[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r23306: {} Tor moved to git. Remove the contents of trunk and add a REA (tor/trunk)



Author: sebastian
Date: 2010-09-25 10:44:30 +0000 (Sat, 25 Sep 2010)
New Revision: 23306

Added:
   tor/trunk/README
Removed:
   tor/trunk/AUTHORS
   tor/trunk/ChangeLog
   tor/trunk/Doxyfile.in
   tor/trunk/INSTALL
   tor/trunk/LICENSE
   tor/trunk/Makefile.am
   tor/trunk/README
   tor/trunk/ReleaseNotes
   tor/trunk/Win32Build/
   tor/trunk/acinclude.m4
   tor/trunk/autogen.sh
   tor/trunk/configure.in
   tor/trunk/contrib/
   tor/trunk/debian/
   tor/trunk/doc/
   tor/trunk/src/
   tor/trunk/tor.spec.in
Log:
Tor moved to git. Remove the contents of trunk and add a README file that contains a pointer to the git repository.

Deleted: tor/trunk/AUTHORS
===================================================================
--- tor/trunk/AUTHORS	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/AUTHORS	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,41 +0,0 @@
-                    This file lists the authors for Tor,
-        a free software project to provide anonymity on the Internet.
-
-       For more information about Tor, see https://www.torproject.org/.
-
-             If you got this file as a part of a larger bundle,
-        there are probably other authors that you should be aware of.
-
-Main authors:
--------------
-
-Roger Dingledine <arma@xxxxxxxxxxxxx> overhauled all of the code, did
-a bunch of new design work, etc.
-
-Nick Mathewson <nickm@xxxxxxxxxxxxx> wrote lots of stuff too, in
-particular the router and descriptor parsing, and the crypto and tls
-wrappers.
-
-Matej Pfajfar <badbytes@xxxxxxxxxxxxx> wrote the first version of the code
-(called OR) in 2001-2002.
-
-Contributors:
--------------
-
-John Bashinski <jbash@xxxxxxxxxx> contributed the initial rpm spec file.
-
-Christian Grothoff <grothoff@xxxxxxxxxxxxx> contributed better daemonizing
-behavior.
-
-Steven Hazel <sah@xxxxxxxxxxxxxxxxx> made 'make install' do the right
-thing.
-
-Jason Holt <jason@xxxxxxxxxxxx> contributed patches to the instructions
-and the man page.
-
-Peter Palfrader <peter@xxxxxxxxxxxxx> maintains everything that's
-debian-specific, and has written other useful features.
-
-Aaron Turner <aturner@xxxxxxxxxxxxx> contributed the first version of
-the tor.sh initscripts shell script.
-

Deleted: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/ChangeLog	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,8503 +0,0 @@
-Changes in version 0.2.2.6-alpha - 2009-10-??
-  o Major features:
-    - Directory authorities can now create, vote, and serve on multiple
-      parallel formats of directory data as part of their voting process.
-      This is a partial implementation of Proposal 162: "Publish the
-      consensus in multiple flavors."
-    - Directory authorities can now agree on and publish small summaries of
-      router information that clients can use in place of regular server
-      descriptors.  This will eventually allow clients to use far less
-      bandwidth for downloading information about the network.  This begins
-      the implementation of of Proposal 158: "Clients download a consensus +
-      Microdescriptors".
-    - The directory voting system is now extensible to use multiple hash
-      algorithms for signatures and resource selection.  Newer formats are
-      signed with SHA256, with a possibility for moving to a better hash
-      algorithm in the future.
-    - New DisableAllSwap option. If set to 1, Tor will attempt to lock all
-      current and future memory pages. On supported platforms, this should
-      effectively disable any and all attempts to page out memory. Under the
-      hood, DisableAllSwap uses mlockall() on unix-like platforms. Windows is
-      currently unsupported. We believe that this feature works on modern
-      Gnu/Linux distributions. Mac OS X appears to be broken by design. On
-      reasonable *BSD systems it should also be supported but this is untested.
-      This option requires that you start your Tor as root. If you use
-      DisableAllSwap, please consider using the User option to properly reduce
-      the privileges of your Tor.
-
-  o Major bugfixes:
-    - Work around a security feature in OpenSSL 0.9.8l that prevents our
-      handshake from working unless we explicitly tell OpenSSL that we are
-      using SSL renegotiation safely.  We are, of course, but OpenSSL
-      0.9.8l won't work unless we say we are.
-
-  o Code simplifications and refactorings:
-    - Numerous changes, bugfixes, and workarounds from Nathan Freitas
-      to help Tor build correctly for Android phones.
-    - Begun converting Tor's signature and message digest logic to handle
-      multiple hash algorithms.
-
-  o Minor bugfixes:
-    - Fix a crash bug when trying to initialize the evdns module in
-      Libevent 2.
-    - Stop logging at severity 'warn' when some other Tor client tries
-      to establish a circuit with us using weak DH keys. It's a protocol
-      violation, but that doesn't mean ordinary users need to hear about
-      it. Fixes the bug part of bug 1114. Bugfix on 0.1.0.13.
-    - Do not refuse to learn about authority certs and v2 networkstatus
-      documents that are older than the latest consensus.  This bug might
-      have degraded client bootstrapping.  Bugfix on 0.2.0.10-alpha.
-      Spotted and fixed by xmux.
-    - Fix numerous small code-flaws found by Coverity Scan Rung 3.
-    - If all authorities restart at once right before a consensus vote,
-      nobody will vote about "Running", and clients will get a consensus
-      with no usable relays. Instead, authorities refuse to build a
-      consensus if this happens. Bugfix on 0.2.0.10-alpha; fixes bug 1066.
-    - If your relay can't keep up with the number of incoming create
-      cells, it would log one warning per failure into your logs. Limit
-      warnings to 1 per minute. Bugfix on 0.0.2pre10; fixes bug 1042.
-    - Bridges do not use the default exit policy, but reject *:* by
-      default. Fixes bug 1113.
-
-
-Changes in version 0.2.2.5-alpha - 2009-10-11
-  Tor 0.2.2.5-alpha fixes a few compile problems in 0.2.2.4-alpha.
-
-  o Major bugfixes:
-    - Make the tarball compile again. Oops. Bugfix on 0.2.2.4-alpha.
-
-  o New directory authorities:
-    - Move dizum to an alternate IP address.
-
-
-Changes in version 0.2.2.4-alpha - 2009-10-10
-  Tor 0.2.2.4-alpha fixes more crash bugs in 0.2.2.2-alpha. It also
-  introduces a new unit test framework, shifts directry authority
-  addresses around to reduce the impact from recent blocking events,
-  and fixes a few smaller bugs.
-
-  o Major bugfixes:
-    - Fix several more asserts in the circuit_build_times code, for
-      example one that causes Tor to fail to start once we have
-      accumulated 5000 build times in the state file. Bugfixes on
-      0.2.2.2-alpha; fixes bug 1108.
-
-  o New directory authorities:
-    - Move moria1 and Tonga to alternate IP addresses.
-
-  o Minor features:
-    - Log SSL state transitions at debug level during handshake, and
-      include SSL states in error messages. This may help debug future
-      SSL handshake issues.
-    - Add a new "Handshake" log domain for activities that happen
-      during the TLS handshake.
-    - Revert to the "June 3 2009" ip-to-country file. The September one
-      seems to have removed most US IP addresses.
-    - Directory authorities now reject Tor relays with versions less than
-      0.1.2.14. This step cuts out four relays from the current network,
-      none of which are very big.
-
-  o Minor bugfixes:
-    - Fix a couple of smaller issues with gathering statistics. Bugfixes
-      on 0.2.2.1-alpha.
-    - Fix two memory leaks in the error case of
-      circuit_build_times_parse_state(). Bugfix on 0.2.2.2-alpha.
-    - Don't count one-hop circuits when we're estimating how long it
-      takes circuits to build on average. Otherwise we'll set our circuit
-      build timeout lower than we should. Bugfix on 0.2.2.2-alpha.
-    - Directory authorities no longer change their opinion of, or vote on,
-      whether a router is Running, unless they have themselves been
-      online long enough to have some idea. Bugfix on 0.2.0.6-alpha.
-      Fixes bug 1023.
-
-  o Code simplifications and refactoring:
-    - Revise our unit tests to use the "tinytest" framework, so we
-      can run tests in their own processes, have smarter setup/teardown
-      code, and so on. The unit test code has moved to its own
-      subdirectory, and has been split into multiple modules.
-
-
-Changes in version 0.2.2.3-alpha - 2009-09-23
-  Tor 0.2.2.3-alpha fixes a few crash bugs in 0.2.2.2-alpha.
-
-  o Major bugfixes:
-    - Fix an overzealous assert in our new circuit build timeout code.
-      Bugfix on 0.2.2.2-alpha; fixes bug 1103.
-
-  o Minor bugfixes:
-    - If the networkstatus consensus tells us that we should use a
-      negative circuit package window, ignore it. Otherwise we'll
-      believe it and then trigger an assert. Bugfix on 0.2.2.2-alpha.
-
-
-Changes in version 0.2.2.2-alpha - 2009-09-21
-  Tor 0.2.2.2-alpha introduces our latest performance improvement for
-  clients: Tor tracks the average time it takes to build a circuit, and
-  avoids using circuits that take too long to build. For fast connections,
-  this feature can cut your expected latency in half. For slow or flaky
-  connections, it could ruin your Tor experience. Let us know if it does!
-
-  o Major features:
-    - Tor now tracks how long it takes to build client-side circuits
-      over time, and adapts its timeout to local network performance.
-      Since a circuit that takes a long time to build will also provide
-      bad performance, we get significant latency improvements by
-      discarding the slowest 20% of circuits. Specifically, Tor creates
-      circuits more aggressively than usual until it has enough data
-      points for a good timeout estimate. Implements proposal 151.
-      We are especially looking for reports (good and bad) from users with
-      both EDGE and broadband connections that can move from broadband
-      to EDGE and find out if the build-time data in the .tor/state gets
-      reset without loss of Tor usability. You should also see a notice
-      log message telling you that Tor has reset its timeout.
-    - Directory authorities can now vote on arbitary integer values as
-      part of the consensus process. This is designed to help set
-      network-wide parameters. Implements proposal 167.
-    - Tor now reads the "circwindow" parameter out of the consensus,
-      and uses that value for its circuit package window rather than the
-      default of 1000 cells. Begins the implementation of proposal 168.
-
-  o Major bugfixes:
-    - Fix a remotely triggerable memory leak when a consensus document
-      contains more than one signature from the same voter. Bugfix on
-      0.2.0.3-alpha.
-
-  o Minor bugfixes:
-    - Fix an extremely rare infinite recursion bug that could occur if
-      we tried to log a message after shutting down the log subsystem.
-      Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
-    - Fix parsing for memory or time units given without a space between
-      the number and the unit. Bugfix on 0.2.2.1-alpha; fixes bug 1076.
-    - A networkstatus vote must contain exactly one signature. Spec
-      conformance issue. Bugfix on 0.2.0.3-alpha.
-    - Fix an obscure bug where hidden services on 64-bit big-endian
-      systems might mis-read the timestamp in v3 introduce cells, and
-      refuse to connect back to the client. Discovered by "rotor".
-      Bugfix on 0.2.1.6-alpha.
-    - We were triggering a CLOCK_SKEW controller status event whenever
-      we connect via the v2 connection protocol to any relay that has
-      a wrong clock. Instead, we should only inform the controller when
-      it's a trusted authority that claims our clock is wrong. Bugfix
-      on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
-    - We were telling the controller about CHECKING_REACHABILITY and
-      REACHABILITY_FAILED status events whenever we launch a testing
-      circuit or notice that one has failed. Instead, only tell the
-      controller when we want to inform the user of overall success or
-      overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
-      by SwissTorExit.
-    - Don't warn when we're using a circuit that ends with a node
-      excluded in ExcludeExitNodes, but the circuit is not used to access
-      the outside world. This should help fix bug 1090, but more problems
-      remain. Bugfix on 0.2.1.6-alpha.
-    - Work around a small memory leak in some versions of OpenSSL that
-      stopped the memory used by the hostname TLS extension from being
-      freed.
-    - Make our 'torify' script more portable; if we have only one of
-      'torsocks' or 'tsocks' installed, don't complain to the user;
-      and explain our warning about tsocks better.
-
-  o Minor features:
-    - Add a "getinfo status/accepted-server-descriptor" controller
-      command, which is the recommended way for controllers to learn
-      whether our server descriptor has been successfully received by at
-      least on directory authority. Un-recommend good-server-descriptor
-      getinfo and status events until we have a better design for them.
-    - Update to the "September 4 2009" ip-to-country file.
-
-
-Changes in version 0.2.2.1-alpha - 2009-08-26
-  Tor 0.2.2.1-alpha disables ".exit" address notation by default, allows
-  Tor clients to bootstrap on networks where only port 80 is reachable,
-  makes it more straightforward to support hardware crypto accelerators,
-  and starts the groundwork for gathering stats safely at relays.
-
-  o Security fixes:
-    - Start the process of disabling ".exit" address notation, since it
-      can be used for a variety of esoteric application-level attacks
-      on users. To reenable it, set "AllowDotExit 1" in your torrc. Fix
-      on 0.0.9rc5.
-
-  o New directory authorities:
-    - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
-      authority.
-
-  o Major features:
-    - New AccelName and AccelDir options add support for dynamic OpenSSL
-      hardware crypto acceleration engines.
-    - Tor now supports tunneling all of its outgoing connections over
-      a SOCKS proxy, using the SOCKS4Proxy and/or SOCKS5Proxy
-      configuration options. Code by Christopher Davis.
-
-  o Major bugfixes:
-    - Send circuit or stream sendme cells when our window has decreased
-      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
-      by Karsten when testing the "reduce circuit window" performance
-      patch. Bugfix on the 54th commit on Tor -- from July 2002,
-      before the release of Tor 0.0.0. This is the new winner of the
-      oldest-bug prize.
-
-  o New options for gathering stats safely:
-    - Directories that set "DirReqStatistics 1" write statistics on
-      directory request to disk every 24 hours. As compared to the
-      --enable-geoip-stats flag in 0.2.1.x, there are a few improvements:
-      1) stats are written to disk exactly every 24 hours; 2) estimated
-      shares of v2 and v3 requests are determined as mean values, not at
-      the end of a measurement period; 3) unresolved requests are listed
-      with country code '??'; 4) directories also measure download times.
-    - Exit nodes that set "ExitPortStatistics 1" write statistics on the
-      number of exit streams and transferred bytes per port to disk every
-      24 hours.
-    - Relays that set "CellStatistics 1" write statistics on how long
-      cells spend in their circuit queues to disk every 24 hours.
-    - Entry nodes that set "EntryStatistics 1" write statistics on the
-      rough number and origins of connecting clients to disk every 24
-      hours.
-    - Relays that write any of the above statistics to disk and set
-      "ExtraInfoStatistics 1" include the past 24 hours of statistics in
-      their extra-info documents.
-
-  o Minor features:
-    - New --digests command-line switch to output the digests of the
-      source files Tor was built with.
-    - The "torify" script now uses torsocks where available.
-    - The memarea code now uses a sentinel value at the end of each area
-      to make sure nothing writes beyond the end of an area. This might
-      help debug some conceivable causes of bug 930.
-    - Time and memory units in the configuration file can now be set to
-      fractional units. For example, "2.5 GB" is now a valid value for
-      AccountingMax.
-    - Certain Tor clients (such as those behind check.torproject.org) may
-      want to fetch the consensus in an extra early manner. To enable this
-      a user may now set FetchDirInfoExtraEarly to 1. This also depends on
-      setting FetchDirInfoEarly to 1. Previous behavior will stay the same
-      as only certain clients who must have this information sooner should
-      set this option.
-    - Instead of adding the svn revision to the Tor version string, report
-      the git commit (when we're building from a git checkout).
-
-  o Minor bugfixes:
-    - If any the v3 certs we download are unparseable, we should actually
-      notice the failure so we don't retry indefinitely. Bugfix on
-      0.2.0.x; reported by "rotator".
-    - If the cached cert file is unparseable, warn but don't exit.
-    - Fix possible segmentation fault on directory authorities. Bugfix on
-      0.2.1.14-rc.
-    - When Tor fails to parse a descriptor of any kind, dump it to disk.
-      Might help diagnosing bug 1051.
-
-  o Deprecated and removed features:
-    - The controller no longer accepts the old obsolete "addr-mappings/"
-      or "unregistered-servers-" GETINFO values.
-    - Hidden services no longer publish version 0 descriptors, and clients
-      do not request or use version 0 descriptors. However, the old hidden
-      service authorities still accept and serve version 0 descriptors
-      when contacted by older hidden services/clients.
-    - The EXTENDED_EVENTS and VERBOSE_NAMES controller features are now
-      always on; using them is necessary for correct forward-compatible
-      controllers.
-    - Remove support for .noconnect style addresses. Nobody was using
-      them, and they provided another avenue for detecting Tor users
-      via application-level web tricks.
-
-  o Packaging changes:
-    - Upgrade Vidalia from 0.1.15 to 0.2.3 in the Windows and OS X
-      installer bundles. See
-      https://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.2.3/CHANGELOG
-      for details of what's new in Vidalia 0.2.3.
-    - Windows Vidalia Bundle: update Privoxy from 3.0.6 to 3.0.14-beta.
-    - OS X Vidalia Bundle: move to Polipo 1.0.4 with Tor specific
-      configuration file, rather than the old Privoxy.
-    - OS X Vidalia Bundle: Vidalia, Tor, and Polipo are compiled as
-      x86-only for better compatibility with OS X 10.6, aka Snow Leopard.
-    - OS X Tor Expert Bundle: Tor is compiled as x86-only for
-      better compatibility with OS X 10.6, aka Snow Leopard.
-    - OS X Vidalia Bundle: The multi-package installer is now replaced
-      by a simple drag and drop to the /Applications folder. This change
-      occurred with the upgrade to Vidalia 0.2.3.
-
-
-Changes in Version 0.2.1.21 - 20??-??-??
-  o Major bugfixes:
-    - Work around a security feature in OpenSSL 0.9.8l that prevents our
-      handshake from working unless we explicitly tell OpenSSL that we are
-      using SSL renegotiation safely.  We are, of course, but OpenSSL
-      0.9.8l won't work unless we say we are.
-
-  o Minor bugfixes:
-    - Do not refuse to learn about authority certs and v2 networkstatus
-      documents that are older than the latest consensus.  This bug might
-      have degraded client bootstrapping.  Bugfix on 0.2.0.10-alpha.
-      Spotted and fixed by xmux.
-    - Fix a couple of very-hard-to-trigger memory leaks, and one hard-to-
-      trigger platform-specific option misparsing case found by Coverity
-      Scan.
-
-
-Changes in version 0.2.1.20 - 2009-10-15
-  o Major bugfixes:
-    - Send circuit or stream sendme cells when our window has decreased
-      by 100 cells, not when it has decreased by 101 cells. Bug uncovered
-      by Karsten when testing the "reduce circuit window" performance
-      patch. Bugfix on the 54th commit on Tor -- from July 2002,
-      before the release of Tor 0.0.0. This is the new winner of the
-      oldest-bug prize.
-    - Fix a remotely triggerable memory leak when a consensus document
-      contains more than one signature from the same voter. Bugfix on
-      0.2.0.3-alpha.
-    - Avoid segfault in rare cases when finishing an introduction circuit
-      as a client and finding out that we don't have an introduction key
-      for it. Fixes bug 1073. Reported by Aaron Swartz.
-
-  o Major features:
-    - Tor now reads the "circwindow" parameter out of the consensus,
-      and uses that value for its circuit package window rather than the
-      default of 1000 cells. Begins the implementation of proposal 168.
-
-  o New directory authorities:
-    - Set up urras (run by Jacob Appelbaum) as the seventh v3 directory
-      authority.
-    - Move moria1 and tonga to alternate IP addresses.
-
-  o Minor bugfixes:
-    - Fix a signed/unsigned compile warning in 0.2.1.19.
-    - Fix possible segmentation fault on directory authorities. Bugfix on
-      0.2.1.14-rc.
-    - Fix an extremely rare infinite recursion bug that could occur if
-      we tried to log a message after shutting down the log subsystem.
-      Found by Matt Edman. Bugfix on 0.2.0.16-alpha.
-    - Fix an obscure bug where hidden services on 64-bit big-endian
-      systems might mis-read the timestamp in v3 introduce cells, and
-      refuse to connect back to the client. Discovered by "rotor".
-      Bugfix on 0.2.1.6-alpha.
-    - We were triggering a CLOCK_SKEW controller status event whenever
-      we connect via the v2 connection protocol to any relay that has
-      a wrong clock. Instead, we should only inform the controller when
-      it's a trusted authority that claims our clock is wrong. Bugfix
-      on 0.2.0.20-rc; starts to fix bug 1074. Reported by SwissTorExit.
-    - We were telling the controller about CHECKING_REACHABILITY and
-      REACHABILITY_FAILED status events whenever we launch a testing
-      circuit or notice that one has failed. Instead, only tell the
-      controller when we want to inform the user of overall success or
-      overall failure. Bugfix on 0.1.2.6-alpha. Fixes bug 1075. Reported
-      by SwissTorExit.
-    - Don't warn when we're using a circuit that ends with a node
-      excluded in ExcludeExitNodes, but the circuit is not used to access
-      the outside world. This should help fix bug 1090. Bugfix on
-      0.2.1.6-alpha.
-    - Work around a small memory leak in some versions of OpenSSL that
-      stopped the memory used by the hostname TLS extension from being
-      freed.
-
-  o Minor features:
-    - Add a "getinfo status/accepted-server-descriptor" controller
-      command, which is the recommended way for controllers to learn
-      whether our server descriptor has been successfully received by at
-      least on directory authority. Un-recommend good-server-descriptor
-      getinfo and status events until we have a better design for them.
-
-
-Changes in version 0.2.1.19 - 2009-07-28
-  Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
-  services on Tor 0.2.1.3-alpha through 0.2.1.18.
-
-  o Major bugfixes:
-    - Make accessing hidden services on 0.2.1.x work right again.
-      Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
-      part of patch provided by "optimist".
-
-  o Minor features:
-    - When a relay/bridge is writing out its identity key fingerprint to
-      the "fingerprint" file and to its logs, write it without spaces. Now
-      it will look like the fingerprints in our bridges documentation,
-      and confuse fewer users.
-
-  o Minor bugfixes:
-    - Relays no longer publish a new server descriptor if they change
-      their MaxAdvertisedBandwidth config option but it doesn't end up
-      changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
-      fixes bug 1026. Patch from Sebastian.
-    - Avoid leaking memory every time we get a create cell but we have
-      so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
-      fixes bug 1034. Reported by BarkerJr.
-
-
-Changes in version 0.2.1.18 - 2009-07-24
-  Tor 0.2.1.18 lays the foundations for performance improvements,
-  adds status events to help users diagnose bootstrap problems, adds
-  optional authentication/authorization for hidden services, fixes a
-  variety of potential anonymity problems, and includes a huge pile of
-  other features and bug fixes.
-
-  o Build fixes:
-    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
-
-
-Changes in version 0.2.1.17-rc - 2009-07-07
-  Tor 0.2.1.17-rc marks the fourth -- and hopefully last -- release
-  candidate for the 0.2.1.x series. It lays the groundwork for further
-  client performance improvements, and also fixes a big bug with directory
-  authorities that were causing them to assign Guard and Stable flags
-  poorly.
-
-  The Windows bundles also finally include the geoip database that we
-  thought we'd been shipping since 0.2.0.x (oops), and the OS X bundles
-  should actually install Torbutton rather than giving you a cryptic
-  failure message (oops).
-
-  o Major features:
-    - Clients now use the bandwidth values in the consensus, rather than
-      the bandwidth values in each relay descriptor. This approach opens
-      the door to more accurate bandwidth estimates once the directory
-      authorities start doing active measurements. Implements more of
-      proposal 141.
-
-  o Major bugfixes:
-    - When Tor clients restart after 1-5 days, they discard all their
-      cached descriptors as too old, but they still use the cached
-      consensus document. This approach is good for robustness, but
-      bad for performance: since they don't know any bandwidths, they
-      end up choosing at random rather than weighting their choice by
-      speed. Fixed by the above feature of putting bandwidths in the
-      consensus. Bugfix on 0.2.0.x.
-    - Directory authorities were neglecting to mark relays down in their
-      internal histories if the relays fall off the routerlist without
-      ever being found unreachable. So there were relays in the histories
-      that haven't been seen for eight months, and are listed as being
-      up for eight months. This wreaked havoc on the "median wfu"
-      and "median mtbf" calculations, in turn making Guard and Stable
-      flags very wrong, hurting network performance. Fixes bugs 696 and
-      969. Bugfix on 0.2.0.6-alpha.
-
-  o Minor bugfixes:
-    - Serve the DirPortFrontPage page even when we have been approaching
-      our quotas recently. Fixes bug 1013; bugfix on 0.2.1.8-alpha.
-    - The control port would close the connection before flushing long
-      replies, such as the network consensus, if a QUIT command was issued
-      before the reply had completed. Now, the control port flushes all
-      pending replies before closing the connection. Also fixed a spurious
-      warning when a QUIT command is issued after a malformed or rejected
-      AUTHENTICATE command, but before the connection was closed. Patch
-      by Marcus Griep. Bugfix on 0.2.0.x; fixes bugs 1015 and 1016.
-    - When we can't find an intro key for a v2 hidden service descriptor,
-      fall back to the v0 hidden service descriptor and log a bug message.
-      Workaround for bug 1024.
-    - Fix a log message that did not respect the SafeLogging option.
-      Resolves bug 1027.
-
-  o Minor features:
-    - If we're a relay and we change our IP address, be more verbose
-      about the reason that made us change. Should help track down
-      further bugs for relays on dynamic IP addresses.
-
-
-Changes in version 0.2.0.35 - 2009-06-24
-  o Security fix:
-    - Avoid crashing in the presence of certain malformed descriptors.
-      Found by lark, and by automated fuzzing.
-    - Fix an edge case where a malicious exit relay could convince a
-      controller that the client's DNS question resolves to an internal IP
-      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
-
-  o Major bugfixes:
-    - Finally fix the bug where dynamic-IP relays disappear when their
-      IP address changes: directory mirrors were mistakenly telling
-      them their old address if they asked via begin_dir, so they
-      never got an accurate answer about their new address, so they
-      just vanished after a day. For belt-and-suspenders, relays that
-      don't set Address in their config now avoid using begin_dir for
-      all direct connections. Should fix bugs 827, 883, and 900.
-    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
-      that would occur on some exit nodes when DNS failures and timeouts
-      occurred in certain patterns. Fix for bug 957.
-
-  o Minor bugfixes:
-    - When starting with a cache over a few days old, do not leak
-      memory for the obsolete router descriptors in it. Bugfix on
-      0.2.0.33; fixes bug 672.
-    - Hidden service clients didn't use a cached service descriptor that
-      was older than 15 minutes, but wouldn't fetch a new one either,
-      because there was already one in the cache. Now, fetch a v2
-      descriptor unless the same descriptor was added to the cache within
-      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
-
-
-Changes in version 0.2.1.16-rc - 2009-06-20
-  Tor 0.2.1.16-rc speeds up performance for fast exit relays, and fixes
-  a bunch of minor bugs.
-
-  o Security fixes:
-    - Fix an edge case where a malicious exit relay could convince a
-      controller that the client's DNS question resolves to an internal IP
-      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
-
-  o Major performance improvements (on 0.2.0.x):
-    - Disable and refactor some debugging checks that forced a linear scan
-      over the whole server-side DNS cache. These accounted for over 50%
-      of CPU time on a relatively busy exit node's gprof profile. Found
-      by Jacob.
-    - Disable some debugging checks that appeared in exit node profile
-      data.
-
-  o Minor features:
-    - Update to the "June 3 2009" ip-to-country file.
-    - Do not have tor-resolve automatically refuse all .onion addresses;
-      if AutomapHostsOnResolve is set in your torrc, this will work fine.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - Log correct error messages for DNS-related network errors on
-      Windows.
-    - Fix a race condition that could cause crashes or memory corruption
-      when running as a server with a controller listening for log
-      messages.
-    - Avoid crashing when we have a policy specified in a DirPolicy or
-      SocksPolicy or ReachableAddresses option with ports set on it,
-      and we re-load the policy. May fix bug 996.
-    - Hidden service clients didn't use a cached service descriptor that
-      was older than 15 minutes, but wouldn't fetch a new one either,
-      because there was already one in the cache. Now, fetch a v2
-      descriptor unless the same descriptor was added to the cache within
-      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
-
-  o Minor bugfixes (on 0.2.1.x):
-    - Don't warn users about low port and hibernation mix when they
-      provide a *ListenAddress directive to fix that. Bugfix on
-      0.2.1.15-rc.
-    - When switching back and forth between bridge mode, do not start
-      gathering GeoIP data until two hours have passed.
-    - Do not complain that the user has requested an excluded node as
-      an exit when the node is not really an exit. This could happen
-      because the circuit was for testing, or an introduction point.
-      Fix for bug 984.
-
-
-Changes in version 0.2.1.15-rc - 2009-05-25
-  Tor 0.2.1.15-rc marks the second release candidate for the 0.2.1.x
-  series. It fixes a major bug on fast exit relays, as well as a variety
-  of more minor bugs.
-
-  o Major bugfixes (on 0.2.0.x):
-    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
-      that would occur on some exit nodes when DNS failures and timeouts
-      occurred in certain patterns. Fix for bug 957.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - Actually return -1 in the error case for read_bandwidth_usage().
-      Harmless bug, since we currently don't care about the return value
-      anywhere. Bugfix on 0.2.0.9-alpha.
-    - Provide a more useful log message if bug 977 (related to buffer
-      freelists) ever reappears, and do not crash right away.
-    - Fix an assertion failure on 64-bit platforms when we allocated
-      memory right up to the end of a memarea, then realigned the memory
-      one step beyond the end. Fixes a possible cause of bug 930.
-    - Protect the count of open sockets with a mutex, so we can't
-      corrupt it when two threads are closing or opening sockets at once.
-      Fix for bug 939. Bugfix on 0.2.0.1-alpha.
-    - Don't allow a bridge to publish its router descriptor to a
-      non-bridge directory authority. Fixes part of bug 932.
-    - When we change to or from being a bridge, reset our counts of
-      client usage by country. Fixes bug 932.
-    - Fix a bug that made stream bandwidth get misreported to the
-      controller.
-    - Stop using malloc_usable_size() to use more area than we had
-      actually allocated: it was safe, but made valgrind really unhappy.
-    - Fix a memory leak when v3 directory authorities load their keys
-      and cert from disk. Bugfix on 0.2.0.1-alpha.
-
-  o Minor bugfixes (on 0.2.1.x):
-    - Fix use of freed memory when deciding to mark a non-addable
-      descriptor as never-downloadable. Bugfix on 0.2.1.9-alpha.
-
-
-Changes in version 0.2.1.14-rc - 2009-04-12
-  Tor 0.2.1.14-rc marks the first release candidate for the 0.2.1.x
-  series. It begins fixing some major performance problems, and also
-  finally addresses the bug that was causing relays on dynamic IP
-  addresses to fall out of the directory.
-
-  o Major features:
-    - Clients replace entry guards that were chosen more than a few months
-      ago. This change should significantly improve client performance,
-      especially once more people upgrade, since relays that have been
-      a guard for a long time are currently overloaded.
-
-  o Major bugfixes (on 0.2.0):
-    - Finally fix the bug where dynamic-IP relays disappear when their
-      IP address changes: directory mirrors were mistakenly telling
-      them their old address if they asked via begin_dir, so they
-      never got an accurate answer about their new address, so they
-      just vanished after a day. For belt-and-suspenders, relays that
-      don't set Address in their config now avoid using begin_dir for
-      all direct connections. Should fix bugs 827, 883, and 900.
-    - Relays were falling out of the networkstatus consensus for
-      part of a day if they changed their local config but the
-      authorities discarded their new descriptor as "not sufficiently
-      different". Now directory authorities accept a descriptor as changed
-      if bandwidthrate or bandwidthburst changed. Partial fix for bug 962;
-      patch by Sebastian.
-    - Avoid crashing in the presence of certain malformed descriptors.
-      Found by lark, and by automated fuzzing.
-
-  o Minor features:
-    - When generating circuit events with verbose nicknames for
-      controllers, try harder to look up nicknames for routers on a
-      circuit. (Previously, we would look in the router descriptors we had
-      for nicknames, but not in the consensus.) Partial fix for bug 941.
-    - If the bridge config line doesn't specify a port, assume 443.
-      This makes bridge lines a bit smaller and easier for users to
-      understand.
-    - Raise the minimum bandwidth to be a relay from 20000 bytes to 20480
-      bytes (aka 20KB/s), to match our documentation. Also update
-      directory authorities so they always assign the Fast flag to relays
-      with 20KB/s of capacity. Now people running relays won't suddenly
-      find themselves not seeing any use, if the network gets faster
-      on average.
-    - Update to the "April 3 2009" ip-to-country file.
-
-  o Minor bugfixes:
-    - Avoid trying to print raw memory to the logs when we decide to
-      give up on downloading a given relay descriptor. Bugfix on
-      0.2.1.9-alpha.
-    - In tor-resolve, when the Tor client to use is specified by
-      <hostname>:<port>, actually use the specified port rather than
-      defaulting to 9050. Bugfix on 0.2.1.6-alpha.
-    - Make directory usage recording work again. Bugfix on 0.2.1.6-alpha.
-    - When starting with a cache over a few days old, do not leak
-      memory for the obsolete router descriptors in it. Bugfix on
-      0.2.0.33.
-    - Avoid double-free on list of successfully uploaded hidden
-      service discriptors. Fix for bug 948. Bugfix on 0.2.1.6-alpha.
-    - Change memarea_strndup() implementation to work even when
-      duplicating a string at the end of a page. This bug was
-      harmless for now, but could have meant crashes later. Fix by
-      lark. Bugfix on 0.2.1.1-alpha.
-    - Limit uploaded directory documents to be 16M rather than 500K.
-      The directory authorities were refusing v3 consensus votes from
-      other authorities, since the votes are now 504K. Fixes bug 959;
-      bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
-    - Directory authorities should never send a 503 "busy" response to
-      requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
-      bug 959.
-
-
-Changes in version 0.2.1.13-alpha - 2009-03-09
-  Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
-  cleanups. We're finally getting close to a release candidate.
-
-  o Major bugfixes:
-    - Correctly update the list of which countries we exclude as
-      exits, when the GeoIP file is loaded or reloaded. Diagnosed by
-      lark. Bugfix on 0.2.1.6-alpha.
-
-  o Minor bugfixes (on 0.2.0.x and earlier):
-    - Automatically detect MacOSX versions earlier than 10.4.0, and
-      disable kqueue from inside Tor when running with these versions.
-      We previously did this from the startup script, but that was no
-      help to people who didn't use the startup script. Resolves bug 863.
-    - When we had picked an exit node for a connection, but marked it as
-      "optional", and it turned out we had no onion key for the exit,
-      stop wanting that exit and try again. This situation may not
-      be possible now, but will probably become feasible with proposal
-      158. Spotted by rovv. Fixes another case of bug 752.
-    - Clients no longer cache certificates for authorities they do not
-      recognize. Bugfix on 0.2.0.9-alpha.
-    - When we can't transmit a DNS request due to a network error, retry
-      it after a while, and eventually transmit a failing response to
-      the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
-    - If the controller claimed responsibility for a stream, but that
-      stream never finished making its connection, it would live
-      forever in circuit_wait state. Now we close it after SocksTimeout
-      seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
-    - Drop begin cells to a hidden service if they come from the middle
-      of a circuit. Patch from lark.
-    - When we erroneously receive two EXTEND cells for the same circuit
-      ID on the same connection, drop the second. Patch from lark.
-    - Fix a crash that occurs on exit nodes when a nameserver request
-      timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
-      been suppressing the bug since 0.1.2.10-alpha. Partial fix for
-      bug 929.
-    - Do not assume that a stack-allocated character array will be
-      64-bit aligned on platforms that demand that uint64_t access is
-      aligned. Possible fix for bug 604.
-    - Parse dates and IPv4 addresses in a locale- and libc-independent
-      manner, to avoid platform-dependent behavior on malformed input.
-    - Build correctly when configured to build outside the main source
-      path. Patch from Michael Gold.
-    - We were already rejecting relay begin cells with destination port
-      of 0. Now also reject extend cells with destination port or address
-      of 0. Suggested by lark.
-
-  o Minor bugfixes (on 0.2.1.x):
-    - Don't re-extend introduction circuits if we ran out of RELAY_EARLY
-      cells. Bugfix on 0.2.1.3-alpha. Fixes more of bug 878.
-    - If we're an exit node, scrub the IP address to which we are exiting
-      in the logs. Bugfix on 0.2.1.8-alpha.
-
-  o Minor features:
-    - On Linux, use the prctl call to re-enable core dumps when the user
-      is option is set.
-    - New controller event NEWCONSENSUS that lists the networkstatus
-      lines for every recommended relay. Now controllers like Torflow
-      can keep up-to-date on which relays they should be using.
-    - Update to the "February 26 2009" ip-to-country file.
-
-
-Changes in version 0.2.0.34 - 2009-02-08
-  Tor 0.2.0.34 features several more security-related fixes. You should
-  upgrade, especially if you run an exit relay (remote crash) or a
-  directory authority (remote infinite loop), or you're on an older
-  (pre-XP) or not-recently-patched Windows (remote exploit).
-
-  This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
-  have many known flaws, and nobody should be using them. You should
-  upgrade. If you're using a Linux or BSD and its packages are obsolete,
-  stop using those packages and upgrade anyway.
-
-  o Security fixes:
-    - Fix an infinite-loop bug on handling corrupt votes under certain
-      circumstances. Bugfix on 0.2.0.8-alpha.
-    - Fix a temporary DoS vulnerability that could be performed by
-      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
-    - Avoid a potential crash on exit nodes when processing malformed
-      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
-    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
-      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
-
-  o Minor bugfixes:
-    - Fix compilation on systems where time_t is a 64-bit integer.
-      Patch from Matthias Drochner.
-    - Don't consider expiring already-closed client connections. Fixes
-      bug 893. Bugfix on 0.0.2pre20.
-
-
-Changes in version 0.2.1.12-alpha - 2009-02-08
-  Tor 0.2.1.12-alpha features several more security-related fixes. You
-  should upgrade, especially if you run an exit relay (remote crash) or
-  a directory authority (remote infinite loop), or you're on an older
-  (pre-XP) or not-recently-patched Windows (remote exploit). It also
-  includes a big pile of minor bugfixes and cleanups.
-
-  o Security fixes:
-    - Fix an infinite-loop bug on handling corrupt votes under certain
-      circumstances. Bugfix on 0.2.0.8-alpha.
-    - Fix a temporary DoS vulnerability that could be performed by
-      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
-    - Avoid a potential crash on exit nodes when processing malformed
-      input. Remote DoS opportunity. Bugfix on 0.2.1.7-alpha.
-
-  o Minor bugfixes:
-    - Let controllers actually ask for the "clients_seen" event for
-      getting usage summaries on bridge relays. Bugfix on 0.2.1.10-alpha;
-      reported by Matt Edman.
-    - Fix a compile warning on OSX Panther. Fixes bug 913; bugfix against
-      0.2.1.11-alpha.
-    - Fix a bug in address parsing that was preventing bridges or hidden
-      service targets from being at IPv6 addresses.
-    - Solve a bug that kept hardware crypto acceleration from getting
-      enabled when accounting was turned on. Fixes bug 907. Bugfix on
-      0.0.9pre6.
-    - Remove a bash-ism from configure.in to build properly on non-Linux
-      platforms. Bugfix on 0.2.1.1-alpha.
-    - Fix code so authorities _actually_ send back X-Descriptor-Not-New
-      headers. Bugfix on 0.2.0.10-alpha.
-    - Don't consider expiring already-closed client connections. Fixes
-      bug 893. Bugfix on 0.0.2pre20.
-    - Fix another interesting corner-case of bug 891 spotted by rovv:
-      Previously, if two hosts had different amounts of clock drift, and
-      one of them created a new connection with just the wrong timing,
-      the other might decide to deprecate the new connection erroneously.
-      Bugfix on 0.1.1.13-alpha.
-    - Resolve a very rare crash bug that could occur when the user forced
-      a nameserver reconfiguration during the middle of a nameserver
-      probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
-    - Support changing value of ServerDNSRandomizeCase during SIGHUP.
-      Bugfix on 0.2.1.7-alpha.
-    - If we're using bridges and our network goes away, be more willing
-      to forgive our bridges and try again when we get an application
-      request. Bugfix on 0.2.0.x.
-
-  o Minor features:
-    - Support platforms where time_t is 64 bits long. (Congratulations,
-      NetBSD!) Patch from Matthias Drochner.
-    - Add a 'getinfo status/clients-seen' controller command, in case
-      controllers want to hear clients_seen events but connect late.
-
-  o Build changes:
-    - Disable GCC's strict alias optimization by default, to avoid the
-      likelihood of its introducing subtle bugs whenever our code violates
-      the letter of C99's alias rules.
-
-
-Changes in version 0.2.0.33 - 2009-01-21
-  Tor 0.2.0.33 fixes a variety of bugs that were making relays less
-  useful to users. It also finally fixes a bug where a relay or client
-  that's been off for many days would take a long time to bootstrap.
-
-  This update also fixes an important security-related bug reported by
-  Ilja van Sprundel. You should upgrade. (We'll send out more details
-  about the bug once people have had some time to upgrade.)
-
-  o Security fixes:
-    - Fix a heap-corruption bug that may be remotely triggerable on
-      some platforms. Reported by Ilja van Sprundel.
-
-  o Major bugfixes:
-    - When a stream at an exit relay is in state "resolving" or
-      "connecting" and it receives an "end" relay cell, the exit relay
-      would silently ignore the end cell and not close the stream. If
-      the client never closes the circuit, then the exit relay never
-      closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
-      reported by "wood".
-    - When sending CREATED cells back for a given circuit, use a 64-bit
-      connection ID to find the right connection, rather than an addr:port
-      combination. Now that we can have multiple OR connections between
-      the same ORs, it is no longer possible to use addr:port to uniquely
-      identify a connection.
-    - Bridge relays that had DirPort set to 0 would stop fetching
-      descriptors shortly after startup, and then briefly resume
-      after a new bandwidth test and/or after publishing a new bridge
-      descriptor. Bridge users that try to bootstrap from them would
-      get a recent networkstatus but would get descriptors from up to
-      18 hours earlier, meaning most of the descriptors were obsolete
-      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
-    - Prevent bridge relays from serving their 'extrainfo' document
-      to anybody who asks, now that extrainfo docs include potentially
-      sensitive aggregated client geoip summaries. Bugfix on
-      0.2.0.13-alpha.
-    - If the cached networkstatus consensus is more than five days old,
-      discard it rather than trying to use it. In theory it could be
-      useful because it lists alternate directory mirrors, but in practice
-      it just means we spend many minutes trying directory mirrors that
-      are long gone from the network. Also discard router descriptors as
-      we load them if they are more than five days old, since the onion
-      key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
-
-  o Minor bugfixes:
-    - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
-      could make gcc generate non-functional binary search code. Bugfix
-      on 0.2.0.10-alpha.
-    - Build correctly on platforms without socklen_t.
-    - Compile without warnings on solaris.
-    - Avoid potential crash on internal error during signature collection.
-      Fixes bug 864. Patch from rovv.
-    - Correct handling of possible malformed authority signing key
-      certificates with internal signature types. Fixes bug 880.
-      Bugfix on 0.2.0.3-alpha.
-    - Fix a hard-to-trigger resource leak when logging credential status.
-      CID 349.
-    - When we can't initialize DNS because the network is down, do not
-      automatically stop Tor from starting. Instead, we retry failed
-      dns_init() every 10 minutes, and change the exit policy to reject
-      *:* until one succeeds. Fixes bug 691.
-    - Use 64 bits instead of 32 bits for connection identifiers used with
-      the controller protocol, to greatly reduce risk of identifier reuse.
-    - When we're choosing an exit node for a circuit, and we have
-      no pending streams, choose a good general exit rather than one that
-      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
-    - Fix another case of assuming, when a specific exit is requested,
-      that we know more than the user about what hosts it allows.
-      Fixes one case of bug 752. Patch from rovv.
-    - Clip the MaxCircuitDirtiness config option to a minimum of 10
-      seconds. Warn the user if lower values are given in the
-      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
-    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
-      user if lower values are given in the configuration. Bugfix on
-      0.1.1.17-rc. Patch by Sebastian.
-    - Fix a memory leak when we decline to add a v2 rendezvous descriptor to
-      the cache because we already had a v0 descriptor with the same ID.
-      Bugfix on 0.2.0.18-alpha.
-    - Fix a race condition when freeing keys shared between main thread
-      and CPU workers that could result in a memory leak. Bugfix on
-      0.1.0.1-rc. Fixes bug 889.
-    - Send a valid END cell back when a client tries to connect to a
-      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
-      840. Patch from rovv.
-    - Check which hops rendezvous stream cells are associated with to
-      prevent possible guess-the-streamid injection attacks from
-      intermediate hops. Fixes another case of bug 446. Based on patch
-      from rovv.
-    - If a broken client asks a non-exit router to connect somewhere,
-      do not even do the DNS lookup before rejecting the connection.
-      Fixes another case of bug 619. Patch from rovv.
-    - When a relay gets a create cell it can't decrypt (e.g. because it's
-      using the wrong onion key), we were dropping it and letting the
-      client time out. Now actually answer with a destroy cell. Fixes
-      bug 904. Bugfix on 0.0.2pre8.
-
-  o Minor bugfixes (hidden services):
-    - Do not throw away existing introduction points on SIGHUP. Bugfix on
-      0.0.6pre1. Patch by Karsten. Fixes bug 874.
-
-  o Minor features:
-    - Report the case where all signatures in a detached set are rejected
-      differently than the case where there is an error handling the
-      detached set.
-    - When we realize that another process has modified our cached
-      descriptors, print out a more useful error message rather than
-      triggering an assertion. Fixes bug 885. Patch from Karsten.
-    - Implement the 0x20 hack to better resist DNS poisoning: set the
-      case on outgoing DNS requests randomly, and reject responses that do
-      not match the case correctly. This logic can be disabled with the
-      ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
-      of servers that do not reliably preserve case in replies. See
-      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
-      for more info.
-    - Check DNS replies for more matching fields to better resist DNS
-      poisoning.
-    - Never use OpenSSL compression: it wastes RAM and CPU trying to
-      compress cells, which are basically all encrypted, compressed, or
-      both.
-
-
-Changes in version 0.2.1.11-alpha - 2009-01-20
-  Tor 0.2.1.11-alpha finishes fixing the "if your Tor is off for a
-  week it will take a long time to bootstrap again" bug. It also fixes
-  an important security-related bug reported by Ilja van Sprundel. You
-  should upgrade. (We'll send out more details about the bug once people
-  have had some time to upgrade.)
-
-  o Security fixes:
-    - Fix a heap-corruption bug that may be remotely triggerable on
-      some platforms. Reported by Ilja van Sprundel.
-
-  o Major bugfixes:
-    - Discard router descriptors as we load them if they are more than
-      five days old. Otherwise if Tor is off for a long time and then
-      starts with cached descriptors, it will try to use the onion
-      keys in those obsolete descriptors when building circuits. Bugfix
-      on 0.2.0.x. Fixes bug 887.
-
-  o Minor features:
-    - Try to make sure that the version of Libevent we're running with
-      is binary-compatible with the one we built with. May address bug
-      897 and others.
-    - Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
-      for bug 905. Bugfix on 0.2.1.7-alpha.
-    - Add a new --enable-local-appdata configuration switch to change
-      the default location of the datadir on win32 from APPDATA to
-      LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
-      entirely. Patch from coderman.
-
-  o Minor bugfixes:
-    - Make outbound DNS packets respect the OutboundBindAddress setting.
-      Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
-    - When our circuit fails at the first hop (e.g. we get a destroy
-      cell back), avoid using that OR connection anymore, and also
-      tell all the one-hop directory requests waiting for it that they
-      should fail. Bugfix on 0.2.1.3-alpha.
-    - In the torify(1) manpage, mention that tsocks will leak your
-      DNS requests.
-
-
-Changes in version 0.2.1.10-alpha - 2009-01-06
-  Tor 0.2.1.10-alpha fixes two major bugs in bridge relays (one that
-  would make the bridge relay not so useful if it had DirPort set to 0,
-  and one that could let an attacker learn a little bit of information
-  about the bridge's users), and a bug that would cause your Tor relay
-  to ignore a circuit create request it can't decrypt (rather than reply
-  with an error). It also fixes a wide variety of other bugs.
-
-  o Major bugfixes:
-    - If the cached networkstatus consensus is more than five days old,
-      discard it rather than trying to use it. In theory it could
-      be useful because it lists alternate directory mirrors, but in
-      practice it just means we spend many minutes trying directory
-      mirrors that are long gone from the network. Helps bug 887 a bit;
-      bugfix on 0.2.0.x.
-    - Bridge relays that had DirPort set to 0 would stop fetching
-      descriptors shortly after startup, and then briefly resume
-      after a new bandwidth test and/or after publishing a new bridge
-      descriptor. Bridge users that try to bootstrap from them would
-      get a recent networkstatus but would get descriptors from up to
-      18 hours earlier, meaning most of the descriptors were obsolete
-      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
-    - Prevent bridge relays from serving their 'extrainfo' document
-      to anybody who asks, now that extrainfo docs include potentially
-      sensitive aggregated client geoip summaries. Bugfix on
-      0.2.0.13-alpha.
-
-  o Minor features:
-    - New controller event "clients_seen" to report a geoip-based summary
-      of which countries we've seen clients from recently. Now controllers
-      like Vidalia can show bridge operators that they're actually making
-      a difference.
-    - Build correctly against versions of OpenSSL 0.9.8 or later built
-      without support for deprecated functions.
-    - Update to the "December 19 2008" ip-to-country file.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - Authorities now vote for the Stable flag for any router whose
-      weighted MTBF is at least 5 days, regardless of the mean MTBF.
-    - Do not remove routers as too old if we do not have any consensus
-      document. Bugfix on 0.2.0.7-alpha.
-    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
-      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
-    - When an exit relay resolves a stream address to a local IP address,
-      do not just keep retrying that same exit relay over and
-      over. Instead, just close the stream. Addresses bug 872. Bugfix
-      on 0.2.0.32. Patch from rovv.
-    - If a hidden service sends us an END cell, do not consider
-      retrying the connection; just close it. Patch from rovv.
-    - When we made bridge authorities stop serving bridge descriptors over
-      unencrypted links, we also broke DirPort reachability testing for
-      bridges. So bridges with a non-zero DirPort were printing spurious
-      warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
-    - When a relay gets a create cell it can't decrypt (e.g. because it's
-      using the wrong onion key), we were dropping it and letting the
-      client time out. Now actually answer with a destroy cell. Fixes
-      bug 904. Bugfix on 0.0.2pre8.
-    - Squeeze 2-5% out of client performance (according to oprofile) by
-      improving the implementation of some policy-manipulation functions.
-
-  o Minor bugfixes (on 0.2.1.x):
-    - Make get_interface_address() function work properly again; stop
-      guessing the wrong parts of our address as our address.
-    - Do not cannibalize a circuit if we're out of RELAY_EARLY cells to
-      send on that circuit. Otherwise we might violate the proposal-110
-      limit. Bugfix on 0.2.1.3-alpha. Partial fix for bug 878. Diagnosis
-      thanks to Karsten.
-    - When we're sending non-EXTEND cells to the first hop in a circuit,
-      for example to use an encrypted directory connection, we don't need
-      to use RELAY_EARLY cells: the first hop knows what kind of cell
-      it is, and nobody else can even see the cell type. Conserving
-      RELAY_EARLY cells makes it easier to cannibalize circuits like
-      this later.
-    - Stop logging nameserver addresses in reverse order.
-    - If we are retrying a directory download slowly over and over, do
-      not automatically give up after the 254th failure. Bugfix on
-      0.2.1.9-alpha.
-    - Resume reporting accurate "stream end" reasons to the local control
-      port. They were lost in the changes for Proposal 148. Bugfix on
-      0.2.1.9-alpha.
-
-  o Deprecated and removed features:
-    - The old "tor --version --version" command, which would print out
-      the subversion "Id" of most of the source files, is now removed. It
-      turned out to be less useful than we'd expected, and harder to
-      maintain.
-
-  o Code simplifications and refactoring:
-    - Change our header file guard macros to be less likely to conflict
-      with system headers. Adam Langley noticed that we were conflicting
-      with log.h on Android.
-    - Tool-assisted documentation cleanup. Nearly every function or
-      static variable in Tor should have its own documentation now.
-
-
-Changes in version 0.2.1.9-alpha - 2008-12-25
-  Tor 0.2.1.9-alpha fixes many more bugs, some of them security-related.
-
-  o New directory authorities:
-    - gabelmoo (the authority run by Karsten Loesing) now has a new
-      IP address.
-
-  o Security fixes:
-    - Never use a connection with a mismatched address to extend a
-      circuit, unless that connection is canonical. A canonical
-      connection is one whose address is authenticated by the router's
-      identity key, either in a NETINFO cell or in a router descriptor.
-    - Avoid a possible memory corruption bug when receiving hidden service
-      descriptors. Bugfix on 0.2.1.6-alpha.
-
-  o Major bugfixes:
-    - Fix a logic error that would automatically reject all but the first
-      configured DNS server. Bugfix on 0.2.1.5-alpha. Possible fix for
-      part of bug 813/868. Bug spotted by coderman.
-    - When a stream at an exit relay is in state "resolving" or
-      "connecting" and it receives an "end" relay cell, the exit relay
-      would silently ignore the end cell and not close the stream. If
-      the client never closes the circuit, then the exit relay never
-      closes the TCP connection. Bug introduced in 0.1.2.1-alpha;
-      reported by "wood".
-    - When we can't initialize DNS because the network is down, do not
-      automatically stop Tor from starting. Instead, retry failed
-      dns_init() every 10 minutes, and change the exit policy to reject
-      *:* until one succeeds. Fixes bug 691.
-
-  o Minor features:
-    - Give a better error message when an overzealous init script says
-      "sudo -u username tor --user username". Makes Bug 882 easier for
-      users to diagnose.
-    - When a directory authority gives us a new guess for our IP address,
-      log which authority we used. Hopefully this will help us debug
-      the recent complaints about bad IP address guesses.
-    - Detect svn revision properly when we're using git-svn.
-    - Try not to open more than one descriptor-downloading connection
-      to an authority at once. This should reduce load on directory
-      authorities. Fixes bug 366.
-    - Add cross-certification to newly generated certificates, so that
-      a signing key is enough information to look up a certificate.
-      Partial implementation of proposal 157.
-    - Start serving certificates by <identity digest, signing key digest>
-      pairs. Partial implementation of proposal 157.
-    - Clients now never report any stream end reason except 'MISC'.
-      Implements proposal 148.
-    - On platforms with a maximum syslog string length, truncate syslog
-      messages to that length ourselves, rather than relying on the
-      system to do it for us.
-    - Optimize out calls to time(NULL) that occur for every IO operation,
-      or for every cell. On systems where time() is a slow syscall,
-      this fix will be slightly helpful.
-    - Exit servers can now answer resolve requests for ip6.arpa addresses.
-    - When we download a descriptor that we then immediately (as
-      a directory authority) reject, do not retry downloading it right
-      away. Should save some bandwidth on authorities. Fix for bug
-      888. Patch by Sebastian Hahn.
-    - When a download gets us zero good descriptors, do not notify
-      Tor that new directory information has arrived.
-    - Avoid some nasty corner cases in the logic for marking connections
-      as too old or obsolete or noncanonical for circuits.  Partial
-      bugfix on bug 891.
-
-  o Minor features (controller):
-    - New CONSENSUS_ARRIVED event to note when a new consensus has
-      been fetched and validated.
-    - When we realize that another process has modified our cached
-      descriptors file, print out a more useful error message rather
-      than triggering an assertion. Fixes bug 885. Patch from Karsten.
-    - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
-      controllers to prevent SIGHUP from reloading the
-      configuration. Fixes bug 856.
-
-  o Minor bugfixes:
-    - Resume using the correct "REASON=" stream when telling the
-      controller why we closed a stream. Bugfix in 0.2.1.1-alpha.
-    - When a canonical connection appears later in our internal list
-      than a noncanonical one for a given OR ID, always use the
-      canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
-      Spotted by rovv.
-    - Clip the MaxCircuitDirtiness config option to a minimum of 10
-      seconds. Warn the user if lower values are given in the
-      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
-    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
-      user if lower values are given in the configuration. Bugfix on
-      0.1.1.17-rc. Patch by Sebastian.
-    - Fix a race condition when freeing keys shared between main thread
-      and CPU workers that could result in a memory leak. Bugfix on
-      0.1.0.1-rc. Fixes bug 889.
-
-  o Minor bugfixes (hidden services):
-    - Do not throw away existing introduction points on SIGHUP (bugfix on
-      0.0.6pre1); also, do not stall hidden services because we're
-      throwing away introduction points; bugfix on 0.2.1.7-alpha. Spotted
-      by John Brooks. Patch by Karsten. Fixes bug 874.
-    - Fix a memory leak when we decline to add a v2 rendezvous
-      descriptor to the cache because we already had a v0 descriptor
-      with the same ID. Bugfix on 0.2.0.18-alpha.
-
-  o Deprecated and removed features:
-    - RedirectExits has been removed. It was deprecated since
-      0.2.0.3-alpha.
-    - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
-      has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
-    - Cell pools are now always enabled; --disable-cell-pools is ignored.
-
-  o Code simplifications and refactoring:
-    - Rename the confusing or_is_obsolete field to the more appropriate
-      is_bad_for_new_circs, and move it to or_connection_t where it
-      belongs.
-    - Move edge-only flags from connection_t to edge_connection_t: not
-      only is this better coding, but on machines of plausible alignment,
-      it should save 4-8 bytes per connection_t. "Every little bit helps."
-    - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
-      for consistency; keep old option working for backward compatibility.
-    - Simplify the code for finding connections to use for a circuit.
-
-
-Changes in version 0.2.1.8-alpha - 2008-12-08
-  Tor 0.2.1.8-alpha fixes some crash bugs in earlier alpha releases,
-  builds better on unusual platforms like Solaris and old OS X, and
-  fixes a variety of other issues.
-
-  o Major features:
-    - New DirPortFrontPage option that takes an html file and publishes
-      it as "/" on the DirPort. Now relay operators can provide a
-      disclaimer without needing to set up a separate webserver. There's
-      a sample disclaimer in contrib/tor-exit-notice.html.
-
-  o Security fixes:
-    - When the client is choosing entry guards, now it selects at most
-      one guard from a given relay family. Otherwise we could end up with
-      all of our entry points into the network run by the same operator.
-      Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
-
-  o Major bugfixes:
-    - Fix a DOS opportunity during the voting signature collection process
-      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
-    - Fix a possible segfault when establishing an exit connection. Bugfix
-      on 0.2.1.5-alpha.
-
-  o Minor bugfixes:
-    - Get file locking working on win32. Bugfix on 0.2.1.6-alpha. Fixes
-      bug 859.
-    - Made Tor a little less aggressive about deleting expired
-      certificates. Partial fix for bug 854.
-    - Stop doing unaligned memory access that generated bus errors on
-      sparc64. Bugfix on 0.2.0.10-alpha. Fix for bug 862.
-    - Fix a crash bug when changing EntryNodes from the controller. Bugfix
-      on 0.2.1.6-alpha. Fix for bug 867. Patched by Sebastian.
-    - Make USR2 log-level switch take effect immediately. Bugfix on
-      0.1.2.8-beta.
-    - If one win32 nameserver fails to get added, continue adding the
-      rest, and don't automatically fail.
-    - Use fcntl() for locking when flock() is not available. Should fix
-      compilation on Solaris. Should fix Bug 873. Bugfix on 0.2.1.6-alpha.
-    - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
-      could make gcc generate non-functional binary search code. Bugfix
-      on 0.2.0.10-alpha.
-    - Build correctly on platforms without socklen_t.
-    - Avoid potential crash on internal error during signature collection.
-      Fixes bug 864. Patch from rovv.
-    - Do not use C's stdio library for writing to log files. This will
-      improve logging performance by a minute amount, and will stop
-      leaking fds when our disk is full. Fixes bug 861.
-    - Stop erroneous use of O_APPEND in cases where we did not in fact
-      want to re-seek to the end of a file before every last write().
-    - Correct handling of possible malformed authority signing key
-      certificates with internal signature types. Fixes bug 880. Bugfix
-      on 0.2.0.3-alpha.
-    - Fix a hard-to-trigger resource leak when logging credential status.
-      CID 349.
-
-  o Minor features:
-    - Directory mirrors no longer fetch the v1 directory or
-      running-routers files. They are obsolete, and nobody asks for them
-      anymore. This is the first step to making v1 authorities obsolete.
-
-  o Minor features (controller):
-    - Return circuit purposes in response to GETINFO circuit-status. Fixes
-      bug 858.
-
-
-Changes in version 0.2.0.32 - 2008-11-20
-  Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
-  packages (and maybe other packages) noticed by Theo de Raadt, fixes
-  a smaller security flaw that might allow an attacker to access local
-  services, further improves hidden service performance, and fixes a
-  variety of other issues.
-
-  o Security fixes:
-    - The "User" and "Group" config options did not clear the
-      supplementary group entries for the Tor process. The "User" option
-      is now more robust, and we now set the groups to the specified
-      user's primary group. The "Group" option is now ignored. For more
-      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
-      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
-      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
-    - The "ClientDNSRejectInternalAddresses" config option wasn't being
-      consistently obeyed: if an exit relay refuses a stream because its
-      exit policy doesn't allow it, we would remember what IP address
-      the relay said the destination address resolves to, even if it's
-      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
-
-  o Major bugfixes:
-    - Fix a DOS opportunity during the voting signature collection process
-      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
-
-  o Major bugfixes (hidden services):
-    - When fetching v0 and v2 rendezvous service descriptors in parallel,
-      we were failing the whole hidden service request when the v0
-      descriptor fetch fails, even if the v2 fetch is still pending and
-      might succeed. Similarly, if the last v2 fetch fails, we were
-      failing the whole hidden service request even if a v0 fetch is
-      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
-    - When extending a circuit to a hidden service directory to upload a
-      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
-      requests failed, because the router descriptor has not been
-      downloaded yet. In these cases, do not attempt to upload the
-      rendezvous descriptor, but wait until the router descriptor is
-      downloaded and retry. Likewise, do not attempt to fetch a rendezvous
-      descriptor from a hidden service directory for which the router
-      descriptor has not yet been downloaded. Fixes bug 767. Bugfix
-      on 0.2.0.10-alpha.
-
-  o Minor bugfixes:
-    - Fix several infrequent memory leaks spotted by Coverity.
-    - When testing for libevent functions, set the LDFLAGS variable
-      correctly. Found by Riastradh.
-    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
-      bootstrapping with tunneled directory connections. Bugfix on
-      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
-    - When asked to connect to A.B.exit:80, if we don't know the IP for A
-      and we know that server B rejects most-but-not all connections to
-      port 80, we would previously reject the connection. Now, we assume
-      the user knows what they were asking for. Fixes bug 752. Bugfix
-      on 0.0.9rc5. Diagnosed by BarkerJr.
-    - If we overrun our per-second write limits a little, count this as
-      having used up our write allocation for the second, and choke
-      outgoing directory writes. Previously, we had only counted this when
-      we had met our limits precisely. Fixes bug 824. Patch from by rovv.
-      Bugfix on 0.2.0.x (??).
-    - Remove the old v2 directory authority 'lefkada' from the default
-      list. It has been gone for many months.
-    - Stop doing unaligned memory access that generated bus errors on
-      sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
-    - Make USR2 log-level switch take effect immediately. Bugfix on
-      0.1.2.8-beta.
-
-  o Minor bugfixes (controller):
-    - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
-      0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
-
-
-Changes in version 0.2.1.7-alpha - 2008-11-08
-  Tor 0.2.1.7-alpha fixes a major security problem in Debian and Ubuntu
-  packages (and maybe other packages) noticed by Theo de Raadt, fixes
-  a smaller security flaw that might allow an attacker to access local
-  services, adds better defense against DNS poisoning attacks on exit
-  relays, further improves hidden service performance, and fixes a
-  variety of other issues.
-
-  o Security fixes:
-    - The "ClientDNSRejectInternalAddresses" config option wasn't being
-      consistently obeyed: if an exit relay refuses a stream because its
-      exit policy doesn't allow it, we would remember what IP address
-      the relay said the destination address resolves to, even if it's
-      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
-    - The "User" and "Group" config options did not clear the
-      supplementary group entries for the Tor process. The "User" option
-      is now more robust, and we now set the groups to the specified
-      user's primary group. The "Group" option is now ignored. For more
-      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
-      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
-      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848.
-    - Do not use or believe expired v3 authority certificates. Patch
-      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
-
-  o Minor features:
-    - Now NodeFamily and MyFamily config options allow spaces in
-      identity fingerprints, so it's easier to paste them in.
-      Suggested by Lucky Green.
-    - Implement the 0x20 hack to better resist DNS poisoning: set the
-      case on outgoing DNS requests randomly, and reject responses that do
-      not match the case correctly. This logic can be disabled with the
-      ServerDNSRandomizeCase setting, if you are using one of the 0.3%
-      of servers that do not reliably preserve case in replies. See
-      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
-      for more info.
-    - Preserve case in replies to DNSPort requests in order to support
-      the 0x20 hack for resisting DNS poisoning attacks.
-
-  o Hidden service performance improvements:
-    - When the client launches an introduction circuit, retry with a
-      new circuit after 30 seconds rather than 60 seconds.
-    - Launch a second client-side introduction circuit in parallel
-      after a delay of 15 seconds (based on work by Christian Wilms).
-    - Hidden services start out building five intro circuits rather
-      than three, and when the first three finish they publish a service
-      descriptor using those. Now we publish our service descriptor much
-      faster after restart.
-
-  o Minor bugfixes:
-    - Minor fix in the warning messages when you're having problems
-      bootstrapping; also, be more forgiving of bootstrap problems when
-      we're still making incremental progress on a given bootstrap phase.
-    - When we're choosing an exit node for a circuit, and we have
-      no pending streams, choose a good general exit rather than one that
-      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
-    - Send a valid END cell back when a client tries to connect to a
-      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
-      840. Patch from rovv.
-    - If a broken client asks a non-exit router to connect somewhere,
-      do not even do the DNS lookup before rejecting the connection.
-      Fixes another case of bug 619. Patch from rovv.
-    - Fix another case of assuming, when a specific exit is requested,
-      that we know more than the user about what hosts it allows.
-      Fixes another case of bug 752. Patch from rovv.
-    - Check which hops rendezvous stream cells are associated with to
-      prevent possible guess-the-streamid injection attacks from
-      intermediate hops. Fixes another case of bug 446. Based on patch
-      from rovv.
-    - Avoid using a negative right-shift when comparing 32-bit
-      addresses. Possible fix for bug 845 and bug 811.
-    - Make the assert_circuit_ok() function work correctly on circuits that
-      have already been marked for close.
-    - Fix read-off-the-end-of-string error in unit tests when decoding
-      introduction points.
-    - Fix uninitialized size field for memory area allocation: may improve
-      memory performance during directory parsing.
-    - Treat duplicate certificate fetches as failures, so that we do
-      not try to re-fetch an expired certificate over and over and over.
-    - Do not say we're fetching a certificate when we'll in fact skip it
-      because of a pending download.
-
-
-Changes in version 0.2.1.6-alpha - 2008-09-30
-  Tor 0.2.1.6-alpha further improves performance and robustness of
-  hidden services, starts work on supporting per-country relay selection,
-  and fixes a variety of smaller issues.
-
-  o Major features:
-    - Implement proposal 121: make it possible to build hidden services
-      that only certain clients are allowed to connect to. This is
-      enforced at several points, so that unauthorized clients are unable
-      to send INTRODUCE cells to the service, or even (depending on the
-      type of authentication) to learn introduction points. This feature
-      raises the bar for certain kinds of active attacks against hidden
-      services. Code by Karsten Loesing.
-    - Relays now store and serve v2 hidden service descriptors by default,
-      i.e., the new default value for HidServDirectoryV2 is 1. This is
-      the last step in proposal 114, which aims to make hidden service
-      lookups more reliable.
-    - Start work to allow node restrictions to include country codes. The
-      syntax to exclude nodes in a country with country code XX is
-      "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
-      refinement to decide what config options should take priority if
-      you ask to both use a particular node and exclude it.
-    - Allow ExitNodes list to include IP ranges and country codes, just
-      like the Exclude*Nodes lists. Patch from Robert Hogan.
-
-  o Major bugfixes:
-    - Fix a bug when parsing ports in tor_addr_port_parse() that caused
-      Tor to fail to start if you had it configured to use a bridge
-      relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
-    - When extending a circuit to a hidden service directory to upload a
-      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
-      requests failed, because the router descriptor had not been
-      downloaded yet. In these cases, we now wait until the router
-      descriptor is downloaded, and then retry. Likewise, clients
-      now skip over a hidden service directory if they don't yet have
-      its router descriptor, rather than futilely requesting it and
-      putting mysterious complaints in the logs. Fixes bug 767. Bugfix
-      on 0.2.0.10-alpha.
-    - When fetching v0 and v2 rendezvous service descriptors in parallel,
-      we were failing the whole hidden service request when the v0
-      descriptor fetch fails, even if the v2 fetch is still pending and
-      might succeed. Similarly, if the last v2 fetch fails, we were
-      failing the whole hidden service request even if a v0 fetch is
-      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
-    - DNS replies need to have names matching their requests, but
-      these names should be in the questions section, not necessarily
-      in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.
-
-  o Minor features:
-    - Update to the "September 1 2008" ip-to-country file.
-    - Allow ports 465 and 587 in the default exit policy again. We had
-      rejected them in 0.1.0.15, because back in 2005 they were commonly
-      misconfigured and ended up as spam targets. We hear they are better
-      locked down these days.
-    - Use a lockfile to make sure that two Tor processes are not
-      simultaneously running with the same datadir.
-    - Serve the latest v3 networkstatus consensus via the control
-      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
-    - Better logging about stability/reliability calculations on directory
-      servers.
-    - Drop the requirement to have an open dir port for storing and
-      serving v2 hidden service descriptors.
-    - Directory authorities now serve a /tor/dbg-stability.txt URL to
-      help debug WFU and MTBF calculations.
-    - Implement most of Proposal 152: allow specialized servers to permit
-      single-hop circuits, and clients to use those servers to build
-      single-hop circuits when using a specialized controller. Patch
-      from Josh Albrecht. Resolves feature request 768.
-    - Add a -p option to tor-resolve for specifying the SOCKS port: some
-      people find host:port too confusing.
-    - Make TrackHostExit mappings expire a while after their last use, not
-      after their creation. Patch from Robert Hogan.
-    - Provide circuit purposes along with circuit events to the controller.
-
-  o Minor bugfixes:
-    - Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
-      Reported by Tas.
-    - Fixed some memory leaks -- some quite frequent, some almost
-      impossible to trigger -- based on results from Coverity.
-    - When testing for libevent functions, set the LDFLAGS variable
-      correctly. Found by Riastradh.
-    - Fix an assertion bug in parsing policy-related options; possible fix
-      for bug 811.
-    - Catch and report a few more bootstrapping failure cases when Tor
-      fails to establish a TCP connection. Cleanup on 0.2.1.x.
-    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
-      bootstrapping with tunneled directory connections. Bugfix on
-      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
-    - When asked to connect to A.B.exit:80, if we don't know the IP for A
-      and we know that server B rejects most-but-not all connections to
-      port 80, we would previously reject the connection. Now, we assume
-      the user knows what they were asking for. Fixes bug 752. Bugfix
-      on 0.0.9rc5. Diagnosed by BarkerJr.
-    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
-      service directories if they have no advertised dir port. Bugfix
-      on 0.2.0.10-alpha.
-    - If we overrun our per-second write limits a little, count this as
-      having used up our write allocation for the second, and choke
-      outgoing directory writes. Previously, we had only counted this when
-      we had met our limits precisely. Fixes bug 824. Patch by rovv.
-      Bugfix on 0.2.0.x (??).
-    - Avoid a "0 divided by 0" calculation when calculating router uptime
-      at directory authorities. Bugfix on 0.2.0.8-alpha.
-    - Make DNS resolved controller events into "CLOSED", not
-      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
-      bug 807.
-    - Fix a bug where an unreachable relay would establish enough
-      reachability testing circuits to do a bandwidth test -- if
-      we already have a connection to the middle hop of the testing
-      circuit, then it could establish the last hop by using the existing
-      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
-      circuits no longer use entry guards in 0.2.1.3-alpha.
-    - If we have correct permissions on $datadir, we complain to stdout
-      and fail to start. But dangerous permissions on
-      $datadir/cached-status/ would cause us to open a log and complain
-      there. Now complain to stdout and fail to start in both cases. Fixes
-      bug 820, reported by seeess.
-    - Remove the old v2 directory authority 'lefkada' from the default
-      list. It has been gone for many months.
-
-  o Code simplifications and refactoring:
-    - Revise the connection_new functions so that a more typesafe variant
-      exists. This will work better with Coverity, and let us find any
-      actual mistakes we're making here.
-    - Refactor unit testing logic so that dmalloc can be used sensibly
-      with unit tests to check for memory leaks.
-    - Move all hidden-service related fields from connection and circuit
-      structure to substructures: this way they won't eat so much memory.
-
-
-Changes in version 0.2.0.31 - 2008-09-03
-  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
-  a big bug we're seeing where in rare cases traffic from one Tor stream
-  gets mixed into another stream, and fixes a variety of smaller issues.
-
-  o Major bugfixes:
-    - Make sure that two circuits can never exist on the same connection
-      with the same circuit ID, even if one is marked for close. This
-      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
-    - Relays now reject risky extend cells: if the extend cell includes
-      a digest of all zeroes, or asks to extend back to the relay that
-      sent the extend cell, tear down the circuit. Ideas suggested
-      by rovv.
-    - If not enough of our entry guards are available so we add a new
-      one, we might use the new one even if it overlapped with the
-      current circuit's exit relay (or its family). Anonymity bugfix
-      pointed out by rovv.
-
-  o Minor bugfixes:
-    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
-      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
-    - Correctly detect the presence of the linux/netfilter_ipv4.h header
-      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
-    - Pick size of default geoip filename string correctly on windows.
-      Fixes bug 806. Bugfix on 0.2.0.30.
-    - Make the autoconf script accept the obsolete --with-ssl-dir
-      option as an alias for the actually-working --with-openssl-dir
-      option. Fix the help documentation to recommend --with-openssl-dir.
-      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
-    - When using the TransPort option on OpenBSD, and using the User
-      option to change UID and drop privileges, make sure to open
-      /dev/pf before dropping privileges. Fixes bug 782. Patch from
-      Christopher Davis. Bugfix on 0.1.2.1-alpha.
-    - Try to attach connections immediately upon receiving a RENDEZVOUS2
-      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
-      on the client side when connecting to a hidden service. Bugfix
-      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
-    - When closing an application-side connection because its circuit is
-      getting torn down, generate the stream event correctly. Bugfix on
-      0.1.2.x. Anonymous patch.
-
-
-Changes in version 0.2.1.5-alpha - 2008-08-31
-  Tor 0.2.1.5-alpha moves us closer to handling IPv6 destinations, puts
-  in a lot of the infrastructure for adding authorization to hidden
-  services, lays the groundwork for having clients read their load
-  balancing information out of the networkstatus consensus rather than
-  the individual router descriptors, addresses two potential anonymity
-  issues, and fixes a variety of smaller issues.
-
-  o Major features:
-    - Convert many internal address representations to optionally hold
-      IPv6 addresses.
-    - Generate and accept IPv6 addresses in many protocol elements.
-    - Make resolver code handle nameservers located at ipv6 addresses.
-    - Begin implementation of proposal 121 ("Client authorization for
-      hidden services"): configure hidden services with client
-      authorization, publish descriptors for them, and configure
-      authorization data for hidden services at clients. The next
-      step is to actually access hidden services that perform client
-      authorization.
-    - More progress toward proposal 141: Network status consensus
-      documents and votes now contain bandwidth information for each
-      router and a summary of that router's exit policy. Eventually this
-      will be used by clients so that they do not have to download every
-      known descriptor before building circuits.
-
-  o Major bugfixes (on 0.2.0.x and before):
-    - When sending CREATED cells back for a given circuit, use a 64-bit
-      connection ID to find the right connection, rather than an addr:port
-      combination. Now that we can have multiple OR connections between
-      the same ORs, it is no longer possible to use addr:port to uniquely
-      identify a connection.
-    - Relays now reject risky extend cells: if the extend cell includes
-      a digest of all zeroes, or asks to extend back to the relay that
-      sent the extend cell, tear down the circuit. Ideas suggested
-      by rovv.
-    - If not enough of our entry guards are available so we add a new
-      one, we might use the new one even if it overlapped with the
-      current circuit's exit relay (or its family). Anonymity bugfix
-      pointed out by rovv.
-
-  o Minor bugfixes:
-    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
-      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
-    - When using the TransPort option on OpenBSD, and using the User
-      option to change UID and drop privileges, make sure to open /dev/pf
-      before dropping privileges. Fixes bug 782. Patch from Christopher
-      Davis. Bugfix on 0.1.2.1-alpha.
-    - Correctly detect the presence of the linux/netfilter_ipv4.h header
-      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
-    - Add a missing safe_str() call for a debug log message.
-    - Use 64 bits instead of 32 bits for connection identifiers used with
-      the controller protocol, to greatly reduce risk of identifier reuse.
-    - Make the autoconf script accept the obsolete --with-ssl-dir
-      option as an alias for the actually-working --with-openssl-dir
-      option. Fix the help documentation to recommend --with-openssl-dir.
-      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
-
-  o Minor features:
-    - Rate-limit too-many-sockets messages: when they happen, they happen
-      a lot. Resolves bug 748.
-    - Resist DNS poisoning a little better by making sure that names in
-      answer sections match.
-    - Print the SOCKS5 error message string as well as the error code
-      when a tor-resolve request fails. Patch from Jacob.
-
-
-Changes in version 0.2.1.4-alpha - 2008-08-04
-  Tor 0.2.1.4-alpha fixes a pair of crash bugs in 0.2.1.3-alpha.
-
-  o Major bugfixes:
-    - The address part of exit policies was not correctly written
-      to router descriptors. This generated router descriptors that failed
-      their self-checks. Noticed by phobos, fixed by Karsten. Bugfix
-      on 0.2.1.3-alpha.
-    - Tor triggered a false assert when extending a circuit to a relay
-      but we already have a connection open to that relay. Noticed by
-      phobos, fixed by Karsten. Bugfix on 0.2.1.3-alpha.
-
-  o Minor bugfixes:
-    - Fix a hidden service logging bug: in some edge cases, the router
-      descriptor of a previously picked introduction point becomes
-      obsolete and we need to give up on it rather than continually
-      complaining that it has become obsolete. Observed by xiando. Bugfix
-      on 0.2.1.3-alpha.
-
-  o Removed features:
-    - Take out the TestVia config option, since it was a workaround for
-      a bug that was fixed in Tor 0.1.1.21.
-
-
-Changes in version 0.2.1.3-alpha - 2008-08-03
-  Tor 0.2.1.3-alpha implements most of the pieces to prevent
-  infinite-length circuit attacks (see proposal 110); fixes a bug that
-  might cause exit relays to corrupt streams they send back; allows
-  address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and
-  ExcludeExitNodes config options; and fixes a big pile of bugs.
-
-  o Bootstrapping bugfixes (on 0.2.1.x-alpha):
-    - Send a bootstrap problem "warn" event on the first problem if the
-      reason is NO_ROUTE (that is, our network is down).
-
-  o Major features:
-    - Implement most of proposal 110: The first K cells to be sent
-      along a circuit are marked as special "early" cells; only K "early"
-      cells will be allowed. Once this code is universal, we can block
-      certain kinds of DOS attack by requiring that EXTEND commands must
-      be sent using an "early" cell.
-
-  o Major bugfixes:
-    - Try to attach connections immediately upon receiving a RENDEZVOUS2
-      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
-      on the client side when connecting to a hidden service. Bugfix
-      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
-    - Ensure that two circuits can never exist on the same connection
-      with the same circuit ID, even if one is marked for close. This
-      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
-
-  o Minor features:
-    - When relays do their initial bandwidth measurement, don't limit
-      to just our entry guards for the test circuits. Otherwise we tend
-      to have multiple test circuits going through a single entry guard,
-      which makes our bandwidth test less accurate. Fixes part of bug 654;
-      patch contributed by Josh Albrecht.
-    - Add an ExcludeExitNodes option so users can list a set of nodes
-      that should be be excluded from the exit node position, but
-      allowed elsewhere. Implements proposal 151.
-    - Allow address patterns (e.g., 255.128.0.0/16) to appear in
-      ExcludeNodes and ExcludeExitNodes lists.
-    - Change the implementation of ExcludeNodes and ExcludeExitNodes to
-      be more efficient. Formerly it was quadratic in the number of
-      servers; now it should be linear. Fixes bug 509.
-    - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
-      and n_conn_id_digest fields into a separate structure that's
-      only needed when the circuit has not yet attached to an n_conn.
-
-  o Minor bugfixes:
-    - Change the contrib/tor.logrotate script so it makes the new
-      logs as "_tor:_tor" rather than the default, which is generally
-      "root:wheel". Fixes bug 676, reported by Serge Koksharov.
-    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
-      warnings (occasionally), but it can also cause the compiler to
-      eliminate error-checking code. Suggested by Peter Gutmann.
-    - When a hidden service is giving up on an introduction point candidate
-      that was not included in the last published rendezvous descriptor,
-      don't reschedule publication of the next descriptor. Fixes bug 763.
-      Bugfix on 0.0.9.3.
-    - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
-      HiddenServiceExcludeNodes as obsolete: they never worked properly,
-      and nobody claims to be using them. Fixes bug 754. Bugfix on
-      0.1.0.1-rc. Patch from Christian Wilms.
-    - Fix a small alignment and memory-wasting bug on buffer chunks.
-      Spotted by rovv.
-
-  o Minor bugfixes (controller):
-    - When closing an application-side connection because its circuit
-      is getting torn down, generate the stream event correctly.
-      Bugfix on 0.1.2.x. Anonymous patch.
-
-  o Removed features:
-    - Remove all backward-compatibility code to support relays running
-      versions of Tor so old that they no longer work at all on the
-      Tor network.
-
-
-Changes in version 0.2.0.30 - 2008-07-15
-  o Minor bugfixes:
-    - Stop using __attribute__((nonnull)) with GCC: it can give us useful
-      warnings (occasionally), but it can also cause the compiler to
-      eliminate error-checking code. Suggested by Peter Gutmann.
-
-
-Changes in version 0.2.0.29-rc - 2008-07-08
-  Tor 0.2.0.29-rc fixes two big bugs with using bridges, fixes more
-  hidden-service performance bugs, and fixes a bunch of smaller bugs.
-
-  o Major bugfixes:
-    - If you have more than one bridge but don't know their keys,
-      you would only launch a request for the descriptor of the first one
-      on your list. (Tor considered launching requests for the others, but
-      found that it already had a connection on the way for $0000...0000
-      so it didn't open another.) Bugfix on 0.2.0.x.
-    - If you have more than one bridge but don't know their keys, and the
-      connection to one of the bridges failed, you would cancel all
-      pending bridge connections. (After all, they all have the same
-      digest.) Bugfix on 0.2.0.x.
-    - When a hidden service was trying to establish an introduction point,
-      and Tor had built circuits preemptively for such purposes, we
-      were ignoring all the preemptive circuits and launching a new one
-      instead. Bugfix on 0.2.0.14-alpha.
-    - When a hidden service was trying to establish an introduction point,
-      and Tor *did* manage to reuse one of the preemptively built
-      circuits, it didn't correctly remember which one it used,
-      so it asked for another one soon after, until there were no
-      more preemptive circuits, at which point it launched one from
-      scratch. Bugfix on 0.0.9.x.
-    - Make directory servers include the X-Your-Address-Is: http header in
-      their responses even for begin_dir conns. Now clients who only
-      ever use begin_dir connections still have a way to learn their IP
-      address. Fixes bug 737; bugfix on 0.2.0.22-rc. Reported by goldy.
-
-  o Minor bugfixes:
-    - Fix a macro/CPP interaction that was confusing some compilers:
-      some GCCs don't like #if/#endif pairs inside macro arguments.
-      Fixes bug 707.
-    - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
-      Fixes bug 704; fix from Steven Murdoch.
-    - When opening /dev/null in finish_daemonize(), do not pass the
-      O_CREAT flag. Fortify was complaining, and correctly so. Fixes
-      bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
-    - Correctly detect transparent proxy support on Linux hosts that
-      require in.h to be included before netfilter_ipv4.h. Patch
-      from coderman.
-    - Disallow session resumption attempts during the renegotiation
-      stage of the v2 handshake protocol. Clients should never be trying
-      session resumption at this point, but apparently some did, in
-      ways that caused the handshake to fail. Bugfix on 0.2.0.20-rc. Bug
-      found by Geoff Goodell.
-
-
-Changes in version 0.2.1.2-alpha - 2008-06-20
-  Tor 0.2.1.2-alpha includes a new "TestingTorNetwork" config option to
-  make it easier to set up your own private Tor network; fixes several
-  big bugs with using more than one bridge relay; fixes a big bug with
-  offering hidden services quickly after Tor starts; and uses a better
-  API for reporting potential bootstrapping problems to the controller.
-
-  o Major features:
-    - New TestingTorNetwork config option to allow adjustment of
-      previously constant values that, while reasonable, could slow
-      bootstrapping. Implements proposal 135. Patch from Karsten.
-
-  o Major bugfixes:
-    - If you have more than one bridge but don't know their digests,
-      you would only learn a request for the descriptor of the first one
-      on your list. (Tor considered launching requests for the others, but
-      found that it already had a connection on the way for $0000...0000
-      so it didn't open another.) Bugfix on 0.2.0.x.
-    - If you have more than one bridge but don't know their digests,
-      and the connection to one of the bridges failed, you would cancel
-      all pending bridge connections. (After all, they all have the
-      same digest.) Bugfix on 0.2.0.x.
-    - When establishing a hidden service, introduction points that
-      originate from cannibalized circuits are completely ignored and not
-      included in rendezvous service descriptors. This might be another
-      reason for delay in making a hidden service available. Bugfix
-      from long ago (0.0.9.x?)
-
-  o Minor features:
-    - Allow OpenSSL to use dynamic locks if it wants.
-    - When building a consensus, do not include routers that are down.
-      This will cut down 30% to 40% on consensus size. Implements
-      proposal 138.
-    - In directory authorities' approved-routers files, allow
-      fingerprints with or without space.
-    - Add a "GETINFO /status/bootstrap-phase" controller option, so the
-      controller can query our current bootstrap state in case it attaches
-      partway through and wants to catch up.
-    - Send an initial "Starting" bootstrap status event, so we have a
-      state to start out in.
-
-  o Minor bugfixes:
-    - Asking for a conditional consensus at .../consensus/<fingerprints>
-      would crash a dirserver if it did not already have a
-      consensus. Bugfix on 0.2.1.1-alpha.
-    - Clean up some macro/CPP interactions: some GCC versions don't like
-      #if/#endif pairs inside macro arguments. Fixes bug 707. Bugfix on
-      0.2.0.x.
-
-  o Bootstrapping bugfixes (on 0.2.1.1-alpha):
-    - Directory authorities shouldn't complain about bootstrapping
-      problems just because they do a lot of reachability testing and
-      some of the connection attempts fail.
-    - Start sending "count" and "recommendation" key/value pairs in
-      bootstrap problem status events, so the controller can hear about
-      problems even before Tor decides they're worth reporting for sure.
-    - If you're using bridges, generate "bootstrap problem" warnings
-      as soon as you run out of working bridges, rather than waiting
-      for ten failures -- which will never happen if you have less than
-      ten bridges.
-    - If we close our OR connection because there's been a circuit
-      pending on it for too long, we were telling our bootstrap status
-      events "REASON=NONE". Now tell them "REASON=TIMEOUT".
-
-
-Changes in version 0.2.1.1-alpha - 2008-06-13
-  Tor 0.2.1.1-alpha fixes a lot of memory fragmentation problems that
-  were making the Tor process bloat especially on Linux; makes our TLS
-  handshake blend in better; sends "bootstrap phase" status events to
-  the controller, so it can keep the user informed of progress (and
-  problems) fetching directory information and establishing circuits;
-  and adds a variety of smaller features.
-
-  o Major features:
-    - More work on making our TLS handshake blend in: modify the list
-      of ciphers advertised by OpenSSL in client mode to even more
-      closely resemble a common web browser. We cheat a little so that
-      we can advertise ciphers that the locally installed OpenSSL doesn't
-      know about.
-    - Start sending "bootstrap phase" status events to the controller,
-      so it can keep the user informed of progress fetching directory
-      information and establishing circuits. Also inform the controller
-      if we think we're stuck at a particular bootstrap phase. Implements
-      proposal 137.
-    - Resume using OpenSSL's RAND_poll() for better (and more portable)
-      cross-platform entropy collection again. We used to use it, then
-      stopped using it because of a bug that could crash systems that
-      called RAND_poll when they had a lot of fds open. It looks like the
-      bug got fixed in late 2006. Our new behavior is to call RAND_poll()
-      at startup, and to call RAND_poll() when we reseed later only if
-      we have a non-buggy OpenSSL version.
-
-  o Major bugfixes:
-    - When we choose to abandon a new entry guard because we think our
-      older ones might be better, close any circuits pending on that
-      new entry guard connection. This fix should make us recover much
-      faster when our network is down and then comes back. Bugfix on
-      0.1.2.8-beta; found by lodger.
-
-  o Memory fixes and improvements:
-    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
-      to avoid unused RAM in buffer chunks and memory pools.
-    - Speed up parsing and cut down on memory fragmentation by using
-      stack-style allocations for parsing directory objects. Previously,
-      this accounted for over 40% of allocations from within Tor's code
-      on a typical directory cache.
-    - Use a Bloom filter rather than a digest-based set to track which
-      descriptors we need to keep around when we're cleaning out old
-      router descriptors. This speeds up the computation significantly,
-      and may reduce fragmentation.
-    - Reduce the default smartlist size from 32 to 16; it turns out that
-      most smartlists hold around 8-12 elements tops.
-    - Make dumpstats() log the fullness and size of openssl-internal
-      buffers.
-    - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
-      patch to their OpenSSL, turn it on to save memory on servers. This
-      patch will (with any luck) get included in a mainline distribution
-      before too long.
-    - Never use OpenSSL compression: it wastes RAM and CPU trying to
-      compress cells, which are basically all encrypted, compressed,
-      or both.
-
-  o Minor bugfixes:
-    - Stop reloading the router list from disk for no reason when we
-      run out of reachable directory mirrors. Once upon a time reloading
-      it would set the 'is_running' flag back to 1 for them. It hasn't
-      done that for a long time.
-    - In very rare situations new hidden service descriptors were
-      published earlier than 30 seconds after the last change to the
-      service. (We currently think that a hidden service descriptor
-      that's been stable for 30 seconds is worth publishing.)
-
-  o Minor features:
-    - Allow separate log levels to be configured for different logging
-      domains. For example, this allows one to log all notices, warnings,
-      or errors, plus all memory management messages of level debug or
-      higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
-    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
-      and stop using a warning that had become unfixably verbose under
-      GCC 4.3.
-    - New --hush command-line option similar to --quiet. While --quiet
-      disables all logging to the console on startup, --hush limits the
-      output to messages of warning and error severity.
-    - Servers support a new URL scheme for consensus downloads that
-      allows the client to specify which authorities are trusted.
-      The server then only sends the consensus if the client will trust
-      it. Otherwise a 404 error is sent back. Clients use this
-      new scheme when the server supports it (meaning it's running
-      0.2.1.1-alpha or later). Implements proposal 134.
-    - New configure/torrc options (--enable-geoip-stats,
-      DirRecordUsageByCountry) to record how many IPs we've served
-      directory info to in each country code, how many status documents
-      total we've sent to each country code, and what share of the total
-      directory requests we should expect to see.
-    - Use the TLS1 hostname extension to more closely resemble browser
-      behavior.
-    - Lots of new unit tests.
-    - Add a macro to implement the common pattern of iterating through
-      two parallel lists in lockstep.
-
-
-Changes in version 0.2.0.28-rc - 2008-06-13
-  Tor 0.2.0.28-rc fixes an anonymity-related bug, fixes a hidden-service
-  performance bug, and fixes a bunch of smaller bugs.
-
-  o Anonymity fixes:
-    - Fix a bug where, when we were choosing the 'end stream reason' to
-      put in our relay end cell that we send to the exit relay, Tor
-      clients on Windows were sometimes sending the wrong 'reason'. The
-      anonymity problem is that exit relays may be able to guess whether
-      the client is running Windows, thus helping partition the anonymity
-      set. Down the road we should stop sending reasons to exit relays,
-      or otherwise prevent future versions of this bug.
-
-  o Major bugfixes:
-    - While setting up a hidden service, some valid introduction circuits
-      were overlooked and abandoned. This might be the reason for
-      the long delay in making a hidden service available. Bugfix on
-      0.2.0.14-alpha.
-
-  o Minor features:
-    - Update to the "June 9 2008" ip-to-country file.
-    - Run 'make test' as part of 'make dist', so we stop releasing so
-      many development snapshots that fail their unit tests.
-
-  o Minor bugfixes:
-    - When we're checking if we have enough dir info for each relay
-      to begin establishing circuits, make sure that we actually have
-      the descriptor listed in the consensus, not just any descriptor.
-      Bugfix on 0.1.2.x.
-    - Bridge relays no longer print "xx=0" in their extrainfo document
-      for every single country code in the geoip db. Bugfix on
-      0.2.0.27-rc.
-    - Only warn when we fail to load the geoip file if we were planning to
-      include geoip stats in our extrainfo document. Bugfix on 0.2.0.27-rc.
-    - If we change our MaxAdvertisedBandwidth and then reload torrc,
-      Tor won't realize it should publish a new relay descriptor. Fixes
-      bug 688, reported by mfr. Bugfix on 0.1.2.x.
-    - When we haven't had any application requests lately, don't bother
-      logging that we have expired a bunch of descriptors. Bugfix
-      on 0.1.2.x.
-    - Make relay cells written on a connection count as non-padding when
-      tracking how long a connection has been in use. Bugfix on
-      0.2.0.1-alpha. Spotted by lodger.
-    - Fix unit tests in 0.2.0.27-rc.
-    - Fix compile on Windows.
-
-
-Changes in version 0.2.0.27-rc - 2008-06-03
-  Tor 0.2.0.27-rc adds a few features we left out of the earlier
-  release candidates. In particular, we now include an IP-to-country
-  GeoIP database, so controllers can easily look up what country a
-  given relay is in, and so bridge relays can give us some sanitized
-  summaries about which countries are making use of bridges. (See proposal
-  126-geoip-fetching.txt for details.)
-
-  o Major features:
-    - Include an IP-to-country GeoIP file in the tarball, so bridge
-      relays can report sanitized summaries of the usage they're seeing.
-
-  o Minor features:
-    - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
-      Robert Hogan. Fixes the first part of bug 681.
-    - Make bridge authorities never serve extrainfo docs.
-    - Add support to detect Libevent versions in the 1.4.x series
-      on mingw.
-    - Fix build on gcc 4.3 with --enable-gcc-warnings set.
-    - Include a new contrib/tor-exit-notice.html file that exit relay
-      operators can put on their website to help reduce abuse queries.
-
-  o Minor bugfixes:
-    - When tunneling an encrypted directory connection, and its first
-      circuit fails, do not leave it unattached and ask the controller
-      to deal. Fixes the second part of bug 681.
-    - Make bridge authorities correctly expire old extrainfo documents
-      from time to time.
-
-
-Changes in version 0.2.0.26-rc - 2008-05-13
-  Tor 0.2.0.26-rc fixes a major security vulnerability caused by a bug
-  in Debian's OpenSSL packages. All users running any 0.2.0.x version
-  should upgrade, whether they're running Debian or not.
-
-  o Major security fixes:
-    - Use new V3 directory authority keys on the tor26, gabelmoo, and
-      moria1 V3 directory authorities. The old keys were generated with
-      a vulnerable version of Debian's OpenSSL package, and must be
-      considered compromised. Other authorities' keys were not generated
-      with an affected version of OpenSSL.
-
-  o Major bugfixes:
-    - List authority signatures as "unrecognized" based on DirServer
-      lines, not on cert cache. Bugfix on 0.2.0.x.
-
-  o Minor features:
-    - Add a new V3AuthUseLegacyKey option to make it easier for
-      authorities to change their identity keys if they have to.
-
-
-Changes in version 0.2.0.25-rc - 2008-04-23
-  Tor 0.2.0.25-rc makes Tor work again on OS X and certain BSDs.
-
-  o Major bugfixes:
-    - Remember to initialize threading before initializing logging.
-      Otherwise, many BSD-family implementations will crash hard on
-      startup. Fixes bug 671. Bugfix on 0.2.0.24-rc.
-
-  o Minor bugfixes:
-    - Authorities correctly free policies on bad servers on
-      exit. Fixes bug 672. Bugfix on 0.2.0.x.
-
-
-Changes in version 0.2.0.24-rc - 2008-04-22
-  Tor 0.2.0.24-rc adds dizum (run by Alex de Joode) as the new sixth
-  v3 directory authority, makes relays with dynamic IP addresses and no
-  DirPort notice more quickly when their IP address changes, fixes a few
-  rare crashes and memory leaks, and fixes a few other miscellaneous bugs.
-
-  o New directory authorities:
-    - Take lefkada out of the list of v3 directory authorities, since
-      it has been down for months.
-    - Set up dizum (run by Alex de Joode) as the new sixth v3 directory
-      authority.
-
-  o Major bugfixes:
-    - Detect address changes more quickly on non-directory mirror
-      relays. Bugfix on 0.2.0.18-alpha; fixes bug 652.
-
-  o Minor features (security):
-    - Reject requests for reverse-dns lookup of names that are in
-      a private address space. Patch from lodger.
-    - Non-exit relays no longer allow DNS requests. Fixes bug 619. Patch
-      from lodger.
-
-  o Minor bugfixes (crashes):
-    - Avoid a rare assert that can trigger when Tor doesn't have much
-      directory information yet and it tries to fetch a v2 hidden
-      service descriptor. Fixes bug 651, reported by nwf.
-    - Initialize log mutex before initializing dmalloc. Otherwise,
-      running with dmalloc would crash. Bugfix on 0.2.0.x-alpha.
-    - Use recursive pthread mutexes in order to avoid deadlock when
-      logging debug-level messages to a controller. Bug spotted by nwf,
-      bugfix on 0.2.0.16-alpha.
-
-  o Minor bugfixes (resource management):
-    - Keep address policies from leaking memory: start their refcount
-      at 1, not 2. Bugfix on 0.2.0.16-alpha.
-    - Free authority certificates on exit, so they don't look like memory
-      leaks. Bugfix on 0.2.0.19-alpha.
-    - Free static hashtables for policy maps and for TLS connections on
-      shutdown, so they don't look like memory leaks. Bugfix on 0.2.0.x.
-    - Avoid allocating extra space when computing consensuses on 64-bit
-      platforms. Bug spotted by aakova.
-
-  o Minor bugfixes (misc):
-    - Do not read the configuration file when we've only been told to
-      generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
-      based on patch from Sebastian Hahn.
-    - Exit relays that are used as a client can now reach themselves
-      using the .exit notation, rather than just launching an infinite
-      pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
-    - When attempting to open a logfile fails, tell us why.
-    - Fix a dumb bug that was preventing us from knowing that we should
-      preemptively build circuits to handle expected directory requests.
-      Fixes bug 660. Bugfix on 0.1.2.x.
-    - Warn less verbosely about clock skew from netinfo cells from
-      untrusted sources. Fixes bug 663.
-    - Make controller stream events for DNS requests more consistent,
-      by adding "new stream" events for DNS requests, and removing
-      spurious "stream closed" events" for cached reverse resolves.
-      Patch from mwenge. Fixes bug 646.
-    - Correctly notify one-hop connections when a circuit build has
-      failed. Possible fix for bug 669. Found by lodger.
-
-
-Changes in version 0.2.0.23-rc - 2008-03-24
-  Tor 0.2.0.23-rc is the fourth release candidate for the 0.2.0 series. It
-  makes bootstrapping faster if the first directory mirror you contact
-  is down. The bundles also include the new Vidalia 0.1.2 release.
-
-  o Major bugfixes:
-    - When a tunneled directory request is made to a directory server
-      that's down, notice after 30 seconds rather than 120 seconds. Also,
-      fail any begindir streams that are pending on it, so they can
-      retry elsewhere. This was causing multi-minute delays on bootstrap.
-
-
-Changes in version 0.2.0.22-rc - 2008-03-18
-  Tor 0.2.0.22-rc is the third release candidate for the 0.2.0 series. It
-  enables encrypted directory connections by default for non-relays, fixes
-  some broken TLS behavior we added in 0.2.0.20-rc, and resolves many
-  other bugs. The bundles also include Vidalia 0.1.1 and Torbutton 1.1.17.
-
-  o Major features:
-    - Enable encrypted directory connections by default for non-relays,
-      so censor tools that block Tor directory connections based on their
-      plaintext patterns will no longer work. This means Tor works in
-      certain censored countries by default again.
-
-  o Major bugfixes:
-    - Make sure servers always request certificates from clients during
-      TLS renegotiation. Reported by lodger; bugfix on 0.2.0.20-rc.
-    - Do not enter a CPU-eating loop when a connection is closed in
-      the middle of client-side TLS renegotiation. Fixes bug 622. Bug
-      diagnosed by lodger; bugfix on 0.2.0.20-rc.
-    - Fix assertion failure that could occur when a blocked circuit
-      became unblocked, and it had pending client DNS requests. Bugfix
-      on 0.2.0.1-alpha. Fixes bug 632.
-
-  o Minor bugfixes (on 0.1.2.x):
-    - Generate "STATUS_SERVER" events rather than misspelled
-      "STATUS_SEVER" events. Caught by mwenge.
-    - When counting the number of bytes written on a TLS connection,
-      look at the BIO actually used for writing to the network, not
-      at the BIO used (sometimes) to buffer data for the network.
-      Looking at different BIOs could result in write counts on the
-      order of ULONG_MAX. Fixes bug 614.
-    - On Windows, correctly detect errors when listing the contents of
-      a directory. Fix from lodger.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - Downgrade "sslv3 alert handshake failure" message to INFO.
-    - If we set RelayBandwidthRate and RelayBandwidthBurst very high but
-      left BandwidthRate and BandwidthBurst at the default, we would be
-      silently limited by those defaults. Now raise them to match the
-      RelayBandwidth* values.
-    - Fix the SVK version detection logic to work correctly on a branch.
-    - Make --enable-openbsd-malloc work correctly on Linux with alpha
-      CPUs. Fixes bug 625.
-    - Logging functions now check that the passed severity is sane.
-    - Use proper log levels in the testsuite call of
-      get_interface_address6().
-    - When using a nonstandard malloc, do not use the platform values for
-      HAVE_MALLOC_GOOD_SIZE or HAVE_MALLOC_USABLE_SIZE.
-    - Make the openbsd malloc code use 8k pages on alpha CPUs and
-      16k pages on ia64.
-    - Detect mismatched page sizes when using --enable-openbsd-malloc.
-    - Avoid double-marked-for-close warning when certain kinds of invalid
-      .in-addr.arpa addresses are passed to the DNSPort. Part of a fix
-      for bug 617. Bugfix on 0.2.0.1-alpha.
-    - Make sure that the "NULL-means-reject *:*" convention is followed by
-      all the policy manipulation functions, avoiding some possible crash
-      bugs. Bug found by lodger. Bugfix on 0.2.0.16-alpha.
-    - Fix the implementation of ClientDNSRejectInternalAddresses so that it
-      actually works, and doesn't warn about every single reverse lookup.
-      Fixes the other part of bug 617.  Bugfix on 0.2.0.1-alpha.
-
-  o Minor features:
-    - Only log guard node status when guard node status has changed.
-    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
-      make "INFO" 75% less verbose.
-
-
-Changes in version 0.2.0.21-rc - 2008-03-02
-  Tor 0.2.0.21-rc is the second release candidate for the 0.2.0 series. It
-  makes Tor work well with Vidalia again, fixes a rare assert bug,
-  and fixes a pair of more minor bugs. The bundles also include Vidalia
-  0.1.0 and Torbutton 1.1.16.
-
-  o Major bugfixes:
-    - The control port should declare that it requires password auth
-      when HashedControlSessionPassword is set too. Patch from Matt Edman;
-      bugfix on 0.2.0.20-rc. Fixes bug 615.
-    - Downgrade assert in connection_buckets_decrement() to a log message.
-      This may help us solve bug 614, and in any case will make its
-      symptoms less severe. Bugfix on 0.2.0.20-rc. Reported by fredzupy.
-    - We were sometimes miscounting the number of bytes read from the
-      network, causing our rate limiting to not be followed exactly.
-      Bugfix on 0.2.0.16-alpha. Reported by lodger.
-
-  o Minor bugfixes:
-    - Fix compilation with OpenSSL 0.9.8 and 0.9.8a. All other supported
-      OpenSSL versions should have been working fine. Diagnosis and patch
-      from lodger, Karsten Loesing, and Sebastian Hahn. Fixes bug 616.
-      Bugfix on 0.2.0.20-rc.
-
-
-Changes in version 0.2.0.20-rc - 2008-02-24
-  Tor 0.2.0.20-rc is the first release candidate for the 0.2.0 series. It
-  makes more progress towards normalizing Tor's TLS handshake, makes
-  hidden services work better again, helps relays bootstrap if they don't
-  know their IP address, adds optional support for linking in openbsd's
-  allocator or tcmalloc, allows really fast relays to scale past 15000
-  sockets, and fixes a bunch of minor bugs reported by Veracode.
-
-  o Major features:
-    - Enable the revised TLS handshake based on the one designed by
-      Steven Murdoch in proposal 124, as revised in proposal 130. It
-      includes version negotiation for OR connections as described in
-      proposal 105. The new handshake is meant to be harder for censors
-      to fingerprint, and it adds the ability to detect certain kinds of
-      man-in-the-middle traffic analysis attacks. The version negotiation
-      feature will allow us to improve Tor's link protocol more safely
-      in the future.
-    - Choose which bridge to use proportional to its advertised bandwidth,
-      rather than uniformly at random. This should speed up Tor for
-      bridge users. Also do this for people who set StrictEntryNodes.
-    - When a TrackHostExits-chosen exit fails too many times in a row,
-      stop using it. Bugfix on 0.1.2.x; fixes bug 437.
-
-  o Major bugfixes:
-    - Resolved problems with (re-)fetching hidden service descriptors.
-      Patch from Karsten Loesing; fixes problems with 0.2.0.18-alpha
-      and 0.2.0.19-alpha.
-    - If we only ever used Tor for hidden service lookups or posts, we
-      would stop building circuits and start refusing connections after
-      24 hours, since we falsely believed that Tor was dormant. Reported
-      by nwf; bugfix on 0.1.2.x.
-    - Servers that don't know their own IP address should go to the
-      authorities for their first directory fetch, even if their DirPort
-      is off or if they don't know they're reachable yet. This will help
-      them bootstrap better. Bugfix on 0.2.0.18-alpha; fixes bug 609.
-    - When counting the number of open sockets, count not only the number
-      of sockets we have received from the socket() call, but also
-      the number we've gotten from accept() and socketpair(). This bug
-      made us fail to count all sockets that we were using for incoming
-      connections. Bugfix on 0.2.0.x.
-    - Fix code used to find strings within buffers, when those strings
-      are not in the first chunk of the buffer. Bugfix on 0.2.0.x.
-    - Fix potential segfault when parsing HTTP headers. Bugfix on 0.2.0.x.
-    - Add a new __HashedControlSessionPassword option for controllers
-      to use for one-off session password hashes that shouldn't get
-      saved to disk by SAVECONF --- Vidalia users were accumulating a
-      pile of HashedControlPassword lines in their torrc files, one for
-      each time they had restarted Tor and then clicked Save. Make Tor
-      automatically convert "HashedControlPassword" to this new option but
-      only when it's given on the command line. Partial fix for bug 586.
-
-  o Minor features (performance):
-    - Tune parameters for cell pool allocation to minimize amount of
-      RAM overhead used.
-    - Add OpenBSD malloc code from phk as an optional malloc
-      replacement on Linux: some glibc libraries do very poorly
-      with Tor's memory allocation patterns. Pass
-      --enable-openbsd-malloc to get the replacement malloc code.
-    - Add a --with-tcmalloc option to the configure script to link
-      against tcmalloc (if present). Does not yet search for
-      non-system include paths.
-    - Stop imposing an arbitrary maximum on the number of file descriptors
-      used for busy servers. Bug reported by Olaf Selke; patch from
-      Sebastian Hahn.
-
-  o Minor features (other):
-    - When SafeLogging is disabled, log addresses along with all TLS
-      errors.
-    - When building with --enable-gcc-warnings, check for whether Apple's
-      warning "-Wshorten-64-to-32" is available.
-    - Add a --passphrase-fd argument to the tor-gencert command for
-      scriptability.
-
-  o Minor bugfixes (memory leaks and code problems):
-    - We were leaking a file descriptor if Tor started with a zero-length
-      cached-descriptors file. Patch by freddy77; bugfix on 0.1.2.
-    - Detect size overflow in zlib code. Reported by Justin Ferguson and
-      Dan Kaminsky.
-    - We were comparing the raw BridgePassword entry with a base64'ed
-      version of it, when handling a "/tor/networkstatus-bridges"
-      directory request. Now compare correctly. Noticed by Veracode.
-    - Recover from bad tracked-since value in MTBF-history file.
-      Should fix bug 537.
-    - Alter the code that tries to recover from unhandled write
-      errors, to not try to flush onto a socket that's given us
-      unhandled errors. Bugfix on 0.1.2.x.
-    - Make Unix controlsockets work correctly on OpenBSD. Patch from
-      tup. Bugfix on 0.2.0.3-alpha.
-
-  o Minor bugfixes (other):
-    - If we have an extra-info document for our server, always make
-      it available on the control port, even if we haven't gotten
-      a copy of it from an authority yet. Patch from mwenge.
-    - Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
-    - Directory mirrors no longer include a guess at the client's IP
-      address if the connection appears to be coming from the same /24
-      network; it was producing too many wrong guesses.
-    - Make the new hidden service code respect the SafeLogging setting.
-      Bugfix on 0.2.0.x. Patch from Karsten.
-    - When starting as an authority, do not overwrite all certificates
-      cached from other authorities. Bugfix on 0.2.0.x. Fixes bug 606.
-    - If we're trying to flush the last bytes on a connection (for
-      example, when answering a directory request), reset the
-      time-to-give-up timeout every time we manage to write something
-      on the socket. Bugfix on 0.1.2.x.
-    - Change the behavior of "getinfo status/good-server-descriptor"
-      so it doesn't return failure when any authority disappears.
-    - Even though the man page said that "TrackHostExits ." should
-      work, nobody had ever implemented it. Bugfix on 0.1.0.x.
-    - Report TLS "zero return" case as a "clean close" and "IO error"
-      as a "close". Stop calling closes "unexpected closes": existing
-      Tors don't use SSL_close(), so having a connection close without
-      the TLS shutdown handshake is hardly unexpected.
-    - Send NAMESERVER_STATUS messages for a single failed nameserver
-      correctly.
-
-  o Code simplifications and refactoring:
-    - Remove the tor_strpartition function: its logic was confused,
-      and it was only used for one thing that could be implemented far
-      more easily.
-
-
-Changes in version 0.2.0.19-alpha - 2008-02-09
-  Tor 0.2.0.19-alpha makes more progress towards normalizing Tor's TLS
-  handshake, makes path selection for relays more secure and IP address
-  guessing more robust, and generally fixes a lot of bugs in preparation
-  for calling the 0.2.0 branch stable.
-
-  o Major features:
-    - Do not include recognizeable strings in the commonname part of
-      Tor's x509 certificates.
-
-  o Major bugfixes:
-    - If we're a relay, avoid picking ourselves as an introduction point,
-      a rendezvous point, or as the final hop for internal circuits. Bug
-      reported by taranis and lodger. Bugfix on 0.1.2.x.
-    - Patch from "Andrew S. Lists" to catch when we contact a directory
-      mirror at IP address X and he says we look like we're coming from
-      IP address X. Bugfix on 0.1.2.x.
-
-  o Minor features (security):
-    - Be more paranoid about overwriting sensitive memory on free(),
-      as a defensive programming tactic to ensure forward secrecy.
-
-  o Minor features (directory authority):
-    - Actually validate the options passed to AuthDirReject,
-      AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
-    - Reject router descriptors with out-of-range bandwidthcapacity or
-      bandwidthburst values.
-
-  o Minor features (controller):
-    - Reject controller commands over 1MB in length.  This keeps rogue
-      processes from running us out of memory.
-
-  o Minor features (misc):
-    - Give more descriptive well-formedness errors for out-of-range
-      hidden service descriptor/protocol versions.
-    - Make memory debugging information describe more about history
-      of cell allocation, so we can help reduce our memory use.
-
-  o Deprecated features (controller):
-    - The status/version/num-versioning and status/version/num-concurring
-      GETINFO options are no longer useful in the v3 directory protocol:
-      treat them as deprecated, and warn when they're used.
-
-  o Minor bugfixes:
-    - When our consensus networkstatus has been expired for a while, stop
-      being willing to build circuits using it. Fixes bug 401. Bugfix
-      on 0.1.2.x.
-    - Directory caches now fetch certificates from all authorities
-      listed in a networkstatus consensus, even when they do not
-      recognize them. Fixes bug 571. Bugfix on 0.2.0.x.
-    - When connecting to a bridge without specifying its key, insert
-      the connection into the identity-to-connection map as soon as
-      a key is learned. Fixes bug 574. Bugfix on 0.2.0.x.
-    - Detect versions of OS X where malloc_good_size() is present in the
-      library but never actually declared. Resolves bug 587. Bugfix
-      on 0.2.0.x.
-    - Stop incorrectly truncating zlib responses to directory authority
-      signature download requests. Fixes bug 593. Bugfix on 0.2.0.x.
-    - Stop recommending that every server operator send mail to tor-ops.
-      Resolves bug 597. Bugfix on 0.1.2.x.
-    - Don't trigger an assert if we start a directory authority with a
-      private IP address (like 127.0.0.1).
-    - Avoid possible failures when generating a directory with routers
-      with over-long versions strings, or too many flags set. Bugfix
-      on 0.1.2.x.
-    - If an attempt to launch a DNS resolve request over the control
-      port fails because we have overrun the limit on the number of
-      connections, tell the controller that the request has failed.
-    - Avoid using too little bandwidth when our clock skips a few
-      seconds. Bugfix on 0.1.2.x.
-    - Fix shell error when warning about missing packages in configure
-      script, on Fedora or Red Hat machines. Bugfix on 0.2.0.x.
-    - Do not become confused when receiving a spurious VERSIONS-like
-      cell from a confused v1 client.  Bugfix on 0.2.0.x.
-    - Re-fetch v2 (as well as v0) rendezvous descriptors when all
-      introduction points for a hidden service have failed. Patch from
-      Karsten Loesing. Bugfix on 0.2.0.x.
-
-  o Code simplifications and refactoring:
-    - Remove some needless generality from cpuworker code, for improved
-      type-safety.
-    - Stop overloading the circuit_t.onionskin field for both "onionskin
-      from a CREATE cell that we are waiting for a cpuworker to be
-      assigned" and "onionskin from an EXTEND cell that we are going to
-      send to an OR as soon as we are connected". Might help with bug 600.
-    - Add an in-place version of aes_crypt() so that we can avoid doing a
-      needless memcpy() call on each cell payload.
-
-
-Changes in version 0.2.0.18-alpha - 2008-01-25
-  Tor 0.2.0.18-alpha adds a sixth v3 directory authority run by CCC,
-  fixes a big memory leak in 0.2.0.17-alpha, and adds new config options
-  that can warn or reject connections to ports generally associated with
-  vulnerable-plaintext protocols.
-
-  o New directory authorities:
-    - Set up dannenberg (run by CCC) as the sixth v3 directory
-      authority.
-
-  o Major bugfixes:
-    - Fix a major memory leak when attempting to use the v2 TLS
-      handshake code. Bugfix on 0.2.0.x; fixes bug 589.
-    - We accidentally enabled the under-development v2 TLS handshake
-      code, which was causing log entries like "TLS error while
-      renegotiating handshake". Disable it again. Resolves bug 590.
-    - We were computing the wrong Content-Length: header for directory
-      responses that need to be compressed on the fly, causing clients
-      asking for those items to always fail. Bugfix on 0.2.0.x; partially
-      fixes bug 593.
-
-  o Major features:
-    - Avoid going directly to the directory authorities even if you're a
-      relay, if you haven't found yourself reachable yet or if you've
-      decided not to advertise your dirport yet. Addresses bug 556.
-    - If we've gone 12 hours since our last bandwidth check, and we
-      estimate we have less than 50KB bandwidth capacity but we could
-      handle more, do another bandwidth test.
-    - New config options WarnPlaintextPorts and RejectPlaintextPorts so
-      Tor can warn and/or refuse connections to ports commonly used with
-      vulnerable-plaintext protocols. Currently we warn on ports 23,
-      109, 110, and 143, but we don't reject any.
-
-  o Minor bugfixes:
-    - When we setconf ClientOnly to 1, close any current OR and Dir
-      listeners. Reported by mwenge.
-    - When we get a consensus that's been signed by more people than
-      we expect, don't log about it; it's not a big deal. Reported
-      by Kyle Williams.
-
-  o Minor features:
-    - Don't answer "/tor/networkstatus-bridges" directory requests if
-      the request isn't encrypted.
-    - Make "ClientOnly 1" config option disable directory ports too.
-    - Patches from Karsten Loesing to make v2 hidden services more
-      robust: work even when there aren't enough HSDir relays available;
-      retry when a v2 rend desc fetch fails; but don't retry if we
-      already have a usable v0 rend desc.
-
-
-Changes in version 0.2.0.17-alpha - 2008-01-17
-  Tor 0.2.0.17-alpha makes the tarball build cleanly again (whoops).
-
-  o Compile fixes:
-    - Make the tor-gencert man page get included correctly in the tarball.
-
-
-Changes in version 0.2.0.16-alpha - 2008-01-17
-  Tor 0.2.0.16-alpha adds a fifth v3 directory authority run by Karsten
-  Loesing, and generally cleans up a lot of features and minor bugs.
-
-  o New directory authorities:
-    - Set up gabelmoo (run by Karsten Loesing) as the fifth v3 directory
-      authority.
-
-  o Major performance improvements:
-    - Switch our old ring buffer implementation for one more like that
-      used by free Unix kernels. The wasted space in a buffer with 1mb
-      of data will now be more like 8k than 1mb. The new implementation
-      also avoids realloc();realloc(); patterns that can contribute to
-      memory fragmentation.
-
-  o Minor features:
-    - Configuration files now accept C-style strings as values. This
-      helps encode characters not allowed in the current configuration
-      file format, such as newline or #. Addresses bug 557.
-    - Although we fixed bug 539 (where servers would send HTTP status 503
-      responses _and_ send a body too), there are still servers out
-      there that haven't upgraded. Therefore, make clients parse such
-      bodies when they receive them.
-    - When we're not serving v2 directory information, there is no reason
-      to actually keep any around. Remove the obsolete files and directory
-      on startup if they are very old and we aren't going to serve them.
-
-  o Minor performance improvements:
-    - Reference-count and share copies of address policy entries; only 5%
-      of them were actually distinct.
-    - Never walk through the list of logs if we know that no log is
-      interested in a given message.
-
-  o Minor bugfixes:
-    - When an authority has not signed a consensus, do not try to
-      download a nonexistent "certificate with key 00000000". Bugfix
-      on 0.2.0.x. Fixes bug 569.
-    - Fix a rare assert error when we're closing one of our threads:
-      use a mutex to protect the list of logs, so we never write to the
-      list as it's being freed. Bugfix on 0.1.2.x. Fixes the very rare
-      bug 575, which is kind of the revenge of bug 222.
-    - Patch from Karsten Loesing to complain less at both the client
-      and the relay when a relay used to have the HSDir flag but doesn't
-      anymore, and we try to upload a hidden service descriptor.
-    - Stop leaking one cert per TLS context. Fixes bug 582. Bugfix on
-      0.2.0.15-alpha.
-    - Do not try to download missing certificates until we have tried
-      to check our fallback consensus. Fixes bug 583.
-    - Make bridges round reported GeoIP stats info up to the nearest
-      estimate, not down. Now we can distinguish between "0 people from
-      this country" and "1 person from this country".
-    - Avoid a spurious free on base64 failure. Bugfix on 0.1.2.
-    - Avoid possible segfault if key generation fails in
-      crypto_pk_hybrid_encrypt. Bugfix on 0.2.0.
-    - Avoid segfault in the case where a badly behaved v2 versioning
-      directory sends a signed networkstatus with missing client-versions.
-      Bugfix on 0.1.2.
-    - Avoid segfaults on certain complex invocations of
-      router_get_by_hexdigest(). Bugfix on 0.1.2.
-    - Correct bad index on array access in parse_http_time(). Bugfix
-      on 0.2.0.
-    - Fix possible bug in vote generation when server versions are present
-      but client versions are not.
-    - Fix rare bug on REDIRECTSTREAM control command when called with no
-      port set: it could erroneously report an error when none had
-      happened.
-    - Avoid bogus crash-prone, leak-prone tor_realloc when we're
-      compressing large objects and find ourselves with more than 4k
-      left over. Bugfix on 0.2.0.
-    - Fix a small memory leak when setting up a hidden service.
-    - Fix a few memory leaks that could in theory happen under bizarre
-      error conditions.
-    - Fix an assert if we post a general-purpose descriptor via the
-      control port but that descriptor isn't mentioned in our current
-      network consensus. Bug reported by Jon McLachlan; bugfix on
-      0.2.0.9-alpha.
-
-  o Minor features (controller):
-    - Get NS events working again. Patch from tup.
-    - The GETCONF command now escapes and quotes configuration values
-      that don't otherwise fit into the torrc file.
-    - The SETCONF command now handles quoted values correctly.
-
-  o Minor features (directory authorities):
-    - New configuration options to override default maximum number of
-      servers allowed on a single IP address. This is important for
-      running a test network on a single host.
-    - Actually implement the -s option to tor-gencert.
-    - Add a manual page for tor-gencert.
-
-  o Minor features (bridges):
-    - Bridge authorities no longer serve bridge descriptors over
-      unencrypted connections.
-
-  o Minor features (other):
-    - Add hidden services and DNSPorts to the list of things that make
-      Tor accept that it has running ports. Change starting Tor with no
-      ports from a fatal error to a warning; we might change it back if
-      this turns out to confuse anybody. Fixes bug 579.
-
-
-Changes in version 0.1.2.19 - 2008-01-17
-  Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
-  exit policy a little bit more conservative so it's safer to run an
-  exit relay on a home system, and fixes a variety of smaller issues.
-
-  o Security fixes:
-    - Exit policies now reject connections that are addressed to a
-      relay's public (external) IP address too, unless
-      ExitPolicyRejectPrivate is turned off. We do this because too
-      many relays are running nearby to services that trust them based
-      on network address.
-
-  o Major bugfixes:
-    - When the clock jumps forward a lot, do not allow the bandwidth
-      buckets to become negative. Fixes bug 544.
-    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
-      on every successful resolve. Reported by Mike Perry.
-    - Purge old entries from the "rephist" database and the hidden
-      service descriptor database even when DirPort is zero.
-    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
-      requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
-      crashing or mis-answering these requests.
-    - When we decide to send a 503 response to a request for servers, do
-      not then also send the server descriptors: this defeats the whole
-      purpose. Fixes bug 539.
-
-  o Minor bugfixes:
-    - Changing the ExitPolicyRejectPrivate setting should cause us to
-      rebuild our server descriptor.
-    - Fix handling of hex nicknames when answering controller requests for
-      networkstatus by name, or when deciding whether to warn about
-      unknown routers in a config option. (Patch from mwenge.)
-    - Fix a couple of hard-to-trigger autoconf problems that could result
-      in really weird results on platforms whose sys/types.h files define
-      nonstandard integer types.
-    - Don't try to create the datadir when running --verify-config or
-      --hash-password. Resolves bug 540.
-    - If we were having problems getting a particular descriptor from the
-      directory caches, and then we learned about a new descriptor for
-      that router, we weren't resetting our failure count. Reported
-      by lodger.
-    - Although we fixed bug 539 (where servers would send HTTP status 503
-      responses _and_ send a body too), there are still servers out there
-      that haven't upgraded. Therefore, make clients parse such bodies
-      when they receive them.
-    - Run correctly on systems where rlim_t is larger than unsigned long.
-      This includes some 64-bit systems.
-    - Run correctly on platforms (like some versions of OS X 10.5) where
-      the real limit for number of open files is OPEN_FILES, not rlim_max
-      from getrlimit(RLIMIT_NOFILES).
-    - Avoid a spurious free on base64 failure.
-    - Avoid segfaults on certain complex invocations of
-      router_get_by_hexdigest().
-    - Fix rare bug on REDIRECTSTREAM control command when called with no
-      port set: it could erroneously report an error when none had
-      happened.
-
-
-Changes in version 0.2.0.15-alpha - 2007-12-25
-  Tor 0.2.0.14-alpha and 0.2.0.15-alpha fix a bunch of bugs with the
-  features added in 0.2.0.13-alpha.
-
-  o Major bugfixes:
-    - Fix several remotely triggerable asserts based on DirPort requests
-      for a v2 or v3 networkstatus object before we were prepared. This
-      was particularly bad for 0.2.0.13 and later bridge relays, who
-      would never have a v2 networkstatus and would thus always crash
-      when used. Bugfixes on 0.2.0.x.
-    - Estimate the v3 networkstatus size more accurately, rather than
-      estimating it at zero bytes and giving it artificially high priority
-      compared to other directory requests. Bugfix on 0.2.0.x.
-
-  o Minor bugfixes:
-    - Fix configure.in logic for cross-compilation.
-    - When we load a bridge descriptor from the cache, and it was
-      previously unreachable, mark it as retriable so we won't just
-      ignore it. Also, try fetching a new copy immediately. Bugfixes
-      on 0.2.0.13-alpha.
-    - The bridge GeoIP stats were counting other relays, for example
-      self-reachability and authority-reachability tests.
-
-  o Minor features:
-    - Support compilation to target iPhone; patch from cjacker huang.
-      To build for iPhone, pass the --enable-iphone option to configure.
-
-
-Changes in version 0.2.0.14-alpha - 2007-12-23
-  o Major bugfixes:
-    - Fix a crash on startup if you install Tor 0.2.0.13-alpha fresh
-      without a datadirectory from a previous Tor install. Reported
-      by Zax.
-    - Fix a crash when we fetch a descriptor that turns out to be
-      unexpected (it used to be in our networkstatus when we started
-      fetching it, but it isn't in our current networkstatus), and we
-      aren't using bridges. Bugfix on 0.2.0.x.
-    - Fix a crash when accessing hidden services: it would work the first
-      time you use a given introduction point for your service, but
-      on subsequent requests we'd be using garbage memory. Fixed by
-      Karsten Loesing. Bugfix on 0.2.0.13-alpha.
-    - Fix a crash when we load a bridge descriptor from disk but we don't
-      currently have a Bridge line for it in our torrc. Bugfix on
-      0.2.0.13-alpha.
-
-  o Major features:
-    - If bridge authorities set BridgePassword, they will serve a
-      snapshot of known bridge routerstatuses from their DirPort to
-      anybody who knows that password. Unset by default.
-
-  o Minor bugfixes:
-    - Make the unit tests build again.
-    - Make "GETINFO/desc-annotations/id/<OR digest>" actually work.
-    - Make PublishServerDescriptor default to 1, so the default doesn't
-      have to change as we invent new directory protocol versions.
-    - Fix test for rlim_t on OSX 10.3: sys/resource.h doesn't want to
-      be included unless sys/time.h is already included.  Fixes
-      bug 553.  Bugfix on 0.2.0.x.
-    - If we receive a general-purpose descriptor and then receive an
-      identical bridge-purpose descriptor soon after, don't discard
-      the next one as a duplicate.
-
-  o Minor features:
-    - If BridgeRelay is set to 1, then the default for
-      PublishServerDescriptor is now "bridge" rather than "v2,v3".
-    - If the user sets RelayBandwidthRate but doesn't set
-      RelayBandwidthBurst, then make them equal rather than erroring out.
-
-
-Changes in version 0.2.0.13-alpha - 2007-12-21
-  Tor 0.2.0.13-alpha adds a fourth v3 directory authority run by Geoff
-  Goodell, fixes many more bugs, and adds a lot of infrastructure for
-  upcoming features.
-
-  o New directory authorities:
-    - Set up lefkada (run by Geoff Goodell) as the fourth v3 directory
-      authority.
-
-  o Major bugfixes:
-    - Only update guard status (usable / not usable) once we have
-      enough directory information. This was causing us to always pick
-      two new guards on startup (bugfix on 0.2.0.9-alpha), and it was
-      causing us to discard all our guards on startup if we hadn't been
-      running for a few weeks (bugfix on 0.1.2.x). Fixes bug 448.
-    - Purge old entries from the "rephist" database and the hidden
-      service descriptor databases even when DirPort is zero. Bugfix
-      on 0.1.2.x.
-    - We were ignoring our RelayBandwidthRate for the first 30 seconds
-      after opening a circuit -- even a relayed circuit. Bugfix on
-      0.2.0.3-alpha.
-    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
-      requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
-      crashing or mis-answering these types of requests.
-    - Relays were publishing their server descriptor to v1 and v2
-      directory authorities, but they didn't try publishing to v3-only
-      authorities. Fix this; and also stop publishing to v1 authorities.
-      Bugfix on 0.2.0.x.
-    - When we were reading router descriptors from cache, we were ignoring
-      the annotations -- so for example we were reading in bridge-purpose
-      descriptors as general-purpose descriptors. Bugfix on 0.2.0.8-alpha.
-    - When we decided to send a 503 response to a request for servers, we
-      were then also sending the server descriptors: this defeats the
-      whole purpose. Fixes bug 539; bugfix on 0.1.2.x.
-
-  o Major features:
-    - Bridge relays now behave like clients with respect to time
-      intervals for downloading new consensus documents -- otherwise they
-      stand out. Bridge users now wait until the end of the interval,
-      so their bridge relay will be sure to have a new consensus document.
-    - Three new config options (AlternateDirAuthority,
-      AlternateBridgeAuthority, and AlternateHSAuthority) that let the
-      user selectively replace the default directory authorities by type,
-      rather than the all-or-nothing replacement that DirServer offers.
-    - Tor can now be configured to read a GeoIP file from disk in one
-      of two formats. This can be used by controllers to map IP addresses
-      to countries. Eventually, it may support exit-by-country.
-    - When possible, bridge relays remember which countries users
-      are coming from, and report aggregate information in their
-      extra-info documents, so that the bridge authorities can learn
-      where Tor is blocked.
-    - Bridge directory authorities now do reachability testing on the
-      bridges they know. They provide router status summaries to the
-      controller via "getinfo ns/purpose/bridge", and also dump summaries
-      to a file periodically.
-    - Stop fetching directory info so aggressively if your DirPort is
-      on but your ORPort is off; stop fetching v2 dir info entirely.
-      You can override these choices with the new FetchDirInfoEarly
-      config option.
-
-  o Minor bugfixes:
-    - The fix in 0.2.0.12-alpha cleared the "hsdir" flag in v3 network
-      consensus documents when there are too many relays at a single
-      IP address. Now clear it in v2 network status documents too, and
-      also clear it in routerinfo_t when the relay is no longer listed
-      in the relevant networkstatus document.
-    - Don't crash if we get an unexpected value for the
-      PublishServerDescriptor config option. Reported by Matt Edman;
-      bugfix on 0.2.0.9-alpha.
-    - Our new v2 hidden service descriptor format allows descriptors
-      that have no introduction points. But Tor crashed when we tried
-      to build a descriptor with no intro points (and it would have
-      crashed if we had tried to parse one). Bugfix on 0.2.0.x; patch
-      by Karsten Loesing.
-    - Fix building with dmalloc 5.5.2 with glibc.
-    - Reject uploaded descriptors and extrainfo documents if they're
-      huge. Otherwise we'll cache them all over the network and it'll
-      clog everything up. Reported by Aljosha Judmayer.
-    - Check for presence of s6_addr16 and s6_addr32 fields in in6_addr
-      via autoconf. Should fix compile on solaris. Bugfix on 0.2.0.x.
-    - When the DANGEROUS_VERSION controller status event told us we're
-      running an obsolete version, it used the string "OLD" to describe
-      it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
-      "OBSOLETE" in both cases. Bugfix on 0.1.2.x.
-    - If we can't expand our list of entry guards (e.g. because we're
-      using bridges or we have StrictEntryNodes set), don't mark relays
-      down when they fail a directory request. Otherwise we're too quick
-      to mark all our entry points down. Bugfix on 0.1.2.x.
-    - Fix handling of hex nicknames when answering controller requests for
-      networkstatus by name, or when deciding whether to warn about unknown
-      routers in a config option. Bugfix on 0.1.2.x. (Patch from mwenge.)
-    - Fix a couple of hard-to-trigger autoconf problems that could result
-      in really weird results on platforms whose sys/types.h files define
-      nonstandard integer types. Bugfix on 0.1.2.x.
-    - Fix compilation with --disable-threads set. Bugfix on 0.2.0.x.
-    - Don't crash on name lookup when we have no current consensus.  Fixes
-      bug 538; bugfix on 0.2.0.x.
-    - Only Tors that want to mirror the v2 directory info should
-      create the "cached-status" directory in their datadir. (All Tors
-      used to create it.) Bugfix on 0.2.0.9-alpha.
-    - Directory authorities should only automatically download Extra Info
-      documents if they're v1, v2, or v3 authorities. Bugfix on 0.1.2.x.
-
-  o Minor features:
-    - On the USR1 signal, when dmalloc is in use, log the top 10 memory
-      consumers. (We already do this on HUP.)
-    - Authorities and caches fetch the v2 networkstatus documents
-      less often, now that v3 is encouraged.
-    - Add a new config option BridgeRelay that specifies you want to
-      be a bridge relay. Right now the only difference is that it makes
-      you answer begin_dir requests, and it makes you cache dir info,
-      even if your DirPort isn't on.
-    - Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
-      ask about source, timestamp of arrival, purpose, etc. We need
-      something like this to help Vidalia not do GeoIP lookups on bridge
-      addresses.
-    - Allow multiple HashedControlPassword config lines, to support
-      multiple controller passwords.
-    - Authorities now decide whether they're authoritative for a given
-      router based on the router's purpose.
-    - New config options AuthDirBadDir and AuthDirListBadDirs for
-      authorities to mark certain relays as "bad directories" in the
-      networkstatus documents. Also supports the "!baddir" directive in
-      the approved-routers file.
-
-
-Changes in version 0.2.0.12-alpha - 2007-11-16
-  This twelfth development snapshot fixes some more build problems as
-  well as a few minor bugs.
-
-  o Compile fixes:
-    - Make it build on OpenBSD again. Patch from tup.
-    - Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes
-      package-building for Red Hat, OS X, etc.
-
-  o Minor bugfixes (on 0.1.2.x):
-    - Changing the ExitPolicyRejectPrivate setting should cause us to
-      rebuild our server descriptor.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - When we're lacking a consensus, don't try to perform rendezvous
-      operations. Reported by Karsten Loesing.
-    - Fix a small memory leak whenever we decide against using a
-      newly picked entry guard. Reported by Mike Perry.
-    - When authorities detected more than two relays running on the same
-      IP address, they were clearing all the status flags but forgetting
-      to clear the "hsdir" flag. So clients were being told that a
-      given relay was the right choice for a v2 hsdir lookup, yet they
-      never had its descriptor because it was marked as 'not running'
-      in the consensus.
-    - If we're trying to fetch a bridge descriptor and there's no way
-      the bridge authority could help us (for example, we don't know
-      a digest, or there is no bridge authority), don't be so eager to
-      fall back to asking the bridge authority.
-    - If we're using bridges or have strictentrynodes set, and our
-      chosen exit is in the same family as all our bridges/entry guards,
-      then be flexible about families.
-
-  o Minor features:
-    - When we negotiate a v2 link-layer connection (not yet implemented),
-      accept RELAY_EARLY cells and turn them into RELAY cells if we've
-      negotiated a v1 connection for their next step. Initial code for
-      proposal 110.
-
-
-Changes in version 0.2.0.11-alpha - 2007-11-12
-  This eleventh development snapshot fixes some build problems with
-  the previous snapshot. It also includes a more secure-by-default exit
-  policy for relays, fixes an enormous memory leak for exit relays, and
-  fixes another bug where servers were falling out of the directory list.
-
-  o Security fixes:
-    - Exit policies now reject connections that are addressed to a
-      relay's public (external) IP address too, unless
-      ExitPolicyRejectPrivate is turned off. We do this because too
-      many relays are running nearby to services that trust them based
-      on network address. Bugfix on 0.1.2.x.
-
-  o Major bugfixes:
-    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
-      on every successful resolve. Reported by Mike Perry; bugfix
-      on 0.1.2.x.
-    - On authorities, never downgrade to old router descriptors simply
-      because they're listed in the consensus. This created a catch-22
-      where we wouldn't list a new descriptor because there was an
-      old one in the consensus, and we couldn't get the new one in the
-      consensus because we wouldn't list it. Possible fix for bug 548.
-      Also, this might cause bug 543 to appear on authorities; if so,
-      we'll need a band-aid for that. Bugfix on 0.2.0.9-alpha.
-
-  o Packaging fixes on 0.2.0.10-alpha:
-    - We were including instructions about what to do with the
-      src/config/fallback-consensus file, but we weren't actually
-      including it in the tarball. Disable all of that for now.
-
-  o Minor features:
-    - Allow people to say PreferTunnelledDirConns rather than
-      PreferTunneledDirConns, for those alternate-spellers out there.
-
-  o Minor bugfixes:
-    - Don't reevaluate all the information from our consensus document
-      just because we've downloaded a v2 networkstatus that we intend
-      to cache. Fixes bug 545; bugfix on 0.2.0.x.
-
-
-Changes in version 0.2.0.10-alpha - 2007-11-10
-  This tenth development snapshot adds a third v3 directory authority
-  run by Mike Perry, adds most of Karsten Loesing's new hidden service
-  descriptor format, fixes a bad crash bug and new bridge bugs introduced
-  in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation,
-  fixes some minor memory leaks in previous 0.2.0.x snapshots, and
-  addresses many more minor issues.
-
-  o New directory authorities:
-    - Set up ides (run by Mike Perry) as the third v3 directory authority.
-
-  o Major features:
-    - Allow tunnelled directory connections to ask for an encrypted
-      "begin_dir" connection or an anonymized "uses a full Tor circuit"
-      connection independently. Now we can make anonymized begin_dir
-      connections for (e.g.) more secure hidden service posting and
-      fetching.
-    - More progress on proposal 114: code from Karsten Loesing to
-      implement new hidden service descriptor format.
-    - Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
-      accommodate the growing number of servers that use the default
-      and are reaching it.
-    - Directory authorities use a new formula for selecting which nodes
-      to advertise as Guards: they must be in the top 7/8 in terms of
-      how long we have known about them, and above the median of those
-      nodes in terms of weighted fractional uptime.
-    - Make "not enough dir info yet" warnings describe *why* Tor feels
-      it doesn't have enough directory info yet.
-
-  o Major bugfixes:
-    - Stop servers from crashing if they set a Family option (or
-      maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
-      by Fabian Keil.
-    - Make bridge users work again -- the move to v3 directories in
-      0.2.0.9-alpha had introduced a number of bugs that made bridges
-      no longer work for clients.
-    - When the clock jumps forward a lot, do not allow the bandwidth
-      buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.
-
-  o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
-    - When the consensus lists a router descriptor that we previously were
-      mirroring, but that we considered non-canonical, reload the
-      descriptor as canonical. This fixes bug 543 where Tor servers
-      would start complaining after a few days that they don't have
-      enough directory information to build a circuit.
-    - Consider replacing the current consensus when certificates arrive
-      that make the pending consensus valid. Previously, we were only
-      considering replacement when the new certs _didn't_ help.
-    - Fix an assert error on startup if we didn't already have the
-      consensus and certs cached in our datadirectory: we were caching
-      the consensus in consensus_waiting_for_certs but then free'ing it
-      right after.
-    - Avoid sending a request for "keys/fp" (for which we'll get a 400 Bad
-      Request) if we need more v3 certs but we've already got pending
-      requests for all of them.
-    - Correctly back off from failing certificate downloads. Fixes
-      bug 546.
-    - Authorities don't vote on the Running flag if they have been running
-      for less than 30 minutes themselves. Fixes bug 547, where a newly
-      started authority would vote that everyone was down.
-
-  o New requirements:
-    - Drop support for OpenSSL version 0.9.6. Just about nobody was using
-      it, it had no AES, and it hasn't seen any security patches since
-      2004.
-
-  o Minor features:
-    - Clients now hold circuitless TLS connections open for 1.5 times
-      MaxCircuitDirtiness (15 minutes), since it is likely that they'll
-      rebuild a new circuit over them within that timeframe. Previously,
-      they held them open only for KeepalivePeriod (5 minutes).
-    - Use "If-Modified-Since" to avoid retrieving consensus
-      networkstatuses that we already have.
-    - When we have no consensus, check FallbackNetworkstatusFile (defaults
-      to $PREFIX/share/tor/fallback-consensus) for a consensus.  This way
-      we start knowing some directory caches.
-    - When we receive a consensus from the future, warn about skew.
-    - Improve skew reporting: try to give the user a better log message
-      about how skewed they are, and how much this matters.
-    - When we have a certificate for an authority, believe that
-      certificate's claims about the authority's IP address.
-    - New --quiet command-line option to suppress the default console log.
-      Good in combination with --hash-password.
-    - Authorities send back an X-Descriptor-Not-New header in response to
-      an accepted-but-discarded descriptor upload.  Partially implements
-      fix for bug 535.
-    - Make the log message for "tls error. breaking." more useful.
-    - Better log messages about certificate downloads, to attempt to
-      track down the second incarnation of bug 546.
-
-  o Minor features (bridges):
-    - If bridge users set UpdateBridgesFromAuthority, but the digest
-      they ask for is a 404 from the bridge authority, they now fall
-      back to trying the bridge directly.
-    - Bridges now use begin_dir to publish their server descriptor to
-      the bridge authority, even when they haven't set TunnelDirConns.
-
-  o Minor features (controller):
-    - When reporting clock skew, and we know that the clock is _at least
-      as skewed_ as some value, but we don't know the actual value,
-      report the value as a "minimum skew."
-
-  o Utilities:
-    - Update linux-tor-prio.sh script to allow QoS based on the uid of
-      the Tor process. Patch from Marco Bonetti with tweaks from Mike
-      Perry.
-
-  o Minor bugfixes:
-    - Refuse to start if both ORPort and UseBridges are set. Bugfix
-      on 0.2.0.x, suggested by Matt Edman.
-    - Don't stop fetching descriptors when FetchUselessDescriptors is
-      set, even if we stop asking for circuits. Bugfix on 0.1.2.x;
-      reported by tup and ioerror.
-    - Better log message on vote from unknown authority.
-    - Don't log "Launching 0 request for 0 router" message.
-
-  o Minor bugfixes (memory leaks):
-    - Stop leaking memory every time we parse a v3 certificate. Bugfix
-      on 0.2.0.1-alpha.
-    - Stop leaking memory every time we load a v3 certificate. Bugfix
-      on 0.2.0.1-alpha. Fixes bug 536.
-    - Stop leaking a cached networkstatus on exit.  Bugfix on
-      0.2.0.3-alpha.
-    - Stop leaking voter information every time we free a consensus.
-      Bugfix on 0.2.0.3-alpha.
-    - Stop leaking signed data every time we check a voter signature.
-      Bugfix on 0.2.0.3-alpha.
-    - Stop leaking a signature every time we fail to parse a consensus or
-      a vote.  Bugfix on 0.2.0.3-alpha.
-    - Stop leaking v2_download_status_map on shutdown.  Bugfix on
-      0.2.0.9-alpha.
-    - Stop leaking conn->nickname every time we make a connection to a
-      Tor relay without knowing its expected identity digest (e.g. when
-      using bridges). Bugfix on 0.2.0.3-alpha.
-
-  - Minor bugfixes (portability):
-    - Run correctly on platforms where rlim_t is larger than unsigned
-      long, and/or where the real limit for number of open files is
-      OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In
-      particular, these may be needed for OS X 10.5.
-
-
-Changes in version 0.1.2.18 - 2007-10-28
-  Tor 0.1.2.18 fixes many problems including crash bugs, problems with
-  hidden service introduction that were causing huge delays, and a big
-  bug that was causing some servers to disappear from the network status
-  lists for a few hours each day.
-
-  o Major bugfixes (crashes):
-    - If a connection is shut down abruptly because of something that
-      happened inside connection_flushed_some(), do not call
-      connection_finished_flushing(). Should fix bug 451:
-      "connection_stop_writing: Assertion conn->write_event failed"
-      Bugfix on 0.1.2.7-alpha.
-    - Fix possible segfaults in functions called from
-      rend_process_relay_cell().
-
-  o Major bugfixes (hidden services):
-    - Hidden services were choosing introduction points uniquely by
-      hexdigest, but when constructing the hidden service descriptor
-      they merely wrote the (potentially ambiguous) nickname.
-    - Clients now use the v2 intro format for hidden service
-      connections: they specify their chosen rendezvous point by identity
-      digest rather than by (potentially ambiguous) nickname. These
-      changes could speed up hidden service connections dramatically.
-
-  o Major bugfixes (other):
-    - Stop publishing a new server descriptor just because we get a
-      HUP signal. This led (in a roundabout way) to some servers getting
-      dropped from the networkstatus lists for a few hours each day.
-    - When looking for a circuit to cannibalize, consider family as well
-      as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
-      circuit cannibalization).
-    - When a router wasn't listed in a new networkstatus, we were leaving
-      the flags for that router alone -- meaning it remained Named,
-      Running, etc -- even though absence from the networkstatus means
-      that it shouldn't be considered to exist at all anymore. Now we
-      clear all the flags for routers that fall out of the networkstatus
-      consensus. Fixes bug 529.
-
-  o Minor bugfixes:
-    - Don't try to access (or alter) the state file when running
-      --list-fingerprint or --verify-config or --hash-password. Resolves
-      bug 499.
-    - When generating information telling us how to extend to a given
-      router, do not try to include the nickname if it is
-      absent. Resolves bug 467.
-    - Fix a user-triggerable segfault in expand_filename(). (There isn't
-      a way to trigger this remotely.)
-    - When sending a status event to the controller telling it that an
-      OR address is reachable, set the port correctly. (Previously we
-      were reporting the dir port.)
-    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
-      command. Bugfix on 0.1.2.17.
-    - When loading bandwidth history, do not believe any information in
-      the future. Fixes bug 434.
-    - When loading entry guard information, do not believe any information
-      in the future.
-    - When we have our clock set far in the future and generate an
-      onion key, then re-set our clock to be correct, we should not stop
-      the onion key from getting rotated.
-    - On some platforms, accept() can return a broken address. Detect
-      this more quietly, and deal accordingly. Fixes bug 483.
-    - It's not actually an error to find a non-pending entry in the DNS
-      cache when canceling a pending resolve. Don't log unless stuff
-      is fishy. Resolves bug 463.
-    - Don't reset trusted dir server list when we set a configuration
-      option. Patch from Robert Hogan.
-    - Don't try to create the datadir when running --verify-config or
-      --hash-password. Resolves bug 540.
-
-
-Changes in version 0.2.0.9-alpha - 2007-10-24
-  This ninth development snapshot switches clients to the new v3 directory
-  system; allows servers to be listed in the network status even when they
-  have the same nickname as a registered server; and fixes many other
-  bugs including a big one that was causing some servers to disappear
-  from the network status lists for a few hours each day.
-
-  o Major features (directory system):
-    - Clients now download v3 consensus networkstatus documents instead
-      of v2 networkstatus documents. Clients and caches now base their
-      opinions about routers on these consensus documents. Clients only
-      download router descriptors listed in the consensus.
-    - Authorities now list servers who have the same nickname as
-      a different named server, but list them with a new flag,
-      "Unnamed". Now we can list servers that happen to pick the same
-      nickname as a server that registered two years ago and then
-      disappeared. Partially implements proposal 122.
-    - If the consensus lists a router as "Unnamed", the name is assigned
-      to a different router: do not identify the router by that name.
-      Partially implements proposal 122.
-    - Authorities can now come to a consensus on which method to use to
-      compute the consensus. This gives us forward compatibility.
-
-  o Major bugfixes:
-    - Stop publishing a new server descriptor just because we HUP or
-      when we find our DirPort to be reachable but won't actually publish
-      it. New descriptors without any real changes are dropped by the
-      authorities, and can screw up our "publish every 18 hours" schedule.
-      Bugfix on 0.1.2.x.
-    - When a router wasn't listed in a new networkstatus, we were leaving
-      the flags for that router alone -- meaning it remained Named,
-      Running, etc -- even though absence from the networkstatus means
-      that it shouldn't be considered to exist at all anymore. Now we
-      clear all the flags for routers that fall out of the networkstatus
-      consensus. Fixes bug 529; bugfix on 0.1.2.x.
-    - Fix awful behavior in DownloadExtraInfo option where we'd fetch
-      extrainfo documents and then discard them immediately for not
-      matching the latest router. Bugfix on 0.2.0.1-alpha.
-
-  o Minor features (v3 directory protocol):
-    - Allow tor-gencert to generate a new certificate without replacing
-      the signing key.
-    - Allow certificates to include an address.
-    - When we change our directory-cache settings, reschedule all voting
-      and download operations.
-    - Reattempt certificate downloads immediately on failure, as long as
-      we haven't failed a threshold number of times yet.
-    - Delay retrying consensus downloads while we're downloading
-      certificates to verify the one we just got.  Also, count getting a
-      consensus that we already have (or one that isn't valid) as a failure,
-      and count failing to get the certificates after 20 minutes as a
-      failure.
-    - Build circuits and download descriptors even if our consensus is a
-      little expired. (This feature will go away once authorities are
-      more reliable.)
-
-  o Minor features (router descriptor cache):
-    - If we find a cached-routers file that's been sitting around for more
-      than 28 days unmodified, then most likely it's a leftover from
-      when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
-      routers anyway.
-    - When we (as a cache) download a descriptor because it was listed
-      in a consensus, remember when the consensus was supposed to expire,
-      and don't expire the descriptor until then.
-
-  o Minor features (performance):
-    - Call routerlist_remove_old_routers() much less often. This should
-      speed startup, especially on directory caches.
-    - Don't try to launch new descriptor downloads quite so often when we
-      already have enough directory information to build circuits.
-    - Base64 decoding was actually showing up on our profile when parsing
-      the initial descriptor file; switch to an in-process all-at-once
-      implementation that's about 3.5x times faster than calling out to
-      OpenSSL.
-
-  o Minor features (compilation):
-    - Detect non-ASCII platforms (if any still exist) and refuse to
-      build there: some of our code assumes that 'A' is 65 and so on.
-
-  o Minor bugfixes (v3 directory authorities, bugfixes on 0.2.0.x):
-    - Make the "next period" votes into "current period" votes immediately
-      after publishing the consensus; avoid a heisenbug that made them
-      stick around indefinitely.
-    - When we discard a vote as a duplicate, do not report this as
-      an error.
-    - Treat missing v3 keys or certificates as an error when running as a
-      v3 directory authority.
-    - When we're configured to be a v3 authority, but we're only listed
-      as a non-v3 authority in our DirServer line for ourself, correct
-      the listing.
-    - If an authority doesn't have a qualified hostname, just put
-      its address in the vote. This fixes the problem where we referred to
-      "moria on moria:9031."
-    - Distinguish between detached signatures for the wrong period, and
-      detached signatures for a divergent vote.
-    - Fix a small memory leak when computing a consensus.
-    - When there's no concensus, we were forming a vote every 30
-      minutes, but writing the "valid-after" line in our vote based
-      on our configured V3AuthVotingInterval: so unless the intervals
-      matched up, we immediately rejected our own vote because it didn't
-      start at the voting interval that caused us to construct a vote.
-
-  o Minor bugfixes (v3 directory protocol, bugfixes on 0.2.0.x):
-    - Delete unverified-consensus when the real consensus is set.
-    - Consider retrying a consensus networkstatus fetch immediately
-      after one fails: don't wait 60 seconds to notice.
-    - When fetching a consensus as a cache, wait until a newer consensus
-      should exist before trying to replace the current one.
-    - Use a more forgiving schedule for retrying failed consensus
-      downloads than for other types.
-
-  o Minor bugfixes (other directory issues):
-    - Correct the implementation of "download votes by digest." Bugfix on
-      0.2.0.8-alpha.
-    - Authorities no longer send back "400 you're unreachable please fix
-      it" errors to Tor servers that aren't online all the time. We're
-      supposed to tolerate these servers now. Bugfix on 0.1.2.x.
-
-  o Minor bugfixes (controller):
-    - Don't reset trusted dir server list when we set a configuration
-      option. Patch from Robert Hogan; bugfix on 0.1.2.x.
-    - Respond to INT and TERM SIGNAL commands before we execute the
-      signal, in case the signal shuts us down. We had a patch in
-      0.1.2.1-alpha that tried to do this by queueing the response on
-      the connection's buffer before shutting down, but that really
-      isn't the same thing at all. Bug located by Matt Edman.
-
-  o Minor bugfixes (misc):
-    - Correctly check for bad options to the "PublishServerDescriptor"
-      config option. Bugfix on 0.2.0.1-alpha; reported by Matt Edman.
-    - Stop leaking memory on failing case of base32_decode, and make
-      it accept upper-case letters. Bugfixes on 0.2.0.7-alpha.
-    - Don't try to download extrainfo documents when we're trying to
-      fetch enough directory info to build a circuit: having enough
-      info should get priority. Bugfix on 0.2.0.x.
-    - Don't complain that "your server has not managed to confirm that its
-      ports are reachable" if we haven't been able to build any circuits
-      yet. Bug found by spending four hours without a v3 consensus. Bugfix
-      on 0.1.2.x.
-    - Detect the reason for failing to mmap a descriptor file we just
-      wrote, and give a more useful log message.  Fixes bug 533. Bugfix
-      on 0.1.2.x.
-
-  o Code simplifications and refactoring:
-    - Remove support for the old bw_accounting file: we've been storing
-      bandwidth accounting information in the state file since
-      0.1.2.5-alpha.  This may result in bandwidth accounting errors
-      if you try to upgrade from 0.1.1.x or earlier, or if you try to
-      downgrade to 0.1.1.x or earlier.
-    - New convenience code to locate a file within the DataDirectory.
-    - Move non-authority functionality out of dirvote.c.
-    - Refactor the arguments for router_pick_{directory_|trusteddir}server
-      so that they all take the same named flags.
-
-  o Utilities
-    - Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
-      Unix users an easy way to script their Tor process (e.g. by
-      adjusting bandwidth based on the time of the day).
-
-
-Changes in version 0.2.0.8-alpha - 2007-10-12
-  This eighth development snapshot fixes a crash bug that's been bothering
-  us since February 2007, lets bridge authorities store a list of bridge
-  descriptors they've seen, gets v3 directory voting closer to working,
-  starts caching v3 directory consensus documents on directory mirrors,
-  and fixes a variety of smaller issues including some minor memory leaks.
-
-  o Major features (router descriptor cache):
-    - Store routers in a file called cached-descriptors instead of in
-      cached-routers. Initialize cached-descriptors from cached-routers
-      if the old format is around. The new format allows us to store
-      annotations along with descriptors.
-    - Use annotations to record the time we received each descriptor, its
-      source, and its purpose.
-    - Disable the SETROUTERPURPOSE controller command: it is now
-      obsolete.
-    - Controllers should now specify cache=no or cache=yes when using
-      the +POSTDESCRIPTOR command.
-    - Bridge authorities now write bridge descriptors to disk, meaning
-      we can export them to other programs and begin distributing them
-      to blocked users.
-
-  o Major features (directory authorities):
-    - When a v3 authority is missing votes or signatures, it now tries
-      to fetch them.
-    - Directory authorities track weighted fractional uptime as well as
-      weighted mean-time-between failures.  WFU is suitable for deciding
-      whether a node is "usually up", while MTBF is suitable for deciding
-      whether a node is "likely to stay up."  We need both, because
-      "usually up" is a good requirement for guards, while "likely to
-      stay up" is a good requirement for long-lived connections.
-
-  o Major features (v3 directory system):
-    - Caches now download v3 network status documents as needed,
-      and download the descriptors listed in them.
-    - All hosts now attempt to download and keep fresh v3 authority
-      certificates, and re-attempt after failures.
-    - More internal-consistency checks for vote parsing.
-
-  o Major bugfixes (crashes):
-    - If a connection is shut down abruptly because of something that
-      happened inside connection_flushed_some(), do not call
-      connection_finished_flushing(). Should fix bug 451. Bugfix on
-      0.1.2.7-alpha.
-
-  o Major bugfixes (performance):
-    - Fix really bad O(n^2) performance when parsing a long list of
-      routers: Instead of searching the entire list for an "extra-info "
-      string which usually wasn't there, once for every routerinfo
-      we read, just scan lines forward until we find one we like.
-      Bugfix on 0.2.0.1.
-    - When we add data to a write buffer in response to the data on that
-      write buffer getting low because of a flush, do not consider the
-      newly added data as a candidate for immediate flushing, but rather
-      make it wait until the next round of writing. Otherwise, we flush
-      and refill recursively, and a single greedy TLS connection can
-      eat all of our bandwidth. Bugfix on 0.1.2.7-alpha.
-
-  o Minor features (v3 authority system):
-    - Add more ways for tools to download the votes that lead to the
-      current consensus.
-    - Send a 503 when low on bandwidth and a vote, consensus, or
-      certificate is requested.
-    - If-modified-since is now implemented properly for all kinds of
-      certificate requests.
-
-  o Minor bugfixes (network statuses):
-    - Tweak the implementation of proposal 109 slightly: allow at most
-      two Tor servers on the same IP address, except if it's the location
-      of a directory authority, in which case allow five. Bugfix on
-      0.2.0.3-alpha.
-
-  o Minor bugfixes (controller):
-    - When sending a status event to the controller telling it that an
-      OR address is reachable, set the port correctly. (Previously we
-      were reporting the dir port.) Bugfix on 0.1.2.x.
-
-  o Minor bugfixes (v3 directory system):
-    - Fix logic to look up a cert by its signing key digest. Bugfix on
-      0.2.0.7-alpha.
-    - Only change the reply to a vote to "OK" if it's not already
-      set. This gets rid of annoying "400 OK" log messages, which may
-      have been masking some deeper issue. Bugfix on 0.2.0.7-alpha.
-    - When we get a valid consensus, recompute the voting schedule.
-    - Base the valid-after time of a vote on the consensus voting
-      schedule, not on our preferred schedule.
-    - Make the return values and messages from signature uploads and
-      downloads more sensible.
-    - Fix a memory leak when serving votes and consensus documents, and
-      another when serving certificates.
-
-  o Minor bugfixes (performance):
-    - Use a slightly simpler string hashing algorithm (copying Python's
-      instead of Java's) and optimize our digest hashing algorithm to take
-      advantage of 64-bit platforms and to remove some possibly-costly
-      voodoo.
-    - Fix a minor memory leak whenever we parse guards from our state
-      file. Bugfix on 0.2.0.7-alpha.
-    - Fix a minor memory leak whenever we write out a file. Bugfix on
-      0.2.0.7-alpha.
-    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
-      command. Bugfix on 0.2.0.5-alpha.
-
-  o Minor bugfixes (portability):
-    - On some platforms, accept() can return a broken address. Detect
-      this more quietly, and deal accordingly. Fixes bug 483.
-    - Stop calling tor_strlower() on uninitialized memory in some cases.
-      Bugfix in 0.2.0.7-alpha.
-
-  o Minor bugfixes (usability):
-    - Treat some 403 responses from directory servers as INFO rather than
-      WARN-severity events.
-    - It's not actually an error to find a non-pending entry in the DNS
-      cache when canceling a pending resolve. Don't log unless stuff is
-      fishy. Resolves bug 463.
