure how it could be done within the Tahoe-LAFS operational model. For comparison: the BitTorrent client Vuze has an I2P plugin, and internally it runs two I2P Destinations - one for "pure" I2P traffic, and one for "mixed" I2P traffic (for any torrents being seeded simultaneously to/from I2P and the clearnet). It explicitly warns the user that once a torrent has been added with a given privacy setting, it should not be changed, because the already-fetched-blocks are a unique fingerprint for incomplete torrents. To change, they recommend deleting and re-adding the torrent. It's not something they can defend against, but they try to at least give the user plenty of warning.
We agreed in today's Nuts & Bolts meeting to bump better Tor/I2P support out to 1.11.0.
Milestone renamed
We should release some basic features as described in this ticket soon so that we can complete Phase 1 of native Tor integration for Tahoe-LAFS as described in warner's roadmap in a comment here: (@@https://tahoe-lafs.org/trac/tahoe-lafs/ticket/517#comment:76765@@)
It seems like progress on this ticket has stalled. What can I do about it?
I don't think we need to implement accounting first. We just need to have some basic features and I think it should be really simple to have an anonymize=true option; it should error if another option is set in conflict with the policy and it should turn off autodetect. anything else? str4d rebased my old patch. perhaps i need to change it to use the foolscap trac ticket 208 feature now that ticket is closed?:
https://foolscap.lothar.com/trac/ticket/208
This here is the latest with upstream/master merged in;
https://github.com/david415/tahoe-lafs/tree/1010-anonymous-client-mode
It seems like we need to fix the above changeset:
fixed here:
https://github.com/david415/tahoe-lafs/tree/1010-anonymous-client-mode.2
In various conversations and tickets Leif and Zooko both point out that our language is misleading because in this case the word "anonymous" doesn't mean unlinkable identity from the storage server's perspective at all... but merely means that our origin IP is hidden via the network transport. This is arguably not anonymity at all. It is important to make this distinction I think.
Question: Do any you have suggestions for how to make this explicitly clear to the user? Should we change the name of the configuration option to something else?
How about mask-origin-ip?
moving most tickets from 1.12 to 1.13 so we can release 1.12 with magic-folders
I think we're ready to add this flag, and then a
tahoe create-clientCLI argument to turn it on from the very beginning. So we need to make some decisions. I'm going to propose the following.. please let me know what you think.tahoe create-client --anonymousortahoe create-node --anonymouscausesnode anonymous = trueto be written totahoe.cfgnode anonymous = true, any of the following problems will causetahoe startto throw an exception before any network traffic has occurred:node tub.location =contains anytcp:hintsnode tub.location =is empty or missing, since that meansAUTO, which means atcp:hint with automatically-detected addressesconnectionslacks atcp = torline, since otherwise introducer and server connections could use raw TCP connectionsThere are a few other things we might consider adding, but I'm inclined to not include them:
tub.locationhostnames (for any type of hint) to end in.onionor.i2ptub.socks_portto point at a local host (maybe limit it to127.0.0.1andlocalhost, or maybe to any RFC1918 address)storage enabled = falseandhelper enabled = false(i.e. we're a pure client), then requiretub.port=(empty), to forbid the main tub from listening at allI'm tentatively pulling this into the 1.12 milestone, because I think we're close, and it'd be awesome to include proper (client-side) Tor/I2P support, and I think this flag is a necessary part of that.
From today's devchat, folks seemed ok with my proposal, and with omitting the other three items (constraints on tub.location hostnames, tub.socks_port, and forbidding pure-clients from listening).
However Zooko (and others) pointed out that "anonymous" is not the best name for this flag (it's inaccurate, imprecise, and carries negative connotations for a lot of folks outside our community).
private, orprivate-ipseems better:Switching to a term that makes it clear that we're specifically protecting the IP address means that we don't need to include #2384 in its scope (randomized TubIDs).
Do people prefer
private = true, orprivate-ip = true? Or something else?My pal George Tankersley suggested a great idea for this today:
(the default value of
reveal-IP-address=is True, when left unspecified)That is specific (Tor/I2P are only about not revealing your IP address), non-negatively-connotative, and encourages the obvious constructive question of "why the heck isn't
falsethe default?" (which then begins the conversation about performance consequences of Tor/I2P connections and the additional install/run-time dependencies).(https://github.com/tahoe-lafs/tahoe-lafs/pull/326) adds this safety flag, and docs/tests.
If the syntax is ok with everyone, the next step will be to add a
tahoe create-client/create-nodeCLI argument which sets this flag. Maybe--no-reveal-IP-address? Or--reveal-IP-address=false?--hide-IP-address?In d47fc0f/trunk:
I think we're converging on
--hide-ip. It's not as provocative as--no-reveal-ipor--reveal-ip=false, but I think it's simpler, and just as accurate.--hide-ippatch in https://github.com/tahoe-lafs/tahoe-lafs/pull/330In d0da17a/trunk:
Ok, with the landing of
--hide-ip, I think we can close this one: we've implemented pretty much everything we've talked about in this ticket.In 5a195e2/trunk: