Commit 78d9bdff authored by intrigeri

Rename pools to avoid confusion (refs: #15428)

People get confused by the use of pal/neutral/foe: they think we need
to particularly trust members of the "pal" pool, which is incorrect
and can lead to useless controversy.

So let's fix this by renaming the pools and clarifying our design doc.
parent 5225742f
HTP_POOL_PAL="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
HTP_POOL_NEUTRAL="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
HTP_POOL_FOE="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"
HTP_POOL_1="boum.org,espiv.net,db.debian.org,epic.org,mail.riseup.net,leap.se,squat.net,tachanka.org,www.1984.is,www.eff.org,www.immerda.ch,www.privacyinternational.org,www.torproject.org"
HTP_POOL_2="cve.mitre.org,en.wikipedia.org,lkml.org,thepiratebay.org,www.apache.org,getfedora.org,www.democracynow.org,www.duckduckgo.com,www.gnu.org,www.kernel.org,www.mozilla.org,www.stackexchange.com,www.startpage.com,www.xkcd.com"
HTP_POOL_3="encrypted.google.com,github.com,login.live.com,login.yahoo.com,secure.flickr.com,tumblr.com,twitter.com,www.adobe.com,www.gandi.net,www.myspace.com,www.paypal.com,www.rackspace.com,www.sony.com"
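Review bot: HTP_POOL_1, HTP_POOL_2 and HTP_POOL_3 say nothing about why a host belongs to a given pool, and the visible lines carry no comment, so someone adding a host has nothing to go on. A one-line comment above each assignment stating the pool's selection criterion, or a pointer to the design doc section that lists the pools, would keep the file maintainable without bringing back the pal/foe wording. The old HTP_POOL_PAL, HTP_POOL_NEUTRAL and HTP_POOL_FOE names are dropped with no fallback, so it is worth grepping for any remaining reader of them before merging.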
......@@ -11,10 +11,10 @@ Environment=SUCCESS_FILE=/run/htpdate/success
Environment=LOG=/var/log/htpdate.log
EnvironmentFile=/etc/default/htpdate.*
ExecStartPre=/bin/sh -c \
'[ -n "${HTTP_USER_AGENT}" ] && \
[ -n "${HTP_POOL_PAL}" ] && \
[ -n "${HTP_POOL_NEUTRAL}" ] && \
[ -n "${HTP_POOL_FOE}" ]'
'[ -n "${HTTP_USER_AGENT}" ] && \
[ -n "${HTP_POOL_1}" ] && \
[ -n "${HTP_POOL_2}" ] && \
[ -n "${HTP_POOL_3}" ]'
ExecStartPre=/bin/rm -f "${DONE_FILE}"
ExecStartPre=/bin/rm -f "${SUCCESS_FILE}"
ExecStartPre=/usr/bin/install -o htp -g nogroup -m 0644 /dev/null "${LOG}"
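Review bot: the ExecStartPre guard only tests that HTP_POOL_1, HTP_POOL_2 and HTP_POOL_3 are non-empty and prints nothing when one is missing. A leftover /etc/default/htpdate.* file that still defines only the old HTP_POOL_PAL, HTP_POOL_NEUTRAL and HTP_POOL_FOE names would therefore make the unit fail at start with no hint why. Consider writing the name of the unset variable to stderr before exiting non-zero, since the rename is exactly when this failure becomes likely.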
......@@ -26,9 +26,9 @@ ExecStart=/usr/local/sbin/htpdate \
--user htp \
--done_file "${DONE_FILE}" \
--success_file "${SUCCESS_FILE}" \
--pal_pool "${HTP_POOL_PAL}" \
--neutral_pool "${HTP_POOL_NEUTRAL}" \
--foe_pool "${HTP_POOL_FOE}" \
--pool1 "${HTP_POOL_1}" \
--pool2 "${HTP_POOL_2}" \
--pool3 "${HTP_POOL_3}" \
--proxy 127.0.0.1:9062
RemainAfterExit=yes
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_SETUID CAP_SYS_TIME
......
......@@ -95,15 +95,15 @@ sub parseCommandLine () {
[ 'log_file|l:s', "log to this file rather than to STDOUT" ],
[ 'done_file|D:s', "create this file after quitting in any way" ],
[ 'success_file|T:s', "create this file after setting time successfully" ],
[ 'pal_pool=s@', "distrusted hostnames" ],
[ 'neutral_pool=s@', "neutral hostnames" ],
[ 'foe_pool=s@', "distrusted hostnames" ],
[ 'pool1=s@', "first pool of hostnames" ],
[ 'pool2=s@', "second pool of hostnames" ],
[ 'pool3=s@', "third pool of hostnames" ],
[ 'allowed_per_pool_failure_ratio:f', "ratio (0.0-1.0) of allowed per-pool failure", { default => 1.0 } ],
[ 'proxy|p:s', "what to pass to curl's --socks5-hostname (if unset, environment variables may affect curl's behavior -- see curl(1) for details)" ],
);
usage() if $opt->help;
usage() unless $opt->pal_pool && $opt->neutral_pool && $opt->foe_pool;
usage() unless $opt->pool1 && $opt->pool2 && $opt->pool3;
$runas = $opt->user if $opt->user;
$> = getpwnam($runas) if $runas;
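Review bot: the descriptions for pool1, pool2 and pool3 ("first pool of hostnames", "second pool of hostnames", "third pool of hostnames") give no hint of what distinguishes one pool from another. A clause stating that members of different pools should be unlikely to cooperate with each other would carry the design intent into --help. Nothing in this hunk accepts the old pal_pool, neutral_pool and foe_pool spellings any more, so a caller still passing them no longer gets past option parsing; if any caller exists outside the unit file, keep the old names as deprecated aliases for one release.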
......@@ -122,7 +122,7 @@ sub parseCommandLine () {
$_ = 'https://'.$_ unless $_ =~ /^http/i;
} split(/,/, join(',', @{$_}))
]
} ($opt->pal_pool, $opt->neutral_pool, $opt->foe_pool);
} ($opt->pool1, $opt->pool2, $opt->pool3);
}
sub usage () {
......
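Review bot: on the unchanged context line `$_ = 'https://'.$_ unless $_ =~ /^http/i;`, the test matches any entry that begins with "http". An entry written with an explicit http:// scheme keeps plain HTTP, and a bare hostname that happens to start with "http" gets no scheme at all. While the pool plumbing is being touched, consider adding the prefix unless the entry matches ^https:// and rejecting entries that carry any other scheme.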
......@@ -156,11 +156,15 @@ unlikely to share logs (or other identifying data), or to agree to
send fake time information, with a member from
the the other pools. The pools are as follows:
* The "pal" pool are run by groups that are likely to take great care
* The first pool are run by groups that are likely to take great care
of their visitors' privacy.
* The "foe" pool are managed by adversaries of the "pal" pool.
* The "neutral" pool members have a neutral raltionship to both the
"pal" and "foe" pool.
* The second pool members have a neutral relationship to both the
members of the other pools.
* The third pool are managed by adversaries of the first pool.
This design does not require that we particularly trust even members
of the first pool: what we need is to minimize the chance members of
different pools conspire together against Tails users.
The pools are listed in [[!tails_gitweb config/chroot_local-includes/etc/default/htpdate.pools]].
......
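Review bot: the added item "The third pool are managed by adversaries of the first pool" keeps the pal/foe framing this commit sets out to remove. Describing the third pool by its independence from the other two would match the new closing paragraph about not needing to trust the first pool. There are wording leftovers in the same list: "The first pool are run by" and "The third pool are managed by" pair a singular subject with a plural verb, "a neutral relationship to both the members of the other pools" still carries "both" from the old phrasing, and the context line "the the other pools" has a doubled word that could be fixed in the same pass.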