On Sun, Oct 3, 2010 at 2:05 PM, <[email protected]> wrote:
> Hello everyone.
>
> I found a fork (?) of tor software with GUI named Advanced Tor. I was
> surprised of its features, but found just nothing about it in web,
> though it has opened source placed in sf.net.
>
> Have you people discussed it? Please give a link to discussion if yes.
> Otherwise you are welcome (if it won't break any or-talk rules),
> especially I'd like to know if someone can get through the code to
> check it for backdoors or something like that.
>
> Description and source:
> http://nemesis.te-home.net/Projects/AdvTor.html
> http://sourceforge.net/projects/advtor/
>

It looks like they forked some older version of Tor. It purports to be a forked 0.2.1.26, but lots of the comment string typos and copyright notices from the source code don't match up to that version, and I suspect that it's actually based on a mixture of files from more than one Tor version. There are indeed bugfixes from 0.2.1.26 that seem never to have made it into the source of this thing.

Frankly, when I run into a programmer whose first instinct is to fork rather than to contribute, I kind of assume that they're not too familiar with how things are done in free software, which makes me a little nervous.

Some of the stuff they added is possibly worth taking into mainstream Tor, though we can't use their code to do it: their license says that the changes they made in the Tor client are under the Creative Commons Noncommercial Share-Alike license, so we wouldn't be able to use them even if, on examination, we did like them.

The olla-podrida of different Tor source versions makes it hard to actually tell what the changes *are*: when you run into a point where there's a difference, you don't know whether it's just a fix from 0.2.1.26 that the author didn't feel like forward-porting, or whether

Some of the changes are downright gratuitous; it looks like they changed the torrc comment character from # to ; because... well, Windows, I guess. It also looks like they ripped out a big pile of code that wasn't built on Windows because... well, it offended them or something.

Some of the changes are good ideas, like trying to learn time skew (rather than just reporting it) and better handling of HTTP. I am pretty sure there's a security hole in the time skew learning thing if it works how I think it does, though, and all the string handling in buffers.c is done with the kind of character-at-a-time, who-needs-functions thing that is error-prone even when done by good programmers with other programmers reviewing their stuff.

So yeah. I would not recommend this software.

If the author wants to participate in the wider world of Tor, I would recommend that he work on figuring out what changes he wants in Tor itself, cleaning up the implementation, speccing out the design for security review, and getting them upstreamed to us.

yrs,
--
Nick