-
-  o Minor bugfixes (anonymity):
-    - Never report that we've used more bandwidth than we're willing to
-      relay: it leaks how much non-relay traffic we're using. Resolves
-      bug 516.
-    - When looking for a circuit to cannibalize, consider family as well
-      as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
-      circuit cannibalization).
-
-  o Code simplifications and refactoring:
-    - Make a bunch of functions static. Remove some dead code.
-    - Pull out about a third of the really big routerlist.c; put it in a
-      new module, networkstatus.c.
-    - Merge the extra fields in local_routerstatus_t back into
-      routerstatus_t: we used to need one routerstatus_t for each
-      authority's opinion, plus a local_routerstatus_t for the locally
-      computed consensus opinion. To save space, we put the locally
-      modified fields into local_routerstatus_t, and only the common
-      stuff into routerstatus_t. But once v3 directories are in use,
-      clients and caches will no longer need to hold authority opinions;
-      thus, the rationale for keeping the types separate is now gone.
-    - Make the code used to reschedule and reattempt downloads more
-      uniform.
-    - Turn all 'Are we a directory server/mirror?' logic into a call to
-      dirserver_mode().
-    - Remove the code to generate the oldest (v1) directory format.
-      The code has been disabled since 0.2.0.5-alpha.
-
-
-Changes in version 0.2.0.7-alpha - 2007-09-21
-  This seventh development snapshot makes bridges work again, makes bridge
-  authorities work for the first time, fixes two huge performance flaws
-  in hidden services, and fixes a variety of minor issues.
-
-  o New directory authorities:
-    - Set up moria1 and tor26 as the first v3 directory authorities. See
-      doc/spec/dir-spec.txt for details on the new directory design.
-
-  o Major bugfixes (crashes):
-    - Fix possible segfaults in functions called from
-      rend_process_relay_cell(). Bugfix on 0.1.2.x.
-
-  o Major bugfixes (bridges):
-    - Fix a bug that made servers send a "404 Not found" in response to
-      attempts to fetch their server descriptor. This caused Tor servers
-      to take many minutes to establish reachability for their DirPort,
-      and it totally crippled bridges. Bugfix on 0.2.0.5-alpha.
-    - Make "UpdateBridgesFromAuthority" torrc option work: when bridge
-      users configure that and specify a bridge with an identity
-      fingerprint, now they will lookup the bridge descriptor at the
-      default bridge authority via a one-hop tunnel, but once circuits
-      are established they will switch to a three-hop tunnel for later
-      connections to the bridge authority. Bugfix in 0.2.0.3-alpha.
-
-  o Major bugfixes (hidden services):
-    - Hidden services were choosing introduction points uniquely by
-      hexdigest, but when constructing the hidden service descriptor
-      they merely wrote the (potentially ambiguous) nickname.
-    - Clients now use the v2 intro format for hidden service
-      connections: they specify their chosen rendezvous point by identity
-      digest rather than by (potentially ambiguous) nickname. Both
-      are bugfixes on 0.1.2.x, and they could speed up hidden service
-      connections dramatically. Thanks to Karsten Loesing.
-
-  o Minor features (security):
-    - As a client, do not believe any server that tells us that an
-      address maps to an internal address space.
-    - Make it possible to enable HashedControlPassword and
-      CookieAuthentication at the same time.
-
-  o Minor features (guard nodes):
-    - Tag every guard node in our state file with the version that
-      we believe added it, or with our own version if we add it. This way,
-      if a user temporarily runs an old version of Tor and then switches
-      back to a new one, she doesn't automatically lose her guards.
-
-  o Minor features (speed):
-    - When implementing AES counter mode, update only the portions of the
-      counter buffer that need to change, and don't keep separate
-      network-order and host-order counters when they are the same (i.e.,
-      on big-endian hosts.)
-
-  o Minor features (controller):
-    - Accept LF instead of CRLF on controller, since some software has a
-      hard time generating real Internet newlines.
-    - Add GETINFO values for the server status events
-      "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
-      Robert Hogan.
-
-  o Removed features:
-     - Routers no longer include bandwidth-history lines in their
-       descriptors; this information is already available in extra-info
-       documents, and including it in router descriptors took up 60%
-       (!) of compressed router descriptor downloads. Completes
-       implementation of proposal 104.
-     - Remove the contrib scripts ExerciseServer.py, PathDemo.py,
-       and TorControl.py, as they use the old v0 controller protocol,
-       and are obsoleted by TorFlow anyway.
-     - Drop support for v1 rendezvous descriptors, since we never used
-       them anyway, and the code has probably rotted by now. Based on
-       patch from Karsten Loesing.
-     - On OSX, stop warning the user that kqueue support in libevent is
-      "experimental", since it seems to have worked fine for ages.
-
-  o Minor bugfixes:
-    - When generating information telling us how to extend to a given
-      router, do not try to include the nickname if it is absent. Fixes
-      bug 467. Bugfix on 0.2.0.3-alpha.
-    - Fix a user-triggerable (but not remotely-triggerable) segfault
-      in expand_filename(). Bugfix on 0.1.2.x.
-    - Fix a memory leak when freeing incomplete requests from DNSPort.
-      Found by Niels Provos with valgrind. Bugfix on 0.2.0.1-alpha.
-    - Don't try to access (or alter) the state file when running
-      --list-fingerprint or --verify-config or --hash-password. (Resolves
-      bug 499.) Bugfix on 0.1.2.x.
-    - Servers used to decline to publish their DirPort if their
-      BandwidthRate, RelayBandwidthRate, or MaxAdvertisedBandwidth
-      were below a threshold. Now they only look at BandwidthRate and
-      RelayBandwidthRate. Bugfix on 0.1.2.x.
-    - Remove an optimization in the AES counter-mode code that assumed
-      that the counter never exceeded 2^68. When the counter can be set
-      arbitrarily as an IV (as it is by Karsten's new hidden services
-      code), this assumption no longer holds. Bugfix on 0.1.2.x.
-    - Resume listing "AUTHORITY" flag for authorities in network status.
-      Bugfix on 0.2.0.3-alpha; reported by Alex de Joode.
-
-  o Code simplifications and refactoring:
-    - Revamp file-writing logic so we don't need to have the entire
-      contents of a file in memory at once before we write to disk. Tor,
-      meet stdio.
-    - Turn "descriptor store" into a full-fledged type.
-    - Move all NT services code into a separate source file.
-    - Unify all code that computes medians, percentile elements, etc.
-    - Get rid of a needless malloc when parsing address policies.
-
-
-Changes in version 0.1.2.17 - 2007-08-30
-  Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
-  X bundles. Vidalia 0.0.14 makes authentication required for the
-  ControlPort in the default configuration, which addresses important
-  security risks. Everybody who uses Vidalia (or another controller)
-  should upgrade.
-
-  In addition, this Tor update fixes major load balancing problems with
-  path selection, which should speed things up a lot once many people
-  have upgraded.
-
-  o Major bugfixes (security):
-    - We removed support for the old (v0) control protocol. It has been
-      deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
-      become more of a headache than it's worth.
-
-  o Major bugfixes (load balancing):
-    - When choosing nodes for non-guard positions, weight guards
-      proportionally less, since they already have enough load. Patch
-      from Mike Perry.
-    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
-      will allow fast Tor servers to get more attention.
-    - When we're upgrading from an old Tor version, forget our current
-      guards and pick new ones according to the new weightings. These
-      three load balancing patches could raise effective network capacity
-      by a factor of four. Thanks to Mike Perry for measurements.
-
-  o Major bugfixes (stream expiration):
-    - Expire not-yet-successful application streams in all cases if
-      they've been around longer than SocksTimeout. Right now there are
-      some cases where the stream will live forever, demanding a new
-      circuit every 15 seconds. Fixes bug 454; reported by lodger.
-
-  o Minor features (controller):
-    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
-      is valid before any authentication has been received. It tells
-      a controller what kind of authentication is expected, and what
-      protocol is spoken. Implements proposal 119.
-
-  o Minor bugfixes (performance):
-    - Save on most routerlist_assert_ok() calls in routerlist.c, thus
-      greatly speeding up loading cached-routers from disk on startup.
-    - Disable sentinel-based debugging for buffer code: we squashed all
-      the bugs that this was supposed to detect a long time ago, and now
-      its only effect is to change our buffer sizes from nice powers of
-      two (which platform mallocs tend to like) to values slightly over
-      powers of two (which make some platform mallocs sad).
-
-  o Minor bugfixes (misc):
-    - If exit bandwidth ever exceeds one third of total bandwidth, then
-      use the correct formula to weight exit nodes when choosing paths.
-      Based on patch from Mike Perry.
-    - Choose perfectly fairly among routers when choosing by bandwidth and
-      weighting by fraction of bandwidth provided by exits. Previously, we
-      would choose with only approximate fairness, and correct ourselves
-      if we ran off the end of the list.
-    - If we require CookieAuthentication but we fail to write the
-      cookie file, we would warn but not exit, and end up in a state
-      where no controller could authenticate. Now we exit.
-    - If we require CookieAuthentication, stop generating a new cookie
-      every time we change any piece of our config.
-    - Refuse to start with certain directory authority keys, and
-      encourage people using them to stop.
-    - Terminate multi-line control events properly. Original patch
-      from tup.
-    - Fix a minor memory leak when we fail to find enough suitable
-      servers to choose a circuit.
-    - Stop leaking part of the descriptor when we run into a particularly
-      unparseable piece of it.
-
-
-Changes in version 0.2.0.6-alpha - 2007-08-26
-  This sixth development snapshot features a new Vidalia version in the
-  Windows and OS X bundles. Vidalia 0.0.14 makes authentication required for
-  the ControlPort in the default configuration, which addresses important
-  security risks.
-
-  In addition, this snapshot fixes major load balancing problems
-  with path selection, which should speed things up a lot once many
-  people have upgraded. The directory authorities also use a new
-  mean-time-between-failure approach to tracking which servers are stable,
-  rather than just looking at the most recent uptime.
-
-  o New directory authorities:
-    - Set up Tonga as the default bridge directory authority.
-
-  o Major features:
-    - Directory authorities now track servers by weighted
-      mean-times-between-failures. When we have 4 or more days of data,
-      use measured MTBF rather than declared uptime to decide whether
-      to call a router Stable. Implements proposal 108.
-
-  o Major bugfixes (load balancing):
-    - When choosing nodes for non-guard positions, weight guards
-      proportionally less, since they already have enough load. Patch
-      from Mike Perry.
-    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
-      will allow fast Tor servers to get more attention.
-    - When we're upgrading from an old Tor version, forget our current
-      guards and pick new ones according to the new weightings. These
-      three load balancing patches could raise effective network capacity
-      by a factor of four. Thanks to Mike Perry for measurements.
-
-  o Major bugfixes (descriptor parsing):
-    - Handle unexpected whitespace better in malformed descriptors. Bug
-      found using Benedikt Boss's new Tor fuzzer! Bugfix on 0.2.0.x.
-
-  o Minor features:
-    - There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
-      GETINFO for Torstat to use until it can switch to using extrainfos.
-    - Optionally (if built with -DEXPORTMALLINFO) export the output
-      of mallinfo via http, as tor/mallinfo.txt. Only accessible
-      from localhost.
-
-  o Minor bugfixes:
-    - Do not intermix bridge routers with controller-added
-      routers. (Bugfix on 0.2.0.x)
-    - Do not fail with an assert when accept() returns an unexpected
-      address family. Addresses but does not wholly fix bug 483. (Bugfix
-      on 0.2.0.x)
-    - Let directory authorities startup even when they can't generate
-      a descriptor immediately, e.g. because they don't know their
-      address.
-    - Stop putting the authentication cookie in a file called "0"
-      in your working directory if you don't specify anything for the
-      new CookieAuthFile option. Reported by Matt Edman.
-    - Make it possible to read the PROTOCOLINFO response in a way that
-      conforms to our control-spec. Reported by Matt Edman.
-    - Fix a minor memory leak when we fail to find enough suitable
-      servers to choose a circuit. Bugfix on 0.1.2.x.
-    - Stop leaking part of the descriptor when we run into a particularly
-      unparseable piece of it. Bugfix on 0.1.2.x.
-    - Unmap the extrainfo cache file on exit.
-
-
-Changes in version 0.2.0.5-alpha - 2007-08-19
-  This fifth development snapshot fixes compilation on Windows again;
-  fixes an obnoxious client-side bug that slowed things down and put
-  extra load on the network; gets us closer to using the v3 directory
-  voting scheme; makes it easier for Tor controllers to use cookie-based
-  authentication; and fixes a variety of other bugs.
-
-  o Removed features:
-    - Version 1 directories are no longer generated in full. Instead,
-      authorities generate and serve "stub" v1 directories that list
-      no servers. This will stop Tor versions 0.1.0.x and earlier from
-      working, but (for security reasons) nobody should be running those
-      versions anyway.
-
-  o Major bugfixes (compilation, 0.2.0.x):
-    - Try to fix Win32 compilation again: improve checking for IPv6 types.
-    - Try to fix MSVC compilation: build correctly on platforms that do
-      not define s6_addr16 or s6_addr32.
-    - Fix compile on platforms without getaddrinfo: bug found by Li-Hui
-      Zhou.
-
-  o Major bugfixes (stream expiration):
-    - Expire not-yet-successful application streams in all cases if
-      they've been around longer than SocksTimeout. Right now there are
-      some cases where the stream will live forever, demanding a new
-      circuit every 15 seconds. Bugfix on 0.1.2.7-alpha; fixes bug 454;
-      reported by lodger.
-
-  o Minor features (directory servers):
-    - When somebody requests a list of statuses or servers, and we have
-      none of those, return a 404 rather than an empty 200.
-
-  o Minor features (directory voting):
-    - Store v3 consensus status consensuses on disk, and reload them
-      on startup.
-
-  o Minor features (security):
-    - Warn about unsafe ControlPort configurations.
-    - Refuse to start with certain directory authority keys, and
-      encourage people using them to stop.
-
-  o Minor features (controller):
-    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
-      is valid before any authentication has been received. It tells
-      a controller what kind of authentication is expected, and what
-      protocol is spoken. Implements proposal 119.
-    - New config option CookieAuthFile to choose a new location for the
-      cookie authentication file, and config option
-      CookieAuthFileGroupReadable to make it group-readable.
-
-  o Minor features (unit testing):
-    - Add command-line arguments to unit-test executable so that we can
-      invoke any chosen test from the command line rather than having
-      to run the whole test suite at once; and so that we can turn on
-      logging for the unit tests.
-
-  o Minor bugfixes (on 0.1.2.x):
-    - If we require CookieAuthentication but we fail to write the
-      cookie file, we would warn but not exit, and end up in a state
-      where no controller could authenticate. Now we exit.
-    - If we require CookieAuthentication, stop generating a new cookie
-      every time we change any piece of our config.
-    - When loading bandwidth history, do not believe any information in
-      the future.  Fixes bug 434.
-    - When loading entry guard information, do not believe any information
-      in the future.
-    - When we have our clock set far in the future and generate an
-      onion key, then re-set our clock to be correct, we should not stop
-      the onion key from getting rotated.
-    - Clean up torrc sample config file.
-    - Do not automatically run configure from autogen.sh. This
-      non-standard behavior tended to annoy people who have built other
-      programs.
-
-  o Minor bugfixes (on 0.2.0.x):
-    - Fix a bug with AutomapHostsOnResolve that would always cause
-      the second request to fail. Bug reported by Kate. Bugfix on
-      0.2.0.3-alpha.
-    - Fix a bug in ADDRMAP controller replies that would sometimes
-      try to print a NULL. Patch from tup.
-    - Read v3 directory authority keys from the right location.
-    - Numerous bugfixes to directory voting code.
-
-
-Changes in version 0.1.2.16 - 2007-08-01
-  Tor 0.1.2.16 fixes a critical security vulnerability that allows a
-  remote attacker in certain situations to rewrite the user's torrc
-  configuration file. This can completely compromise anonymity of users
-  in most configurations, including those running the Vidalia bundles,
-  TorK, etc. Or worse.
-
-  o Major security fixes:
-    - Close immediately after missing authentication on control port;
-      do not allow multiple authentication attempts.
-
-
-Changes in version 0.2.0.4-alpha - 2007-08-01
-  This fourth development snapshot fixes a critical security vulnerability
-  for most users, specifically those running Vidalia, TorK, etc. Everybody
-  should upgrade to either 0.1.2.16 or 0.2.0.4-alpha.
-
-  o Major security fixes:
-    - Close immediately after missing authentication on control port;
-      do not allow multiple authentication attempts.
-
-  o Major bugfixes (compilation):
-    - Fix win32 compilation: apparently IN_ADDR and IN6_ADDR are already
-      defined there.
-
-  o Minor features (performance):
-    - Be even more aggressive about releasing RAM from small
-      empty buffers. Thanks to our free-list code, this shouldn't be too
-      performance-intensive.
-    - Disable sentinel-based debugging for buffer code: we squashed all
-      the bugs that this was supposed to detect a long time ago, and
-      now its only effect is to change our buffer sizes from nice
-      powers of two (which platform mallocs tend to like) to values
-      slightly over powers of two (which make some platform mallocs sad).
-    - Log malloc statistics from mallinfo() on platforms where it
-      exists.
-
-
-Changes in version 0.2.0.3-alpha - 2007-07-29
-  This third development snapshot introduces new experimental
-  blocking-resistance features and a preliminary version of the v3
-  directory voting design, and includes many other smaller features
-  and bugfixes.
-
-  o Major features:
-    - The first pieces of our "bridge" design for blocking-resistance
-      are implemented. People can run bridge directory authorities;
-      people can run bridges; and people can configure their Tor clients
-      with a set of bridges to use as the first hop into the Tor network.
-      See http://archives.seul.org/or/talk/Jul-2007/msg00249.html for
-      details.
-    - Create listener connections before we setuid to the configured
-      User and Group. Now non-Windows users can choose port values
-      under 1024, start Tor as root, and have Tor bind those ports
-      before it changes to another UID. (Windows users could already
-      pick these ports.)
-    - Added a new ConstrainedSockets config option to set SO_SNDBUF and
-      SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
-      on "vserver" accounts. (Patch from coderman.)
-    - Be even more aggressive about separating local traffic from relayed
-      traffic when RelayBandwidthRate is set. (Refines proposal 111.)
-
-  o Major features (experimental):
-    - First cut of code for "v3 dir voting": directory authorities will
-      vote on a common network status document rather than each publishing
-      their own opinion. This code needs more testing and more corner-case
-      handling before it's ready for use.
-
-  o Security fixes:
-    - Directory authorities now call routers Fast if their bandwidth is
-      at least 100KB/s, and consider their bandwidth adequate to be a
-      Guard if it is at least 250KB/s, no matter the medians. This fix
-      complements proposal 107. [Bugfix on 0.1.2.x]
-    - Directory authorities now never mark more than 3 servers per IP as
-      Valid and Running. (Implements proposal 109, by Kevin Bauer and
-      Damon McCoy.)
-    - Minor change to organizationName and commonName generation
-      procedures in TLS certificates during Tor handshakes, to invalidate
-      some earlier censorware approaches. This is not a long-term
-      solution, but applying it will give us a bit of time to look into
-      the epidemiology of countermeasures as they spread.
-
-  o Major bugfixes (directory):
-    - Rewrite directory tokenization code to never run off the end of
-      a string. Fixes bug 455. Patch from croup. [Bugfix on 0.1.2.x]
-
-  o Minor features (controller):
-    - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
-      match requests to applications. (Patch from Robert Hogan.)
-    - Report address and port correctly on connections to DNSPort. (Patch
-      from Robert Hogan.)
-    - Add a RESOLVE command to launch hostname lookups. (Original patch
-      from Robert Hogan.)
-    - Add GETINFO status/enough-dir-info to let controllers tell whether
-      Tor has downloaded sufficient directory information. (Patch
-      from Tup.)
-    - You can now use the ControlSocket option to tell Tor to listen for
-      controller connections on Unix domain sockets on systems that
-      support them. (Patch from Peter Palfrader.)
-    - STREAM NEW events are generated for DNSPort requests and for
-      tunneled directory connections. (Patch from Robert Hogan.)
-    - New "GETINFO address-mappings/*" command to get address mappings
-      with expiry information. "addr-mappings/*" is now deprecated.
-      (Patch from Tup.)
-
-  o Minor features (misc):
-    - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
-      from croup.)
-    - The tor-gencert tool for v3 directory authorities now creates all
-      files as readable to the file creator only, and write-protects
-      the authority identity key.
-    - When dumping memory usage, list bytes used in buffer memory
-      free-lists.
-    - When running with dmalloc, dump more stats on hup and on exit.
-    - Directory authorities now fail quickly and (relatively) harmlessly
-      if they generate a network status document that is somehow
-      malformed.
-
-  o Traffic load balancing improvements:
-    - If exit bandwidth ever exceeds one third of total bandwidth, then
-      use the correct formula to weight exit nodes when choosing paths.
-      (Based on patch from Mike Perry.)
-    - Choose perfectly fairly among routers when choosing by bandwidth and
-      weighting by fraction of bandwidth provided by exits. Previously, we
-      would choose with only approximate fairness, and correct ourselves
-      if we ran off the end of the list. [Bugfix on 0.1.2.x]
-
-  o Performance improvements:
-    - Be more aggressive with freeing buffer RAM or putting it on the
-      memory free lists.
-    - Use Critical Sections rather than Mutexes for synchronizing threads
-      on win32; Mutexes are heavier-weight, and designed for synchronizing
-      between processes.
-
-  o Deprecated and removed features:
-    - RedirectExits is now deprecated.
-    - Stop allowing address masks that do not correspond to bit prefixes.
-      We have warned about these for a really long time; now it's time
-      to reject them. (Patch from croup.)
-
-  o Minor bugfixes (directory):
-    - Fix another crash bug related to extra-info caching. (Bug found by
-      Peter Palfrader.) [Bugfix on 0.2.0.2-alpha]
-    - Directories no longer return a "304 not modified" when they don't
-      have the networkstatus the client asked for. Also fix a memory
-      leak when returning 304 not modified. [Bugfixes on 0.2.0.2-alpha]
-    - We had accidentally labelled 0.1.2.x directory servers as not
-      suitable for begin_dir requests, and had labelled no directory
-      servers as suitable for uploading extra-info documents. [Bugfix
-      on 0.2.0.1-alpha]
-
-  o Minor bugfixes (dns):
-    - Fix a crash when DNSPort is set more than once. (Patch from Robert
-      Hogan.) [Bugfix on 0.2.0.2-alpha]
-    - Add DNSPort connections to the global connection list, so that we
-      can time them out correctly. (Bug found by Robert Hogan.) [Bugfix
-      on 0.2.0.2-alpha]
-    - Fix a dangling reference that could lead to a crash when DNSPort is
-      changed or closed (Patch from Robert Hogan.) [Bugfix on
-      0.2.0.2-alpha]
-
-  o Minor bugfixes (controller):
-    - Provide DNS expiry times in GMT, not in local time. For backward
-      compatibility, ADDRMAP events only provide GMT expiry in an extended
-      field. "GETINFO address-mappings" always does the right thing.
-    - Use CRLF line endings properly in NS events.
-    - Terminate multi-line control events properly. (Original patch
-      from tup.) [Bugfix on 0.1.2.x-alpha]
-    - Do not include spaces in SOURCE_ADDR fields in STREAM
-      events. Resolves bug 472. [Bugfix on 0.2.0.x-alpha]
-
-
-Changes in version 0.1.2.15 - 2007-07-17
-  Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
-  problems, fixes compilation on BSD, and fixes a variety of other
-  bugs. Everybody should upgrade.
-
-  o Major bugfixes (compilation):
-    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
-
-  o Major bugfixes (crashes):
-    - Try even harder not to dereference the first character after
-      an mmap(). Reported by lodger.
-    - Fix a crash bug in directory authorities when we re-number the
-      routerlist while inserting a new router.
-    - When the cached-routers file is an even multiple of the page size,
-      don't run off the end and crash. (Fixes bug 455; based on idea
-      from croup.)
-    - Fix eventdns.c behavior on Solaris: It is critical to include
-      orconfig.h _before_ sys/types.h, so that we can get the expected
-      definition of _FILE_OFFSET_BITS.
-
-  o Major bugfixes (security):
-    - Fix a possible buffer overrun when using BSD natd support. Bug
-      found by croup.
-    - When sending destroy cells from a circuit's origin, don't include
-      the reason for tearing down the circuit. The spec says we didn't,
-      and now we actually don't. Reported by lodger.
-    - Keep streamids from different exits on a circuit separate. This
-      bug may have allowed other routers on a given circuit to inject
-      cells into streams. Reported by lodger; fixes bug 446.
-    - If there's a never-before-connected-to guard node in our list,
-      never choose any guards past it. This way we don't expand our
-      guard list unless we need to.
-
-  o Minor bugfixes (guard nodes):
-    - Weight guard selection by bandwidth, so that low-bandwidth nodes
-      don't get overused as guards.
-
-  o Minor bugfixes (directory):
-    - Correctly count the number of authorities that recommend each
-      version. Previously, we were under-counting by 1.
-    - Fix a potential crash bug when we load many server descriptors at
-      once and some of them make others of them obsolete. Fixes bug 458.
-
-  o Minor bugfixes (hidden services):
-    - Stop tearing down the whole circuit when the user asks for a
-      connection to a port that the hidden service didn't configure.
-      Resolves bug 444.
-
-  o Minor bugfixes (misc):
-    - On Windows, we were preventing other processes from reading
-      cached-routers while Tor was running. Reported by janbar.
-    - Fix a possible (but very unlikely) bug in picking routers by
-      bandwidth. Add a log message to confirm that it is in fact
-      unlikely. Patch from lodger.
-    - Backport a couple of memory leak fixes.
-    - Backport miscellaneous cosmetic bugfixes.
-
-
-Changes in version 0.2.0.2-alpha - 2007-06-02
-  o Major bugfixes on 0.2.0.1-alpha:
-    - Fix an assertion failure related to servers without extra-info digests.
-      Resolves bugs 441 and 442.
-
-  o Minor features (directory):
-    - Support "If-Modified-Since" when answering HTTP requests for
-      directories, running-routers documents, and network-status documents.
-      (There's no need to support it for router descriptors, since those
-      are downloaded by descriptor digest.)
-
-  o Minor build issues:
-    - Clear up some MIPSPro compiler warnings.
-    - When building from a tarball on a machine that happens to have SVK
-      installed, report the micro-revision as whatever version existed
-      in the tarball, not as "x".
-
-
-Changes in version 0.2.0.1-alpha - 2007-06-01
-  This early development snapshot provides new features for people running
-  Tor as both a client and a server (check out the new RelayBandwidth
-  config options); lets Tor run as a DNS proxy; and generally moves us
-  forward on a lot of fronts.
-
-  o Major features, server usability:
-    - New config options RelayBandwidthRate and RelayBandwidthBurst:
-      a separate set of token buckets for relayed traffic. Right now
-      relayed traffic is defined as answers to directory requests, and
-      OR connections that don't have any local circuits on them.
-
-  o Major features, client usability:
-    - A client-side DNS proxy feature to replace the need for
-      dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
-      for DNS requests on port 9999, use the Tor network to resolve them
-      anonymously, and send the reply back like a regular DNS server.
-      The code still only implements a subset of DNS.
-    - Make PreferTunneledDirConns and TunnelDirConns work even when
-      we have no cached directory info. This means Tor clients can now
-      do all of their connections protected by TLS.
-
-  o Major features, performance and efficiency:
-    - Directory authorities accept and serve "extra info" documents for
-      routers. These documents contain fields from router descriptors
-      that aren't usually needed, and that use a lot of excess
-      bandwidth. Once these fields are removed from router descriptors,
-      the bandwidth savings should be about 60%. [Partially implements
-      proposal 104.]
-    - Servers upload extra-info documents to any authority that accepts
-      them. Authorities (and caches that have been configured to download
-      extra-info documents) download them as needed. [Partially implements
-      proposal 104.]
-    - Change the way that Tor buffers data that it is waiting to write.
-      Instead of queueing data cells in an enormous ring buffer for each
-      client->OR or OR->OR connection, we now queue cells on a separate
-      queue for each circuit.  This lets us use less slack memory, and
-      will eventually let us be smarter about prioritizing different kinds
-      of traffic.
-    - Use memory pools to allocate cells with better speed and memory
-      efficiency, especially on platforms where malloc() is inefficient.
-    - Stop reading on edge connections when their corresponding circuit
-      buffers are full; start again as the circuits empty out.
-
-  o Major features, other:
-    - Add an HSAuthorityRecordStats option that hidden service authorities
-      can use to track statistics of overall hidden service usage without
-      logging information that would be very useful to an attacker.
-    - Start work implementing multi-level keys for directory authorities:
-      Add a standalone tool to generate key certificates. (Proposal 103.)
-
-  o Security fixes:
-    - Directory authorities now call routers Stable if they have an
-      uptime of at least 30 days, even if that's not the median uptime
-      in the network. Implements proposal 107, suggested by Kevin Bauer
-      and Damon McCoy.
-
-  o Minor fixes (resource management):
-    - Count the number of open sockets separately from the number
-      of active connection_t objects. This will let us avoid underusing
-      our allocated connection limit.
-    - We no longer use socket pairs to link an edge connection to an
-      anonymous directory connection or a DirPort test connection.
-      Instead, we track the link internally and transfer the data
-      in-process. This saves two sockets per "linked" connection (at the
-      client and at the server), and avoids the nasty Windows socketpair()
-      workaround.
-    - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
-      for every single inactive connection_t. Free items from the
-      4k/16k-buffer free lists when they haven't been used for a while.
-
-  o Minor features (build):
-    - Make autoconf search for libevent, openssl, and zlib consistently.
-    - Update deprecated macros in configure.in.
-    - When warning about missing headers, tell the user to let us
-      know if the compile succeeds anyway, so we can downgrade the
-      warning.
-    - Include the current subversion revision as part of the version
-      string: either fetch it directly if we're in an SVN checkout, do
-      some magic to guess it if we're in an SVK checkout, or use
-      the last-detected version if we're building from a .tar.gz.
-      Use this version consistently in log messages.
-
-  o Minor features (logging):
-    - Always prepend "Bug: " to any log message about a bug.
-    - Put a platform string (e.g. "Linux i686") in the startup log
-      message, so when people paste just their logs, we know if it's
-      OpenBSD or Windows or what.
-    - When logging memory usage, break down memory used in buffers by
-      buffer type.
-
-  o Minor features (directory system):
-    - New config option V2AuthoritativeDirectory that all directory
-      authorities should set. This will let future authorities choose
-      not to serve V2 directory information.
-    - Directory authorities allow multiple router descriptors and/or extra
-      info documents to be uploaded in a single go.  This will make
-      implementing proposal 104 simpler.
-
-  o Minor features (controller):
-    - Add a new config option __DisablePredictedCircuits designed for
-      use by the controller, when we don't want Tor to build any circuits
-      preemptively.
-    - Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
-      so we can exit from the middle of the circuit.
-    - Implement "getinfo status/circuit-established".
-    - Implement "getinfo status/version/..." so a controller can tell
-      whether the current version is recommended, and whether any versions
-      are good, and how many authorities agree. (Patch from shibz.)
-
-  o Minor features (hidden services):
-    - Allow multiple HiddenServicePort directives with the same virtual
-      port; when they occur, the user is sent round-robin to one
-      of the target ports chosen at random.  Partially fixes bug 393 by
-      adding limited ad-hoc round-robining.
-
-  o Minor features (other):
-    - More unit tests.
-    - Add a new AutomapHostsOnResolve option: when it is enabled, any
-      resolve request for hosts matching a given pattern causes Tor to
-      generate an internal virtual address mapping for that host.  This
-      allows DNSPort to work sensibly with hidden service users.  By
-      default, .exit and .onion addresses are remapped; the list of
-      patterns can be reconfigured with AutomapHostsSuffixes.
-    - Add an "-F" option to tor-resolve to force a resolve for a .onion
-      address. Thanks to the AutomapHostsOnResolve option, this is no
-      longer a completely silly thing to do.
-    - If Tor is invoked from something that isn't a shell (e.g. Vidalia),
-      now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
-    - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
-      minus 1 byte: the actual maximum declared bandwidth.
-
-  o Removed features:
-    - Removed support for the old binary "version 0" controller protocol.
-      This has been deprecated since 0.1.1, and warnings have been issued
-      since 0.1.2.  When we encounter a v0 control message, we now send
-      back an error and close the connection.
-    - Remove the old "dns worker" server DNS code: it hasn't been default
-      since 0.1.2.2-alpha, and all the servers seem to be using the new
-      eventdns code.
-
-  o Minor bugfixes (portability):
-    - Even though Windows is equally happy with / and \ as path separators,
-      try to use \ consistently on Windows and / consistently on Unix: it
-      makes the log messages nicer.
-    - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
-    - Read resolv.conf files correctly on platforms where read() returns
-      partial results on small file reads.
-
-  o Minor bugfixes (directory):
-    - Correctly enforce that elements of directory objects do not appear
-      more often than they are allowed to appear.
-    - When we are reporting the DirServer line we just parsed, we were
-      logging the second stanza of the key fingerprint, not the first.
-
-  o Minor bugfixes (logging):
-    - When we hit an EOF on a log (probably because we're shutting down),
-      don't try to remove the log from the list: just mark it as
-      unusable.  (Bulletproofs against bug 222.)
-
-  o Minor bugfixes (other):
-    - In the exitlist script, only consider the most recently published
-      server descriptor for each server. Also, when the user requests
-      a list of servers that _reject_ connections to a given address,
-      explicitly exclude the IPs that also have servers that accept
-      connections to that address. (Resolves bug 405.)
-    - Stop allowing hibernating servers to be "stable" or "fast".
-    - On Windows, we were preventing other processes from reading
-      cached-routers while Tor was running.  (Reported by janbar)
-    - Make the NodeFamilies config option work. (Reported by
-      lodger -- it has never actually worked, even though we added it
-      in Oct 2004.)
-    - Check return values from pthread_mutex functions.
-    - Don't save non-general-purpose router descriptors to the disk cache,
-      because we have no way of remembering what their purpose was when
-      we restart.
-    - Add even more asserts to hunt down bug 417.
-    - Build without verbose warnings even on (not-yet-released) gcc 4.2.
-    - Fix a possible (but very unlikely) bug in picking routers by bandwidth.
-      Add a log message to confirm that it is in fact unlikely.
-
-  o Minor bugfixes (controller):
-    - Make 'getinfo fingerprint' return a 551 error if we're not a
-      server, so we match what the control spec claims we do. Reported
-      by daejees.
-    - Fix a typo in an error message when extendcircuit fails that
-      caused us to not follow the \r\n-based delimiter protocol. Reported
-      by daejees.
-
-  o Code simplifications and refactoring:
-    - Stop passing around circuit_t and crypt_path_t pointers that are
-      implicit in other procedure arguments.
-    - Drop the old code to choke directory connections when the
-      corresponding OR connections got full: thanks to the cell queue
-      feature, OR conns don't get full any more.
-    - Make dns_resolve() handle attaching connections to circuits
-      properly, so the caller doesn't have to.
-    - Rename wants_to_read and wants_to_write to read/write_blocked_on_bw.
-    - Keep the connection array as a dynamic smartlist_t, rather than as
-      a fixed-sized array. This is important, as the number of connections
-      is becoming increasingly decoupled from the number of sockets.
-
-
-Changes in version 0.1.2.14 - 2007-05-25
-  Tor 0.1.2.14 changes the addresses of two directory authorities (this
-  change especially affects those who serve or use hidden services),
-  and fixes several other crash- and security-related bugs.
-
-  o Directory authority changes:
-    - Two directory authorities (moria1 and moria2) just moved to new
-      IP addresses. This change will particularly affect those who serve
-      or use hidden services.
-
-  o Major bugfixes (crashes):
-    - If a directory server runs out of space in the connection table
-      as it's processing a begin_dir request, it will free the exit stream
-      but leave it attached to the circuit, leading to unpredictable
-      behavior. (Reported by seeess, fixes bug 425.)
-    - Fix a bug in dirserv_remove_invalid() that would cause authorities
-      to corrupt memory under some really unlikely scenarios.
-    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
-    - Avoid segfaults when reading from mmaped descriptor file. (Reported
-      by lodger.)
-
-  o Major bugfixes (security):
-    - When choosing an entry guard for a circuit, avoid using guards
-      that are in the same family as the chosen exit -- not just guards
-      that are exactly the chosen exit. (Reported by lodger.)
-
-  o Major bugfixes (resource management):
-    - If a directory authority is down, skip it when deciding where to get
-      networkstatus objects or descriptors. Otherwise we keep asking
-      every 10 seconds forever. Fixes bug 384.
-    - Count it as a failure if we fetch a valid network-status but we
-      don't want to keep it. Otherwise we'll keep fetching it and keep
-      not wanting to keep it. Fixes part of bug 422.
-    - If all of our dirservers have given us bad or no networkstatuses
-      lately, then stop hammering them once per minute even when we
-      think they're failed. Fixes another part of bug 422.
-
-  o Minor bugfixes:
-    - Actually set the purpose correctly for descriptors inserted with
-      purpose=controller.
-    - When we have k non-v2 authorities in our DirServer config,
-      we ignored the last k authorities in the list when updating our
-      network-statuses.
-    - Correctly back-off from requesting router descriptors that we are
-      having a hard time downloading.
-    - Read resolv.conf files correctly on platforms where read() returns
-      partial results on small file reads.
-    - Don't rebuild the entire router store every time we get 32K of
-      routers: rebuild it when the journal gets very large, or when
-      the gaps in the store get very large.
-
-  o Minor features:
-    - When routers publish SVN revisions in their router descriptors,
-      authorities now include those versions correctly in networkstatus
-      documents.
-    - Warn when using a version of libevent before 1.3b to run a server on
-      OSX or BSD: these versions interact badly with userspace threads.
-
-
-Changes in version 0.1.2.13 - 2007-04-24
-  This release features some major anonymity fixes, such as safer path
-  selection; better client performance; faster bootstrapping, better
-  address detection, and better DNS support for servers; write limiting as
-  well as read limiting to make servers easier to run; and a huge pile of
-  other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
-
-  Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
-  of the Freenode IRC network, remembering his patience and vision for
-  free speech on the Internet.
-
-  o Minor fixes:
-    - Fix a memory leak when we ask for "all" networkstatuses and we
-      get one we don't recognize.
-    - Add more asserts to hunt down bug 417.
-    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
-
-
-Changes in version 0.1.2.12-rc - 2007-03-16
-  o Major bugfixes:
-    - Fix an infinite loop introduced in 0.1.2.7-alpha when we serve
-      directory information requested inside Tor connections (i.e. via
-      begin_dir cells). It only triggered when the same connection was
-      serving other data at the same time. Reported by seeess.
-
-  o Minor bugfixes:
-    - When creating a circuit via the controller, send a 'launched'
-      event when we're done, so we follow the spec better.
-
-
-Changes in version 0.1.2.11-rc - 2007-03-15
-  o Minor bugfixes (controller), reported by daejees:
-    - Correct the control spec to match how the code actually responds
-      to 'getinfo addr-mappings/*'.
-    - The control spec described a GUARDS event, but the code
-      implemented a GUARD event. Standardize on GUARD, but let people
-      ask for GUARDS too.
-
-
-Changes in version 0.1.2.10-rc - 2007-03-07
-  o Major bugfixes (Windows):
-    - Do not load the NT services library functions (which may not exist)
-      just to detect if we're a service trying to shut down. Now we run
-      on Win98 and friends again.
-
-  o Minor bugfixes (other):
-    - Clarify a couple of log messages.
-    - Fix a misleading socks5 error number.
-
-
-Changes in version 0.1.2.9-rc - 2007-03-02
-  o Major bugfixes (Windows):
-    - On MinGW, use "%I64u" to printf/scanf 64-bit integers, instead
-      of the usual GCC "%llu". This prevents a bug when saving 64-bit
-      int configuration values: the high-order 32 bits would get
-      truncated. In particular, we were being bitten by the default
-      MaxAdvertisedBandwidth of 128 TB turning into 0. (Fixes bug 400
-      and maybe also bug 397.)
-
-  o Minor bugfixes (performance):
-    - Use OpenSSL's AES implementation on platforms where it's faster.
-      This could save us as much as 10% CPU usage.
-
-  o Minor bugfixes (server):
-    - Do not rotate onion key immediately after setting it for the first
-      time.
-
-  o Minor bugfixes (directory authorities):
-    - Stop calling servers that have been hibernating for a long time
-      "stable". Also, stop letting hibernating or obsolete servers affect
-      uptime and bandwidth cutoffs.
-    - Stop listing hibernating servers in the v1 directory.
-
-  o Minor bugfixes (hidden services):
-    - Upload hidden service descriptors slightly less often, to reduce
-      load on authorities.
-
-  o Minor bugfixes (other):
-    - Fix an assert that could trigger if a controller quickly set then
-      cleared EntryNodes.  (Bug found by Udo van den Heuvel.)
-    - On architectures where sizeof(int)>4, still clamp declarable bandwidth
-      to INT32_MAX.
-    - Fix a potential race condition in the rpm installer.  Found by
-      Stefan Nordhausen.
-    - Try to fix eventdns warnings once and for all: do not treat a dns rcode
-      of 2 as indicating that the server is completely bad; it sometimes
-      means that the server is just bad for the request in question. (may fix
-      the last of bug 326.)
-    - Disable encrypted directory connections when we don't have a server
-      descriptor for the destination. We'll get this working again in
-      the 0.2.0 branch.
-
-
-Changes in version 0.1.2.8-beta - 2007-02-26
-  o Major bugfixes (crashes):
-    - Stop crashing when the controller asks us to resetconf more than
-      one config option at once. (Vidalia 0.0.11 does this.)
-    - Fix a crash that happened on Win98 when we're given command-line
-      arguments: don't try to load NT service functions from advapi32.dll
-      except when we need them. (Bug introduced in 0.1.2.7-alpha;
-      resolves bug 389.)
-    - Fix a longstanding obscure crash bug that could occur when
-      we run out of DNS worker processes. (Resolves bug 390.)
-
-  o Major bugfixes (hidden services):
-    - Correctly detect whether hidden service descriptor downloads are
-      in-progress. (Suggested by Karsten Loesing; fixes bug 399.)
-
-  o Major bugfixes (accounting):
-    - When we start during an accounting interval before it's time to wake
-      up, remember to wake up at the correct time. (May fix bug 342.)
-
-  o Minor bugfixes (controller):
-    - Give the controller END_STREAM_REASON_DESTROY events _before_ we
-      clear the corresponding on_circuit variable, and remember later
-      that we don't need to send a redundant CLOSED event.  (Resolves part
-      3 of bug 367.)
-    - Report events where a resolve succeeded or where we got a socks
-      protocol error correctly, rather than calling both of them
-      "INTERNAL".
-    - Change reported stream target addresses to IP consistently when
-      we finally get the IP from an exit node.
-    - Send log messages to the controller even if they happen to be very
-      long.
-
-  o Minor bugfixes (other):
-    - Display correct results when reporting which versions are
-      recommended, and how recommended they are. (Resolves bug 383.)
-    - Improve our estimates for directory bandwidth to be less random:
-      guess that an unrecognized directory will have the average bandwidth
-      from all known directories, not that it will have the average
-      bandwidth from those directories earlier than it on the list.
-    - If we start a server with ClientOnly 1, then set ClientOnly to 0
-      and hup, stop triggering an assert based on an empty onion_key.
-    - On platforms with no working mmap() equivalent, don't warn the
-      user when cached-routers doesn't exist.
-    - Warn the user when mmap() [or its equivalent] fails for some reason
-      other than file-not-found.
-    - Don't warn the user when cached-routers.new doesn't exist: that's
-      perfectly fine when starting up for the first time.
-    - When EntryNodes are configured, rebuild the guard list to contain,
-      in order: the EntryNodes that were guards before; the rest of the
-      EntryNodes; the nodes that were guards before.
-    - Mask out all signals in sub-threads; only the libevent signal
-      handler should be processing them. This should prevent some crashes
-      on some machines using pthreads. (Patch from coderman.)
-    - Fix switched arguments on memset in the implementation of
-      tor_munmap() for systems with no mmap() call.
-    - When Tor receives a router descriptor that it asked for, but
-      no longer wants (because it has received fresh networkstatuses
-      in the meantime), do not warn the user.  Cache the descriptor if
-      we're a cache; drop it if we aren't.
-    - Make earlier entry guards _really_ get retried when the network
-      comes back online.
-    - On a malformed DNS reply, always give an error to the corresponding
-      DNS request.
-    - Build with recent libevents on platforms that do not define the
-      nonstandard types "u_int8_t" and friends.
-
-  o Minor features (controller):
-    - Warn the user when an application uses the obsolete binary v0
-      control protocol.  We're planning to remove support for it during
-      the next development series, so it's good to give people some
-      advance warning.
-    - Add STREAM_BW events to report per-entry-stream bandwidth
-      use. (Patch from Robert Hogan.)
-    - Rate-limit SIGNEWNYM signals in response to controllers that
-      impolitely generate them for every single stream. (Patch from
-      mwenge; closes bug 394.)
-    - Make REMAP stream events have a SOURCE (cache or exit), and
-      make them generated in every case where we get a successful
-      connected or resolved cell.
-
-  o Minor bugfixes (performance):
-    - Call router_have_min_dir_info half as often. (This is showing up in
-      some profiles, but not others.)
-    - When using GCC, make log_debug never get called at all, and its
-      arguments never get evaluated, when no debug logs are configured.
-      (This is showing up in some profiles, but not others.)
-
-  o Minor features:
-    - Remove some never-implemented options.  Mark PathlenCoinWeight as
-      obsolete.
-    - Implement proposal 106: Stop requiring clients to have well-formed
-      certificates; stop checking nicknames in certificates. (Clients
-      have certificates so that they can look like Tor servers, but in
-      the future we might want to allow them to look like regular TLS
-      clients instead. Nicknames in certificates serve no purpose other
-      than making our protocol easier to recognize on the wire.)
-    - Revise messages on handshake failure again to be even more clear about
-      which are incoming connections and which are outgoing.
-    - Discard any v1 directory info that's over 1 month old (for
-      directories) or over 1 week old (for running-routers lists).
-    - Do not warn when individual nodes in the configuration's EntryNodes,
-      ExitNodes, etc are down: warn only when all possible nodes
-      are down. (Fixes bug 348.)
-    - Always remove expired routers and networkstatus docs before checking
-      whether we have enough information to build circuits. (Fixes
-      bug 373.)
-    - Put a lower-bound on MaxAdvertisedBandwidth.
-
-
-Changes in version 0.1.2.7-alpha - 2007-02-06
-  o Major bugfixes (rate limiting):
-    - Servers decline directory requests much more aggressively when
-      they're low on bandwidth. Otherwise they end up queueing more and
-      more directory responses, which can't be good for latency.
-    - But never refuse directory requests from local addresses.
-    - Fix a memory leak when sending a 503 response for a networkstatus
-      request.
-    - Be willing to read or write on local connections (e.g. controller
-      connections) even when the global rate limiting buckets are empty.
-    - If our system clock jumps back in time, don't publish a negative
-      uptime in the descriptor. Also, don't let the global rate limiting
-      buckets go absurdly negative.
-    - Flush local controller connection buffers periodically as we're
-      writing to them, so we avoid queueing 4+ megabytes of data before
-      trying to flush.
-
-  o Major bugfixes (NT services):
-    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
-      command-line flag so that admins can override the default by saying
-      "tor --service install --user "SomeUser"".  This will not affect
-      existing installed services.  Also, warn the user that the service
-      will look for its configuration file in the service user's
-      %appdata% directory.  (We can't do the 'hardwire the user's appdata
-      directory' trick any more, since we may not have read access to that
-      directory.)
-
-  o Major bugfixes (other):
-    - Previously, we would cache up to 16 old networkstatus documents
-      indefinitely, if they came from nontrusted authorities. Now we
-      discard them if they are more than 10 days old.
-    - Fix a crash bug in the presence of DNS hijacking (reported by Andrew
-      Del Vecchio).
-    - Detect and reject malformed DNS responses containing circular
-      pointer loops.
-    - If exits are rare enough that we're not marking exits as guards,
-      ignore exit bandwidth when we're deciding the required bandwidth
-      to become a guard.
-    - When we're handling a directory connection tunneled over Tor,
-      don't fill up internal memory buffers with all the data we want
-      to tunnel; instead, only add it if the OR connection that will
-      eventually receive it has some room for it. (This can lead to
-      slowdowns in tunneled dir connections; a better solution will have
-      to wait for 0.2.0.)
-
-  o Minor bugfixes (dns):
-    - Add some defensive programming to eventdns.c in an attempt to catch
-      possible memory-stomping bugs.
-    - Detect and reject DNS replies containing IPv4 or IPv6 records with
-      an incorrect number of bytes. (Previously, we would ignore the
-      extra bytes.)
-    - Fix as-yet-unused reverse IPv6 lookup code so it sends nybbles
-      in the correct order, and doesn't crash.
-    - Free memory held in recently-completed DNS lookup attempts on exit.
-      This was not a memory leak, but may have been hiding memory leaks.
-    - Handle TTL values correctly on reverse DNS lookups.
-    - Treat failure to parse resolv.conf as an error.
-
-  o Minor bugfixes (other):
-    - Fix crash with "tor --list-fingerprint" (reported by seeess).
-    - When computing clock skew from directory HTTP headers, consider what
-      time it was when we finished asking for the directory, not what
-      time it is now.
-    - Expire socks connections if they spend too long waiting for the
-      handshake to finish. Previously we would let them sit around for
-      days, if the connecting application didn't close them either.
-    - And if the socks handshake hasn't started, don't send a
-      "DNS resolve socks failed" handshake reply; just close it.
-    - Stop using C functions that OpenBSD's linker doesn't like.
-    - Don't launch requests for descriptors unless we have networkstatuses
-      from at least half of the authorities.  This delays the first
-      download slightly under pathological circumstances, but can prevent
-      us from downloading a bunch of descriptors we don't need.
-    - Do not log IPs with TLS failures for incoming TLS
-      connections. (Fixes bug 382.)
-    - If the user asks to use invalid exit nodes, be willing to use
-      unstable ones.
-    - Stop using the reserved ac_cv namespace in our configure script.
-    - Call stat() slightly less often; use fstat() when possible.
-    - Refactor the way we handle pending circuits when an OR connection
-      completes or fails, in an attempt to fix a rare crash bug.
-    - Only rewrite a conn's address based on X-Forwarded-For: headers
-      if it's a parseable public IP address; and stop adding extra quotes
-      to the resulting address.
-
-  o Major features:
-    - Weight directory requests by advertised bandwidth. Now we can
-      let servers enable write limiting but still allow most clients to
-      succeed at their directory requests. (We still ignore weights when
-      choosing a directory authority; I hope this is a feature.)
-
-  o Minor features:
-    - Create a new file ReleaseNotes which was the old ChangeLog. The
-      new ChangeLog file now includes the summaries for all development
-      versions too.
-    - Check for addresses with invalid characters at the exit as well
-      as at the client, and warn less verbosely when they fail. You can
-      override this by setting ServerDNSAllowNonRFC953Addresses to 1.
-    - Adapt a patch from goodell to let the contrib/exitlist script
-      take arguments rather than require direct editing.
-    - Inform the server operator when we decide not to advertise a
-      DirPort due to AccountingMax enabled or a low BandwidthRate. It
-      was confusing Zax, so now we're hopefully more helpful.
-    - Bring us one step closer to being able to establish an encrypted
-      directory tunnel without knowing a descriptor first. Still not
-      ready yet. As part of the change, now assume we can use a
-      create_fast cell if we don't know anything about a router.
-    - Allow exit nodes to use nameservers running on ports other than 53.
-    - Servers now cache reverse DNS replies.
-    - Add an --ignore-missing-torrc command-line option so that we can
-      get the "use sensible defaults if the configuration file doesn't
-      exist" behavior even when specifying a torrc location on the command
-      line.
-
-  o Minor features (controller):
-    - Track reasons for OR connection failure; make these reasons
-      available via the controller interface. (Patch from Mike Perry.)
-    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
-      can learn when clients are sending malformed hostnames to Tor.
-    - Clean up documentation for controller status events.
-    - Add a REMAP status to stream events to note that a stream's
-      address has changed because of a cached address or a MapAddress
-      directive.
-
-
-Changes in version 0.1.2.6-alpha - 2007-01-09
-  o Major bugfixes:
-    - Fix an assert error introduced in 0.1.2.5-alpha: if a single TLS
-      connection handles more than 4 gigs in either direction, we crash.
-    - Fix an assert error introduced in 0.1.2.5-alpha: if we're an
-      advertised exit node, somebody might try to exit from us when
-      we're bootstrapping and before we've built our descriptor yet.
-      Refuse the connection rather than crashing.
-
-  o Minor bugfixes:
-    - Warn if we (as a server) find that we've resolved an address that we
-      weren't planning to resolve.
-    - Warn that using select() on any libevent version before 1.1 will be
-      unnecessarily slow (even for select()).
-    - Flush ERR-level controller status events just like we currently
-      flush ERR-level log events, so that a Tor shutdown doesn't prevent
-      the controller from learning about current events.
-
-  o Minor features (more controller status events):
-    - Implement EXTERNAL_ADDRESS server status event so controllers can
-      learn when our address changes.
-    - Implement BAD_SERVER_DESCRIPTOR server status event so controllers
-      can learn when directories reject our descriptor.
-    - Implement SOCKS_UNKNOWN_PROTOCOL client status event so controllers
-      can learn when a client application is speaking a non-socks protocol
-      to our SocksPort.
-    - Implement DANGEROUS_SOCKS client status event so controllers
-      can learn when a client application is leaking DNS addresses.
-    - Implement BUG general status event so controllers can learn when
-      Tor is unhappy about its internal invariants.
-    - Implement CLOCK_SKEW general status event so controllers can learn
-      when Tor thinks the system clock is set incorrectly.
-    - Implement GOOD_SERVER_DESCRIPTOR and ACCEPTED_SERVER_DESCRIPTOR
-      server status events so controllers can learn when their descriptors
-      are accepted by a directory.
-    - Implement CHECKING_REACHABILITY and REACHABILITY_{SUCCEEDED|FAILED}
-      server status events so controllers can learn about Tor's progress in
-      deciding whether it's reachable from the outside.
-    - Implement BAD_LIBEVENT general status event so controllers can learn
-      when we have a version/method combination in libevent that needs to
-      be changed.
-    - Implement NAMESERVER_STATUS, NAMESERVER_ALL_DOWN, DNS_HIJACKED,
-      and DNS_USELESS server status events so controllers can learn
-      about changes to DNS server status.
-
-  o Minor features (directory):
-    - Authorities no longer recommend exits as guards if this would shift
-      too much load to the exit nodes.
-
-
-Changes in version 0.1.2.5-alpha - 2007-01-06
-  o Major features:
-    - Enable write limiting as well as read limiting. Now we sacrifice
-      capacity if we're pushing out lots of directory traffic, rather
-      than overrunning the user's intended bandwidth limits.
-    - Include TLS overhead when counting bandwidth usage; previously, we
-      would count only the bytes sent over TLS, but not the bytes used
-      to send them.
-    - Support running the Tor service with a torrc not in the same
-      directory as tor.exe and default to using the torrc located in
-      the %appdata%\Tor\ of the user who installed the service. Patch
-      from Matt Edman.
-    - Servers now check for the case when common DNS requests are going to
-      wildcarded addresses (i.e. all getting the same answer), and change
-      their exit policy to reject *:* if it's happening.
-    - Implement BEGIN_DIR cells, so we can connect to the directory
-      server via TLS to do encrypted directory requests rather than
-      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
-      config options if you like.
-
-  o Minor features (config and docs):
-    - Start using the state file to store bandwidth accounting data:
-      the bw_accounting file is now obsolete. We'll keep generating it
-      for a while for people who are still using 0.1.2.4-alpha.
-    - Try to batch changes to the state file so that we do as few
-      disk writes as possible while still storing important things in
-      a timely fashion.
-    - The state file and the bw_accounting file get saved less often when
-      the AvoidDiskWrites config option is set.
-    - Make PIDFile work on Windows (untested).
-    - Add internal descriptions for a bunch of configuration options:
-      accessible via controller interface and in comments in saved
-      options files.
-    - Reject *:563 (NNTPS) in the default exit policy. We already reject
-      NNTP by default, so this seems like a sensible addition.
-    - Clients now reject hostnames with invalid characters. This should
-      avoid some inadvertent info leaks. Add an option
-      AllowNonRFC953Hostnames to disable this behavior, in case somebody
-      is running a private network with hosts called @, !, and #.
-    - Add a maintainer script to tell us which options are missing
-      documentation: "make check-docs".
-    - Add a new address-spec.txt document to describe our special-case
-      addresses: .exit, .onion, and .noconnnect.
-
-  o Minor features (DNS):
-    - Ongoing work on eventdns infrastructure: now it has dns server
-      and ipv6 support. One day Tor will make use of it.
-    - Add client-side caching for reverse DNS lookups.
-    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
-    - When we change nameservers or IP addresses, reset and re-launch
-      our tests for DNS hijacking.
-
-  o Minor features (directory):
-    - Authorities now specify server versions in networkstatus. This adds
-      about 2% to the size of compressed networkstatus docs, and allows
-      clients to tell which servers support BEGIN_DIR and which don't.
-      The implementation is forward-compatible with a proposed future
-      protocol version scheme not tied to Tor versions.
-    - DirServer configuration lines now have an orport= option so
-      clients can open encrypted tunnels to the authorities without
-      having downloaded their descriptors yet. Enabled for moria1,
-      moria2, tor26, and lefkada now in the default configuration.
-    - Directory servers are more willing to send a 503 "busy" if they
-      are near their write limit, especially for v1 directory requests.
-      Now they can use their limited bandwidth for actual Tor traffic.
-    - Clients track responses with status 503 from dirservers. After a
-      dirserver has given us a 503, we try not to use it until an hour has
-      gone by, or until we have no dirservers that haven't given us a 503.
-    - When we get a 503 from a directory, and we're not a server, we don't
-      count the failure against the total number of failures allowed
-      for the thing we're trying to download.
-    - Report X-Your-Address-Is correctly from tunneled directory
-      connections; don't report X-Your-Address-Is when it's an internal
-      address; and never believe reported remote addresses when they're
-      internal.
-    - Protect against an unlikely DoS attack on directory servers.
-    - Add a BadDirectory flag to network status docs so that authorities
-      can (eventually) tell clients about caches they believe to be
-      broken.
-
-  o Minor features (controller):
-    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
-    - Reimplement GETINFO so that info/names stays in sync with the
-      actual keys.
-    - Implement "GETINFO fingerprint".
-    - Implement "SETEVENTS GUARD" so controllers can get updates on
-      entry guard status as it changes.
-
-  o Minor features (clean up obsolete pieces):
-    - Remove some options that have been deprecated since at least
-      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
-      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
-      to set log options.
-    - We no longer look for identity and onion keys in "identity.key" and
-      "onion.key" -- these were replaced by secret_id_key and
-      secret_onion_key in 0.0.8pre1.
-    - We no longer require unrecognized directory entries to be
-      preceded by "opt".
-
-  o Major bugfixes (security):
-    - Stop sending the HttpProxyAuthenticator string to directory
-      servers when directory connections are tunnelled through Tor.
-    - Clients no longer store bandwidth history in the state file.
-    - Do not log introduction points for hidden services if SafeLogging
-      is set.
-    - When generating bandwidth history, round down to the nearest
-      1k. When storing accounting data, round up to the nearest 1k.
-    - When we're running as a server, remember when we last rotated onion
-      keys, so that we will rotate keys once they're a week old even if
-      we never stay up for a week ourselves.
-
-  o Major bugfixes (other):
-    - Fix a longstanding bug in eventdns that prevented the count of
-      timed-out resolves from ever being reset. This bug caused us to
-      give up on a nameserver the third time it timed out, and try it
-      10 seconds later... and to give up on it every time it timed out
-      after that.
-    - Take out the '5 second' timeout from the connection retry
-      schedule. Now the first connect attempt will wait a full 10
-      seconds before switching to a new circuit. Perhaps this will help
-      a lot. Based on observations from Mike Perry.
-    - Fix a bug on the Windows implementation of tor_mmap_file() that
-      would prevent the cached-routers file from ever loading. Reported
-      by John Kimble.
-
-  o Minor bugfixes:
-    - Fix an assert failure when a directory authority sets
-      AuthDirRejectUnlisted and then receives a descriptor from an
-      unlisted router. Reported by seeess.
-    - Avoid a double-free when parsing malformed DirServer lines.
-    - Fix a bug when a BSD-style PF socket is first used. Patch from
-      Fabian Keil.
-    - Fix a bug in 0.1.2.2-alpha that prevented clients from asking
-      to resolve an address at a given exit node even when they ask for
-      it by name.
-    - Servers no longer ever list themselves in their "family" line,
-      even if configured to do so. This makes it easier to configure
-      family lists conveniently.
-    - When running as a server, don't fall back to 127.0.0.1 when no
-      nameservers are configured in /etc/resolv.conf; instead, make the
-      user fix resolv.conf or specify nameservers explicitly. (Resolves
-      bug 363.)
-    - Stop accepting certain malformed ports in configured exit policies.
-    - Don't re-write the fingerprint file every restart, unless it has
-      changed.
-    - Stop warning when a single nameserver fails: only warn when _all_ of
-      our nameservers have failed. Also, when we only have one nameserver,
-      raise the threshold for deciding that the nameserver is dead.
-    - Directory authorities now only decide that routers are reachable
-      if their identity keys are as expected.
-    - When the user uses bad syntax in the Log config line, stop
-      suggesting other bad syntax as a replacement.
-    - Correctly detect ipv6 DNS capability on OpenBSD.
-
-  o Minor bugfixes (controller):
-    - Report the circuit number correctly in STREAM CLOSED events. Bug
-      reported by Mike Perry.
-    - Do not report bizarre values for results of accounting GETINFOs
-      when the last second's write or read exceeds the allotted bandwidth.
-    - Report "unrecognized key" rather than an empty string when the
-      controller tries to fetch a networkstatus that doesn't exist.
-
-
-Changes in version 0.1.1.26 - 2006-12-14
-  o Security bugfixes:
-    - Stop sending the HttpProxyAuthenticator string to directory
-      servers when directory connections are tunnelled through Tor.
-    - Clients no longer store bandwidth history in the state file.
-    - Do not log introduction points for hidden services if SafeLogging
-      is set.
-
-  o Minor bugfixes:
-    - Fix an assert failure when a directory authority sets
-      AuthDirRejectUnlisted and then receives a descriptor from an
-      unlisted router (reported by seeess).
-
-
-Changes in version 0.1.2.4-alpha - 2006-12-03
-  o Major features:
-    - Add support for using natd; this allows FreeBSDs earlier than
-      5.1.2 to have ipfw send connections through Tor without using
-      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
-
-  o Minor features:
-    - Make all connections to addresses of the form ".noconnect"
-      immediately get closed. This lets application/controller combos
-      successfully test whether they're talking to the same Tor by
-      watching for STREAM events.
-    - Make cross.sh cross-compilation script work even when autogen.sh
-      hasn't been run. (Patch from Michael Mohr.)
-    - Statistics dumped by -USR2 now include a breakdown of public key
-      operations, for profiling.
-
-  o Major bugfixes:
-    - Fix a major leak when directory authorities parse their
-      approved-routers list, a minor memory leak when we fail to pick
-      an exit node, and a few rare leaks on errors.
-    - Handle TransPort connections even when the server sends data before
-      the client sends data. Previously, the connection would just hang
-      until the client sent data. (Patch from tup based on patch from
-      Zajcev Evgeny.)
-    - Avoid assert failure when our cached-routers file is empty on
-      startup.
-
-  o Minor bugfixes:
-    - Don't log spurious warnings when we see a circuit close reason we
-      don't recognize; it's probably just from a newer version of Tor.
-    - Have directory authorities allow larger amounts of drift in uptime
-      without replacing the server descriptor: previously, a server that
-      restarted every 30 minutes could have 48 "interesting" descriptors
-      per day.
-    - Start linking to the Tor specification and Tor reference manual
-      correctly in the Windows installer.
-    - Add Vidalia to the OS X uninstaller script, so when we uninstall
-      Tor/Privoxy we also uninstall Vidalia.
-    - Resume building on Irix64, and fix a lot of warnings from its
-      MIPSpro C compiler.
-    - Don't corrupt last_guessed_ip in router_new_address_suggestion()
-      when we're running as a client.
-
-
-Changes in version 0.1.1.25 - 2006-11-04
-  o Major bugfixes:
-    - When a client asks us to resolve (rather than connect to)
-      an address, and we have a cached answer, give them the cached
-      answer. Previously, we would give them no answer at all.
-    - We were building exactly the wrong circuits when we predict
-      hidden service requirements, meaning Tor would have to build all
-      its circuits on demand.
-    - If none of our live entry guards have a high uptime, but we
-      require a guard with a high uptime, try adding a new guard before
-      we give up on the requirement. This patch should make long-lived
-      connections more stable on average.
-    - When testing reachability of our DirPort, don't launch new
-      tests when there's already one in progress -- unreachable
-      servers were stacking up dozens of testing streams.
-
-  o Security bugfixes:
-    - When the user sends a NEWNYM signal, clear the client-side DNS
-      cache too. Otherwise we continue to act on previous information.
-
-  o Minor bugfixes:
-    - Avoid a memory corruption bug when creating a hash table for
-      the first time.
-    - Avoid possibility of controller-triggered crash when misusing
-      certain commands from a v0 controller on platforms that do not
-      handle printf("%s",NULL) gracefully.
-    - Avoid infinite loop on unexpected controller input.
-    - Don't log spurious warnings when we see a circuit close reason we
-      don't recognize; it's probably just from a newer version of Tor.
-    - Add Vidalia to the OS X uninstaller script, so when we uninstall
-      Tor/Privoxy we also uninstall Vidalia.
-
-
-Changes in version 0.1.2.3-alpha - 2006-10-29
-  o Minor features:
-    - Prepare for servers to publish descriptors less often: never
-      discard a descriptor simply for being too old until either it is
-      recommended by no authorities, or until we get a better one for
-      the same router. Make caches consider retaining old recommended
-      routers for even longer.
-    - If most authorities set a BadExit flag for a server, clients
-      don't think of it as a general-purpose exit. Clients only consider
-      authorities that advertise themselves as listing bad exits.
-    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
-      headers for content, so that we can work better in the presence of
-      caching HTTP proxies.
-    - Allow authorities to list nodes as bad exits by fingerprint or by
-      address.
-
-  o Minor features, controller:
-    - Add a REASON field to CIRC events; for backward compatibility, this
-      field is sent only to controllers that have enabled the extended
-      event format.  Also, add additional reason codes to explain why
-      a given circuit has been destroyed or truncated. (Patches from
-      Mike Perry)
-    - Add a REMOTE_REASON field to extended CIRC events to tell the
-      controller about why a remote OR told us to close a circuit.
-    - Stream events also now have REASON and REMOTE_REASON fields,
-      working much like those for circuit events.
-    - There's now a GETINFO ns/... field so that controllers can ask Tor
-      about the current status of a router.
-    - A new event type "NS" to inform a controller when our opinion of
-      a router's status has changed.
-    - Add a GETINFO events/names and GETINFO features/names so controllers
-      can tell which events and features are supported.
-    - A new CLEARDNSCACHE signal to allow controllers to clear the
-      client-side DNS cache without expiring circuits.
-
-  o Security bugfixes:
-    - When the user sends a NEWNYM signal, clear the client-side DNS
-      cache too. Otherwise we continue to act on previous information.
-
-  o Minor bugfixes:
-    - Avoid sending junk to controllers or segfaulting when a controller
-      uses EVENT_NEW_DESC with verbose nicknames.
-    - Stop triggering asserts if the controller tries to extend hidden
-      service circuits (reported by mwenge).
-    - Avoid infinite loop on unexpected controller input.
-    - When the controller does a "GETINFO network-status", tell it
-      about even those routers whose descriptors are very old, and use
-      long nicknames where appropriate.
-    - Change NT service functions to be loaded on demand.  This lets us
-      build with MinGW without breaking Tor for Windows 98 users.
-    - Do DirPort reachability tests less often, since a single test
-      chews through many circuits before giving up.
-    - In the hidden service example in torrc.sample, stop recommending
-      esoteric and discouraged hidden service options.
-    - When stopping an NT service, wait up to 10 sec for it to actually
-      stop.  (Patch from Matt Edman; resolves bug 295.)
-    - Fix handling of verbose nicknames with ORCONN controller events:
-      make them show up exactly when requested, rather than exactly when
-      not requested.
-    - When reporting verbose nicknames in entry_guards_getinfo(), avoid
-      printing a duplicate "$" in the keys we send (reported by mwenge).
-    - Correctly set maximum connection limit on Cygwin. (This time
-      for sure!)
-    - Try to detect Windows correctly when cross-compiling.
-    - Detect the size of the routers file correctly even if it is
-      corrupted (on systems without mmap) or not page-aligned (on systems
-      with mmap). This bug was harmless.
-    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
-      to open a stream fails; now we do in more cases. This should
-      make clients able to find a good exit faster in some cases, since
-      unhandleable requests will now get an error rather than timing out.
-    - Resolve two memory leaks when rebuilding the on-disk router cache
-      (reported by fookoowa).
-    - Clean up minor code warnings suggested by the MIPSpro C compiler,
-      and reported by some Centos users.
-    - Controller signals now work on non-Unix platforms that don't define
-      SIGUSR1 and SIGUSR2 the way we expect.
-    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
-      values before failing, and always enables eventdns.
-    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
-      Try to fix this in configure.in by checking for most functions
-      before we check for libevent.
-
-
-Changes in version 0.1.2.2-alpha - 2006-10-07
-  o Major features:
-    - Make our async eventdns library on-by-default for Tor servers,
-      and plan to deprecate the separate dnsworker threads.
-    - Add server-side support for "reverse" DNS lookups (using PTR
-      records so clients can determine the canonical hostname for a given
-      IPv4 address). Only supported by servers using eventdns; servers
-      now announce in their descriptors whether they support eventdns.
-    - Specify and implement client-side SOCKS5 interface for reverse DNS
-      lookups (see doc/socks-extensions.txt).
-    - Add a BEGIN_DIR relay cell type for an easier in-protocol way to
-      connect to directory servers through Tor. Previously, clients needed
-      to find Tor exits to make private connections to directory servers.
-    - Avoid choosing Exit nodes for entry or middle hops when the
-      total bandwidth available from non-Exit nodes is much higher than
-      the total bandwidth available from Exit nodes.
-    - Workaround for name servers (like Earthlink's) that hijack failing
-      DNS requests and replace the no-such-server answer with a "helpful"
-      redirect to an advertising-driven search portal. Also work around
-      DNS hijackers who "helpfully" decline to hijack known-invalid
-      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
-      lets you turn it off.
-    - Send out a burst of long-range padding cells once we've established
-      that we're reachable. Spread them over 4 circuits, so hopefully
-      a few will be fast. This exercises our bandwidth and bootstraps
-      us into the directory more quickly.
-
-  o New/improved config options:
-    - Add new config option "ResolvConf" to let the server operator
-      choose an alternate resolve.conf file when using eventdns.
-    - Add an "EnforceDistinctSubnets" option to control our "exclude
-      servers on the same /16" behavior. It's still on by default; this
-      is mostly for people who want to operate private test networks with
-      all the machines on the same subnet.
-    - If one of our entry guards is on the ExcludeNodes list, or the
-      directory authorities don't think it's a good guard, treat it as
-      if it were unlisted: stop using it as a guard, and throw it off
-      the guards list if it stays that way for a long time.
-    - Allow directory authorities to be marked separately as authorities
-      for the v1 directory protocol, the v2 directory protocol, and
-      as hidden service directories, to make it easier to retire old
-      authorities. V1 authorities should set "HSAuthoritativeDir 1"
-      to continue being hidden service authorities too.
-    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
-
-  o Minor features, controller:
-    - Fix CIRC controller events so that controllers can learn the
-      identity digests of non-Named servers used in circuit paths.
-    - Let controllers ask for more useful identifiers for servers. Instead
-      of learning identity digests for un-Named servers and nicknames
-      for Named servers, the new identifiers include digest, nickname,
-      and indication of Named status. Off by default; see control-spec.txt
-      for more information.
-    - Add a "getinfo address" controller command so it can display Tor's
-      best guess to the user.
-    - New controller event to alert the controller when our server
-      descriptor has changed.
-    - Give more meaningful errors on controller authentication failure.
-
-  o Minor features, other:
-    - When asked to resolve a hostname, don't use non-exit servers unless
-      requested to do so. This allows servers with broken DNS to be
-      useful to the network.
-    - Divide eventdns log messages into warn and info messages.
-    - Reserve the nickname "Unnamed" for routers that can't pick
-      a hostname: any router can call itself Unnamed; directory
-      authorities will never allocate Unnamed to any particular router;
-      clients won't believe that any router is the canonical Unnamed.
-    - Only include function names in log messages for info/debug messages.
-      For notice/warn/err, the content of the message should be clear on
-      its own, and printing the function name only confuses users.
-    - Avoid some false positives during reachability testing: don't try
-      to test via a server that's on the same /24 as us.
-    - If we fail to build a circuit to an intended enclave, and it's
-      not mandatory that we use that enclave, stop wanting it.
-    - When eventdns is enabled, allow multithreaded builds on NetBSD and
-      OpenBSD. (We had previously disabled threads on these platforms
-      because they didn't have working thread-safe resolver functions.)
-
-  o Major bugfixes, anonymity/security:
-    - If a client asked for a server by name, and there's a named server
-      in our network-status but we don't have its descriptor yet, we
-      could return an unnamed server instead.
-    - Fix NetBSD bug that could allow someone to force uninitialized RAM
-      to be sent to a server's DNS resolver. This only affects NetBSD
-      and other platforms that do not bounds-check tolower().
-    - Reject (most) attempts to use Tor circuits with length one. (If
-      many people start using Tor as a one-hop proxy, exit nodes become
-      a more attractive target for compromise.)
-    - Just because your DirPort is open doesn't mean people should be
-      able to remotely teach you about hidden service descriptors. Now
-      only accept rendezvous posts if you've got HSAuthoritativeDir set.
-
-  o Major bugfixes, other:
-    - Don't crash on race condition in dns.c: tor_assert(!resolve->expire)
-    - When a client asks the server to resolve (not connect to)
-      an address, and it has a cached answer, give them the cached answer.
-      Previously, the server would give them no answer at all.
-    - Allow really slow clients to not hang up five minutes into their
-      directory downloads (suggested by Adam J. Richter).
-    - We were building exactly the wrong circuits when we anticipated
-      hidden service requirements, meaning Tor would have to build all
-      its circuits on demand.
-    - Avoid crashing when we mmap a router cache file of size 0.
-    - When testing reachability of our DirPort, don't launch new
-      tests when there's already one in progress -- unreachable
-      servers were stacking up dozens of testing streams.
-
-  o Minor bugfixes, correctness:
-    - If we're a directory mirror and we ask for "all" network status
-      documents, we would discard status documents from authorities
-      we don't recognize.
-    - Avoid a memory corruption bug when creating a hash table for
-      the first time.
-    - Avoid controller-triggered crash when misusing certain commands
-      from a v0 controller on platforms that do not handle
-      printf("%s",NULL) gracefully.
-    - Don't crash when a controller sends a third argument to an
-      "extendcircuit" request.
-    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
-      response; fix error code when "getinfo dir/status/" fails.
-    - Avoid crash when telling controller stream-status and a stream
-      is detached.
-    - Patch from Adam Langley to fix assert() in eventdns.c.
-    - Fix a debug log message in eventdns to say "X resolved to Y"
-      instead of "X resolved to X".
-    - Make eventdns give strings for DNS errors, not just error numbers.
-    - Track unreachable entry guards correctly: don't conflate
-      'unreachable by us right now' with 'listed as down by the directory
-      authorities'. With the old code, if a guard was unreachable by
-      us but listed as running, it would clog our guard list forever.
-    - Behave correctly in case we ever have a network with more than
-      2GB/s total advertised capacity.
-    - Make TrackExitHosts case-insensitive, and fix the behavior of
-      ".suffix" TrackExitHosts items to avoid matching in the middle of
-      an address.
-    - Finally fix the openssl warnings from newer gccs that believe that
-      ignoring a return value is okay, but casting a return value and
-      then ignoring it is a sign of madness.
-    - Prevent the contrib/exitlist script from printing the same
-      result more than once.
-    - Patch from Steve Hildrey: Generate network status correctly on
-      non-versioning dirservers.
-    - Don't listen to the X-Your-Address-Is hint if you did the lookup
-      via Tor; otherwise you'll think you're the exit node's IP address.
-
-  o Minor bugfixes, performance:
-    - Two small performance improvements on parsing descriptors.
-    - Major performance improvement on inserting descriptors: change
-      algorithm from O(n^2) to O(n).
-    - Make the common memory allocation path faster on machines where
-      malloc(0) returns a pointer.
-    - Start remembering X-Your-Address-Is directory hints even if you're
-      a client, so you can become a server more smoothly.
-    - Avoid duplicate entries on MyFamily line in server descriptor.
-
-  o Packaging, features:
-    - Remove architecture from OS X builds. The official builds are
-      now universal binaries.
-    - The Debian package now uses --verify-config when (re)starting,
-      to distinguish configuration errors from other errors.
-    - Update RPMs to require libevent 1.1b.
-
-  o Packaging, bugfixes:
-    - Patches so Tor builds with MinGW on Windows.
-    - Patches so Tor might run on Cygwin again.
-    - Resume building on non-gcc compilers and ancient gcc. Resume
-      building with the -O0 compile flag. Resume building cleanly on
-      Debian woody.
-    - Run correctly on OS X platforms with case-sensitive filesystems.
-    - Correct includes for net/if.h and net/pfvar.h on OpenBSD (from Tup).
-    - Add autoconf checks so Tor can build on Solaris x86 again.
-
-  o Documentation
-    - Documented (and renamed) ServerDNSSearchDomains and
-      ServerDNSResolvConfFile options.
-    - Be clearer that the *ListenAddress directives can be repeated
-      multiple times.
-
-
-Changes in version 0.1.1.24 - 2006-09-29
-  o Major bugfixes:
-    - Allow really slow clients to not hang up five minutes into their
-      directory downloads (suggested by Adam J. Richter).
-    - Fix major performance regression from 0.1.0.x: instead of checking
-      whether we have enough directory information every time we want to
-      do something, only check when the directory information has changed.
-      This should improve client CPU usage by 25-50%.
-    - Don't crash if, after a server has been running for a while,
-      it can't resolve its hostname.
-
-  o Minor bugfixes:
-    - Allow Tor to start when RunAsDaemon is set but no logs are set.
-    - Don't crash when the controller receives a third argument to an
-      "extendcircuit" request.
-    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
-      response; fix error code when "getinfo dir/status/" fails.
-    - Fix configure.in to not produce broken configure files with
-      more recent versions of autoconf. Thanks to Clint for his auto*
-      voodoo.
-    - Fix security bug on NetBSD that could allow someone to force
-      uninitialized RAM to be sent to a server's DNS resolver. This
-      only affects NetBSD and other platforms that do not bounds-check
-      tolower().
-    - Warn user when using libevent 1.1a or earlier with win32 or kqueue
-      methods: these are known to be buggy.
-    - If we're a directory mirror and we ask for "all" network status
-      documents, we would discard status documents from authorities
-      we don't recognize.
-
-
-Changes in version 0.1.2.1-alpha - 2006-08-27
-  o Major features:
-    - Add "eventdns" async dns library from Adam Langley, tweaked to
-      build on OSX and Windows. Only enabled if you pass the
-      --enable-eventdns argument to configure.
-    - Allow servers with no hostname or IP address to learn their
-      IP address by asking the directory authorities. This code only
-      kicks in when you would normally have exited with a "no address"
-      error. Nothing's authenticated, so use with care.
-    - Rather than waiting a fixed amount of time between retrying
-      application connections, we wait only 5 seconds for the first,
-      10 seconds for the second, and 15 seconds for each retry after
-      that. Hopefully this will improve the expected user experience.
-    - Patch from Tup to add support for transparent AP connections:
-      this basically bundles the functionality of trans-proxy-tor
-      into the Tor mainline. Now hosts with compliant pf/netfilter
-      implementations can redirect TCP connections straight to Tor
-      without diverting through SOCKS. Needs docs.
-    - Busy directory servers save lots of memory by spooling server
-      descriptors, v1 directories, and v2 networkstatus docs to buffers
-      as needed rather than en masse. Also mmap the cached-routers
-      files, so we don't need to keep the whole thing in memory too.
-    - Automatically avoid picking more than one node from the same
-      /16 network when constructing a circuit.
-    - Revise and clean up the torrc.sample that we ship with; add
-      a section for BandwidthRate and BandwidthBurst.
-
-  o Minor features:
-    - Split circuit_t into origin_circuit_t and or_circuit_t, and
-      split connection_t into edge, or, dir, control, and base structs.
-      These will save quite a bit of memory on busy servers, and they'll
-      also help us track down bugs in the code and bugs in the spec.
-    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
-      or later. Log when we are doing this, so we can diagnose it when
-      it fails. (Also, recommend libevent 1.1b for kqueue and
-      win32 methods; deprecate libevent 1.0b harder; make libevent
-      recommendation system saner.)
-    - Start being able to build universal binaries on OS X (thanks
-      to Phobos).
-    - Export the default exit policy via the control port, so controllers
-      don't need to guess what it is / will be later.
-    - Add a man page entry for ProtocolWarnings.
-    - Add TestVia config option to the man page.
-    - Remove even more protocol-related warnings from Tor server logs,
-      such as bad TLS handshakes and malformed begin cells.
-    - Stop fetching descriptors if you're not a dir mirror and you
-      haven't tried to establish any circuits lately. [This currently
-      causes some dangerous behavior, because when you start up again
-      you'll use your ancient server descriptors.]
-    - New DirPort behavior: if you have your dirport set, you download
-      descriptors aggressively like a directory mirror, whether or not
-      your ORPort is set.
-    - Get rid of the router_retry_connections notion. Now routers
-      no longer try to rebuild long-term connections to directory
-      authorities, and directory authorities no longer try to rebuild
-      long-term connections to all servers. We still don't hang up
-      connections in these two cases though -- we need to look at it
-      more carefully to avoid flapping, and we likely need to wait til
-      0.1.1.x is obsolete.
-    - Drop compatibility with obsolete Tors that permit create cells
-      to have the wrong circ_id_type.
-    - Re-enable per-connection rate limiting. Get rid of the "OP
-      bandwidth" concept. Lay groundwork for "bandwidth classes" --
-      separate global buckets that apply depending on what sort of conn
-      it is.
-    - Start publishing one minute or so after we find our ORPort
-      to be reachable. This will help reduce the number of descriptors
-      we have for ourselves floating around, since it's quite likely
-      other things (e.g. DirPort) will change during that minute too.
-    - Fork the v1 directory protocol into its own spec document,
-      and mark dir-spec.txt as the currently correct (v2) spec.
-
-  o Major bugfixes:
-    - When we find our DirPort to be reachable, publish a new descriptor
-      so we'll tell the world (reported by pnx).
-    - Publish a new descriptor after we hup/reload. This is important
-      if our config has changed such that we'll want to start advertising
-      our DirPort now, etc.
-    - Allow Tor to start when RunAsDaemon is set but no logs are set.
-    - When we have a state file we cannot parse, tell the user and
-      move it aside. Now we avoid situations where the user starts
-      Tor in 1904, Tor writes a state file with that timestamp in it,
-      the user fixes her clock, and Tor refuses to start.
-    - Fix configure.in to not produce broken configure files with
-      more recent versions of autoconf. Thanks to Clint for his auto*
-      voodoo.
-    - "tor --verify-config" now exits with -1(255) or 0 depending on
-      whether the config options are bad or good.
-    - Resolve bug 321 when using dnsworkers: append a period to every
-      address we resolve at the exit node, so that we do not accidentally
-      pick up local addresses, and so that failing searches are retried
-      in the resolver search domains. (This is already solved for
-      eventdns.) (This breaks Blossom servers for now.)
-    - If we are using an exit enclave and we can't connect, e.g. because
-      its webserver is misconfigured to not listen on localhost, then
-      back off and try connecting from somewhere else before we fail.
-
-  o Minor bugfixes:
-    - Start compiling on MinGW on Windows (patches from Mike Chiussi).
-    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
-    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
-      when the IP address is mapped through MapAddress to a hostname.
-    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
-      useless IPv6 DNS resolves.
-    - Patch suggested by Karsten Loesing: respond to SIGNAL command
-      before we execute the signal, in case the signal shuts us down.
-    - Clean up AllowInvalidNodes man page entry.
-    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
-    - Add more asserts to track down an assert error on a windows Tor
-      server with connection_add being called with socket == -1.
-    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
-    - Fix misleading log messages: an entry guard that is "unlisted",
-      as well as not known to be "down" (because we've never heard
-      of it), is not therefore "up".
-    - Remove code to special-case "-cvs" ending, since it has not
-      actually mattered since 0.0.9.
-    - Make our socks5 handling more robust to broken socks clients:
-      throw out everything waiting on the buffer in between socks
-      handshake phases, since they can't possibly (so the theory
-      goes) have predicted what we plan to respond to them.
-
-
-Changes in version 0.1.1.23 - 2006-07-30
-  o Major bugfixes:
-    - Fast Tor servers, especially exit nodes, were triggering asserts
-      due to a bug in handling the list of pending DNS resolves. Some
-      bugs still remain here; we're hunting them.
-    - Entry guards could crash clients by sending unexpected input.
-    - More fixes on reachability testing: if you find yourself reachable,
-      then don't ever make any client requests (so you stop predicting
-      circuits), then hup or have your clock jump, then later your IP
-      changes, you won't think circuits are working, so you won't try to
-      test reachability, so you won't publish.
-
-  o Minor bugfixes:
-    - Avoid a crash if the controller does a resetconf firewallports
-      and then a setconf fascistfirewall=1.
-    - Avoid an integer underflow when the dir authority decides whether
-      a router is stable: we might wrongly label it stable, and compute
-      a slightly wrong median stability, when a descriptor is published
-      later than now.
-    - Fix a place where we might trigger an assert if we can't build our
-      own server descriptor yet.
-
-
-Changes in version 0.1.1.22 - 2006-07-05
-  o Major bugfixes:
-    - Fix a big bug that was causing servers to not find themselves
-      reachable if they changed IP addresses. Since only 0.1.1.22+
-      servers can do reachability testing correctly, now we automatically
-      make sure to test via one of these.
-    - Fix to allow clients and mirrors to learn directory info from
-      descriptor downloads that get cut off partway through.
-    - Directory authorities had a bug in deciding if a newly published
-      descriptor was novel enough to make everybody want a copy -- a few
-      servers seem to be publishing new descriptors many times a minute.
-  o Minor bugfixes:
-    - Fix a rare bug that was causing some servers to complain about
-      "closing wedged cpuworkers" and skip some circuit create requests.
-    - Make the Exit flag in directory status documents actually work.
-
-
-Changes in version 0.1.1.21 - 2006-06-10
-  o Crash and assert fixes from 0.1.1.20:
-    - Fix a rare crash on Tor servers that have enabled hibernation.
-    - Fix a seg fault on startup for Tor networks that use only one
-      directory authority.
-    - Fix an assert from a race condition that occurs on Tor servers
-      while exiting, where various threads are trying to log that they're
-      exiting, and delete the logs, at the same time.
-    - Make our unit tests pass again on certain obscure platforms.
-
-  o Other fixes:
-    - Add support for building SUSE RPM packages.
-    - Speed up initial bootstrapping for clients: if we are making our
-      first ever connection to any entry guard, then don't mark it down
-      right after that.
-    - When only one Tor server in the network is labelled as a guard,
-      and we've already picked him, we would cycle endlessly picking him
-      again, being unhappy about it, etc. Now we specifically exclude
-      current guards when picking a new guard.
-    - Servers send create cells more reliably after the TLS connection
-      is established: we were sometimes forgetting to send half of them
-      when we had more than one pending.
-    - If we get a create cell that asks us to extend somewhere, but the
-      Tor server there doesn't match the expected digest, we now send
-      a destroy cell back, rather than silently doing nothing.
-    - Make options->RedirectExit work again.
-    - Make cookie authentication for the controller work again.
-    - Stop being picky about unusual characters in the arguments to
-      mapaddress. It's none of our business.
-    - Add a new config option "TestVia" that lets you specify preferred
-      middle hops to use for test circuits. Perhaps this will let me
-      debug the reachability problems better.
-
-  o Log / documentation fixes:
-    - If we're a server and some peer has a broken TLS certificate, don't
-      log about it unless ProtocolWarnings is set, i.e., we want to hear
-      about protocol violations by others.
-    - Fix spelling of VirtualAddrNetwork in man page.
-    - Add a better explanation at the top of the autogenerated torrc file
-      about what happened to our old torrc.
-
-
-Changes in version 0.1.1.20 - 2006-05-23
-  o Bugfixes:
-    - Downgrade a log severity where servers complain that they're
-      invalid.
-    - Avoid a compile warning on FreeBSD.
-    - Remove string size limit on NEWDESC messages; solve bug 291.
-    - Correct the RunAsDaemon entry in the man page; ignore RunAsDaemon
-      more thoroughly when we're running on windows.
-
-
-Changes in version 0.1.1.19-rc - 2006-05-03
-  o Minor bugs:
-    - Regenerate our local descriptor if it's dirty and we try to use
-      it locally (e.g. if it changes during reachability detection).
-    - If we setconf our ORPort to 0, we continued to listen on the
-      old ORPort and receive connections.
-    - Avoid a second warning about machine/limits.h on Debian
-      GNU/kFreeBSD.
-    - Be willing to add our own routerinfo into the routerlist.
-      Now authorities will include themselves in their directories
-      and network-statuses.
-    - Stop trying to upload rendezvous descriptors to every
-      directory authority: only try the v1 authorities.
-    - Servers no longer complain when they think they're not
-      registered with the directory authorities. There were too many
-      false positives.
-    - Backport dist-rpm changes so rpms can be built without errors.
-
-  o Features:
-    - Implement an option, VirtualAddrMask, to set which addresses
-      get handed out in response to mapaddress requests. This works
-      around a bug in tsocks where 127.0.0.0/8 is never socksified.
-
-
-Changes in version 0.1.1.18-rc - 2006-04-10
-  o Major fixes:
-    - Work harder to download live network-statuses from all the
-      directory authorities we know about. Improve the threshold
-      decision logic so we're more robust to edge cases.
-    - When fetching rendezvous descriptors, we were willing to ask
-      v2 authorities too, which would always return 404.
-
-  o Minor fixes:
-    - Stop listing down or invalid nodes in the v1 directory. This will
-      reduce its bulk by about 1/3, and reduce load on directory
-      mirrors.
-    - When deciding whether a router is Fast or Guard-worthy, consider
-      his advertised BandwidthRate and not just the BandwidthCapacity.
-    - No longer ship INSTALL and README files -- they are useless now.
-    - Force rpmbuild to behave and honor target_cpu.
-    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
-    - Start to include translated versions of the tor-doc-*.html
-      files, along with the screenshots. Still needs more work.
-    - Start sending back 512 and 451 errors if mapaddress fails,
-      rather than not sending anything back at all.
-    - When we fail to bind or listen on an incoming or outgoing
-      socket, we should close it before failing. otherwise we just
-      leak it. (thanks to weasel for finding.)
-    - Allow "getinfo dir/status/foo" to work, as long as your DirPort
-      is enabled. (This is a hack, and will be fixed in 0.1.2.x.)
-    - Make NoPublish (even though deprecated) work again.
-    - Fix a minor security flaw where a versioning auth dirserver
-      could list a recommended version many times in a row to make
-      clients more convinced that it's recommended.
-    - Fix crash bug if there are two unregistered servers running
-      with the same nickname, one of them is down, and you ask for
-      them by nickname in your EntryNodes or ExitNodes. Also, try
-      to pick the one that's running rather than an arbitrary one.
-    - Fix an infinite loop we could hit if we go offline for too long.
-    - Complain when we hit WSAENOBUFS on recv() or write() too.
-      Perhaps this will help us hunt the bug.
-    - If you're not a versioning dirserver, don't put the string
-      "client-versions \nserver-versions \n" in your network-status.
-    - Lower the minimum required number of file descriptors to 1000,
-      so we can have some overhead for Valgrind on Linux, where the
-      default ulimit -n is 1024.
-
-  o New features:
-    - Add tor.dizum.com as the fifth authoritative directory server.
-    - Add a new config option FetchUselessDescriptors, off by default,
-      for when you plan to run "exitlist" on your client and you want
-      to know about even the non-running descriptors.
-
-
-Changes in version 0.1.1.17-rc - 2006-03-28
-  o Major fixes:
-    - Clients and servers since 0.1.1.10-alpha have been expiring
-      connections whenever they are idle for 5 minutes and they *do*
-      have circuits on them. Oops. With this new version, clients will
-      discard their previous entry guard choices and avoid choosing
-      entry guards running these flawed versions.
-    - Fix memory leak when uncompressing concatenated zlib streams. This
-      was causing substantial leaks over time on Tor servers.
-    - The v1 directory was including servers as much as 48 hours old,
-      because that's how the new routerlist->routers works. Now only
-      include them if they're 20 hours old or less.
-
-  o Minor fixes:
-    - Resume building on irix64, netbsd 2.0, etc.
-    - On non-gcc compilers (e.g. solaris), use "-g -O" instead of
-      "-Wall -g -O2".
-    - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
-      and it is confusing some users.
-    - Mirrors stop caching the v1 directory so often.
-    - Make the max number of old descriptors that a cache will hold
-      rise with the number of directory authorities, so we can scale.
-    - Change our win32 uname() hack to be more forgiving about what
-      win32 versions it thinks it's found.
-
-  o New features:
-    - Add lefkada.eecs.harvard.edu as a fourth authoritative directory
-      server.
-    - When the controller's *setconf commands fail, collect an error
-      message in a string and hand it back to the controller.
-    - Make the v2 dir's "Fast" flag based on relative capacity, just
-      like "Stable" is based on median uptime. Name everything in the
-      top 7/8 Fast, and only the top 1/2 gets to be a Guard.
-    - Log server fingerprint on startup, so new server operators don't
-      have to go hunting around their filesystem for it.
-    - Return a robots.txt on our dirport to discourage google indexing.
-    - Let the controller ask for GETINFO dir/status/foo so it can ask
-      directly rather than connecting to the dir port. Only works when
-      dirport is set for now.
-
-  o New config options rather than constants in the code:
-    - SocksTimeout: How long do we let a socks connection wait
-      unattached before we fail it?
-    - CircuitBuildTimeout: Cull non-open circuits that were born
-      at least this many seconds ago.
-    - CircuitIdleTimeout: Cull open clean circuits that were born
-      at least this many seconds ago.
-
-
-Changes in version 0.1.1.16-rc - 2006-03-18
-  o Bugfixes on 0.1.1.15-rc:
-    - Fix assert when the controller asks to attachstream a connect-wait
-      or resolve-wait stream.
-    - Now do address rewriting when the controller asks us to attach
-      to a particular circuit too. This will let Blossom specify
-      "moria2.exit" without having to learn what moria2's IP address is.
-    - Make the "tor --verify-config" command-line work again, so people
-      can automatically check if their torrc will parse.
-    - Authoritative dirservers no longer require an open connection from
-      a server to consider him "reachable". We need this change because
-      when we add new auth dirservers, old servers won't know not to
-      hang up on them.
-    - Let Tor build on Sun CC again.
-    - Fix an off-by-one buffer size in dirserv.c that magically never
-      hit our three authorities but broke sjmurdoch's own tor network.
-    - If we as a directory mirror don't know of any v1 directory
-      authorities, then don't try to cache any v1 directories.
-    - Stop warning about unknown servers in our family when they are
-      given as hex digests.
-    - Stop complaining as quickly to the server operator that he
-      hasn't registered his nickname/key binding.
-    - Various cleanups so we can add new V2 Auth Dirservers.
-    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
-      reflect the updated flags in our v2 dir protocol.
-    - Resume allowing non-printable characters for exit streams (both
-      for connecting and for resolving). Now we tolerate applications
-      that don't follow the RFCs. But continue to block malformed names
-      at the socks side.
-
-  o Bugfixes on 0.1.0.x:
-    - Fix assert bug in close_logs(): when we close and delete logs,
-      remove them all from the global "logfiles" list.
-    - Fix minor integer overflow in calculating when we expect to use up
-      our bandwidth allocation before hibernating.
-    - Fix a couple of bugs in OpenSSL detection. Also, deal better when
-      there are multiple SSLs installed with different versions.
-    - When we try to be a server and Address is not explicitly set and
-      our hostname resolves to a private IP address, try to use an
-      interface address if it has a public address. Now Windows machines
-      that think of themselves as localhost can work by default.
-
-  o New features:
-    - Let the controller ask for GETINFO dir/server/foo so it can ask
-      directly rather than connecting to the dir port.
-    - Let the controller tell us about certain router descriptors
-      that it doesn't want Tor to use in circuits. Implement
-      SETROUTERPURPOSE and modify +POSTDESCRIPTOR to do this.
-    - New config option SafeSocks to reject all application connections
-      using unsafe socks protocols. Defaults to off.
-
-
-Changes in version 0.1.1.15-rc - 2006-03-11
-  o Bugfixes and cleanups:
-    - When we're printing strings from the network, don't try to print
-      non-printable characters. This protects us against shell escape
-      sequence exploits, and also against attacks to fool humans into
-      misreading their logs.
-    - Fix a bug where Tor would fail to establish any connections if you
-      left it off for 24 hours and then started it: we were happy with
-      the obsolete network statuses, but they all referred to router
-      descriptors that were too old to fetch, so we ended up with no
-      valid router descriptors.
-    - Fix a seg fault in the controller's "getinfo orconn-status"
-      command while listing status on incoming handshaking connections.
-      Introduce a status name "NEW" for these connections.
-    - If we get a linelist or linelist_s config option from the torrc
-      (e.g. ExitPolicy) and it has no value, warn and skip rather than
-      silently resetting it to its default.
-    - Don't abandon entry guards until they've been down or gone for
-      a whole month.
-    - Cleaner and quieter log messages.
-
-  o New features:
-    - New controller signal NEWNYM that makes new application requests
-      use clean circuits.
-    - Add a new circuit purpose 'controller' to let the controller ask
-      for a circuit that Tor won't try to use. Extend the EXTENDCIRCUIT
-      controller command to let you specify the purpose if you're
-      starting a new circuit.  Add a new SETCIRCUITPURPOSE controller
-      command to let you change a circuit's purpose after it's been
-      created.
-    - Accept "private:*" in routerdesc exit policies; not generated yet
-      because older Tors do not understand it.
-    - Add BSD-style contributed startup script "rc.subr" from Peter
-      Thoenen.
-
-
-Changes in version 0.1.1.14-alpha - 2006-02-20
-  o Bugfixes on 0.1.1.x:
-    - Don't die if we ask for a stdout or stderr log (even implicitly)
-      and we're set to RunAsDaemon -- just warn.
-    - We still had a few bugs in the OR connection rotation code that
-      caused directory servers to slowly aggregate connections to other
-      fast Tor servers. This time for sure!
-    - Make log entries on Win32 include the name of the function again.
-    - We were treating a pair of exit policies if they were equal even
-      if one said accept and the other said reject -- causing us to
-      not always publish a new descriptor since we thought nothing
-      had changed.
-    - Retry pending server downloads as well as pending networkstatus
-      downloads when we unexpectedly get a socks request.
-    - We were ignoring the IS_FAST flag in the directory status,
-      meaning we were willing to pick trivial-bandwidth nodes for "fast"
-      connections.
-    - If the controller's SAVECONF command fails (e.g. due to file
-      permissions), let the controller know that it failed.
-
-  o Features:
-    - If we're trying to be a Tor server and running Windows 95/98/ME
-      as a server, explain that we'll likely crash.
-    - When we're a server, a client asks for an old-style directory,
-      and our write bucket is empty, don't give it to him. This way
-      small servers can continue to serve the directory *sometimes*,
-      without getting overloaded.
-    - Compress exit policies even more -- look for duplicate lines
-      and remove them.
-    - Clients now honor the "guard" flag in the router status when
-      picking entry guards, rather than looking at is_fast or is_stable.
-    - Retain unrecognized lines in $DATADIR/state file, so that we can
-      be forward-compatible.
-    - Generate 18.0.0.0/8 address policy format in descs when we can;
-      warn when the mask is not reducible to a bit-prefix.
-    - Let the user set ControlListenAddress in the torrc.  This can be
-      dangerous, but there are some cases (like a secured LAN) where it
-      makes sense.
-    - Split ReachableAddresses into ReachableDirAddresses and
-      ReachableORAddresses, so we can restrict Dir conns to port 80
-      and OR conns to port 443.
-    - Now we can target arch and OS in rpm builds (contributed by
-      Phobos). Also make the resulting dist-rpm filename match the
-      target arch.
-    - New config options to help controllers: FetchServerDescriptors
-      and FetchHidServDescriptors for whether to fetch server
-      info and hidserv info or let the controller do it, and
-      PublishServerDescriptor and PublishHidServDescriptors.
-    - Also let the controller set the __AllDirActionsPrivate config
-      option if you want all directory fetches/publishes to happen via
-      Tor (it assumes your controller bootstraps your circuits).
-
-
-Changes in version 0.1.0.17 - 2006-02-17
-  o Crash bugfixes on 0.1.0.x:
-    - When servers with a non-zero DirPort came out of hibernation,
-      sometimes they would trigger an assert.
-
-  o Other important bugfixes:
-    - On platforms that don't have getrlimit (like Windows), we were
-      artificially constraining ourselves to a max of 1024
-      connections. Now just assume that we can handle as many as 15000
-      connections. Hopefully this won't cause other problems.
-
-  o Backported features:
-    - When we're a server, a client asks for an old-style directory,
-      and our write bucket is empty, don't give it to him. This way
-      small servers can continue to serve the directory *sometimes*,
-      without getting overloaded.
-    - Whenever you get a 503 in response to a directory fetch, try
-      once more. This will become important once servers start sending
-      503's whenever they feel busy.
-    - Fetch a new directory every 120 minutes, not every 40 minutes.
-      Now that we have hundreds of thousands of users running the old
-      directory algorithm, it's starting to hurt a lot.
-    - Bump up the period for forcing a hidden service descriptor upload
-      from 20 minutes to 1 hour.
-
-
-Changes in version 0.1.1.13-alpha - 2006-02-09
-  o Crashes in 0.1.1.x:
-    - When you tried to setconf ORPort via the controller, Tor would
-      crash. So people using TorCP to become a server were sad.
-    - Solve (I hope) the stack-smashing bug that we were seeing on fast
-      servers. The problem appears to be something do with OpenSSL's
-      random number generation, or how we call it, or something. Let me
-      know if the crashes continue.
-    - Turn crypto hardware acceleration off by default, until we find
-      somebody smart who can test it for us. (It appears to produce
-      seg faults in at least some cases.)
-    - Fix a rare assert error when we've tried all intro points for
-      a hidden service and we try fetching the service descriptor again:
-      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed"
-
-  o Major fixes:
-    - Fix a major load balance bug: we were round-robining in 16 KB
-      chunks, and servers with bandwidthrate of 20 KB, while downloading
-      a 600 KB directory, would starve their other connections. Now we
-      try to be a bit more fair.
-    - Dir authorities and mirrors were never expiring the newest
-      descriptor for each server, causing memory and directory bloat.
-    - Fix memory-bloating and connection-bloating bug on servers: We
-      were never closing any connection that had ever had a circuit on
-      it, because we were checking conn->n_circuits == 0, yet we had a
-      bug that let it go negative.
-    - Make Tor work using squid as your http proxy again -- squid
-      returns an error if you ask for a URL that's too long, and it uses
-      a really generic error message. Plus, many people are behind a
-      transparent squid so they don't even realize it.
-    - On platforms that don't have getrlimit (like Windows), we were
-      artificially constraining ourselves to a max of 1024
-      connections. Now just assume that we can handle as many as 15000
-      connections. Hopefully this won't cause other problems.
-    - Add a new config option ExitPolicyRejectPrivate which defaults to
-      1. This means all exit policies will begin with rejecting private
-      addresses, unless the server operator explicitly turns it off.
-
-  o Major features:
-    - Clients no longer download descriptors for non-running
-      descriptors.
-    - Before we add new directory authorities, we should make it
-      clear that only v1 authorities should receive/publish hidden
-      service descriptors.
-
-  o Minor features:
-    - As soon as we've fetched some more directory info, immediately
-      try to download more server descriptors. This way we don't have
-      a 10 second pause during initial bootstrapping.
-    - Remove even more loud log messages that the server operator can't
-      do anything about.
-    - When we're running an obsolete or un-recommended version, make
-      the log message more clear about what the problem is and what
-      versions *are* still recommended.
-    - Provide a more useful warn message when our onion queue gets full:
-      the CPU is too slow or the exit policy is too liberal.
-    - Don't warn when we receive a 503 from a dirserver/cache -- this
-      will pave the way for them being able to refuse if they're busy.
-    - When we fail to bind a listener, try to provide a more useful
-      log message: e.g., "Is Tor already running?"
-    - Adjust tor-spec to parameterize cell and key lengths. Now Ian
-      Goldberg can prove things about our handshake protocol more
-      easily.
-    - MaxConn has been obsolete for a while now. Document the ConnLimit
-      config option, which is a *minimum* number of file descriptors
-      that must be available else Tor refuses to start.
-    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
-      if you log to syslog and want something other than LOG_DAEMON.
-    - Make dirservers generate a separate "guard" flag to mean,
-      "would make a good entry guard". Make clients parse it and vote
-      on it. Not used by clients yet.
-    - Implement --with-libevent-dir option to ./configure. Also, improve
-      search techniques to find libevent, and use those for openssl too.
-    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB
-    - Only start testing reachability once we've established a
-      circuit. This will make startup on dirservers less noisy.
-    - Don't try to upload hidden service descriptors until we have
-      established a circuit.
-    - Fix the controller's "attachstream 0" command to treat conn like
-      it just connected, doing address remapping, handling .exit and
-      .onion idioms, and so on. Now we're more uniform in making sure
-      that the controller hears about new and closing connections.
-
-
-Changes in version 0.1.1.12-alpha - 2006-01-11
-  o Bugfixes on 0.1.1.x:
-    - The fix to close duplicate server connections was closing all
-      Tor client connections if they didn't establish a circuit
-      quickly enough. Oops.
-    - Fix minor memory issue (double-free) that happened on exit.
-
-  o Bugfixes on 0.1.0.x:
-    - Tor didn't warn when it failed to open a log file.
-
-
-Changes in version 0.1.1.11-alpha - 2006-01-10
-  o Crashes in 0.1.1.x:
-    - Include all the assert/crash fixes from 0.1.0.16.
-    - If you start Tor and then quit very quickly, there were some
-      races that tried to free things that weren't allocated yet.
-    - Fix a rare memory stomp if you're running hidden services.
-    - Fix segfault when specifying DirServer in config without nickname.
-    - Fix a seg fault when you finish connecting to a server but at
-      that moment you dump his server descriptor.
-    - Extendcircuit and Attachstream controller commands would
-      assert/crash if you don't give them enough arguments.
-    - Fix an assert error when we're out of space in the connection_list
-      and we try to post a hidden service descriptor (reported by weasel).
-    - If you specify a relative torrc path and you set RunAsDaemon in
-      your torrc, then it chdir()'s to the new directory. If you HUP,
-      it tries to load the new torrc location, fails, and exits.
-      The fix: no longer allow a relative path to torrc using -f.
-
-  o Major features:
-    - Implement "entry guards": automatically choose a handful of entry
-      nodes and stick with them for all circuits. Only pick new guards
-      when the ones you have are unsuitable, and if the old guards
-      become suitable again, switch back. This will increase security
-      dramatically against certain end-point attacks. The EntryNodes
-      config option now provides some hints about which entry guards you
-      want to use most; and StrictEntryNodes means to only use those.
-    - New directory logic: download by descriptor digest, not by
-      fingerprint. Caches try to download all listed digests from
-      authorities; clients try to download "best" digests from caches.
-      This avoids partitioning and isolating attacks better.
-    - Make the "stable" router flag in network-status be the median of
-      the uptimes of running valid servers, and make clients pay
-      attention to the network-status flags. Thus the cutoff adapts
-      to the stability of the network as a whole, making IRC, IM, etc
-      connections more reliable.
-
-  o Major fixes:
-    - Tor servers with dynamic IP addresses were needing to wait 18
-      hours before they could start doing reachability testing using
-      the new IP address and ports. This is because they were using
-      the internal descriptor to learn what to test, yet they were only
-      rebuilding the descriptor once they decided they were reachable.
-    - Tor 0.1.1.9 and 0.1.1.10 had a serious bug that caused clients
-      to download certain server descriptors, throw them away, and then
-      fetch them again after 30 minutes. Now mirrors throw away these
-      server descriptors so clients can't get them.
-    - We were leaving duplicate connections to other ORs open for a week,
-      rather than closing them once we detect a duplicate. This only
-      really affected authdirservers, but it affected them a lot.
-    - Spread the authdirservers' reachability testing over the entire
-      testing interval, so we don't try to do 500 TLS's at once every
-      20 minutes.
-
-  o Minor fixes:
-    - If the network is down, and we try to connect to a conn because
-      we have a circuit in mind, and we timeout (30 seconds) because the
-      network never answers, we were expiring the circuit, but we weren't
-      obsoleting the connection or telling the entry_guards functions.
-    - Some Tor servers process billions of cells per day. These statistics
-      need to be uint64_t's.
-    - Check for integer overflows in more places, when adding elements
-      to smartlists. This could possibly prevent a buffer overflow
-      on malicious huge inputs. I don't see any, but I haven't looked
-      carefully.
-    - ReachableAddresses kept growing new "reject *:*" lines on every
-      setconf/reload.
-    - When you "setconf log" via the controller, it should remove all
-      logs. We were automatically adding back in a "log notice stdout".
-    - Newly bootstrapped Tor networks couldn't establish hidden service
-      circuits until they had nodes with high uptime. Be more tolerant.
-    - We were marking servers down when they could not answer every piece
-      of the directory request we sent them. This was far too harsh.
-    - Fix the torify (tsocks) config file to not use Tor for localhost
-      connections.
-    - Directory authorities now go to the proper authority when asking for
-      a networkstatus, even when they want a compressed one.
-    - Fix a harmless bug that was causing Tor servers to log
-      "Got an end because of misc error, but we're not an AP. Closing."
-    - Authorities were treating their own descriptor changes as cosmetic,
-      meaning the descriptor available in the network-status and the
-      descriptor that clients downloaded were different.
-    - The OS X installer was adding a symlink for tor_resolve but
-      the binary was called tor-resolve (reported by Thomas Hardly).
-    - Workaround a problem with some http proxies where they refuse GET
-      requests that specify "Content-Length: 0" (reported by Adrian).
-    - Fix wrong log message when you add a "HiddenServiceNodes" config
-      line without any HiddenServiceDir line (reported by Chris Thomas).
-
-  o Minor features:
-    - Write the TorVersion into the state file so we have a prayer of
-      keeping forward and backward compatibility.
-    - Revive the FascistFirewall config option rather than eliminating it:
-      now it's a synonym for ReachableAddresses *:80,*:443.
-    - Clients choose directory servers from the network status lists,
-      not from their internal list of router descriptors. Now they can
-      go to caches directly rather than needing to go to authorities
-      to bootstrap.
-    - Directory authorities ignore router descriptors that have only
-      cosmetic differences: do this for 0.1.0.x servers now too.
-    - Add a new flag to network-status indicating whether the server
-      can answer v2 directory requests too.
-    - Authdirs now stop whining so loudly about bad descriptors that
-      they fetch from other dirservers. So when there's a log complaint,
-      it's for sure from a freshly uploaded descriptor.
-    - Reduce memory requirements in our structs by changing the order
-      of fields.
-    - There used to be two ways to specify your listening ports in a
-      server descriptor: on the "router" line and with a separate "ports"
-      line. Remove support for the "ports" line.
-    - New config option "AuthDirRejectUnlisted" for auth dirservers as
-      a panic button: if we get flooded with unusable servers we can
-      revert to only listing servers in the approved-routers file.
-    - Auth dir servers can now mark a fingerprint as "!reject" or
-      "!invalid" in the approved-routers file (as its nickname), to
-      refuse descriptors outright or include them but marked as invalid.
-    - Servers store bandwidth history across restarts/crashes.
-    - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
-      get a better idea of why their circuits failed. Not used yet.
-    - Directory mirrors now cache up to 16 unrecognized network-status
-      docs. Now we can add new authdirservers and they'll be cached too.
-    - When picking a random directory, prefer non-authorities if any
-      are known.
-    - New controller option "getinfo desc/all-recent" to fetch the
-      latest server descriptor for every router that Tor knows about.
-
-
-Changes in version 0.1.0.16 - 2006-01-02
-  o Crash bugfixes on 0.1.0.x:
-    - On Windows, build with a libevent patch from "I-M Weasel" to avoid
-      corrupting the heap, losing FDs, or crashing when we need to resize
-      the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
-    - It turns out sparc64 platforms crash on unaligned memory access
-      too -- so detect and avoid this.
-    - Handle truncated compressed data correctly (by detecting it and
-      giving an error).
-    - Fix possible-but-unlikely free(NULL) in control.c.
-    - When we were closing connections, there was a rare case that
-      stomped on memory, triggering seg faults and asserts.
-    - Avoid potential infinite recursion when building a descriptor. (We
-      don't know that it ever happened, but better to fix it anyway.)
-    - We were neglecting to unlink marked circuits from soon-to-close OR
-      connections, which caused some rare scribbling on freed memory.
-    - Fix a memory stomping race bug when closing the joining point of two
-      rendezvous circuits.
-    - Fix an assert in time parsing found by Steven Murdoch.
-
-  o Other bugfixes on 0.1.0.x:
-    - When we're doing reachability testing, provide more useful log
-      messages so the operator knows what to expect.
-    - Do not check whether DirPort is reachable when we are suppressing
-      advertising it because of hibernation.
-    - When building with -static or on Solaris, we sometimes needed -ldl.
-    - When we're deciding whether a stream has enough circuits around
-      that can handle it, count the freshly dirty ones and not the ones
-      that are so dirty they won't be able to handle it.
-    - When we're expiring old circuits, we had a logic error that caused
-      us to close new rendezvous circuits rather than old ones.
-    - Give a more helpful log message when you try to change ORPort via
-      the controller: you should upgrade Tor if you want that to work.
-    - We were failing to parse Tor versions that start with "Tor ".
-    - Tolerate faulty streams better: when a stream fails for reason
-      exitpolicy, stop assuming that the router is lying about his exit
-      policy. When a stream fails for reason misc, allow it to retry just
-      as if it was resolvefailed. When a stream has failed three times,
-      reset its failure count so we can try again and get all three tries.
-
-
-Changes in version 0.1.1.10-alpha - 2005-12-11
-  o Correctness bugfixes on 0.1.0.x:
-    - On Windows, build with a libevent patch from "I-M Weasel" to avoid
-      corrupting the heap, losing FDs, or crashing when we need to resize
-      the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
-    - Stop doing the complex voodoo overkill checking for insecure
-      Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
-    - When we were closing connections, there was a rare case that
-      stomped on memory, triggering seg faults and asserts.
-    - We were neglecting to unlink marked circuits from soon-to-close OR
-      connections, which caused some rare scribbling on freed memory.
-    - When we're deciding whether a stream has enough circuits around
-      that can handle it, count the freshly dirty ones and not the ones
-      that are so dirty they won't be able to handle it.
-    - Recover better from TCP connections to Tor servers that are
-      broken but don't tell you (it happens!); and rotate TLS
-      connections once a week.
-    - When we're expiring old circuits, we had a logic error that caused
-      us to close new rendezvous circuits rather than old ones.
-    - Fix a scary-looking but apparently harmless bug where circuits
-      would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
-      servers, and never switch to state CIRCUIT_STATE_OPEN.
-    - When building with -static or on Solaris, we sometimes needed to
-      build with -ldl.
-    - Give a useful message when people run Tor as the wrong user,
-      rather than telling them to start chowning random directories.
-    - We were failing to inform the controller about new .onion streams.
-
-  o Security bugfixes on 0.1.0.x:
-    - Refuse server descriptors if the fingerprint line doesn't match
-      the included identity key. Tor doesn't care, but other apps (and
-      humans) might actually be trusting the fingerprint line.
-    - We used to kill the circuit when we receive a relay command we
-      don't recognize. Now we just drop it.
-    - Start obeying our firewall options more rigorously:
-      . If we can't get to a dirserver directly, try going via Tor.
-      . Don't ever try to connect (as a client) to a place our
-        firewall options forbid.
-      . If we specify a proxy and also firewall options, obey the
-        firewall options even when we're using the proxy: some proxies
-        can only proxy to certain destinations.
-    - Fix a bug found by Lasse Overlier: when we were making internal
-      circuits (intended to be cannibalized later for rendezvous and
-      introduction circuits), we were picking them so that they had
-      useful exit nodes. There was no need for this, and it actually
-      aids some statistical attacks.
-    - Start treating internal circuits and exit circuits separately.
-      It's important to keep them separate because internal circuits
-      have their last hops picked like middle hops, rather than like
-      exit hops. So exiting on them will break the user's expectations.
-
-  o Bugfixes on 0.1.1.x:
-    - Take out the mis-feature where we tried to detect IP address
-      flapping for people with DynDNS, and chose not to upload a new
-      server descriptor sometimes.
-    - Try to be compatible with OpenSSL 0.9.6 again.
-    - Log fix: when the controller is logging about .onion addresses,
-      sometimes it didn't include the ".onion" part of the address.
-    - Don't try to modify options->DirServers internally -- if the
-      user didn't specify any, just add the default ones directly to
-      the trusted dirserver list. This fixes a bug where people running
-      controllers would use SETCONF on some totally unrelated config
-      option, and Tor would start yelling at them about changing their
-      DirServer lines.
-    - Let the controller's redirectstream command specify a port, in
-      case the controller wants to change that too.
-    - When we requested a pile of server descriptors, we sometimes
-      accidentally launched a duplicate request for the first one.
-    - Bugfix for trackhostexits: write down the fingerprint of the
-      chosen exit, not its nickname, because the chosen exit might not
-      be verified.
-    - When parsing foo.exit, if foo is unknown, and we are leaving
-      circuits unattached, set the chosen_exit field and leave the
-      address empty. This matters because controllers got confused
-      otherwise.
-    - Directory authorities no longer try to download server
-      descriptors that they know they will reject.
-
-  o Features and updates:
-    - Replace balanced trees with hash tables: this should make stuff
-      significantly faster.
-    - Resume using the AES counter-mode implementation that we ship,
-      rather than OpenSSL's. Ours is significantly faster.
-    - Many other CPU and memory improvements.
-    - Add a new config option FastFirstHopPK (on by default) so clients
-      do a trivial crypto handshake for their first hop, since TLS has
-      already taken care of confidentiality and authentication.
-    - Add a new config option TestSocks so people can see if their
-      applications are using socks4, socks4a, socks5-with-ip, or
-      socks5-with-hostname. This way they don't have to keep mucking
-      with tcpdump and wondering if something got cached somewhere.
-    - Warn when listening on a public address for socks. I suspect a
-      lot of people are setting themselves up as open socks proxies,
-      and they have no idea that jerks on the Internet are using them,
-      since they simply proxy the traffic into the Tor network.
-    - Add "private:*" as an alias in configuration for policies. Now
-      you can simplify your exit policy rather than needing to list
-      every single internal or nonroutable network space.
-    - Add a new controller event type that allows controllers to get
-      all server descriptors that were uploaded to a router in its role
-      as authoritative dirserver.
-    - Start shipping socks-extensions.txt, tor-doc-unix.html,
-      tor-doc-server.html, and stylesheet.css in the tarball.
-    - Stop shipping tor-doc.html in the tarball.
-
-
-Changes in version 0.1.1.9-alpha - 2005-11-15
-  o Usability improvements:
-    - Start calling it FooListenAddress rather than FooBindAddress,
-      since few of our users know what it means to bind an address
-      or port.
-    - Reduce clutter in server logs. We're going to try to make
-      them actually usable now. New config option ProtocolWarnings that
-      lets you hear about how _other Tors_ are breaking the protocol. Off
-      by default.
-    - Divide log messages into logging domains. Once we put some sort
-      of interface on this, it will let people looking at more verbose
-      log levels specify the topics they want to hear more about.
-    - Make directory servers return better http 404 error messages
-      instead of a generic "Servers unavailable".
-    - Check for even more Windows version flags when writing the platform
-      string in server descriptors, and note any we don't recognize.
-    - Clean up more of the OpenSSL memory when exiting, so we can detect
-      memory leaks better.
-    - Make directory authorities be non-versioning, non-naming by
-      default. Now we can add new directory servers without requiring
-      their operators to pay close attention.
-    - When logging via syslog, include the pid whenever we provide
-      a log entry. Suggested by Todd Fries.
-
-  o Performance improvements:
-    - Directory servers now silently throw away new descriptors that
-      haven't changed much if the timestamps are similar. We do this to
-      tolerate older Tor servers that upload a new descriptor every 15
-      minutes. (It seemed like a good idea at the time.)
-    - Inline bottleneck smartlist functions; use fast versions by default.
-    - Add a "Map from digest to void*" abstraction digestmap_t so we
-      can do less hex encoding/decoding. Use it in router_get_by_digest()
-      to resolve a performance bottleneck.
-    - Allow tor_gzip_uncompress to extract as much as possible from
-      truncated compressed data. Try to extract as many
-      descriptors as possible from truncated http responses (when
-      DIR_PURPOSE_FETCH_ROUTERDESC).
-    - Make circ->onionskin a pointer, not a static array. moria2 was using
-      125000 circuit_t's after it had been up for a few weeks, which
-      translates to 20+ megs of wasted space.
-    - The private half of our EDH handshake keys are now chosen out
-      of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
-
-  o Security improvements:
-    - Start making directory caches retain old routerinfos, so soon
-      clients can start asking by digest of descriptor rather than by
-      fingerprint of server.
-    - Add half our entropy from RAND_poll in OpenSSL.  This knows how
-      to use egd (if present), openbsd weirdness (if present), vms/os2
-      weirdness (if we ever port there), and more in the future.
-
-  o Bugfixes on 0.1.0.x:
-    - Do round-robin writes of at most 16 kB per write. This might be
-      more fair on loaded Tor servers, and it might resolve our Windows
-      crash bug. It might also slow things down.
-    - Our TLS handshakes were generating a single public/private
-      keypair for the TLS context, rather than making a new one for
-      each new connections. Oops. (But we were still rotating them
-      periodically, so it's not so bad.)
-    - When we were cannibalizing a circuit with a particular exit
-      node in mind, we weren't checking to see if that exit node was
-      already present earlier in the circuit. Oops.
-    - When a Tor server's IP changes (e.g. from a dyndns address),
-      upload a new descriptor so clients will learn too.
-    - Really busy servers were keeping enough circuits open on stable
-      connections that they were wrapping around the circuit_id
-      space. (It's only two bytes.) This exposed a bug where we would
-      feel free to reuse a circuit_id even if it still exists but has
-      been marked for close. Try to fix this bug. Some bug remains.
-    - If we would close a stream early (e.g. it asks for a .exit that
-      we know would refuse it) but the LeaveStreamsUnattached config
-      option is set by the controller, then don't close it.
-
-  o Bugfixes on 0.1.1.8-alpha:
-    - Fix a big pile of memory leaks, some of them serious.
-    - Do not try to download a routerdesc if we would immediately reject
-      it as obsolete.
-    - Resume inserting a newline between all router descriptors when
-      generating (old style) signed directories, since our spec says
-      we do.
-    - When providing content-type application/octet-stream for
-      server descriptors using .z, we were leaving out the
-      content-encoding header. Oops. (Everything tolerated this just
-      fine, but that doesn't mean we need to be part of the problem.)
-    - Fix a potential seg fault in getconf and getinfo using version 1
-      of the controller protocol.
-    - Avoid crash: do not check whether DirPort is reachable when we
-      are suppressing it because of hibernation.
-    - Make --hash-password not crash on exit.
-
-
-Changes in version 0.1.1.8-alpha - 2005-10-07
-  o New features (major):
-    - Clients don't download or use the directory anymore. Now they
-      download and use network-statuses from the trusted dirservers,
-      and fetch individual server descriptors as needed from mirrors.
-      See dir-spec.txt for all the gory details.
-    - Be more conservative about whether to advertise our DirPort.
-      The main change is to not advertise if we're running at capacity
-      and either a) we could hibernate or b) our capacity is low and
-      we're using a default DirPort.
-    - Use OpenSSL's AES when OpenSSL has version 0.9.7 or later.
-
-  o New features (minor):
-    - Try to be smart about when to retry network-status and
-      server-descriptor fetches. Still needs some tuning.
-    - Stop parsing, storing, or using running-routers output (but
-      mirrors still cache and serve it).
-    - Consider a threshold of versioning dirservers (dirservers who have
-      an opinion about which Tor versions are still recommended) before
-      deciding whether to warn the user that he's obsolete.
-    - Dirservers can now reject/invalidate by key and IP, with the
-      config options "AuthDirInvalid" and "AuthDirReject". This is
-      useful since currently we automatically list servers as running
-      and usable even if we know they're jerks.
-    - Provide dire warnings to any users who set DirServer; move it out
-      of torrc.sample and into torrc.complete.
-    - Add MyFamily to torrc.sample in the server section.
-    - Add nicknames to the DirServer line, so we can refer to them
-      without requiring all our users to memorize their IP addresses.
-    - When we get an EOF or a timeout on a directory connection, note
-      how many bytes of serverdesc we are dropping. This will help
-      us determine whether it is smart to parse incomplete serverdesc
-      responses.
-    - Add a new function to "change pseudonyms" -- that is, to stop
-      using any currently-dirty circuits for new streams, so we don't
-      link new actions to old actions. Currently it's only called on
-      HUP (or SIGNAL RELOAD).
-    - On sighup, if UseHelperNodes changed to 1, use new circuits.
-    - Start using RAND_bytes rather than RAND_pseudo_bytes from
-      OpenSSL. Also, reseed our entropy every hour, not just at
-      startup. And entropy in 512-bit chunks, not 160-bit chunks.
-
-  o Fixes on 0.1.1.7-alpha:
-    - Nobody ever implemented EVENT_ADDRMAP for control protocol
-      version 0, so don't let version 0 controllers ask for it.
-    - If you requested something with too many newlines via the
-      v1 controller protocol, you could crash tor.
-    - Fix a number of memory leaks, including some pretty serious ones.
-    - Re-enable DirPort testing again, so Tor servers will be willing
-      to advertise their DirPort if it's reachable.
-    - On TLS handshake, only check the other router's nickname against
-      its expected nickname if is_named is set.
-
-  o Fixes forward-ported from 0.1.0.15:
-    - Don't crash when we don't have any spare file descriptors and we
-      try to spawn a dns or cpu worker.
-    - Make the numbers in read-history and write-history into uint64s,
-      so they don't overflow and publish negatives in the descriptor.
-
-  o Fixes on 0.1.0.x:
-    - For the OS X package's modified privoxy config file, comment
-      out the "logfile" line so we don't log everything passed
-      through privoxy.
-    - We were whining about using socks4 or socks5-with-local-lookup
-      even when it's an IP in the "virtual" range we designed exactly
-      for this case.
-    - We were leaking some memory every time the client changes IPs.
-    - Never call free() on tor_malloc()d memory. This will help us
-      use dmalloc to detect memory leaks.
-    - Check for named servers when looking them up by nickname;
-      warn when we'recalling a non-named server by its nickname;
-      don't warn twice about the same name.
-    - Try to list MyFamily elements by key, not by nickname, and warn
-      if we've not heard of the server.
-    - Make windows platform detection (uname equivalent) smarter.
-    - It turns out sparc64 doesn't like unaligned access either.
-
-
-Changes in version 0.1.0.15 - 2005-09-23
-  o Bugfixes on 0.1.0.x:
-    - Reject ports 465 and 587 (spam targets) in default exit policy.
-    - Don't crash when we don't have any spare file descriptors and we
-      try to spawn a dns or cpu worker.
-    - Get rid of IgnoreVersion undocumented config option, and make us
-      only warn, never exit, when we're running an obsolete version.
-    - Don't try to print a null string when your server finds itself to
-      be unreachable and the Address config option is empty.
-    - Make the numbers in read-history and write-history into uint64s,
-      so they don't overflow and publish negatives in the descriptor.
-    - Fix a minor memory leak in smartlist_string_remove().
-    - We were only allowing ourselves to upload a server descriptor at
-      most every 20 minutes, even if it changed earlier than that.
-    - Clean up log entries that pointed to old URLs.
-
-
-Changes in version 0.1.1.7-alpha - 2005-09-14
-  o Fixes on 0.1.1.6-alpha:
-    - Exit servers were crashing when people asked them to make a
-      connection to an address not in their exit policy.
-    - Looking up a non-existent stream for a v1 control connection would
-      cause a segfault.
-    - Fix a seg fault if we ask a dirserver for a descriptor by
-      fingerprint but he doesn't know about him.
-    - SETCONF was appending items to linelists, not clearing them.
-    - SETCONF SocksBindAddress killed Tor if it fails to bind. Now back
-      out and refuse the setconf if it would fail.
-    - Downgrade the dirserver log messages when whining about
-      unreachability.
-
-  o New features:
-    - Add Peter Palfrader's check-tor script to tor/contrib/
-      It lets you easily check whether a given server (referenced by
-      nickname) is reachable by you.
-    - Numerous changes to move towards client-side v2 directories. Not
-      enabled yet.
-
-  o Fixes on 0.1.0.x:
-    - If the user gave tor an odd number of command-line arguments,
-      we were silently ignoring the last one. Now we complain and fail.
-      [This wins the oldest-bug prize -- this bug has been present since
-       November 2002, as released in Tor 0.0.0.]
-    - Do not use unaligned memory access on alpha, mips, or mipsel.
-      It *works*, but is very slow, so we treat them as if it doesn't.
-    - Retry directory requests if we fail to get an answer we like
-      from a given dirserver (we were retrying before, but only if
-      we fail to connect).
-    - When writing the RecommendedVersions line, sort them first.
-    - When the client asked for a rendezvous port that the hidden
-      service didn't want to provide, we were sending an IP address
-      back along with the end cell. Fortunately, it was zero. But stop
-      that anyway.
-    - Correct "your server is reachable" log entries to indicate that
-      it was self-testing that told us so.
-
-
-Changes in version 0.1.1.6-alpha - 2005-09-09
-  o Fixes on 0.1.1.5-alpha:
-    - We broke fascistfirewall in 0.1.1.5-alpha. Oops.
-    - Fix segfault in unit tests in 0.1.1.5-alpha. Oops.
-    - Fix bug with tor_memmem finding a match at the end of the string.
-    - Make unit tests run without segfaulting.
-    - Resolve some solaris x86 compile warnings.
-    - Handle duplicate lines in approved-routers files without warning.
-    - Fix bug where as soon as a server refused any requests due to his
-      exit policy (e.g. when we ask for localhost and he tells us that's
-      127.0.0.1 and he won't do it), we decided he wasn't obeying his
-      exit policy using him for any exits.
-    - Only do openssl hardware accelerator stuff if openssl version is
-      at least 0.9.7.
-
-  o New controller features/fixes:
-    - Add a "RESETCONF" command so you can set config options like
-      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
-      a config option in the torrc with no value, then it clears it
-      entirely (rather than setting it to its default).
-    - Add a "GETINFO config-file" to tell us where torrc is.
-    - Avoid sending blank lines when GETINFO replies should be empty.
-    - Add a QUIT command for the controller (for using it manually).
-    - Fix a bug in SAVECONF that was adding default dirservers and
-      other redundant entries to the torrc file.
-
-  o Start on the new directory design:
-    - Generate, publish, cache, serve new network-status format.
-    - Publish individual descriptors (by fingerprint, by "all", and by
-      "tell me yours").
-    - Publish client and server recommended versions separately.
-    - Allow tor_gzip_uncompress() to handle multiple concatenated
-      compressed strings. Serve compressed groups of router
-      descriptors. The compression logic here could be more
-      memory-efficient.
-    - Distinguish v1 authorities (all currently trusted directories)
-      from v2 authorities (all trusted directories).
-    - Change DirServers config line to note which dirs are v1 authorities.
-    - Add configuration option "V1AuthoritativeDirectory 1" which
-      moria1, moria2, and tor26 should set.
-    - Remove option when getting directory cache to see whether they
-      support running-routers; they all do now. Replace it with one
-      to see whether caches support v2 stuff.
-
-  o New features:
-    - Dirservers now do their own external reachability testing of each
-      Tor server, and only list them as running if they've been found to
-      be reachable. We also send back warnings to the server's logs if
-      it uploads a descriptor that we already believe is unreachable.
-    - Implement exit enclaves: if we know an IP address for the
-      destination, and there's a running Tor server at that address
-      which allows exit to the destination, then extend the circuit to
-      that exit first. This provides end-to-end encryption and end-to-end
-      authentication. Also, if the user wants a .exit address or enclave,
-      use 4 hops rather than 3, and cannibalize a general circ for it
-      if you can.
-    - Permit transitioning from ORPort=0 to ORPort!=0, and back, from the
-      controller. Also, rotate dns and cpu workers if the controller
-      changes options that will affect them; and initialize the dns
-      worker cache tree whether or not we start out as a server.
-    - Only upload a new server descriptor when options change, 18
-      hours have passed, uptime is reset, or bandwidth changes a lot.
-    - Check [X-]Forwarded-For headers in HTTP requests when generating
-      log messages. This lets people run dirservers (and caches) behind
-      Apache but still know which IP addresses are causing warnings.
-
-  o Config option changes:
-    - Replace (Fascist)Firewall* config options with a new
-      ReachableAddresses option that understands address policies.
-      For example, "ReachableAddresses *:80,*:443"
-    - Get rid of IgnoreVersion undocumented config option, and make us
-      only warn, never exit, when we're running an obsolete version.
-    - Make MonthlyAccountingStart config option truly obsolete now.
-
-  o Fixes on 0.1.0.x:
-    - Reject ports 465 and 587 in the default exit policy, since
-      people have started using them for spam too.
-    - It turns out we couldn't bootstrap a network since we added
-      reachability detection in 0.1.0.1-rc. Good thing the Tor network
-      has never gone down. Add an AssumeReachable config option to let
-      servers and dirservers bootstrap. When we're trying to build a
-      high-uptime or high-bandwidth circuit but there aren't enough
-      suitable servers, try being less picky rather than simply failing.
-    - Our logic to decide if the OR we connected to was the right guy
-      was brittle and maybe open to a mitm for unverified routers.
-    - We weren't cannibalizing circuits correctly for
-      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
-      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
-      build those from scratch. This should make hidden services faster.
-    - Predict required circuits better, with an eye toward making hidden
-      services faster on the service end.
-    - Retry streams if the exit node sends back a 'misc' failure. This
-      should result in fewer random failures. Also, after failing
-      from resolve failed or misc, reset the num failures, so we give
-      it a fair shake next time we try.
-    - Clean up the rendezvous warn log msgs, and downgrade some to info.
-    - Reduce severity on logs about dns worker spawning and culling.
-    - When we're shutting down and we do something like try to post a
-      server descriptor or rendezvous descriptor, don't complain that
-      we seem to be unreachable. Of course we are, we're shutting down.
-    - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
-      We don't use them yet, but maybe one day our DNS resolver will be
-      able to discover them.
-    - Make ContactInfo mandatory for authoritative directory servers.
-    - Require server descriptors to list IPv4 addresses -- hostnames
-      are no longer allowed. This also fixes some potential security
-      problems with people providing hostnames as their address and then
-      preferentially resolving them to partition users.
-    - Change log line for unreachability to explicitly suggest /etc/hosts
-      as the culprit. Also make it clearer what IP address and ports we're
-      testing for reachability.
-    - Put quotes around user-supplied strings when logging so users are
-      more likely to realize if they add bad characters (like quotes)
-      to the torrc.
-    - Let auth dir servers start without specifying an Address config
-      option.
-    - Make unit tests (and other invocations that aren't the real Tor)
-      run without launching listeners, creating subdirectories, and so on.
-
-
-Changes in version 0.1.1.5-alpha - 2005-08-08
-  o Bugfixes included in 0.1.0.14.
-
-  o Bugfixes on 0.1.0.x:
-    - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
-      torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
-      it would silently using ignore the 6668.
-
-
-Changes in version 0.1.0.14 - 2005-08-08
-  o Bugfixes on 0.1.0.x:
-      - Fix the other half of the bug with crypto handshakes
-        (CVE-2005-2643).
-      - Fix an assert trigger if you send a 'signal term' via the
-        controller when it's listening for 'event info' messages.
-
-
-Changes in version 0.1.1.4-alpha - 2005-08-04
-  o Bugfixes included in 0.1.0.13.
-
-  o Features:
-    - Improve tor_gettimeofday() granularity on windows.
-    - Make clients regenerate their keys when their IP address changes.
-    - Implement some more GETINFO goodness: expose helper nodes, config
-      options, getinfo keys.
-
-
-Changes in version 0.1.0.13 - 2005-08-04
-  o Bugfixes on 0.1.0.x:
-    - Fix a critical bug in the security of our crypto handshakes.
-    - Fix a size_t underflow in smartlist_join_strings2() that made
-      it do bad things when you hand it an empty smartlist.
-    - Fix Windows installer to ship Tor license (thanks to Aphex for
-      pointing out this oversight) and put a link to the doc directory
-      in the start menu.
-    - Explicitly set no-unaligned-access for sparc: it turns out the
-      new gcc's let you compile broken code, but that doesn't make it
-      not-broken.
-
-
-Changes in version 0.1.1.3-alpha - 2005-07-23
-  o Bugfixes on 0.1.1.2-alpha:
-    - Fix a bug in handling the controller's "post descriptor"
-      function.
-    - Fix several bugs in handling the controller's "extend circuit"
-      function.
-    - Fix a bug in handling the controller's "stream status" event.
-    - Fix an assert failure if we have a controller listening for
-      circuit events and we go offline.
-    - Re-allow hidden service descriptors to publish 0 intro points.
-    - Fix a crash when generating your hidden service descriptor if
-      you don't have enough intro points already.
-
-  o New features on 0.1.1.2-alpha:
-    - New controller function "getinfo accounting", to ask how
-      many bytes we've used in this time period.
-    - Experimental support for helper nodes: a lot of the risk from
-      a small static adversary comes because users pick new random
-      nodes every time they rebuild a circuit. Now users will try to
-      stick to the same small set of entry nodes if they can. Not
-      enabled by default yet.
-
-  o Bugfixes on 0.1.0.12:
-    - If you're an auth dir server, always publish your dirport,
-      even if you haven't yet found yourself to be reachable.
-    - Fix a size_t underflow in smartlist_join_strings2() that made
-      it do bad things when you hand it an empty smartlist.
-
-
-Changes in version 0.1.0.12 - 2005-07-18
-  o New directory servers:
-      - tor26 has changed IP address.
-
-  o Bugfixes on 0.1.0.x:
-    - Fix a possible double-free in tor_gzip_uncompress().
-    - When --disable-threads is set, do not search for or link against
-      pthreads libraries.
-    - Don't trigger an assert if an authoritative directory server
-      claims its dirport is 0.
-    - Fix bug with removing Tor as an NT service: some people were
-      getting "The service did not return an error." Thanks to Matt
-      Edman for the fix.
-
-
-Changes in version 0.1.1.2-alpha - 2005-07-15
-  o New directory servers:
-    - tor26 has changed IP address.
-
-  o Bugfixes on 0.1.0.x, crashes/leaks:
-    - Port the servers-not-obeying-their-exit-policies fix from
-      0.1.0.11.
-    - Fix an fd leak in start_daemon().
-    - On Windows, you can't always reopen a port right after you've
-      closed it. So change retry_listeners() to only close and re-open
-      ports that have changed.
-    - Fix a possible double-free in tor_gzip_uncompress().
-
-  o Bugfixes on 0.1.0.x, usability:
-    - When tor_socketpair() fails in Windows, give a reasonable
-      Windows-style errno back.
-    - Let people type "tor --install" as well as "tor -install" when
-      they
-      want to make it an NT service.
-    - NT service patch from Matt Edman to improve error messages.
-    - When the controller asks for a config option with an abbreviated
-      name, give the full name in our response.
-    - Correct the man page entry on TrackHostExitsExpire.
-    - Looks like we were never delivering deflated (i.e. compressed)
-      running-routers lists, even when asked. Oops.
-    - When --disable-threads is set, do not search for or link against
-      pthreads libraries.
-
-  o Bugfixes on 0.1.1.x:
-    - Fix a seg fault with autodetecting which controller version is
-      being used.
-
-  o Features:
-    - New hidden service descriptor format: put a version in it, and
-      let people specify introduction/rendezvous points that aren't
-      in "the directory" (which is subjective anyway).
-    - Allow the DEBUG controller event to work again. Mark certain log
-      entries as "don't tell this to controllers", so we avoid cycles.
-
-
-Changes in version 0.1.0.11 - 2005-06-30
-  o Bugfixes on 0.1.0.x:
-    - Fix major security bug: servers were disregarding their
-      exit policies if clients behaved unexpectedly.
-    - Make OS X init script check for missing argument, so we don't
-      confuse users who invoke it incorrectly.
-    - Fix a seg fault in "tor --hash-password foo".
-    - The MAPADDRESS control command was broken.
-
-
-Changes in version 0.1.1.1-alpha - 2005-06-29
-  o Bugfixes:
-    - Make OS X init script check for missing argument, so we don't
-      confuse users who invoke it incorrectly.
-    - Fix a seg fault in "tor --hash-password foo".
-    - Fix a possible way to DoS dirservers.
-    - When we complain that your exit policy implicitly allows local or
-      private address spaces, name them explicitly so operators can
-      fix it.
-    - Make the log message less scary when all the dirservers are
-      temporarily unreachable.
-    - We were printing the number of idle dns workers incorrectly when
-      culling them.
-
-  o Features:
-    - Revised controller protocol (version 1) that uses ascii rather
-      than binary. Add supporting libraries in python and java so you
-      can use the controller from your applications without caring how
-      our protocol works.
-    - Spiffy new support for crypto hardware accelerators. Can somebody
-      test this?
-
-
-Changes in version 0.0.9.10 - 2005-06-16
-  o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
-    - Refuse relay cells that claim to have a length larger than the
-      maximum allowed. This prevents a potential attack that could read
-      arbitrary memory (e.g. keys) from an exit server's process
-      (CVE-2005-2050).
-
-
-Changes in version 0.1.0.10 - 2005-06-14
-  o Allow a few EINVALs from libevent before dying. Warn on kqueue with
-    libevent before 1.1a.
-
-
-Changes in version 0.1.0.9-rc - 2005-06-09
-  o Bugfixes:
-    - Reset buf->highwater every time buf_shrink() is called, not just on
-      a successful shrink. This was causing significant memory bloat.
-    - Fix buffer overflow when checking hashed passwords.
-    - Security fix: if seeding the RNG on Win32 fails, quit.
-    - Allow seeding the RNG on Win32 even when you're not running as
-      Administrator.
-    - Disable threading on Solaris too. Something is wonky with it,
-      cpuworkers, and reentrant libs.
-    - Reenable the part of the code that tries to flush as soon as an
-      OR outbuf has a full TLS record available. Perhaps this will make
-      OR outbufs not grow as huge except in rare cases, thus saving lots
-      of CPU time plus memory.
-    - Reject malformed .onion addresses rather then passing them on as
-      normal web requests.
-    - Adapt patch from Adam Langley: fix possible memory leak in
-      tor_lookup_hostname().
-    - Initialize libevent later in the startup process, so the logs are
-      already established by the time we start logging libevent warns.
-    - Use correct errno on win32 if libevent fails.
-    - Check and warn about known-bad/slow libevent versions.
-    - Pay more attention to the ClientOnly config option.
-    - Have torctl.in/tor.sh.in check for location of su binary (needed
-      on FreeBSD)
-    - Correct/add man page entries for LongLivedPorts, ExitPolicy,
-      KeepalivePeriod, ClientOnly, NoPublish, HttpProxy, HttpsProxy,
-      HttpProxyAuthenticator
-    - Stop warning about sigpipes in the logs. We're going to
-      pretend that getting these occassionally is normal and fine.
-    - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in
-      certain
-      installer screens; and don't put stuff into StartupItems unless
-      the user asks you to.
-    - Require servers that use the default dirservers to have public IP
-      addresses. We have too many servers that are configured with private
-      IPs and their admins never notice the log entries complaining that
-      their descriptors are being rejected.
-    - Add OSX uninstall instructions. An actual uninstall script will
-      come later.
-
-
-Changes in version 0.1.0.8-rc - 2005-05-23
-  o Bugfixes:
-    - It turns out that kqueue on OS X 10.3.9 was causing kernel
-      panics. Disable kqueue on all OS X Tors.
-    - Fix RPM: remove duplicate line accidentally added to the rpm
-      spec file.
-    - Disable threads on openbsd too, since its gethostaddr is not
-      reentrant either.
-    - Tolerate libevent 0.8 since it still works, even though it's
-      ancient.
-    - Enable building on Red Hat 9.0 again.
-    - Allow the middle hop of the testing circuit to be running any
-      version, now that most of them have the bugfix to let them connect
-      to unknown servers. This will allow reachability testing to work
-      even when 0.0.9.7-0.0.9.9 become obsolete.
-    - Handle relay cells with rh.length too large. This prevents
-      a potential attack that could read arbitrary memory (maybe even
-      keys) from the exit server's process.
-    - We screwed up the dirport reachability testing when we don't yet
-      have a cached version of the directory. Hopefully now fixed.
-    - Clean up router_load_single_router() (used by the controller),
-      so it doesn't seg fault on error.
-    - Fix a minor memory leak when somebody establishes an introduction
-      point at your Tor server.
-    - If a socks connection ends because read fails, don't warn that
-      you're not sending a socks reply back.
-
-  o Features:
-    - Add HttpProxyAuthenticator config option too, that works like
-      the HttpsProxyAuthenticator config option.
-    - Encode hashed controller passwords in hex instead of base64,
-      to make it easier to write controllers.
-
-
-Changes in version 0.1.0.7-rc - 2005-05-17
-  o Bugfixes:
-    - Fix a bug in the OS X package installer that prevented it from
-      installing on Tiger.
-    - Fix a script bug in the OS X package installer that made it
-      complain during installation.
-    - Find libevent even if it's hiding in /usr/local/ and your
-      CFLAGS and LDFLAGS don't tell you to look there.
-    - Be able to link with libevent as a shared library (the default
-      after 1.0d), even if it's hiding in /usr/local/lib and even
-      if you haven't added /usr/local/lib to your /etc/ld.so.conf,
-      assuming you're running gcc. Otherwise fail and give a useful
-      error message.
-    - Fix a bug in the RPM packager: set home directory for _tor to
-      something more reasonable when first installing.
-    - Free a minor amount of memory that is still reachable on exit.
-
-
-Changes in version 0.1.0.6-rc - 2005-05-14
-  o Bugfixes:
-    - Implement --disable-threads configure option. Disable threads on
-      netbsd by default, because it appears to have no reentrant resolver
-      functions.
-    - Apple's OS X 10.4.0 ships with a broken kqueue. The new libevent
-      release (1.1) detects and disables kqueue if it's broken.
-    - Append default exit policy before checking for implicit internal
-      addresses. Now we don't log a bunch of complaints on startup
-      when using the default exit policy.
-    - Some people were putting "Address  " in their torrc, and they had
-      a buggy resolver that resolved " " to 0.0.0.0. Oops.
-    - If DataDir is ~/.tor, and that expands to /.tor, then default to
-      LOCALSTATEDIR/tor instead.
-    - Fix fragmented-message bug in TorControl.py.
-    - Resolve a minor bug which would prevent unreachable dirports
-      from getting suppressed in the published descriptor.
-    - When the controller gave us a new descriptor, we weren't resolving
-      it immediately, so Tor would think its address was 0.0.0.0 until
-      we fetched a new directory.
-    - Fix an uppercase/lowercase case error in suppressing a bogus
-      libevent warning on some Linuxes.
-
-  o Features:
-    - Begin scrubbing sensitive strings from logs by default. Turn off
-      the config option SafeLogging if you need to do debugging.
-    - Switch to a new buffer management algorithm, which tries to avoid
-      reallocing and copying quite as much. In first tests it looks like
-      it uses *more* memory on average, but less cpu.
-    - First cut at support for "create-fast" cells. Clients can use
-      these when extending to their first hop, since the TLS already
-      provides forward secrecy and authentication. Not enabled on
-      clients yet.
-    - When dirservers refuse a router descriptor, we now log its
-      contactinfo, platform, and the poster's IP address.
-    - Call tor_free_all instead of connections_free_all after forking, to
-      save memory on systems that need to fork.
-    - Whine at you if you're a server and you don't set your contactinfo.
-    - Implement --verify-config command-line option to check if your torrc
-      is valid without actually launching Tor.
-    - Rewrite address "serifos.exit" to "localhost.serifos.exit"
-      rather than just rejecting it.
-
-
-Changes in version 0.1.0.5-rc - 2005-04-27
-  o Bugfixes:
-    - Stop trying to print a null pointer if an OR conn fails because
-      we didn't like its cert.
-  o Features:
-    - Switch our internal buffers implementation to use a ring buffer,
-      to hopefully improve performance for fast servers a lot.
-    - Add HttpsProxyAuthenticator support (basic auth only), based
-      on patch from Adam Langley.
-    - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
-      the fast servers that have been joining lately.
-    - Give hidden service accesses extra time on the first attempt,
-      since 60 seconds is often only barely enough. This might improve
-      robustness more.
-    - Improve performance for dirservers: stop re-parsing the whole
-      directory every time you regenerate it.
-    - Add more debugging info to help us find the weird dns freebsd
-      pthreads bug; cleaner debug messages to help track future issues.
-
-
-Changes in version 0.0.9.9 - 2005-04-23
-  o Bugfixes on 0.0.9.x:
-    - If unofficial Tor clients connect and send weird TLS certs, our
-      Tor server triggers an assert. This release contains a minimal
-      backport from the broader fix that we put into 0.1.0.4-rc.
-
-
-Changes in version 0.1.0.4-rc - 2005-04-23
-  o Bugfixes:
-    - If unofficial Tor clients connect and send weird TLS certs, our
-      Tor server triggers an assert. Stop asserting, and start handling
-      TLS errors better in other situations too.
-    - When the controller asks us to tell it about all the debug-level
-      logs, it turns out we were generating debug-level logs while
-      telling it about them, which turns into a bad loop. Now keep
-      track of whether you're sending a debug log to the controller,
-      and don't log when you are.
-    - Fix the "postdescriptor" feature of the controller interface: on
-      non-complete success, only say "done" once.
-  o Features:
-    - Clients are now willing to load balance over up to 2mB, not 1mB,
-      of advertised bandwidth capacity.
-    - Add a NoPublish config option, so you can be a server (e.g. for
-      testing running Tor servers in other Tor networks) without
-      publishing your descriptor to the primary dirservers.
-
-
-Changes in version 0.1.0.3-rc - 2005-04-08
-  o Improvements on 0.1.0.2-rc:
-    - Client now retries when streams end early for 'hibernating' or
-      'resource limit' reasons, rather than failing them.
-    - More automated handling for dirserver operators:
-      - Automatically approve nodes running 0.1.0.2-rc or later,
-        now that the the reachability detection stuff is working.
-      - Now we allow two unverified servers with the same nickname
-        but different keys. But if a nickname is verified, only that
-        nickname+key are allowed.
-      - If you're an authdirserver connecting to an address:port,
-        and it's not the OR you were expecting, forget about that
-        descriptor. If he *was* the one you were expecting, then forget
-        about all other descriptors for that address:port.
-      - Allow servers to publish descriptors from 12 hours in the future.
-        Corollary: only whine about clock skew from the dirserver if
-        he's a trusted dirserver (since now even verified servers could
-        have quite wrong clocks).
-    - Adjust maximum skew and age for rendezvous descriptors: let skew
-      be 48 hours rather than 90 minutes.
-    - Efficiency improvements:
-      - Keep a big splay tree of (circid,orconn)->circuit mappings to make
-        it much faster to look up a circuit for each relay cell.
-      - Remove most calls to assert_all_pending_dns_resolves_ok(),
-        since they're eating our cpu on exit nodes.
-      - Stop wasting time doing a case insensitive comparison for every
-        dns name every time we do any lookup. Canonicalize the names to
-        lowercase and be done with it.
-    - Start sending 'truncated' cells back rather than destroy cells,
-      if the circuit closes in front of you. This means we won't have
-      to abandon partially built circuits.
-    - Only warn once per nickname from add_nickname_list_to_smartlist
-      per failure, so an entrynode or exitnode choice that's down won't
-      yell so much.
-    - Put a note in the torrc about abuse potential with the default
-      exit policy.
-    - Revise control spec and implementation to allow all log messages to
-      be sent to controller with their severities intact (suggested by
-      Matt Edman). Update TorControl to handle new log event types.
-    - Provide better explanation messages when controller's POSTDESCRIPTOR
-      fails.
-    - Stop putting nodename in the Platform string in server descriptors.
-      It doesn't actually help, and it is confusing/upsetting some people.
-
-  o Bugfixes on 0.1.0.2-rc:
-    - We were printing the host mask wrong in exit policies in server
-      descriptors. This isn't a critical bug though, since we were still
-      obeying the exit policy internally.
-    - Fix Tor when compiled with libevent but without pthreads: move
-      connection_unregister() from _connection_free() to
-      connection_free().
-    - Fix an assert trigger (already fixed in 0.0.9.x): when we have
-      the rare mysterious case of accepting a conn on 0.0.0.0:0, then
-      when we look through the connection array, we'll find any of the
-      cpu/dnsworkers. This is no good.
-
-  o Bugfixes on 0.0.9.8:
-    - Fix possible bug on threading platforms (e.g. win32) which was
-      leaking a file descriptor whenever a cpuworker or dnsworker died.
-    - When using preferred entry or exit nodes, ignore whether the
-      circuit wants uptime or capacity. They asked for the nodes, they
-      get the nodes.
-    - chdir() to your datadirectory at the *end* of the daemonize process,
-      not the beginning. This was a problem because the first time you
-      run tor, if your datadir isn't there, and you have runasdaemon set
-      to 1, it will try to chdir to it before it tries to create it. Oops.
-    - Handle changed router status correctly when dirserver reloads
-      fingerprint file. We used to be dropping all unverified descriptors
-      right then. The bug was hidden because we would immediately
-      fetch a directory from another dirserver, which would include the
-      descriptors we just dropped.
-    - When we're connecting to an OR and he's got a different nickname/key
-      than we were expecting, only complain loudly if we're an OP or a
-      dirserver. Complaining loudly to the OR admins just confuses them.
-    - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
-      artificially capped at 500kB.
-
-
-Changes in version 0.0.9.8 - 2005-04-07
-  o Bugfixes on 0.0.9.x:
-    - We have a bug that I haven't found yet. Sometimes, very rarely,
-      cpuworkers get stuck in the 'busy' state, even though the cpuworker
-      thinks of itself as idle. This meant that no new circuits ever got
-      established. Here's a workaround to kill any cpuworker that's been
-      busy for more than 100 seconds.
-
-
-Changes in version 0.1.0.2-rc - 2005-04-01
-  o Bugfixes on 0.1.0.1-rc:
-    - Fixes on reachability detection:
-      - Don't check for reachability while hibernating.
-      - If ORPort is reachable but DirPort isn't, still publish the
-        descriptor, but zero out DirPort until it's found reachable.
-      - When building testing circs for ORPort testing, use only
-        high-bandwidth nodes, so fewer circuits fail.
-      - Complain about unreachable ORPort separately from unreachable
-        DirPort, so the user knows what's going on.
-      - Make sure we only conclude ORPort reachability if we didn't
-        initiate the conn. Otherwise we could falsely conclude that
-        we're reachable just because we connected to the guy earlier
-        and he used that same pipe to extend to us.
-      - Authdirservers shouldn't do ORPort reachability detection,
-        since they're in clique mode, so it will be rare to find a
-        server not already connected to them.
-      - When building testing circuits, always pick middle hops running
-        Tor 0.0.9.7, so we avoid the "can't extend to unknown routers"
-        bug. (This is a kludge; it will go away when 0.0.9.x becomes
-        obsolete.)
-      - When we decide we're reachable, actually publish our descriptor
-        right then.
-    - Fix bug in redirectstream in the controller.
-    - Fix the state descriptor strings so logs don't claim edge streams
-      are in a different state than they actually are.
-    - Use recent libevent features when possible (this only really affects
-      win32 and osx right now, because the new libevent with these
-      features hasn't been released yet). Add code to suppress spurious
-      libevent log msgs.
-    - Prevent possible segfault in connection_close_unattached_ap().
-    - Fix newlines on torrc in win32.
-    - Improve error msgs when tor-resolve fails.
-
-  o Improvements on 0.0.9.x:
-    - New experimental script tor/contrib/ExerciseServer.py (needs more
-      work) that uses the controller interface to build circuits and
-      fetch pages over them. This will help us bootstrap servers that
-      have lots of capacity but haven't noticed it yet.
-    - New experimental script tor/contrib/PathDemo.py (needs more work)
-      that uses the controller interface to let you choose whole paths
-      via addresses like
-      "<hostname>.<path,separated by dots>.<length of path>.path"
-    - When we've connected to an OR and handshaked but didn't like
-      the result, we were closing the conn without sending destroy
-      cells back for pending circuits. Now send those destroys.
-
-
-Changes in version 0.0.9.7 - 2005-04-01
-  o Bugfixes on 0.0.9.x:
-    - Fix another race crash bug (thanks to Glenn Fink for reporting).
-    - Compare identity to identity, not to nickname, when extending to
-      a router not already in the directory. This was preventing us from
-      extending to unknown routers. Oops.
-    - Make sure to create OS X Tor user in <500 range, so we aren't
-      creating actual system users.
-    - Note where connection-that-hasn't-sent-end was marked, and fix
-      a few really loud instances of this harmless bug (it's fixed more
-      in 0.1.0.x).
-
-
-Changes in version 0.1.0.1-rc - 2005-03-28
-  o New features:
-    - Add reachability testing. Your Tor server will automatically try
-      to see if its ORPort and DirPort are reachable from the outside,
-      and it won't upload its descriptor until it decides they are.
-    - Handle unavailable hidden services better. Handle slow or busy
-      hidden services better.
-    - Add support for CONNECTing through https proxies, with "HttpsProxy"
-      config option.
-    - New exit policy: accept most low-numbered ports, rather than
-      rejecting most low-numbered ports.
-    - More Tor controller support (still experimental). See
-      http://tor.eff.org/doc/control-spec.txt for all the new features,
-      including signals to emulate unix signals from any platform;
-      redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
-      closestream; closecircuit; etc.
-    - Make nt services work and start on startup on win32 (based on
-      patch by Matt Edman).
-    - Add a new AddressMap config directive to rewrite incoming socks
-      addresses. This lets you, for example, declare an implicit
-      required exit node for certain sites.
-    - Add a new TrackHostExits config directive to trigger addressmaps
-      for certain incoming socks addresses -- for sites that break when
-      your exit keeps changing (based on patch by Mike Perry).
-    - Redo the client-side dns cache so it's just an addressmap too.
-    - Notice when our IP changes, and reset stats/uptime/reachability.
-    - When an application is using socks5, give him the whole variety of
-      potential socks5 responses (connect refused, host unreachable, etc),
-      rather than just "success" or "failure".
-    - A more sane version numbering system. See
-      http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
-    - New contributed script "exitlist": a simple python script to
-      parse directories and find Tor nodes that exit to listed
-      addresses/ports.
-    - New contributed script "privoxy-tor-toggle" to toggle whether
-      Privoxy uses Tor. Seems to be configured for Debian by default.
-    - Report HTTP reasons to client when getting a response from directory
-      servers -- so you can actually know what went wrong.
-    - New config option MaxAdvertisedBandwidth which lets you advertise
-      a low bandwidthrate (to not attract as many circuits) while still
-      allowing a higher bandwidthrate in reality.
-
-  o Robustness/stability fixes:
-    - Make Tor use Niels Provos's libevent instead of its current
-      poll-but-sometimes-select mess.  This will let us use faster async
-      cores (like epoll, kpoll, and /dev/poll), and hopefully work better
-      on Windows too.
-    - pthread support now too. This was forced because when we forked,
-      we ended up wasting a lot of duplicate ram over time. Also switch
-      to foo_r versions of some library calls to allow reentry and
-      threadsafeness.
-    - Better handling for heterogeneous / unreliable nodes:
-      - Annotate circuits w/ whether they aim to contain high uptime nodes
-        and/or high capacity nodes. When building circuits, choose
-        appropriate nodes.
-      - This means that every single node in an intro rend circuit,
-        not just the last one, will have a minimum uptime.
-      - New config option LongLivedPorts to indicate application streams
-        that will want high uptime circuits.
-      - Servers reset uptime when a dir fetch entirely fails. This
-        hopefully reflects stability of the server's network connectivity.
-      - If somebody starts his tor server in Jan 2004 and then fixes his
-        clock, don't make his published uptime be a year.
-      - Reset published uptime when you wake up from hibernation.
-    - Introduce a notion of 'internal' circs, which are chosen without
-      regard to the exit policy of the last hop. Intro and rendezvous
-      circs must be internal circs, to avoid leaking information. Resolve
-      and connect streams can use internal circs if they want.
-    - New circuit pooling algorithm: make sure to have enough circs around
-      to satisfy any predicted ports, and also make sure to have 2 internal
-      circs around if we've required internal circs lately (and with high
-      uptime if we've seen that lately too).
-    - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
-      which describes how often we retry making new circuits if current
-      ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
-      how long we're willing to make use of an already-dirty circuit.
-    - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
-      circ as necessary, if there are any completed ones lying around
-      when we try to launch one.
-    - Make hidden services try to establish a rendezvous for 30 seconds,
-      rather than for n (where n=3) attempts to build a circuit.
-    - Change SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to a config option
-      "ShutdownWaitLength".
-    - Try to be more zealous about calling connection_edge_end when
-      things go bad with edge conns in connection.c.
-    - Revise tor-spec to add more/better stream end reasons.
-    - Revise all calls to connection_edge_end to avoid sending "misc",
-      and to take errno into account where possible.
-
-  o Bug fixes:
-    - Fix a race condition that can trigger an assert, when we have a
-      pending create cell and an OR connection fails right then.
-    - Fix several double-mark-for-close bugs, e.g. where we were finding
-      a conn for a cell even if that conn is already marked for close.
-    - Make sequence of log messages when starting on win32 with no config
-      file more reasonable.
-    - When choosing an exit node for a new non-internal circ, don't take
-      into account whether it'll be useful for any pending x.onion
-      addresses -- it won't.
-    - Turn addr_policy_compare from a tristate to a quadstate; this should
-      help address our "Ah, you allow 1.2.3.4:80. You are a good choice
-      for google.com" problem.
-    - Make "platform" string in descriptor more accurate for Win32 servers,
-      so it's not just "unknown platform".
-    - Fix an edge case in parsing config options (thanks weasel).
-      If they say "--" on the commandline, it's not an option.
-    - Reject odd-looking addresses at the client (e.g. addresses that
-      contain a colon), rather than having the server drop them because
-      they're malformed.
-    - tor-resolve requests were ignoring .exit if there was a working circuit
-      they could use instead.
-    - REUSEADDR on normal platforms means you can rebind to the port
-      right after somebody else has let it go. But REUSEADDR on win32
-      means to let you bind to the port _even when somebody else
-      already has it bound_! So, don't do that on Win32.
-    - Change version parsing logic: a version is "obsolete" if it is not
-      recommended and (1) there is a newer recommended version in the
-      same series, or (2) there are no recommended versions in the same
-      series, but there are some recommended versions in a newer series.
-      A version is "new" if it is newer than any recommended version in
-      the same series.
-    - Stop most cases of hanging up on a socks connection without sending
-      the socks reject.
-
-  o Helpful fixes:
-    - Require BandwidthRate to be at least 20kB/s for servers.
-    - When a dirserver causes you to give a warn, mention which dirserver
-      it was.
-    - New config option DirAllowPrivateAddresses for authdirservers.
-      Now by default they refuse router descriptors that have non-IP or
-      private-IP addresses.
-    - Stop publishing socksport in the directory, since it's not
-      actually meant to be public. For compatibility, publish a 0 there
-      for now.
-    - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
-      smart" value, that is low for servers and high for clients.
-    - If our clock jumps forward by 100 seconds or more, assume something
-      has gone wrong with our network and abandon all not-yet-used circs.
-    - Warn when exit policy implicitly allows local addresses.
-    - If we get an incredibly skewed timestamp from a dirserver mirror
-      that isn't a verified OR, don't warn -- it's probably him that's
-      wrong.
-    - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
-      cookies to disk and doesn't log each web request to disk. (Thanks
-      to Brett Carrington for pointing this out.)
-    - When a client asks us for a dir mirror and we don't have one,
-      launch an attempt to get a fresh one.
-    - If we're hibernating and we get a SIGINT, exit immediately.
-    - Add --with-dmalloc ./configure option, to track memory leaks.
-    - And try to free all memory on closing, so we can detect what
-      we're leaking.
-    - Cache local dns resolves correctly even when they're .exit
-      addresses.
-    - Give a better warning when some other server advertises an
-      ORPort that is actually an apache running ssl.
-    - Add "opt hibernating 1" to server descriptor to make it clearer
-      whether the server is hibernating.
-
-
-Changes in version 0.0.9.6 - 2005-03-24
-  o Bugfixes on 0.0.9.x (crashes and asserts):
-    - Add new end stream reasons to maintainance branch. Fix bug where
-      reason (8) could trigger an assert.  Prevent bug from recurring.
-    - Apparently win32 stat wants paths to not end with a slash.
-    - Fix assert triggers in assert_cpath_layer_ok(), where we were
-      blowing away the circuit that conn->cpath_layer points to, then
-      checking to see if the circ is well-formed. Backport check to make
-      sure we dont use the cpath on a closed connection.
-    - Prevent circuit_resume_edge_reading_helper() from trying to package
-      inbufs for marked-for-close streams.
-    - Don't crash on hup if your options->address has become unresolvable.
-    - Some systems (like OS X) sometimes accept() a connection and tell
-      you the remote host is 0.0.0.0:0. If this happens, due to some
-      other mis-features, we get confused; so refuse the conn for now.
-
-  o Bugfixes on 0.0.9.x (other):
-    - Fix harmless but scary "Unrecognized content encoding" warn message.
-    - Add new stream error reason: TORPROTOCOL reason means "you are not
-      speaking a version of Tor I understand; say bye-bye to your stream."
-    - Be willing to cache directories from up to ROUTER_MAX_AGE seconds
-      into the future, now that we are more tolerant of skew. This
-      resolves a bug where a Tor server would refuse to cache a directory
-      because all the directories it gets are too far in the future;
-      yet the Tor server never logs any complaints about clock skew.
-    - Mac packaging magic: make man pages useable, and do not overwrite
-      existing torrc files.
-    - Make OS X log happily to /var/log/tor/tor.log
-
-
-Changes in version 0.0.9.5 - 2005-02-22
-  o Bugfixes on 0.0.9.x:
-    - Fix an assert race at exit nodes when resolve requests fail.
-    - Stop picking unverified dir mirrors--it only leads to misery.
-    - Patch from Matt Edman to make NT services work better. Service
-      support is still not compiled into the executable by default.
-    - Patch from Dmitri Bely so the Tor service runs better under
-      the win32 SYSTEM account.
-    - Make tor-resolve actually work (?) on Win32.
-    - Fix a sign bug when getrlimit claims to have 4+ billion
-      file descriptors available.
-    - Stop refusing to start when bandwidthburst == bandwidthrate.
-    - When create cells have been on the onion queue more than five
-      seconds, just send back a destroy and take them off the list.
-
-
-Changes in version 0.0.9.4 - 2005-02-03
-  o Bugfixes on 0.0.9:
-    - Fix an assert bug that took down most of our servers: when
-      a server claims to have 1 GB of bandwidthburst, don't
-      freak out.
-    - Don't crash as badly if we have spawned the max allowed number
-      of dnsworkers, or we're out of file descriptors.
-    - Block more file-sharing ports in the default exit policy.
-    - MaxConn is now automatically set to the hard limit of max
-      file descriptors we're allowed (ulimit -n), minus a few for
-      logs, etc.
-    - Give a clearer message when servers need to raise their
-      ulimit -n when they start running out of file descriptors.
-    - SGI Compatibility patches from Jan Schaumann.
-    - Tolerate a corrupt cached directory better.
-    - When a dirserver hasn't approved your server, list which one.
-    - Go into soft hibernation after 95% of the bandwidth is used,
-      not 99%. This is especially important for daily hibernators who
-      have a small accounting max. Hopefully it will result in fewer
-      cut connections when the hard hibernation starts.
-    - Load-balance better when using servers that claim more than
-      800kB/s of capacity.
-    - Make NT services work (experimental, only used if compiled in).
-
-
-Changes in version 0.0.9.3 - 2005-01-21
-  o Bugfixes on 0.0.9:
-    - Backport the cpu use fixes from main branch, so busy servers won't
-      need as much processor time.
-    - Work better when we go offline and then come back, or when we
-      run Tor at boot before the network is up. We do this by
-      optimistically trying to fetch a new directory whenever an
-      application request comes in and we think we're offline -- the
-      human is hopefully a good measure of when the network is back.
-    - Backport some minimal hidserv bugfixes: keep rend circuits open as
-      long as you keep using them; actually publish hidserv descriptors
-      shortly after they change, rather than waiting 20-40 minutes.
-    - Enable Mac startup script by default.
-    - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
-    - When you update AllowUnverifiedNodes or FirewallPorts via the
-      controller's setconf feature, we were always appending, never
-      resetting.
-    - When you update HiddenServiceDir via setconf, it was screwing up
-      the order of reading the lines, making it fail.
-    - Do not rewrite a cached directory back to the cache; otherwise we
-      will think it is recent and not fetch a newer one on startup.
-    - Workaround for webservers that lie about Content-Encoding: Tor
-      now tries to autodetect compressed directories and compression
-      itself. This lets us Proxypass dir fetches through apache.
-
-
-Changes in version 0.0.9.2 - 2005-01-04
-  o Bugfixes on 0.0.9 (crashes and asserts):
-    - Fix an assert on startup when the disk is full and you're logging
-      to a file.
-    - If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
-      style address, then we'd crash.
-    - Fix an assert trigger when the running-routers string we get from
-      a dirserver is broken.
-    - Make worker threads start and run on win32. Now win32 servers
-      may work better.
-    - Bandaid (not actually fix, but now it doesn't crash) an assert
-      where the dns worker dies mysteriously and the main Tor process
-      doesn't remember anything about the address it was resolving.
-
-  o Bugfixes on 0.0.9 (Win32):
-    - Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
-      name out of the warning/assert messages.
-    - Fix a superficial "unhandled error on read" bug on win32.
-    - The win32 installer no longer requires a click-through for our
-      license, since our Free Software license grants rights but does not
-      take any away.
-    - Win32: When connecting to a dirserver fails, try another one
-      immediately. (This was already working for non-win32 Tors.)
-    - Stop trying to parse $HOME on win32 when hunting for default
-      DataDirectory.
-    - Make tor-resolve.c work on win32 by calling network_init().
-
-  o Bugfixes on 0.0.9 (other):
-    - Make 0.0.9.x build on Solaris again.
-    - Due to a fencepost error, we were blowing away the \n when reporting
-      confvalue items in the controller. So asking for multiple config
-      values at once couldn't work.
-    - When listing circuits that are pending on an opening OR connection,
-      if we're an OR we were listing circuits that *end* at us as
-      being pending on every listener, dns/cpu worker, etc. Stop that.
-    - Dirservers were failing to create 'running-routers' or 'directory'
-      strings if we had more than some threshold of routers. Fix them so
-      they can handle any number of routers.
-    - Fix a superficial "Duplicate mark for close" bug.
-    - Stop checking for clock skew for OR connections, even for servers.
-    - Fix a fencepost error that was chopping off the last letter of any
-      nickname that is the maximum allowed nickname length.
-    - Update URLs in log messages so they point to the new website.
-    - Fix a potential problem in mangling server private keys while
-      writing to disk (not triggered yet, as far as we know).
-    - Include the licenses for other free software we include in Tor,
-      now that we're shipping binary distributions more regularly.
-
-
-Changes in version 0.0.9.1 - 2004-12-15
-  o Bugfixes on 0.0.9:
-    - Make hibernation actually work.
-    - Make HashedControlPassword config option work.
-    - When we're reporting event circuit status to a controller,
-      don't use the stream status code.
-
-
-Changes in version 0.0.9 - 2004-12-12
-  o Cleanups:
-    - Clean up manpage and torrc.sample file.
-    - Clean up severities and text of log warnings.
-  o Mistakes:
-    - Make servers trigger an assert when they enter hibernation.
-
-
-Changes in version 0.0.9rc7 - 2004-12-08
-  o Bugfixes on 0.0.9rc:
-    - Fix a stack-trashing crash when an exit node begins hibernating.
-    - Avoid looking at unallocated memory while considering which
-      ports we need to build circuits to cover.
-    - Stop a sigpipe: when an 'end' cell races with eof from the app,
-      we shouldn't hold-open-until-flush if the eof arrived first.
-    - Fix a bug with init_cookie_authentication() in the controller.
-    - When recommending new-format log lines, if the upper bound is
-      LOG_ERR, leave it implicit.
-
-  o Bugfixes on 0.0.8.1:
-    - Fix a whole slew of memory leaks.
-    - Fix isspace() and friends so they still make Solaris happy
-      but also so they don't trigger asserts on win32.
-    - Fix parse_iso_time on platforms without strptime (eg win32).
-    - win32: tolerate extra "readable" events better.
-    - win32: when being multithreaded, leave parent fdarray open.
-    - Make unit tests work on win32.
-
-
-Changes in version 0.0.9rc6 - 2004-12-06
-  o Bugfixes on 0.0.9pre:
-    - Clean up some more integer underflow opportunities (not exploitable
-      we think).
-    - While hibernating, hup should not regrow our listeners.
-    - Send an end to the streams we close when we hibernate, rather
-      than just chopping them off.
-    - React to eof immediately on non-open edge connections.
-
-  o Bugfixes on 0.0.8.1:
-    - Calculate timeout for waiting for a connected cell from the time
-      we sent the begin cell, not from the time the stream started. If
-      it took a long time to establish the circuit, we would time out
-      right after sending the begin cell.
-    - Fix router_compare_addr_to_addr_policy: it was not treating a port
-      of * as always matching, so we were picking reject *:* nodes as
-      exit nodes too. Oops.
-
-  o Features:
-    - New circuit building strategy: keep a list of ports that we've
-      used in the past 6 hours, and always try to have 2 circuits open
-      or on the way that will handle each such port. Seed us with port
-      80 so web users won't complain that Tor is "slow to start up".
-    - Make kill -USR1 dump more useful stats about circuits.
-    - When warning about retrying or giving up, print the address, so
-      the user knows which one it's talking about.
-    - If you haven't used a clean circuit in an hour, throw it away,
-      just to be on the safe side. (This means after 6 hours a totally
-      unused Tor client will have no circuits open.)
-
-
-Changes in version 0.0.9rc5 - 2004-12-01
-  o Bugfixes on 0.0.8.1:
-    - Disallow NDEBUG. We don't ever want anybody to turn off debug.
-    - Let resolve conns retry/expire also, rather than sticking around
-      forever.
-    - If we are using select, make sure we stay within FD_SETSIZE.
-
-  o Bugfixes on 0.0.9pre:
-    - Fix integer underflow in tor_vsnprintf() that may be exploitable,
-      but doesn't seem to be currently; thanks to Ilja van Sprundel for
-      finding it.
-    - If anybody set DirFetchPostPeriod, give them StatusFetchPeriod
-      instead.  Impose minima and maxima for all *Period options; impose
-      even tighter maxima for fetching if we are a caching dirserver.
-      Clip rather than rejecting.
-    - Fetch cached running-routers from servers that serve it (that is,
-      authdirservers and servers running 0.0.9rc5-cvs or later.)
-
-  o Features:
-    - Accept *:706 (silc) in default exit policy.
-    - Implement new versioning format for post 0.1.
-    - Support "foo.nickname.exit" addresses, to let Alice request the
-      address "foo" as viewed by exit node "nickname". Based on a patch
-      by Geoff Goodell.
-    - Make tor --version --version dump the cvs Id of every file.
-
-
-Changes in version 0.0.9rc4 - 2004-11-28
-  o Bugfixes on 0.0.8.1:
-    - Make windows sockets actually non-blocking (oops), and handle
-      win32 socket errors better.
-
-  o Bugfixes on 0.0.9rc1:
-    - Actually catch the -USR2 signal.
-
-
-Changes in version 0.0.9rc3 - 2004-11-25
-  o Bugfixes on 0.0.8.1:
-    - Flush the log file descriptor after we print "Tor opening log file",
-      so we don't see those messages days later.
-
-  o Bugfixes on 0.0.9rc1:
-    - Make tor-resolve work again.
-    - Avoid infinite loop in tor-resolve if tor hangs up on it.
-    - Fix an assert trigger for clients/servers handling resolves.
-
-
-Changes in version 0.0.9rc2 - 2004-11-24
-  o Bugfixes on 0.0.9rc1:
-    - I broke socks5 support while fixing the eof bug.
-    - Allow unitless bandwidths and intervals; they default to bytes
-      and seconds.
-    - New servers don't start out hibernating; they are active until
-      they run out of bytes, so they have a better estimate of how
-      long it takes, and so their operators can know they're working.
-
-
-Changes in version 0.0.9rc1 - 2004-11-23
-  o Bugfixes on 0.0.8.1:
-    - Finally fix a bug that's been plaguing us for a year:
-      With high load, circuit package window was reaching 0. Whenever
-      we got a circuit-level sendme, we were reading a lot on each
-      socket, but only writing out a bit. So we would eventually reach
-      eof. This would be noticed and acted on even when there were still
-      bytes sitting in the inbuf.
-    - When poll() is interrupted, we shouldn't believe the revents values.
-
-  o Bugfixes on 0.0.9pre6:
-    - Fix hibernate bug that caused pre6 to be broken.
-    - Don't keep rephist info for routers that haven't had activity for
-      24 hours. (This matters now that clients have keys, since we track
-      them too.)
-    - Never call close_temp_logs while validating log options.
-    - Fix backslash-escaping on tor.sh.in and torctl.in.
-
-  o Features:
-    - Implement weekly/monthly/daily accounting: now you specify your
-      hibernation properties by
-      AccountingMax N bytes|KB|MB|GB|TB
-      AccountingStart day|week|month [day] HH:MM
-        Defaults to "month 1 0:00".
-    - Let bandwidth and interval config options be specified as 5 bytes,
-      kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
-    - kill -USR2 now moves all logs to loglevel debug (kill -HUP to
-      get back to normal.)
-    - If your requested entry or exit node has advertised bandwidth 0,
-      pick it anyway.
-    - Be more greedy about filling up relay cells -- we try reading again
-      once we've processed the stuff we read, in case enough has arrived
-      to fill the last cell completely.
-    - Apply NT service patch from Osamu Fujino. Still needs more work.
-
-
-Changes in version 0.0.9pre6 - 2004-11-15
-  o Bugfixes on 0.0.8.1:
-    - Fix assert failure on malformed socks4a requests.
-    - Use identity comparison, not nickname comparison, to choose which
-      half of circuit-ID-space each side gets to use. This is needed
-      because sometimes we think of a router as a nickname, and sometimes
-      as a hex ID, and we can't predict what the other side will do.
-    - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
-      write() call will fail and we handle it there.
-    - Add a FAST_SMARTLIST define to optionally inline smartlist_get
-      and smartlist_len, which are two major profiling offenders.
-
-  o Bugfixes on 0.0.9pre5:
-    - Fix a bug in read_all that was corrupting config files on windows.
-    - When we're raising the max number of open file descriptors to
-      'unlimited', don't log that we just raised it to '-1'.
-    - Include event code with events, as required by control-spec.txt.
-    - Don't give a fingerprint when clients do --list-fingerprint:
-      it's misleading, because it will never be the same again.
-    - Stop using strlcpy in tor_strndup, since it was slowing us
-      down a lot.
-    - Remove warn on startup about missing cached-directory file.
-    - Make kill -USR1 work again.
-    - Hibernate if we start tor during the "wait for wakeup-time" phase
-      of an accounting interval. Log our hibernation plans better.
-    - Authoritative dirservers now also cache their directory, so they
-      have it on start-up.
-
-  o Features:
-    - Fetch running-routers; cache running-routers; compress
-      running-routers; serve compressed running-routers.z
-    - Add NSI installer script contributed by J Doe.
-    - Commit VC6 and VC7 workspace/project files.
-    - Commit a tor.spec for making RPM files, with help from jbash.
-    - Add contrib/torctl.in contributed by Glenn Fink.
-    - Implement the control-spec's SAVECONF command, to write your
-      configuration to torrc.
-    - Get cookie authentication for the controller closer to working.
-    - Include control-spec.txt in the tarball.
-    - When set_conf changes our server descriptor, upload a new copy.
-      But don't upload it too often if there are frequent changes.
-    - Document authentication config in man page, and document signals
-      we catch.
-    - Clean up confusing parts of man page and torrc.sample.
-    - Make expand_filename handle ~ and ~username.
-    - Use autoconf to enable largefile support where necessary. Use
-      ftello where available, since ftell can fail at 2GB.
-    - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
-      log more informatively.
-    - Give a slightly more useful output for "tor -h".
-    - Refuse application socks connections to port 0.
-    - Check clock skew for verified servers, but allow unverified
-      servers and clients to have any clock skew.
-    - Break DirFetchPostPeriod into:
-      - DirFetchPeriod for fetching full directory,
-      - StatusFetchPeriod for fetching running-routers,
-      - DirPostPeriod for posting server descriptor,
-      - RendPostPeriod for posting hidden service descriptors.
-    - Make sure the hidden service descriptors are at a random offset
-      from each other, to hinder linkability.
-
-
-Changes in version 0.0.9pre5 - 2004-11-09
-  o Bugfixes on 0.0.9pre4:
-    - Fix a seg fault in unit tests (doesn't affect main program).
-    - Fix an assert bug where a hidden service provider would fail if
-      the first hop of his rendezvous circuit was down.
-    - Hidden service operators now correctly handle version 1 style
-      INTRODUCE1 cells (nobody generates them still, so not a critical
-      bug).
-    - If do_hup fails, actually notice.
-    - Handle more errnos from accept() without closing the listener.
-      Some OpenBSD machines were closing their listeners because
-      they ran out of file descriptors.
-    - Send resolve cells to exit routers that are running a new
-      enough version of the resolve code to work right.
-    - Better handling of winsock includes on non-MSV win32 compilers.
-    - Some people had wrapped their tor client/server in a script
-      that would restart it whenever it died. This did not play well
-      with our "shut down if your version is obsolete" code. Now people
-      don't fetch a new directory if their local cached version is
-      recent enough.
-    - Make our autogen.sh work on ksh as well as bash.
-
-  o Major Features:
-    - Hibernation: New config option "AccountingMaxKB" lets you
-      set how many KBytes per month you want to allow your server to
-      consume. Rather than spreading those bytes out evenly over the
-      month, we instead hibernate for some of the month and pop up
-      at a deterministic time, work until the bytes are consumed, then
-      hibernate again. Config option "MonthlyAccountingStart" lets you
-      specify which day of the month your billing cycle starts on.
-    - Control interface: a separate program can now talk to your
-      client/server over a socket, and get/set config options, receive
-      notifications of circuits and streams starting/finishing/dying,
-      bandwidth used, etc. The next step is to get some GUIs working.
-      Let us know if you want to help out. See doc/control-spec.txt .
-    - Ship a contrib/tor-control.py as an example script to interact
-      with the control port.
-    - "tor --hash-password zzyxz" will output a salted password for
-      use in authenticating to the control interface.
-    - New log format in config:
-      "Log minsev[-maxsev] stdout|stderr|syslog" or
-      "Log minsev[-maxsev] file /var/foo"
-
-  o Minor Features:
-    - DirPolicy config option, to let people reject incoming addresses
-      from their dirserver.
-    - "tor --list-fingerprint" will list your identity key fingerprint
-      and then exit.
-    - Add "pass" target for RedirectExit, to make it easier to break
-      out of a sequence of RedirectExit rules.
-    - Clients now generate a TLS cert too, in preparation for having
-      them act more like real nodes.
-    - Ship src/win32/ in the tarball, so people can use it to build.
-    - Make old win32 fall back to CWD if SHGetSpecialFolderLocation
-      is broken.
-    - New "router-status" line in directory, to better bind each verified
-      nickname to its identity key.
-    - Deprecate unofficial config option abbreviations, and abbreviations
-      not on the command line.
-    - Add a pure-C tor-resolve implementation.
-    - Use getrlimit and friends to ensure we can reach MaxConn (currently
-      1024) file descriptors.
-
-  o Code security improvements, inspired by Ilja:
-    - Replace sprintf with snprintf. (I think they were all safe, but
-      hey.)
-    - Replace strcpy/strncpy with strlcpy in more places.
-    - Avoid strcat; use snprintf or strlcat instead.
-    - snprintf wrapper with consistent (though not C99) overflow behavior.
-
-
-Changes in version 0.0.9pre4 - 2004-10-17
-  o Bugfixes on 0.0.9pre3:
-    - If the server doesn't specify an exit policy, use the real default
-      exit policy, not reject *:*.
-    - Ignore fascistfirewall when uploading/downloading hidden service
-      descriptors, since we go through Tor for those; and when using
-      an HttpProxy, since we assume it can reach them all.
-    - When looking for an authoritative dirserver, use only the ones
-      configured at boot. Don't bother looking in the directory.
-    - The rest of the fix for get_default_conf_file() on older win32.
-    - Make 'Routerfile' config option obsolete.
-
-  o Features:
-    - New 'MyFamily nick1,...' config option for a server to
-      specify other servers that shouldn't be used in the same circuit
-      with it. Only believed if nick1 also specifies us.
-    - New 'NodeFamily nick1,nick2,...' config option for a client to
-      specify nodes that it doesn't want to use in the same circuit.
-    - New 'Redirectexit pattern address:port' config option for a
-      server to redirect exit connections, e.g. to a local squid.
-
-
-Changes in version 0.0.9pre3 - 2004-10-13
-  o Bugfixes on 0.0.8.1:
-    - Better torrc example lines for dirbindaddress and orbindaddress.
-    - Improved bounds checking on parsed ints (e.g. config options and
-      the ones we find in directories.)
-    - Better handling of size_t vs int, so we're more robust on 64
-      bit platforms.
-    - Fix the rest of the bug where a newly started OR would appear
-      as unverified even after we've added his fingerprint and hupped
-      the dirserver.
-    - Fix a bug from 0.0.7: when read() failed on a stream, we would
-      close it without sending back an end. So 'connection refused'
-      would simply be ignored and the user would get no response.
-
-  o Bugfixes on 0.0.9pre2:
-    - Serving the cached-on-disk directory to people is bad. We now
-      provide no directory until we've fetched a fresh one.
-    - Workaround for bug on windows where cached-directories get crlf
-      corruption.
-    - Make get_default_conf_file() work on older windows too.
-    - If we write a *:* exit policy line in the descriptor, don't write
-      any more exit policy lines.
-
-  o Features:
-    - Use only 0.0.9pre1 and later servers for resolve cells.
-    - Make the dirservers file obsolete.
-      - Include a dir-signing-key token in directories to tell the
-        parsing entity which key is being used to sign.
-      - Remove the built-in bulky default dirservers string.
-      - New config option "Dirserver %s:%d [fingerprint]", which can be
-        repeated as many times as needed. If no dirservers specified,
-        default to moria1,moria2,tor26.
-    - Make moria2 advertise a dirport of 80, so people behind firewalls
-      will be able to get a directory.
-    - Http proxy support
-      - Dirservers translate requests for http://%s:%d/x to /x
-      - You can specify "HttpProxy %s[:%d]" and all dir fetches will
-        be routed through this host.
-      - Clients ask for /tor/x rather than /x for new enough dirservers.
-        This way we can one day coexist peacefully with apache.
-      - Clients specify a "Host: %s%d" http header, to be compatible
-        with more proxies, and so running squid on an exit node can work.
-
-
-Changes in version 0.0.8.1 - 2004-10-13
-  o Bugfixes:
-    - Fix a seg fault that can be triggered remotely for Tor
-      clients/servers with an open dirport.
-    - Fix a rare assert trigger, where routerinfos for entries in
-      our cpath would expire while we're building the path.
-    - Fix a bug in OutboundBindAddress so it (hopefully) works.
-    - Fix a rare seg fault for people running hidden services on
-      intermittent connections.
-    - Fix a bug in parsing opt keywords with objects.
-    - Fix a stale pointer assert bug when a stream detaches and
-      reattaches.
-    - Fix a string format vulnerability (probably not exploitable)
-      in reporting stats locally.
-    - Fix an assert trigger: sometimes launching circuits can fail
-      immediately, e.g. because too many circuits have failed recently.
-    - Fix a compile warning on 64 bit platforms.
-
-
-Changes in version 0.0.9pre2 - 2004-10-03
-  o Bugfixes:
-    - Make fetching a cached directory work for 64-bit platforms too.
-    - Make zlib.h a required header, not an optional header.
-
-
-Changes in version 0.0.9pre1 - 2004-10-01
-  o Bugfixes:
-    - Stop using separate defaults for no-config-file and
-      empty-config-file. Now you have to explicitly turn off SocksPort,
-      if you don't want it open.
-    - Fix a bug in OutboundBindAddress so it (hopefully) works.
-    - Improve man page to mention more of the 0.0.8 features.
-    - Fix a rare seg fault for people running hidden services on
-      intermittent connections.
-    - Change our file IO stuff (especially wrt OpenSSL) so win32 is
-      happier.
-    - Fix more dns related bugs: send back resolve_failed and end cells
-      more reliably when the resolve fails, rather than closing the
-      circuit and then trying to send the cell. Also attach dummy resolve
-      connections to a circuit *before* calling dns_resolve(), to fix
-      a bug where cached answers would never be sent in RESOLVED cells.
-    - When we run out of disk space, or other log writing error, don't
-      crash. Just stop logging to that log and continue.
-    - We were starting to daemonize before we opened our logs, so if
-      there were any problems opening logs, we would complain to stderr,
-      which wouldn't work, and then mysteriously exit.
-    - Fix a rare bug where sometimes a verified OR would connect to us
-      before he'd uploaded his descriptor, which would cause us to
-      assign conn->nickname as though he's unverified. Now we look through
-      the fingerprint list to see if he's there.
-    - Fix a rare assert trigger, where routerinfos for entries in
-      our cpath would expire while we're building the path.
-
-  o Features:
-    - Clients can ask dirservers for /dir.z to get a compressed version
-      of the directory. Only works for servers running 0.0.9, of course.
-    - Make clients cache directories and use them to seed their router
-      lists at startup. This means clients have a datadir again.
-    - Configuration infrastructure support for warning on obsolete
-      options.
-    - Respond to content-encoding headers by trying to uncompress as
-      appropriate.
-    - Reply with a deflated directory when a client asks for "dir.z".
-      We could use allow-encodings instead, but allow-encodings isn't
-      specified in HTTP 1.0.
-    - Raise the max dns workers from 50 to 100.
-    - Discourage people from setting their dirfetchpostperiod more often
-      than once per minute.
-    - Protect dirservers from overzealous descriptor uploading -- wait
-      10 seconds after directory gets dirty, before regenerating.
-
-
-Changes in version 0.0.8 - 2004-08-25
-  o Port it to SunOS 5.9 / Athena
-
-
-Changes in version 0.0.8rc2 - 2004-08-20
-  o Make it compile on cygwin again.
-  o When picking unverified routers, skip those with low uptime and/or
-    low bandwidth, depending on what properties you care about.
-
-
-Changes in version 0.0.8rc1 - 2004-08-18
-  o Changes from 0.0.7.3:
-    - Bugfixes:
-      - Fix assert triggers: if the other side returns an address 0.0.0.0,
-        don't put it into the client dns cache.
-      - If a begin failed due to exit policy, but we believe the IP address
-        should have been allowed, switch that router to exitpolicy reject *:*
-        until we get our next directory.
-    - Features:
-      - Clients choose nodes proportional to advertised bandwidth.
-      - Avoid using nodes with low uptime as introduction points.
-      - Handle servers with dynamic IP addresses: don't replace
-        options->Address with the resolved one at startup, and
-        detect our address right before we make a routerinfo each time.
-      - 'FascistFirewall' option to pick dirservers and ORs on specific
-        ports; plus 'FirewallPorts' config option to tell FascistFirewall
-        which ports are open. (Defaults to 80,443)
-      - Be more aggressive about trying to make circuits when the network
-        has changed (e.g. when you unsuspend your laptop).
-      - Check for time skew on http headers; report date in response to
-        "GET /".
-      - If the entrynode config line has only one node, don't pick it as
-        an exitnode.
-      - Add strict{entry|exit}nodes config options. If set to 1, then
-        we refuse to build circuits that don't include the specified entry
-        or exit nodes.
-      - OutboundBindAddress config option, to bind to a specific
-        IP address for outgoing connect()s.
-      - End truncated log entries (e.g. directories) with "[truncated]".
-
-  o Patches to 0.0.8preX:
-    - Bugfixes:
-      - Patches to compile and run on win32 again (maybe)?
-      - Fix crash when looking for ~/.torrc with no $HOME set.
-      - Fix a race bug in the unit tests.
-      - Handle verified/unverified name collisions better when new
-        routerinfo's arrive in a directory.
-      - Sometimes routers were getting entered into the stats before
-        we'd assigned their identity_digest. Oops.
-      - Only pick and establish intro points after we've gotten a
-        directory.
-    - Features:
-      - AllowUnverifiedNodes config option to let circuits choose no-name
-        routers in entry,middle,exit,introduction,rendezvous positions.
-        Allow middle and rendezvous positions by default.
-      - Add a man page for tor-resolve.
-
-
-Changes in version 0.0.7.3 - 2004-08-12
-  o Stop dnsworkers from triggering an assert failure when you
-    ask them to resolve the host "".
-
-
-Changes in version 0.0.8pre3 - 2004-08-09
-  o Changes from 0.0.7.2:
-    - Allow multiple ORs with same nickname in routerlist -- now when
-      people give us one identity key for a nickname, then later
-      another, we don't constantly complain until the first expires.
-    - Remember used bandwidth (both in and out), and publish 15-minute
-      snapshots for the past day into our descriptor.
-    - You can now fetch $DIRURL/running-routers to get just the
-      running-routers line, not the whole descriptor list. (But
-      clients don't use this yet.)
-    - When people mistakenly use Tor as an http proxy, point them
-      at the tor-doc.html rather than the INSTALL.
-    - Remove our mostly unused -- and broken -- hex_encode()
-      function. Use base16_encode() instead. (Thanks to Timo Lindfors
-      for pointing out this bug.)
-    - Rotate onion keys every 12 hours, not every 2 hours, so we have
-      fewer problems with people using the wrong key.
-    - Change the default exit policy to reject the default edonkey,
-      kazaa, gnutella ports.
-    - Add replace_file() to util.[ch] to handle win32's rename().
-
-  o Changes from 0.0.8preX:
-    - Fix two bugs in saving onion keys to disk when rotating, so
-      hopefully we'll get fewer people using old onion keys.
-    - Fix an assert error that was making SocksPolicy not work.
-    - Be willing to expire routers that have an open dirport -- it's
-      just the authoritative dirservers we want to not forget.
-    - Reject tor-resolve requests for .onion addresses early, so we
-      don't build a whole rendezvous circuit and then fail.
-    - When you're warning a server that he's unverified, don't cry
-      wolf unpredictably.
-    - Fix a race condition: don't try to extend onto a connection
-      that's still handshaking.
-    - For servers in clique mode, require the conn to be open before
-      you'll choose it for your path.
-    - Fix some cosmetic bugs about duplicate mark-for-close, lack of
-      end relay cell, etc.
-    - Measure bandwidth capacity over the last 24 hours, not just 12
-    - Bugfix: authoritative dirservers were making and signing a new
-      directory for each client, rather than reusing the cached one.
-
-
-Changes in version 0.0.8pre2 - 2004-08-04
-  o Changes from 0.0.7.2:
-    - Security fixes:
-      - Check directory signature _before_ you decide whether you're
-        you're running an obsolete version and should exit.
-      - Check directory signature _before_ you parse the running-routers
-        list to decide who's running or verified.
-    - Bugfixes and features:
-      - Check return value of fclose while writing to disk, so we don't
-        end up with broken files when servers run out of disk space.
-      - Log a warning if the user uses an unsafe socks variant, so people
-        are more likely to learn about privoxy or socat.
-      - Dirservers now include RFC1123-style dates in the HTTP headers,
-        which one day we will use to better detect clock skew.
-
-  o Changes from 0.0.8pre1:
-    - Make it compile without warnings again on win32.
-    - Log a warning if you're running an unverified server, to let you
-      know you might want to get it verified.
-    - Only pick a default nickname if you plan to be a server.
-
-
-Changes in version 0.0.8pre1 - 2004-07-23
-  o Bugfixes:
-    - Made our unit tests compile again on OpenBSD 3.5, and tor
-      itself compile again on OpenBSD on a sparc64.
-    - We were neglecting milliseconds when logging on win32, so
-      everything appeared to happen at the beginning of each second.
-
-  o Protocol changes:
-    - 'Extend' relay cell payloads now include the digest of the
-      intended next hop's identity key. Now we can verify that we're
-      extending to the right router, and also extend to routers we
-      hadn't heard of before.
-
-  o Features:
-    - Tor nodes can now act as relays (with an advertised ORPort)
-      without being manually verified by the dirserver operators.
-      - Uploaded descriptors of unverified routers are now accepted
-        by the dirservers, and included in the directory.
-      - Verified routers are listed by nickname in the running-routers
-        list; unverified routers are listed as "$<fingerprint>".
-      - We now use hash-of-identity-key in most places rather than
-        nickname or addr:port, for improved security/flexibility.
-      - To avoid Sybil attacks, paths still use only verified servers.
-        But now we have a chance to play around with hybrid approaches.
-      - Nodes track bandwidth usage to estimate capacity (not used yet).
-      - ClientOnly option for nodes that never want to become servers.
-    - Directory caching.
-      - "AuthoritativeDir 1" option for the official dirservers.
-      - Now other nodes (clients and servers) will cache the latest
-        directory they've pulled down.
-      - They can enable their DirPort to serve it to others.
-      - Clients will pull down a directory from any node with an open
-        DirPort, and check the signature/timestamp correctly.
-      - Authoritative dirservers now fetch directories from other
-        authdirservers, to stay better synced.
-      - Running-routers list tells who's down also, along with noting
-        if they're verified (listed by nickname) or unverified (listed
-        by hash-of-key).
-      - Allow dirservers to serve running-router list separately.
-        This isn't used yet.
-    - ORs connect-on-demand to other ORs
-      - If you get an extend cell to an OR you're not connected to,
-        connect, handshake, and forward the create cell.
-      - The authoritative dirservers stay connected to everybody,
-        and everybody stays connected to 0.0.7 servers, but otherwise
-        clients/servers expire unused connections after 5 minutes.
-    - When servers get a sigint, they delay 30 seconds (refusing new
-      connections) then exit. A second sigint causes immediate exit.
-    - File and name management:
-      - Look for .torrc if no CONFDIR "torrc" is found.
-      - If no datadir is defined, then choose, make, and secure ~/.tor
-        as datadir.
-      - If torrc not found, exitpolicy reject *:*.
-      - Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
-      - If no nickname is defined, derive default from hostname.
-      - Rename secret key files, e.g. identity.key -> secret_id_key,
-        to discourage people from mailing their identity key to tor-ops.
-    - Refuse to build a circuit before the directory has arrived --
-      it won't work anyway, since you won't know the right onion keys
-      to use.
-    - Try other dirservers immediately if the one you try is down. This
-      should tolerate down dirservers better now.
-    - Parse tor version numbers so we can do an is-newer-than check
-      rather than an is-in-the-list check.
-    - New socks command 'resolve', to let us shim gethostbyname()
-      locally.
-      - A 'tor_resolve' script to access the socks resolve functionality.
-      - A new socks-extensions.txt doc file to describe our
-        interpretation and extensions to the socks protocols.
-    - Add a ContactInfo option, which gets published in descriptor.
-    - Publish OR uptime in descriptor (and thus in directory) too.
-    - Write tor version at the top of each log file
-    - New docs in the tarball:
-      - tor-doc.html.
-      - Document that you should proxy your SSL traffic too.
-
-
-Changes in version 0.0.7.2 - 2004-07-07
-  o A better fix for the 0.0.0.0 problem, that will hopefully
-    eliminate the remaining related assertion failures.
-
-
-Changes in version 0.0.7.1 - 2004-07-04
-  o When an address resolves to 0.0.0.0, treat it as a failed resolve,
-    since internally we use 0.0.0.0 to signify "not yet resolved".
-
-
-Changes in version 0.0.7 - 2004-06-07
-  o Updated the man page to reflect the new features.
-
-
-Changes in version 0.0.7rc2 - 2004-06-06
-  o Changes from 0.0.7rc1:
-    - Make it build on Win32 again.
-  o Changes from 0.0.6.2:
-    - Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
-      settings too.
-
-
-Changes in version 0.0.7rc1 - 2004-06-02
-  o Bugfixes:
-    - On sighup, we were adding another log without removing the first
-      one. So log messages would get duplicated n times for n sighups.
-    - Several cases of using a connection after we'd freed it. The
-      problem was that connections that are pending resolve are in both
-      the pending_resolve tree, and also the circuit's resolving_streams
-      list. When you want to remove one, you must remove it from both.
-    - Fix a double-mark-for-close where an end cell arrived for a
-      resolving stream, and then the resolve failed.
-    - Check directory signatures based on name of signer, not on whom
-      we got the directory from. This will let us cache directories more
-      easily.
-  o Features:
-    - Crank up some of our constants to handle more users.
-
-
-Changes in version 0.0.7pre1 - 2004-06-02
-  o Fixes for crashes and other obnoxious bugs:
-    - Fix an epipe bug: sometimes when directory connections failed
-      to connect, we would give them a chance to flush before closing
-      them.
-    - When we detached from a circuit because of resolvefailed, we
-      would immediately try the same circuit twice more, and then
-      give up on the resolve thinking we'd tried three different
-      exit nodes.
-    - Limit the number of intro circuits we'll attempt to build for a
-      hidden service per 15-minute period.
-    - Check recommended-software string *early*, before actually parsing
-      the directory. Thus we can detect an obsolete version and exit,
-      even if the new directory format doesn't parse.
-  o Fixes for security bugs:
-    - Remember which nodes are dirservers when you startup, and if a
-      random OR enables his dirport, don't automatically assume he's
-      a trusted dirserver.
-  o Other bugfixes:
-    - Directory connections were asking the wrong poll socket to
-      start writing, and not asking themselves to start writing.
-    - When we detached from a circuit because we sent a begin but
-      didn't get a connected, we would use it again the first time;
-      but after that we would correctly switch to a different one.
-    - Stop warning when the first onion decrypt attempt fails; they
-      will sometimes legitimately fail now that we rotate keys.
-    - Override unaligned-access-ok check when $host_cpu is ia64 or
-      arm. Apparently they allow it but the kernel whines.
-    - Dirservers try to reconnect periodically too, in case connections
-      have failed.
-    - Fix some memory leaks in directory servers.
-    - Allow backslash in Win32 filenames.
-    - Made Tor build complain-free on FreeBSD, hopefully without
-      breaking other BSD builds. We'll see.
-  o Features:
-    - Doxygen markup on all functions and global variables.
-    - Make directory functions update routerlist, not replace it. So
-      now directory disagreements are not so critical a problem.
-    - Remove the upper limit on number of descriptors in a dirserver's
-      directory (not that we were anywhere close).
-    - Allow multiple logfiles at different severity ranges.
-    - Allow *BindAddress to specify ":port" rather than setting *Port
-      separately. Allow multiple instances of each BindAddress config
-      option, so you can bind to multiple interfaces if you want.
-    - Allow multiple exit policy lines, which are processed in order.
-      Now we don't need that huge line with all the commas in it.
-    - Enable accept/reject policies on SOCKS connections, so you can bind
-      to 0.0.0.0 but still control who can use your OP.
-
-
-Changes in version 0.0.6.2 - 2004-05-16
-  o Our integrity-checking digest was checking only the most recent cell,
-    not the previous cells like we'd thought.
-    Thanks to Stefan Mark for finding the flaw!
-
-
-Changes in version 0.0.6.1 - 2004-05-06
-  o Fix two bugs in our AES counter-mode implementation (this affected
-    onion-level stream encryption, but not TLS-level). It turns
-    out we were doing something much more akin to a 16-character
-    polyalphabetic cipher. Oops.
-    Thanks to Stefan Mark for finding the flaw!
-  o Retire moria3 as a directory server, and add tor26 as a directory
-    server.
-
-
-Changes in version 0.0.6 - 2004-05-02
-  [version bump only]
-
-
-Changes in version 0.0.6rc4 - 2004-05-01
-  o Update the built-in dirservers list to use the new directory format
-  o Fix a rare seg fault: if a node offering a hidden service attempts
-    to build a circuit to Alice's rendezvous point and fails before it
-    reaches the last hop, it retries with a different circuit, but
-    then dies.
-  o Handle windows socket errors correctly.
-
-
-Changes in version 0.0.6rc3 - 2004-04-28
-  o Don't expire non-general excess circuits (if we had enough
-    circuits open, we were expiring rendezvous circuits -- even
-    when they had a stream attached. oops.)
-  o Fetch randomness from /dev/urandom better (not via fopen/fread)
-  o Better debugging for tls errors
-  o Some versions of openssl have an SSL_pending function that erroneously
-    returns bytes when there is a non-application record pending.
-  o Set Content-Type on the directory and hidserv descriptor.
-  o Remove IVs from cipher code, since AES-ctr has none.
-  o Win32 fixes. Tor now compiles on win32 with no warnings/errors.
-    o We were using an array of length zero in a few places.
-    o win32's gethostbyname can't resolve an IP to an IP.
-    o win32's close can't close a socket.
-
-
-Changes in version 0.0.6rc2 - 2004-04-26
-  o Fix a bug where we were closing tls connections intermittently.
-    It turns out openssl keeps its errors around -- so if an error
-    happens, and you don't ask about it, and then another openssl
-    operation happens and succeeds, and you ask if there was an error,
-    it tells you about the first error. Fun fun.
-  o Fix a bug that's been lurking since 27 may 03 (!)
-    When passing back a destroy cell, we would use the wrong circ id.
-    'Mostly harmless', but still worth fixing.
-  o Since we don't support truncateds much, don't bother sending them;
-    just close the circ.
-  o check for <machine/limits.h> so we build on NetBSD again (I hope).
-  o don't crash if a conn that sent a begin has suddenly lost its circuit
-    (this was quite rare).
-
-
-Changes in version 0.0.6rc1 - 2004-04-25
-  o We now rotate link (tls context) keys and onion keys.
-  o CREATE cells now include oaep padding, so you can tell
-    if you decrypted them correctly.
-  o Add bandwidthburst to server descriptor.
-  o Directories now say which dirserver signed them.
-  o Use a tor_assert macro that logs failed assertions too.
-
-
-Changes in version 0.0.6pre5 - 2004-04-18
-  o changes from 0.0.6pre4:
-    - make tor build on broken freebsd 5.2 installs
-    - fix a failed assert when you try an intro point, get a nack, and try
-      a second one and it works.
-    - when alice uses a port that the hidden service doesn't accept,
-      it now sends back an end cell (denied by exit policy). otherwise
-      alice would just have to wait to time out.
-    - fix another rare bug: when we had tried all the intro
-      points for a hidden service, we fetched the descriptor
-      again, but we left our introcirc thinking it had already
-      sent an intro, so it kept waiting for a response...
-    - bugfix: when you sleep your hidden-service laptop, as soon
-      as it wakes up it tries to upload a service descriptor, but
-      socketpair fails for some reason (localhost not up yet?).
-      now we simply give up on that upload, and we'll try again later.
-      i'd still like to find the bug though.
-    - if an intro circ waiting for an ack dies before getting one, then
-      count it as a nack
-    - we were reusing stale service descriptors and refetching usable
-      ones. oops.
-
-
-Changes in version 0.0.6pre4 - 2004-04-14
-  o changes from 0.0.6pre3:
-    - when bob fails to connect to the rendezvous point, and his
-      circ didn't fail because of the rendezvous point itself, then
-      he retries a couple of times
-    - we expire introduction and rendezvous circs more thoroughly
-      (sometimes they were hanging around forever)
-    - we expire unattached rendezvous streams that have been around
-      too long (they were sticking around forever).
-    - fix a measly fencepost error that was crashing everybody with
-      a strict glibc.
-
-
-Changes in version 0.0.6pre3 - 2004-04-14
-  o changes from 0.0.6pre2:
-    - make hup work again
-    - fix some memory leaks for dirservers
-    - allow more skew in rendezvous descriptor timestamps, to help
-      handle people like blanu who don't know what time it is
-    - normal circs are 3 hops, but some rend/intro circs are 4, if
-      the initiator doesn't get to choose the last hop
-    - send acks for introductions, so alice can know whether to try
-      again
-    - bob publishes intro points more correctly
-  o changes from 0.0.5:
-    - fix an assert trigger that's been plaguing us since the days
-      of 0.0.2prexx (thanks weasel!)
-    - retry stream correctly when we fail to connect because of
-      exit-policy-reject (should try another) or can't-resolve-address
-      (also should try another, because dns on random internet servers
-      is flaky).
-    - when we hup a dirserver and we've *removed* a server from the
-      approved-routers list, now we remove that server from the
-      in-memory directories too
-
-
-Changes in version 0.0.6pre2 - 2004-04-08
-  o We fixed our base32 implementation. Now it works on all architectures.
-
-
-Changes in version 0.0.6pre1 - 2004-04-08
-  o Features:
-    - Hidden services and rendezvous points are implemented. Go to
-      http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
-      hidden services. (This only works via a socks4a proxy such as
-      Privoxy, and currently it's quite slow.)
-
-
-Changes in version 0.0.5 - 2004-03-30
-  [version bump only]
-
-
-Changes in version 0.0.5rc3 - 2004-03-29
-  o Install torrc as torrc.sample -- we no longer clobber your
-    torrc. (Woo!)
-  o Re-enable recommendedversion checking (we broke it in rc2, oops)
-  o Add in a 'notice' log level for things the operator should hear
-    but that aren't warnings
-
-
-Changes in version 0.0.5rc2 - 2004-03-29
-  o Hold socks connection open until reply is flushed (if possible)
-  o Make exit nodes resolve IPs to IPs immediately, rather than asking
-    the dns farm to do it.
-  o Fix c99 aliasing warnings in rephist.c
-  o Don't include server descriptors that are older than 24 hours in the
-    directory.
-  o Give socks 'reject' replies their whole 15s to attempt to flush,
-    rather than seeing the 60s timeout and assuming the flush had failed.
-  o Clean automake droppings from the cvs repository
-
-
-Changes in version 0.0.5rc1 - 2004-03-28
-  o Fix mangled-state bug in directory fetching (was causing sigpipes).
-  o Only build circuits after we've fetched the directory: clients were
-    using only the directory servers before they'd fetched a directory.
-    This also means longer startup time; so it goes.
-  o Fix an assert trigger where an OP would fail to handshake, and we'd
-    expect it to have a nickname.
-  o Work around a tsocks bug: do a socks reject when AP connection dies
-    early, else tsocks goes into an infinite loop.
-
-
-Changes in version 0.0.4 - 2004-03-26
-  o When connecting to a dirserver or OR and the network is down,
-    we would crash.
-
-
-Changes in version 0.0.3 - 2004-03-26
-  o Warn and fail if server chose a nickname with illegal characters
-  o Port to Solaris and Sparc:
-    - include missing header fcntl.h
-    - have autoconf find -lsocket -lnsl automatically
-    - deal with hardware word alignment
-    - make uname() work (solaris has a different return convention)
-    - switch from using signal() to sigaction()
-  o Preliminary work on reputation system:
-    - Keep statistics on success/fail of connect attempts; they're published
-      by kill -USR1 currently.
-    - Add a RunTesting option to try to learn link state by creating test
-      circuits, even when SocksPort is off.
-    - Remove unused open circuits when there are too many.
-
-
-Changes in version 0.0.2 - 2004-03-19
-    - Include strlcpy and strlcat for safer string ops
-    - define INADDR_NONE so we compile (but still not run) on solaris
-
-
-Changes in version 0.0.2pre27 - 2004-03-14
-  o Bugfixes:
-    - Allow internal tor networks (we were rejecting internal IPs,
-      now we allow them if they're set explicitly).
-    - And fix a few endian issues.
-
-
-Changes in version 0.0.2pre26 - 2004-03-14
-  o New features:
-    - If a stream times out after 15s without a connected cell, don't
-      try that circuit again: try a new one.
-    - Retry streams at most 4 times. Then give up.
-    - When a dirserver gets a descriptor from an unknown router, it
-      logs its fingerprint (so the dirserver operator can choose to
-      accept it even without mail from the server operator).
-    - Inform unapproved servers when we reject their descriptors.
-    - Make tor build on Windows again. It works as a client, who knows
-      about as a server.
-    - Clearer instructions in the torrc for how to set up a server.
-    - Be more efficient about reading fd's when our global token bucket
-      (used for rate limiting) becomes empty.
-  o Bugfixes:
-    - Stop asserting that computers always go forward in time. It's
-      simply not true.
-    - When we sent a cell (e.g. destroy) and then marked an OR connection
-      expired, we might close it before finishing a flush if the other
-      side isn't reading right then.
-    - Don't allow dirservers to start if they haven't defined
-      RecommendedVersions
-    - We were caching transient dns failures. Oops.
-    - Prevent servers from publishing an internal IP as their address.
-    - Address a strcat vulnerability in circuit.c
-
-
-Changes in version 0.0.2pre25 - 2004-03-04
-  o New features:
-    - Put the OR's IP in its router descriptor, not its fqdn. That way
-      we'll stop being stalled by gethostbyname for nodes with flaky dns,
-      e.g. poblano.
-  o Bugfixes:
-    - If the user typed in an address that didn't resolve, the server
-      crashed.
-
-
-Changes in version 0.0.2pre24 - 2004-03-03
-  o Bugfixes:
-    - Fix an assertion failure in dns.c, where we were trying to dequeue
-      a pending dns resolve even if it wasn't pending
-    - Fix a spurious socks5 warning about still trying to write after the
-      connection is finished.
-    - Hold certain marked_for_close connections open until they're finished
-      flushing, rather than losing bytes by closing them too early.
-    - Correctly report the reason for ending a stream
-    - Remove some duplicate calls to connection_mark_for_close
-    - Put switch_id and start_daemon earlier in the boot sequence, so it
-      will actually try to chdir() to options.DataDirectory
-    - Make 'make test' exit(1) if a test fails; fix some unit tests
-    - Make tor fail when you use a config option it doesn't know about,
-      rather than warn and continue.
-    - Make --version work
-    - Bugfixes on the rpm spec file and tor.sh, so it's more up to date
-
-
-Changes in version 0.0.2pre23 - 2004-02-29
-  o New features:
-    - Print a statement when the first circ is finished, so the user
-      knows it's working.
-    - If a relay cell is unrecognized at the end of the circuit,
-      send back a destroy. (So attacks to mutate cells are more
-      clearly thwarted.)
-    - New config option 'excludenodes' to avoid certain nodes for circuits.
-    - When it daemonizes, it chdir's to the DataDirectory rather than "/",
-      so you can collect coredumps there.
- o Bugfixes:
-    - Fix a bug in tls flushing where sometimes data got wedged and
-      didn't flush until more data got sent. Hopefully this bug was
-      a big factor in the random delays we were seeing.
-    - Make 'connected' cells include the resolved IP, so the client
-      dns cache actually gets populated.
-    - Disallow changing from ORPort=0 to ORPort>0 on hup.
-    - When we time-out on a stream and detach from the circuit, send an
-      end cell down it first.
-    - Only warn about an unknown router (in exitnodes, entrynodes,
-      excludenodes) after we've fetched a directory.
-
-
-Changes in version 0.0.2pre22 - 2004-02-26
-  o New features:
-    - Servers publish less revealing uname information in descriptors.
-    - More memory tracking and assertions, to crash more usefully when
-      errors happen.
-    - If the default torrc isn't there, just use some default defaults.
-      Plus provide an internal dirservers file if they don't have one.
-    - When the user tries to use Tor as an http proxy, give them an http
-      501 failure explaining that we're a socks proxy.
-    - Dump a new router.desc on hup, to help confused people who change
-      their exit policies and then wonder why router.desc doesn't reflect
-      it.
-    - Clean up the generic tor.sh init script that we ship with.
-  o Bugfixes:
-    - If the exit stream is pending on the resolve, and a destroy arrives,
-      then the stream wasn't getting removed from the pending list. I
-      think this was the one causing recent server crashes.
-    - Use a more robust poll on OSX 10.3, since their poll is flaky.
-    - When it couldn't resolve any dirservers, it was useless from then on.
-      Now it reloads the RouterFile (or default dirservers) if it has no
-      dirservers.
-    - Move the 'tor' binary back to /usr/local/bin/ -- it turns out
-      many users don't even *have* a /usr/local/sbin/.
-
-
-Changes in version 0.0.2pre21 - 2004-02-18
-  o New features:
-    - There's a ChangeLog file that actually reflects the changelog.
-    - There's a 'torify' wrapper script, with an accompanying
-      tor-tsocks.conf, that simplifies the process of using tsocks for
-      tor. It even has a man page.
-    - The tor binary gets installed to sbin rather than bin now.
-    - Retry streams where the connected cell hasn't arrived in 15 seconds
-    - Clean up exit policy handling -- get the default out of the torrc,
-      so we can update it without forcing each server operator to fix
-      his/her torrc.
-    - Allow imaps and pop3s in default exit policy
-  o Bugfixes:
-    - Prevent picking middleman nodes as the last node in the circuit
-
-
-Changes in version 0.0.2pre20 - 2004-01-30
-  o New features:
-    - We now have a deb package, and it's in debian unstable. Go to
-      it, apt-getters. :)
-    - I've split the TotalBandwidth option into BandwidthRate (how many
-      bytes per second you want to allow, long-term) and
-      BandwidthBurst (how many bytes you will allow at once before the cap
-      kicks in).  This better token bucket approach lets you, say, set
-      BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
-      performance while not exceeding your monthly bandwidth quota.
-    - Push out a tls record's worth of data once you've got it, rather
-      than waiting until you've read everything waiting to be read. This
-      may improve performance by pipelining better. We'll see.
-    - Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
-      from failed circuits (if they haven't been connected yet) and attach
-      to new ones.
-    - Expire old streams that haven't managed to connect. Some day we'll
-      have them reattach to new circuits instead.
-
-  o Bugfixes:
-    - Fix several memory leaks that were causing servers to become bloated
-      after a while.
-    - Fix a few very rare assert triggers. A few more remain.
-    - Setuid to User _before_ complaining about running as root.
-
-
-Changes in version 0.0.2pre19 - 2004-01-07
-  o Bugfixes:
-    - Fix deadlock condition in dns farm. We were telling a child to die by
-      closing the parent's file descriptor to him. But newer children were
-      inheriting the open file descriptor from the parent, and since they
-      weren't closing it, the socket never closed, so the child never read
-      eof, so he never knew to exit. Similarly, dns workers were holding
-      open other sockets, leading to all sorts of chaos.
-    - New cleaner daemon() code for forking and backgrounding.
-    - If you log to a file, it now prints an entry at the top of the
-      logfile so you know it's working.
-    - The onionskin challenge length was 30 bytes longer than necessary.
-    - Started to patch up the spec so it's not quite so out of date.
-
-
-Changes in version 0.0.2pre18 - 2004-01-02
-  o Bugfixes:
-    - Fix endian issues with the 'integrity' field in the relay header.
-    - Fix a potential bug where connections in state
-      AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
-
-
-Changes in version 0.0.2pre17 - 2003-12-30
-  o Bugfixes:
-    - Made --debuglogfile (or any second log file, actually) work.
-    - Resolved an edge case in get_unique_circ_id_by_conn where a smart
-      adversary could force us into an infinite loop.
-
-  o Features:
-    - Each onionskin handshake now includes a hash of the computed key,
-      to prove the server's identity and help perfect forward secrecy.
-    - Changed cell size from 256 to 512 bytes (working toward compatibility
-      with MorphMix).
-    - Changed cell length to 2 bytes, and moved it to the relay header.
-    - Implemented end-to-end integrity checking for the payloads of
-      relay cells.
-    - Separated streamid from 'recognized' (otherwise circuits will get
-      messed up when we try to have streams exit from the middle). We
-      use the integrity-checking to confirm that a cell is addressed to
-      this hop.
-    - Randomize the initial circid and streamid values, so an adversary who
-      breaks into a node can't learn how many circuits or streams have
-      been made so far.
-
-
-Changes in version 0.0.2pre16 - 2003-12-14
-  o Bugfixes:
-    - Fixed a bug that made HUP trigger an assert
-    - Fixed a bug where a circuit that immediately failed wasn't being
-      counted as a failed circuit in counting retries.
-
-  o Features:
-    - Now we close the circuit when we get a truncated cell: otherwise we're
-      open to an anonymity attack where a bad node in the path truncates
-      the circuit and then we open streams at him.
-    - Add port ranges to exit policies
-    - Add a conservative default exit policy
-    - Warn if you're running tor as root
-    - on HUP, retry OR connections and close/rebind listeners
-    - options.EntryNodes: try these nodes first when picking the first node
-    - options.ExitNodes: if your best choices happen to include any of
-      your preferred exit nodes, you choose among just those preferred
-      exit nodes.
-    - options.ExcludedNodes: nodes that are never picked in path building
-
-
-Changes in version 0.0.2pre15 - 2003-12-03
-  o Robustness and bugfixes:
-    - Sometimes clients would cache incorrect DNS resolves, which would
-      really screw things up.
-    - An OP that goes offline would slowly leak all its sockets and stop
-      working.
-    - A wide variety of bugfixes in exit node selection, exit policy
-      handling, and processing pending streams when a new circuit is
-      established.
-    - Pick nodes for a path only from those the directory says are up
-    - Choose randomly from all running dirservers, not always the first one
-    - Increase allowed http header size for directory fetch.
-    - Stop writing to stderr (if we're daemonized it will be closed).
-    - Enable -g always, so cores will be more useful to me.
-    - Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
-
-  o Documentation:
-    - Wrote a man page. It lists commonly used options.
-
-  o Configuration:
-    - Change default loglevel to warn.
-    - Make PidFile default to null rather than littering in your CWD.
-    - OnionRouter config option is now obsolete. Instead it just checks
-      ORPort>0.
-    - Moved to a single unified torrc file for both clients and servers.
-
-
-Changes in version 0.0.2pre14 - 2003-11-29
-  o Robustness and bugfixes:
-    - Force the admin to make the DataDirectory himself
-      - to get ownership/permissions right
-      - so clients no longer make a DataDirectory and then never use it
-    - fix bug where a client who was offline for 45 minutes would never
-      pull down a directory again
-    - fix (or at least hide really well) the dns assert bug that was
-      causing server crashes
-    - warnings and improved robustness wrt clockskew for certs
-    - use the native daemon(3) to daemonize, when available
-    - exit if bind() fails
-    - exit if neither socksport nor orport is defined
-    - include our own tor_timegm (Win32 doesn't have its own)
-    - bugfix for win32 with lots of connections
-    - fix minor bias in PRNG
-    - make dirserver more robust to corrupt cached directory
-
-  o Documentation:
-    - Wrote the design document (woo)
-
-  o Circuit building and exit policies:
-    - Circuits no longer try to use nodes that the directory has told them
-      are down.
-    - Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
-      bitcounts (18.0.0.0/8).
-    - Make AP connections standby for a circuit if no suitable circuit
-      exists, rather than failing
-    - Circuits choose exit node based on addr/port, exit policies, and
-      which AP connections are standing by
-    - Bump min pathlen from 2 to 3
-    - Relay end cells have a payload to describe why the stream ended.
-    - If the stream failed because of exit policy, try again with a new
-      circuit.
-    - Clients have a dns cache to remember resolved addresses.
-    - Notice more quickly when we have no working circuits
-
-  o Configuration:
-    - APPort is now called SocksPort
-    - SocksBindAddress, ORBindAddress, DirBindAddress let you configure
-      where to bind
-    - RecommendedVersions is now a config variable rather than
-      hardcoded (for dirservers)
-    - Reloads config on HUP
-    - Usage info on -h or --help
-    - If you set User and Group config vars, it'll setu/gid to them.
-
-
-Changes in version 0.0.2pre13 - 2003-10-19
-  o General stability:
-    - SSL_write no longer fails when it returns WANTWRITE and the number
-      of bytes in the buf has changed by the next SSL_write call.
-    - Fix segfault fetching directory when network is down
-    - Fix a variety of minor memory leaks
-    - Dirservers reload the fingerprints file on HUP, so I don't have
-      to take down the network when I approve a new router
-    - Default server config file has explicit Address line to specify fqdn
-
-  o Buffers:
-    - Buffers grow and shrink as needed (Cut process size from 20M to 2M)
-    - Make listener connections not ever alloc bufs
-
-  o Autoconf improvements:
-    - don't clobber an external CFLAGS in ./configure
-    - Make install now works
-    - create var/lib/tor on make install
-    - autocreate a tor.sh initscript to help distribs
-    - autocreate the torrc and sample-server-torrc with correct paths
-
-  o Log files and Daemonizing now work:
-    - If --DebugLogFile is specified, log to it at -l debug
-    - If --LogFile is specified, use it instead of commandline
-    - If --RunAsDaemon is set, tor forks and backgrounds on startup
-

Deleted: tor/trunk/Doxyfile.in
===================================================================
--- tor/trunk/Doxyfile.in	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/Doxyfile.in	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,1254 +0,0 @@
-# Doxyfile 1.5.1
-
-# This file describes the settings to be used by the documentation system
-# doxygen (www.doxygen.org) for a project
-#
-# All text after a hash (#) is considered a comment and will be ignored
-# The format is:
-#       TAG = value [value, ...]
-# For lists items can also be appended using:
-#       TAG += value [value, ...]
-# Values that contain spaces should be placed between quotes (" ")
-
-#---------------------------------------------------------------------------
-# Project related configuration options
-#---------------------------------------------------------------------------
-
-# The PROJECT_NAME tag is a single word (or a sequence of words surrounded 
-# by quotes) that should identify the project.
-
-PROJECT_NAME           = tor
-
-# The PROJECT_NUMBER tag can be used to enter a project or revision number. 
-# This could be handy for archiving the generated documentation or 
-# if some version control system is used.
-
-PROJECT_NUMBER         = @VERSION@
-
-# The OUTPUT_DIRECTORY tag is used to specify the (relative or absolute) 
-# base path where the generated documentation will be put. 
-# If a relative path is entered, it will be relative to the location 
-# where doxygen was started. If left blank the current directory will be used.
-
-OUTPUT_DIRECTORY       = ./doc/doxygen
-
-# If the CREATE_SUBDIRS tag is set to YES, then doxygen will create 
-# 4096 sub-directories (in 2 levels) under the output directory of each output 
-# format and will distribute the generated files over these directories. 
-# Enabling this option can be useful when feeding doxygen a huge amount of 
-# source files, where putting all generated files in the same directory would 
-# otherwise cause performance problems for the file system.
-
-CREATE_SUBDIRS         = NO
-
-# The OUTPUT_LANGUAGE tag is used to specify the language in which all 
-# documentation generated by doxygen is written. Doxygen will use this 
-# information to generate all constant output in the proper language. 
-# The default language is English, other supported languages are: 
-# Afrikaans, Arabic, Brazilian, Catalan, Chinese, Chinese-Traditional, 
-# Croatian, Czech, Danish, Dutch, Finnish, French, German, Greek, Hungarian, 
-# Italian, Japanese, Japanese-en (Japanese with English messages), Korean, 
-# Korean-en, Lithuanian, Norwegian, Polish, Portuguese, Romanian, Russian, 
-# Serbian, Slovak, Slovene, Spanish, Swedish, and Ukrainian.
-
-OUTPUT_LANGUAGE        = English
-
-# This tag can be used to specify the encoding used in the generated output. 
-# The encoding is not always determined by the language that is chosen, 
-# but also whether or not the output is meant for Windows or non-Windows users. 
-# In case there is a difference, setting the USE_WINDOWS_ENCODING tag to YES 
-# forces the Windows encoding (this is the default for the Windows binary), 
-# whereas setting the tag to NO uses a Unix-style encoding (the default for 
-# all platforms other than Windows).
-
-USE_WINDOWS_ENCODING   = NO
-
-# If the BRIEF_MEMBER_DESC tag is set to YES (the default) Doxygen will 
-# include brief member descriptions after the members that are listed in 
-# the file and class documentation (similar to JavaDoc). 
-# Set to NO to disable this.
-
-BRIEF_MEMBER_DESC      = NO
-
-# If the REPEAT_BRIEF tag is set to YES (the default) Doxygen will prepend 
-# the brief description of a member or function before the detailed description. 
-# Note: if both HIDE_UNDOC_MEMBERS and BRIEF_MEMBER_DESC are set to NO, the 
-# brief descriptions will be completely suppressed.
-
-REPEAT_BRIEF           = YES
-
-# This tag implements a quasi-intelligent brief description abbreviator 
-# that is used to form the text in various listings. Each string 
-# in this list, if found as the leading text of the brief description, will be 
-# stripped from the text and the result after processing the whole list, is 
-# used as the annotated text. Otherwise, the brief description is used as-is. 
-# If left blank, the following values are used ("$name" is automatically 
-# replaced with the name of the entity): "The $name class" "The $name widget" 
-# "The $name file" "is" "provides" "specifies" "contains" 
-# "represents" "a" "an" "the"
-
-ABBREVIATE_BRIEF       = 
-
-# If the ALWAYS_DETAILED_SEC and REPEAT_BRIEF tags are both set to YES then 
-# Doxygen will generate a detailed section even if there is only a brief 
-# description.
-
-ALWAYS_DETAILED_SEC    = NO
-
-# If the INLINE_INHERITED_MEMB tag is set to YES, doxygen will show all 
-# inherited members of a class in the documentation of that class as if those 
-# members were ordinary class members. Constructors, destructors and assignment 
-# operators of the base classes will not be shown.
-
-INLINE_INHERITED_MEMB  = NO
-
-# If the FULL_PATH_NAMES tag is set to YES then Doxygen will prepend the full 
-# path before files name in the file list and in the header files. If set 
-# to NO the shortest path that makes the file name unique will be used.
-
-FULL_PATH_NAMES        = NO
-
-# If the FULL_PATH_NAMES tag is set to YES then the STRIP_FROM_PATH tag 
-# can be used to strip a user-defined part of the path. Stripping is 
-# only done if one of the specified strings matches the left-hand part of 
-# the path. The tag can be used to show relative paths in the file list. 
-# If left blank the directory from which doxygen is run is used as the 
-# path to strip.
-
-STRIP_FROM_PATH        = 
-
-# The STRIP_FROM_INC_PATH tag can be used to strip a user-defined part of 
-# the path mentioned in the documentation of a class, which tells 
-# the reader which header file to include in order to use a class. 
-# If left blank only the name of the header file containing the class 
-# definition is used. Otherwise one should specify the include paths that 
-# are normally passed to the compiler using the -I flag.
-
-STRIP_FROM_INC_PATH    = 
-
-# If the SHORT_NAMES tag is set to YES, doxygen will generate much shorter 
-# (but less readable) file names. This can be useful is your file systems 
-# doesn't support long names like on DOS, Mac, or CD-ROM.
-
-SHORT_NAMES            = NO
-
-# If the JAVADOC_AUTOBRIEF tag is set to YES then Doxygen 
-# will interpret the first line (until the first dot) of a JavaDoc-style 
-# comment as the brief description. If set to NO, the JavaDoc 
-# comments will behave just like the Qt-style comments (thus requiring an 
-# explicit @brief command for a brief description.
-
-JAVADOC_AUTOBRIEF      = NO
-
-# The MULTILINE_CPP_IS_BRIEF tag can be set to YES to make Doxygen 
-# treat a multi-line C++ special comment block (i.e. a block of //! or /// 
-# comments) as a brief description. This used to be the default behaviour. 
-# The new default is to treat a multi-line C++ comment block as a detailed 
-# description. Set this tag to YES if you prefer the old behaviour instead.
-
-MULTILINE_CPP_IS_BRIEF = NO
-
-# If the DETAILS_AT_TOP tag is set to YES then Doxygen 
-# will output the detailed description near the top, like JavaDoc.
-# If set to NO, the detailed description appears after the member 
-# documentation.
-
-DETAILS_AT_TOP         = NO
-
-# If the INHERIT_DOCS tag is set to YES (the default) then an undocumented 
-# member inherits the documentation from any documented member that it 
-# re-implements.
-
-INHERIT_DOCS           = YES
-
-# If the SEPARATE_MEMBER_PAGES tag is set to YES, then doxygen will produce 
-# a new page for each member. If set to NO, the documentation of a member will 
-# be part of the file/class/namespace that contains it.
-
-SEPARATE_MEMBER_PAGES  = NO
-
-# The TAB_SIZE tag can be used to set the number of spaces in a tab. 
-# Doxygen uses this value to replace tabs by spaces in code fragments.
-
-TAB_SIZE               = 8
-
-# This tag can be used to specify a number of aliases that acts 
-# as commands in the documentation. An alias has the form "name=value". 
-# For example adding "sideeffect=\par Side Effects:\n" will allow you to 
-# put the command \sideeffect (or @sideeffect) in the documentation, which 
-# will result in a user-defined paragraph with heading "Side Effects:". 
-# You can put \n's in the value part of an alias to insert newlines.
-
-ALIASES                = 
-
-# Set the OPTIMIZE_OUTPUT_FOR_C tag to YES if your project consists of C 
-# sources only. Doxygen will then generate output that is more tailored for C. 
-# For instance, some of the names that are used will be different. The list 
-# of all members will be omitted, etc.
-
-OPTIMIZE_OUTPUT_FOR_C  = YES
-
-# Set the OPTIMIZE_OUTPUT_JAVA tag to YES if your project consists of Java 
-# sources only. Doxygen will then generate output that is more tailored for Java. 
-# For instance, namespaces will be presented as packages, qualified scopes 
-# will look different, etc.
-
-OPTIMIZE_OUTPUT_JAVA   = NO
-
-# If you use STL classes (i.e. std::string, std::vector, etc.) but do not want to 
-# include (a tag file for) the STL sources as input, then you should 
-# set this tag to YES in order to let doxygen match functions declarations and 
-# definitions whose arguments contain STL classes (e.g. func(std::string); v.s. 
-# func(std::string) {}). This also make the inheritance and collaboration 
-# diagrams that involve STL classes more complete and accurate.
-
-BUILTIN_STL_SUPPORT    = NO
-
-# If member grouping is used in the documentation and the DISTRIBUTE_GROUP_DOC 
-# tag is set to YES, then doxygen will reuse the documentation of the first 
-# member in the group (if any) for the other members of the group. By default 
-# all members of a group must be documented explicitly.
-
-DISTRIBUTE_GROUP_DOC   = NO
-
-# Set the SUBGROUPING tag to YES (the default) to allow class member groups of 
-# the same type (for instance a group of public functions) to be put as a 
-# subgroup of that type (e.g. under the Public Functions section). Set it to 
-# NO to prevent subgrouping. Alternatively, this can be done per class using 
-# the \nosubgrouping command.
-
-SUBGROUPING            = YES
-
-#---------------------------------------------------------------------------
-# Build related configuration options
-#---------------------------------------------------------------------------
-
-# If the EXTRACT_ALL tag is set to YES doxygen will assume all entities in 
-# documentation are documented, even if no documentation was available. 
-# Private class members and static file members will be hidden unless 
-# the EXTRACT_PRIVATE and EXTRACT_STATIC tags are set to YES
-
-EXTRACT_ALL            = NO
-
-# If the EXTRACT_PRIVATE tag is set to YES all private members of a class 
-# will be included in the documentation.
-
-EXTRACT_PRIVATE        = NO
-
-# If the EXTRACT_STATIC tag is set to YES all static members of a file 
-# will be included in the documentation.
-
-EXTRACT_STATIC         = YES
-
-# If the EXTRACT_LOCAL_CLASSES tag is set to YES classes (and structs) 
-# defined locally in source files will be included in the documentation. 
-# If set to NO only classes defined in header files are included.
-
-EXTRACT_LOCAL_CLASSES  = YES
-
-# This flag is only useful for Objective-C code. When set to YES local 
-# methods, which are defined in the implementation section but not in 
-# the interface are included in the documentation. 
-# If set to NO (the default) only methods in the interface are included.
-
-EXTRACT_LOCAL_METHODS  = NO
-
-# If the HIDE_UNDOC_MEMBERS tag is set to YES, Doxygen will hide all 
-# undocumented members of documented classes, files or namespaces. 
-# If set to NO (the default) these members will be included in the 
-# various overviews, but no documentation section is generated. 
-# This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_MEMBERS     = NO
-
-# If the HIDE_UNDOC_CLASSES tag is set to YES, Doxygen will hide all 
-# undocumented classes that are normally visible in the class hierarchy. 
-# If set to NO (the default) these classes will be included in the various 
-# overviews. This option has no effect if EXTRACT_ALL is enabled.
-
-HIDE_UNDOC_CLASSES     = NO
-
-# If the HIDE_FRIEND_COMPOUNDS tag is set to YES, Doxygen will hide all 
-# friend (class|struct|union) declarations. 
-# If set to NO (the default) these declarations will be included in the 
-# documentation.
-
-HIDE_FRIEND_COMPOUNDS  = NO
-
-# If the HIDE_IN_BODY_DOCS tag is set to YES, Doxygen will hide any 
-# documentation blocks found inside the body of a function. 
-# If set to NO (the default) these blocks will be appended to the 
-# function's detailed documentation block.
-
-HIDE_IN_BODY_DOCS      = NO
-
-# The INTERNAL_DOCS tag determines if documentation 
-# that is typed after a \internal command is included. If the tag is set 
-# to NO (the default) then the documentation will be excluded. 
-# Set it to YES to include the internal documentation.
-
-INTERNAL_DOCS          = NO
-
-# If the CASE_SENSE_NAMES tag is set to NO then Doxygen will only generate 
-# file names in lower-case letters. If set to YES upper-case letters are also 
-# allowed. This is useful if you have classes or files whose names only differ 
-# in case and if your file system supports case sensitive file names. Windows 
-# and Mac users are advised to set this option to NO.
-
-CASE_SENSE_NAMES       = YES
-
-# If the HIDE_SCOPE_NAMES tag is set to NO (the default) then Doxygen 
-# will show members with their full class and namespace scopes in the 
-# documentation. If set to YES the scope will be hidden.
-
-HIDE_SCOPE_NAMES       = NO
-
-# If the SHOW_INCLUDE_FILES tag is set to YES (the default) then Doxygen 
-# will put a list of the files that are included by a file in the documentation 
-# of that file.
-
-SHOW_INCLUDE_FILES     = YES
-
-# If the INLINE_INFO tag is set to YES (the default) then a tag [inline] 
-# is inserted in the documentation for inline members.
-
-INLINE_INFO            = YES
-
-# If the SORT_MEMBER_DOCS tag is set to YES (the default) then doxygen 
-# will sort the (detailed) documentation of file and class members 
-# alphabetically by member name. If set to NO the members will appear in 
-# declaration order.
-
-SORT_MEMBER_DOCS       = YES
-
-# If the SORT_BRIEF_DOCS tag is set to YES then doxygen will sort the 
-# brief documentation of file, namespace and class members alphabetically 
-# by member name. If set to NO (the default) the members will appear in 
-# declaration order.
-
-SORT_BRIEF_DOCS        = NO
-
-# If the SORT_BY_SCOPE_NAME tag is set to YES, the class list will be 
-# sorted by fully-qualified names, including namespaces. If set to 
-# NO (the default), the class list will be sorted only by class name, 
-# not including the namespace part. 
-# Note: This option is not very useful if HIDE_SCOPE_NAMES is set to YES.
-# Note: This option applies only to the class list, not to the 
-# alphabetical list.
-
-SORT_BY_SCOPE_NAME     = NO
-
-# The GENERATE_TODOLIST tag can be used to enable (YES) or 
-# disable (NO) the todo list. This list is created by putting \todo 
-# commands in the documentation.
-
-GENERATE_TODOLIST      = YES
-
-# The GENERATE_TESTLIST tag can be used to enable (YES) or 
-# disable (NO) the test list. This list is created by putting \test 
-# commands in the documentation.
-
-GENERATE_TESTLIST      = YES
-
-# The GENERATE_BUGLIST tag can be used to enable (YES) or 
-# disable (NO) the bug list. This list is created by putting \bug 
-# commands in the documentation.
-
-GENERATE_BUGLIST       = YES
-
-# The GENERATE_DEPRECATEDLIST tag can be used to enable (YES) or 
-# disable (NO) the deprecated list. This list is created by putting 
-# \deprecated commands in the documentation.
-
-GENERATE_DEPRECATEDLIST= YES
-
-# The ENABLED_SECTIONS tag can be used to enable conditional 
-# documentation sections, marked by \if sectionname ... \endif.
-
-ENABLED_SECTIONS       = 
-
-# The MAX_INITIALIZER_LINES tag determines the maximum number of lines 
-# the initial value of a variable or define consists of for it to appear in 
-# the documentation. If the initializer consists of more lines than specified 
-# here it will be hidden. Use a value of 0 to hide initializers completely. 
-# The appearance of the initializer of individual variables and defines in the 
-# documentation can be controlled using \showinitializer or \hideinitializer 
-# command in the documentation regardless of this setting.
-
-MAX_INITIALIZER_LINES  = 30
-
-# Set the SHOW_USED_FILES tag to NO to disable the list of files generated 
-# at the bottom of the documentation of classes and structs. If set to YES the 
-# list will mention the files that were used to generate the documentation.
-
-SHOW_USED_FILES        = YES
-
-# If the sources in your project are distributed over multiple directories 
-# then setting the SHOW_DIRECTORIES tag to YES will show the directory hierarchy 
-# in the documentation. The default is NO.
-
-SHOW_DIRECTORIES       = NO
-
-# The FILE_VERSION_FILTER tag can be used to specify a program or script that 
-# doxygen should invoke to get the current version for each file (typically from the 
-# version control system). Doxygen will invoke the program by executing (via 
-# popen()) the command <command> <input-file>, where <command> is the value of 
-# the FILE_VERSION_FILTER tag, and <input-file> is the name of an input file 
-# provided by doxygen. Whatever the program writes to standard output 
-# is used as the file version. See the manual for examples.
-
-FILE_VERSION_FILTER    = 
-
-#---------------------------------------------------------------------------
-# configuration options related to warning and progress messages
-#---------------------------------------------------------------------------
-
-# The QUIET tag can be used to turn on/off the messages that are generated 
-# by doxygen. Possible values are YES and NO. If left blank NO is used.
-
-QUIET                  = NO
-
-# The WARNINGS tag can be used to turn on/off the warning messages that are 
-# generated by doxygen. Possible values are YES and NO. If left blank 
-# NO is used.
-
-WARNINGS               = YES
-
-# If WARN_IF_UNDOCUMENTED is set to YES, then doxygen will generate warnings 
-# for undocumented members. If EXTRACT_ALL is set to YES then this flag will 
-# automatically be disabled.
-
-WARN_IF_UNDOCUMENTED   = YES
-
-# If WARN_IF_DOC_ERROR is set to YES, doxygen will generate warnings for 
-# potential errors in the documentation, such as not documenting some 
-# parameters in a documented function, or documenting parameters that 
-# don't exist or using markup commands wrongly.
-
-WARN_IF_DOC_ERROR      = YES
-
-# This WARN_NO_PARAMDOC option can be abled to get warnings for 
-# functions that are documented, but have no documentation for their parameters 
-# or return value. If set to NO (the default) doxygen will only warn about 
-# wrong or incomplete parameter documentation, but not about the absence of 
-# documentation.
-
-WARN_NO_PARAMDOC       = NO
-
-# The WARN_FORMAT tag determines the format of the warning messages that 
-# doxygen can produce. The string should contain the $file, $line, and $text 
-# tags, which will be replaced by the file and line number from which the 
-# warning originated and the warning text. Optionally the format may contain 
-# $version, which will be replaced by the version of the file (if it could 
-# be obtained via FILE_VERSION_FILTER)
-
-WARN_FORMAT            = "$file:$line: $text"
-
-# The WARN_LOGFILE tag can be used to specify a file to which warning 
-# and error messages should be written. If left blank the output is written 
-# to stderr.
-
-WARN_LOGFILE           = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the input files
-#---------------------------------------------------------------------------
-
-# The INPUT tag can be used to specify the files and/or directories that contain 
-# documented source files. You may enter file names like "myfile.cpp" or 
-# directories like "/usr/src/myproject". Separate the files or directories 
-# with spaces.
-
-INPUT                  = src/common \
-                         src/or
-
-# If the value of the INPUT tag contains directories, you can use the 
-# FILE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
-# blank the following patterns are tested: 
-# *.c *.cc *.cxx *.cpp *.c++ *.java *.ii *.ixx *.ipp *.i++ *.inl *.h *.hh *.hxx 
-# *.hpp *.h++ *.idl *.odl *.cs *.php *.php3 *.inc *.m *.mm *.py
-
-FILE_PATTERNS          = *.c \
-                         *.h
-
-# The RECURSIVE tag can be used to turn specify whether or not subdirectories 
-# should be searched for input files as well. Possible values are YES and NO. 
-# If left blank NO is used.
-
-RECURSIVE              = NO
-
-# The EXCLUDE tag can be used to specify files and/or directories that should 
-# excluded from the INPUT source files. This way you can easily exclude a 
-# subdirectory from a directory tree whose root is specified with the INPUT tag.
-
-EXCLUDE                = tree.h
-
-# The EXCLUDE_SYMLINKS tag can be used select whether or not files or 
-# directories that are symbolic links (a Unix filesystem feature) are excluded 
-# from the input.
-
-EXCLUDE_SYMLINKS       = NO
-
-# If the value of the INPUT tag contains directories, you can use the 
-# EXCLUDE_PATTERNS tag to specify one or more wildcard patterns to exclude 
-# certain files from those directories. Note that the wildcards are matched 
-# against the file with absolute path, so to exclude all test directories 
-# for example use the pattern */test/*
-
-EXCLUDE_PATTERNS       = 
-
-# The EXAMPLE_PATH tag can be used to specify one or more files or 
-# directories that contain example code fragments that are included (see 
-# the \include command).
-
-EXAMPLE_PATH           = 
-
-# If the value of the EXAMPLE_PATH tag contains directories, you can use the 
-# EXAMPLE_PATTERNS tag to specify one or more wildcard pattern (like *.cpp 
-# and *.h) to filter out the source-files in the directories. If left 
-# blank all files are included.
-
-EXAMPLE_PATTERNS       = 
-
-# If the EXAMPLE_RECURSIVE tag is set to YES then subdirectories will be 
-# searched for input files to be used with the \include or \dontinclude 
-# commands irrespective of the value of the RECURSIVE tag. 
-# Possible values are YES and NO. If left blank NO is used.
-
-EXAMPLE_RECURSIVE      = NO
-
-# The IMAGE_PATH tag can be used to specify one or more files or 
-# directories that contain image that are included in the documentation (see 
-# the \image command).
-
-IMAGE_PATH             = 
-
-# The INPUT_FILTER tag can be used to specify a program that doxygen should 
-# invoke to filter for each input file. Doxygen will invoke the filter program 
-# by executing (via popen()) the command <filter> <input-file>, where <filter> 
-# is the value of the INPUT_FILTER tag, and <input-file> is the name of an 
-# input file. Doxygen will then use the output that the filter program writes 
-# to standard output.  If FILTER_PATTERNS is specified, this tag will be 
-# ignored.
-
-INPUT_FILTER           = 
-
-# The FILTER_PATTERNS tag can be used to specify filters on a per file pattern 
-# basis.  Doxygen will compare the file name with each pattern and apply the 
-# filter if there is a match.  The filters are a list of the form: 
-# pattern=filter (like *.cpp=my_cpp_filter). See INPUT_FILTER for further 
-# info on how filters are used. If FILTER_PATTERNS is empty, INPUT_FILTER 
-# is applied to all files.
-
-FILTER_PATTERNS        = 
-
-# If the FILTER_SOURCE_FILES tag is set to YES, the input filter (if set using 
-# INPUT_FILTER) will be used to filter the input files when producing source 
-# files to browse (i.e. when SOURCE_BROWSER is set to YES).
-
-FILTER_SOURCE_FILES    = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to source browsing
-#---------------------------------------------------------------------------
-
-# If the SOURCE_BROWSER tag is set to YES then a list of source files will 
-# be generated. Documented entities will be cross-referenced with these sources. 
-# Note: To get rid of all source code in the generated output, make sure also 
-# VERBATIM_HEADERS is set to NO.
-
-SOURCE_BROWSER         = NO
-
-# Setting the INLINE_SOURCES tag to YES will include the body 
-# of functions and classes directly in the documentation.
-
-INLINE_SOURCES         = NO
-
-# Setting the STRIP_CODE_COMMENTS tag to YES (the default) will instruct 
-# doxygen to hide any special comment blocks from generated source code 
-# fragments. Normal C and C++ comments will always remain visible.
-
-STRIP_CODE_COMMENTS    = YES
-
-# If the REFERENCED_BY_RELATION tag is set to YES (the default) 
-# then for each documented function all documented 
-# functions referencing it will be listed.
-
-REFERENCED_BY_RELATION = YES
-
-# If the REFERENCES_RELATION tag is set to YES (the default) 
-# then for each documented function all documented entities 
-# called/used by that function will be listed.
-
-REFERENCES_RELATION    = YES
-
-# If the REFERENCES_LINK_SOURCE tag is set to YES (the default)
-# and SOURCE_BROWSER tag is set to YES, then the hyperlinks from
-# functions in REFERENCES_RELATION and REFERENCED_BY_RELATION lists will
-# link to the source code.  Otherwise they will link to the documentstion.
-
-REFERENCES_LINK_SOURCE = YES
-
-# If the USE_HTAGS tag is set to YES then the references to source code 
-# will point to the HTML generated by the htags(1) tool instead of doxygen 
-# built-in source browser. The htags tool is part of GNU's global source 
-# tagging system (see http://www.gnu.org/software/global/global.html). You 
-# will need version 4.8.6 or higher.
-
-USE_HTAGS              = NO
-
-# If the VERBATIM_HEADERS tag is set to YES (the default) then Doxygen 
-# will generate a verbatim copy of the header file for each class for 
-# which an include is specified. Set to NO to disable this.
-
-VERBATIM_HEADERS       = YES
-
-#---------------------------------------------------------------------------
-# configuration options related to the alphabetical class index
-#---------------------------------------------------------------------------
-
-# If the ALPHABETICAL_INDEX tag is set to YES, an alphabetical index 
-# of all compounds will be generated. Enable this if the project 
-# contains a lot of classes, structs, unions or interfaces.
-
-ALPHABETICAL_INDEX     = NO
-
-# If the alphabetical index is enabled (see ALPHABETICAL_INDEX) then 
-# the COLS_IN_ALPHA_INDEX tag can be used to specify the number of columns 
-# in which this list will be split (can be a number in the range [1..20])
-
-COLS_IN_ALPHA_INDEX    = 5
-
-# In case all classes in a project start with a common prefix, all 
-# classes will be put under the same header in the alphabetical index. 
-# The IGNORE_PREFIX tag can be used to specify one or more prefixes that 
-# should be ignored while generating the index headers.
-
-IGNORE_PREFIX          = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the HTML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_HTML tag is set to YES (the default) Doxygen will 
-# generate HTML output.
-
-GENERATE_HTML          = YES
-
-# The HTML_OUTPUT tag is used to specify where the HTML docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `html' will be used as the default path.
-
-HTML_OUTPUT            = html
-
-# The HTML_FILE_EXTENSION tag can be used to specify the file extension for 
-# each generated HTML page (for example: .htm,.php,.asp). If it is left blank 
-# doxygen will generate files with .html extension.
-
-HTML_FILE_EXTENSION    = .html
-
-# The HTML_HEADER tag can be used to specify a personal HTML header for 
-# each generated HTML page. If it is left blank doxygen will generate a 
-# standard header.
-
-HTML_HEADER            = 
-
-# The HTML_FOOTER tag can be used to specify a personal HTML footer for 
-# each generated HTML page. If it is left blank doxygen will generate a 
-# standard footer.
-
-HTML_FOOTER            = 
-
-# The HTML_STYLESHEET tag can be used to specify a user-defined cascading 
-# style sheet that is used by each HTML page. It can be used to 
-# fine-tune the look of the HTML output. If the tag is left blank doxygen 
-# will generate a default style sheet. Note that doxygen will try to copy 
-# the style sheet file to the HTML output directory, so don't put your own 
-# stylesheet in the HTML output directory as well, or it will be erased!
-
-HTML_STYLESHEET        = 
-
-# If the HTML_ALIGN_MEMBERS tag is set to YES, the members of classes, 
-# files or namespaces will be aligned in HTML using tables. If set to 
-# NO a bullet list will be used.
-
-HTML_ALIGN_MEMBERS     = YES
-
-# If the GENERATE_HTMLHELP tag is set to YES, additional index files 
-# will be generated that can be used as input for tools like the 
-# Microsoft HTML help workshop to generate a compressed HTML help file (.chm) 
-# of the generated HTML documentation.
-
-GENERATE_HTMLHELP      = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the CHM_FILE tag can 
-# be used to specify the file name of the resulting .chm file. You 
-# can add a path in front of the file if the result should not be 
-# written to the html output directory.
-
-CHM_FILE               = 
-
-# If the GENERATE_HTMLHELP tag is set to YES, the HHC_LOCATION tag can 
-# be used to specify the location (absolute path including file name) of 
-# the HTML help compiler (hhc.exe). If non-empty doxygen will try to run 
-# the HTML help compiler on the generated index.hhp.
-
-HHC_LOCATION           = 
-
-# If the GENERATE_HTMLHELP tag is set to YES, the GENERATE_CHI flag 
-# controls if a separate .chi index file is generated (YES) or that 
-# it should be included in the master .chm file (NO).
-
-GENERATE_CHI           = NO
-
-# If the GENERATE_HTMLHELP tag is set to YES, the BINARY_TOC flag 
-# controls whether a binary table of contents is generated (YES) or a 
-# normal table of contents (NO) in the .chm file.
-
-BINARY_TOC             = NO
-
-# The TOC_EXPAND flag can be set to YES to add extra items for group members 
-# to the contents of the HTML help documentation and to the tree view.
-
-TOC_EXPAND             = NO
-
-# The DISABLE_INDEX tag can be used to turn on/off the condensed index at 
-# top of each HTML page. The value NO (the default) enables the index and 
-# the value YES disables it.
-
-DISABLE_INDEX          = NO
-
-# This tag can be used to set the number of enum values (range [1..20]) 
-# that doxygen will group on one line in the generated HTML documentation.
-
-ENUM_VALUES_PER_LINE   = 4
-
-# If the GENERATE_TREEVIEW tag is set to YES, a side panel will be
-# generated containing a tree-like index structure (just like the one that 
-# is generated for HTML Help). For this to work a browser that supports 
-# JavaScript, DHTML, CSS and frames is required (for instance Mozilla 1.0+, 
-# Netscape 6.0+, Internet explorer 5.0+, or Konqueror). Windows users are 
-# probably better off using the HTML help feature.
-
-GENERATE_TREEVIEW      = NO
-
-# If the treeview is enabled (see GENERATE_TREEVIEW) then this tag can be 
-# used to set the initial width (in pixels) of the frame in which the tree 
-# is shown.
-
-TREEVIEW_WIDTH         = 250
-
-#---------------------------------------------------------------------------
-# configuration options related to the LaTeX output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_LATEX tag is set to YES (the default) Doxygen will 
-# generate Latex output.
-
-GENERATE_LATEX         = YES
-
-# The LATEX_OUTPUT tag is used to specify where the LaTeX docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `latex' will be used as the default path.
-
-LATEX_OUTPUT           = latex
-
-# The LATEX_CMD_NAME tag can be used to specify the LaTeX command name to be 
-# invoked. If left blank `latex' will be used as the default command name.
-
-LATEX_CMD_NAME         = latex
-
-# The MAKEINDEX_CMD_NAME tag can be used to specify the command name to 
-# generate index for LaTeX. If left blank `makeindex' will be used as the 
-# default command name.
-
-MAKEINDEX_CMD_NAME     = makeindex
-
-# If the COMPACT_LATEX tag is set to YES Doxygen generates more compact 
-# LaTeX documents. This may be useful for small projects and may help to 
-# save some trees in general.
-
-COMPACT_LATEX          = NO
-
-# The PAPER_TYPE tag can be used to set the paper type that is used 
-# by the printer. Possible values are: a4, a4wide, letter, legal and 
-# executive. If left blank a4wide will be used.
-
-PAPER_TYPE             = a4wide
-
-# The EXTRA_PACKAGES tag can be to specify one or more names of LaTeX 
-# packages that should be included in the LaTeX output.
-
-EXTRA_PACKAGES         = 
-
-# The LATEX_HEADER tag can be used to specify a personal LaTeX header for 
-# the generated latex document. The header should contain everything until 
-# the first chapter. If it is left blank doxygen will generate a 
-# standard header. Notice: only use this tag if you know what you are doing!
-
-LATEX_HEADER           = 
-
-# If the PDF_HYPERLINKS tag is set to YES, the LaTeX that is generated 
-# is prepared for conversion to pdf (using ps2pdf). The pdf file will 
-# contain links (just like the HTML output) instead of page references 
-# This makes the output suitable for online browsing using a pdf viewer.
-
-PDF_HYPERLINKS         = NO
-
-# If the USE_PDFLATEX tag is set to YES, pdflatex will be used instead of 
-# plain latex in the generated Makefile. Set this option to YES to get a 
-# higher quality PDF documentation.
-
-USE_PDFLATEX           = NO
-
-# If the LATEX_BATCHMODE tag is set to YES, doxygen will add the \\batchmode. 
-# command to the generated LaTeX files. This will instruct LaTeX to keep 
-# running if errors occur, instead of asking the user for help. 
-# This option is also used when generating formulas in HTML.
-
-LATEX_BATCHMODE        = NO
-
-# If LATEX_HIDE_INDICES is set to YES then doxygen will not 
-# include the index chapters (such as File Index, Compound Index, etc.) 
-# in the output.
-
-LATEX_HIDE_INDICES     = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the RTF output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_RTF tag is set to YES Doxygen will generate RTF output 
-# The RTF output is optimized for Word 97 and may not look very pretty with 
-# other RTF readers or editors.
-
-GENERATE_RTF           = NO
-
-# The RTF_OUTPUT tag is used to specify where the RTF docs will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `rtf' will be used as the default path.
-
-RTF_OUTPUT             = rtf
-
-# If the COMPACT_RTF tag is set to YES Doxygen generates more compact 
-# RTF documents. This may be useful for small projects and may help to 
-# save some trees in general.
-
-COMPACT_RTF            = NO
-
-# If the RTF_HYPERLINKS tag is set to YES, the RTF that is generated 
-# will contain hyperlink fields. The RTF file will 
-# contain links (just like the HTML output) instead of page references. 
-# This makes the output suitable for online browsing using WORD or other 
-# programs which support those fields. 
-# Note: wordpad (write) and others do not support links.
-
-RTF_HYPERLINKS         = NO
-
-# Load stylesheet definitions from file. Syntax is similar to doxygen's 
-# config file, i.e. a series of assignments. You only have to provide 
-# replacements, missing definitions are set to their default value.
-
-RTF_STYLESHEET_FILE    = 
-
-# Set optional variables used in the generation of an rtf document. 
-# Syntax is similar to doxygen's config file.
-
-RTF_EXTENSIONS_FILE    = 
-
-#---------------------------------------------------------------------------
-# configuration options related to the man page output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_MAN tag is set to YES (the default) Doxygen will 
-# generate man pages
-
-GENERATE_MAN           = NO
-
-# The MAN_OUTPUT tag is used to specify where the man pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `man' will be used as the default path.
-
-MAN_OUTPUT             = man
-
-# The MAN_EXTENSION tag determines the extension that is added to 
-# the generated man pages (default is the subroutine's section .3)
-
-MAN_EXTENSION          = .3
-
-# If the MAN_LINKS tag is set to YES and Doxygen generates man output, 
-# then it will generate one additional man file for each entity 
-# documented in the real man page(s). These additional files 
-# only source the real man page, but without them the man command 
-# would be unable to find the correct page. The default is NO.
-
-MAN_LINKS              = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the XML output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_XML tag is set to YES Doxygen will 
-# generate an XML file that captures the structure of 
-# the code including all documentation.
-
-GENERATE_XML           = NO
-
-# The XML_OUTPUT tag is used to specify where the XML pages will be put. 
-# If a relative path is entered the value of OUTPUT_DIRECTORY will be 
-# put in front of it. If left blank `xml' will be used as the default path.
-
-XML_OUTPUT             = xml
-
-# The XML_SCHEMA tag can be used to specify an XML schema, 
-# which can be used by a validating XML parser to check the 
-# syntax of the XML files.
-
-XML_SCHEMA             = 
-
-# The XML_DTD tag can be used to specify an XML DTD, 
-# which can be used by a validating XML parser to check the 
-# syntax of the XML files.
-
-XML_DTD                = 
-
-# If the XML_PROGRAMLISTING tag is set to YES Doxygen will 
-# dump the program listings (including syntax highlighting 
-# and cross-referencing information) to the XML output. Note that 
-# enabling this will significantly increase the size of the XML output.
-
-XML_PROGRAMLISTING     = YES
-
-#---------------------------------------------------------------------------
-# configuration options for the AutoGen Definitions output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_AUTOGEN_DEF tag is set to YES Doxygen will 
-# generate an AutoGen Definitions (see autogen.sf.net) file 
-# that captures the structure of the code including all 
-# documentation. Note that this feature is still experimental 
-# and incomplete at the moment.
-
-GENERATE_AUTOGEN_DEF   = NO
-
-#---------------------------------------------------------------------------
-# configuration options related to the Perl module output
-#---------------------------------------------------------------------------
-
-# If the GENERATE_PERLMOD tag is set to YES Doxygen will 
-# generate a Perl module file that captures the structure of 
-# the code including all documentation. Note that this 
-# feature is still experimental and incomplete at the 
-# moment.
-
-GENERATE_PERLMOD       = NO
-
-# If the PERLMOD_LATEX tag is set to YES Doxygen will generate 
-# the necessary Makefile rules, Perl scripts and LaTeX code to be able 
-# to generate PDF and DVI output from the Perl module output.
-
-PERLMOD_LATEX          = NO
-
-# If the PERLMOD_PRETTY tag is set to YES the Perl module output will be 
-# nicely formatted so it can be parsed by a human reader.  This is useful 
-# if you want to understand what is going on.  On the other hand, if this 
-# tag is set to NO the size of the Perl module output will be much smaller 
-# and Perl will parse it just the same.
-
-PERLMOD_PRETTY         = YES
-
-# The names of the make variables in the generated doxyrules.make file 
-# are prefixed with the string contained in PERLMOD_MAKEVAR_PREFIX. 
-# This is useful so different doxyrules.make files included by the same 
-# Makefile don't overwrite each other's variables.
-
-PERLMOD_MAKEVAR_PREFIX = 
-
-#---------------------------------------------------------------------------
-# Configuration options related to the preprocessor   
-#---------------------------------------------------------------------------
-
-# If the ENABLE_PREPROCESSING tag is set to YES (the default) Doxygen will 
-# evaluate all C-preprocessor directives found in the sources and include 
-# files.
-
-ENABLE_PREPROCESSING   = YES
-
-# If the MACRO_EXPANSION tag is set to YES Doxygen will expand all macro 
-# names in the source code. If set to NO (the default) only conditional 
-# compilation will be performed. Macro expansion can be done in a controlled 
-# way by setting EXPAND_ONLY_PREDEF to YES.
-
-MACRO_EXPANSION        = NO
-
-# If the EXPAND_ONLY_PREDEF and MACRO_EXPANSION tags are both set to YES 
-# then the macro expansion is limited to the macros specified with the 
-# PREDEFINED and EXPAND_AS_DEFINED tags.
-
-EXPAND_ONLY_PREDEF     = NO
-
-# If the SEARCH_INCLUDES tag is set to YES (the default) the includes files 
-# in the INCLUDE_PATH (see below) will be search if a #include is found.
-
-SEARCH_INCLUDES        = YES
-
-# The INCLUDE_PATH tag can be used to specify one or more directories that 
-# contain include files that are not input files but should be processed by 
-# the preprocessor.
-
-INCLUDE_PATH           = 
-
-# You can use the INCLUDE_FILE_PATTERNS tag to specify one or more wildcard 
-# patterns (like *.h and *.hpp) to filter out the header-files in the 
-# directories. If left blank, the patterns specified with FILE_PATTERNS will 
-# be used.
-
-INCLUDE_FILE_PATTERNS  = 
-
-# The PREDEFINED tag can be used to specify one or more macro names that 
-# are defined before the preprocessor is started (similar to the -D option of 
-# gcc). The argument of the tag is a list of macros of the form: name 
-# or name=definition (no spaces). If the definition and the = are 
-# omitted =1 is assumed. To prevent a macro definition from being 
-# undefined via #undef or recursively expanded use the := operator 
-# instead of the = operator.
-
-PREDEFINED             = 
-
-# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then 
-# this tag can be used to specify a list of macro names that should be expanded. 
-# The macro definition that is found in the sources will be used. 
-# Use the PREDEFINED tag if you want to use a different macro definition.
-
-EXPAND_AS_DEFINED      = 
-
-# If the SKIP_FUNCTION_MACROS tag is set to YES (the default) then 
-# doxygen's preprocessor will remove all function-like macros that are alone 
-# on a line, have an all uppercase name, and do not end with a semicolon. Such 
-# function macros are typically used for boiler-plate code, and will confuse 
-# the parser if not removed.
-
-SKIP_FUNCTION_MACROS   = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to external references   
-#---------------------------------------------------------------------------
-
-# The TAGFILES option can be used to specify one or more tagfiles. 
-# Optionally an initial location of the external documentation 
-# can be added for each tagfile. The format of a tag file without 
-# this location is as follows: 
-#   TAGFILES = file1 file2 ... 
-# Adding location for the tag files is done as follows: 
-#   TAGFILES = file1=loc1 "file2 = loc2" ... 
-# where "loc1" and "loc2" can be relative or absolute paths or 
-# URLs. If a location is present for each tag, the installdox tool 
-# does not have to be run to correct the links.
-# Note that each tag file must have a unique name
-# (where the name does NOT include the path)
-# If a tag file is not located in the directory in which doxygen 
-# is run, you must also specify the path to the tagfile here.
-
-TAGFILES               = 
-
-# When a file name is specified after GENERATE_TAGFILE, doxygen will create 
-# a tag file that is based on the input files it reads.
-
-GENERATE_TAGFILE       = 
-
-# If the ALLEXTERNALS tag is set to YES all external classes will be listed 
-# in the class index. If set to NO only the inherited external classes 
-# will be listed.
-
-ALLEXTERNALS           = NO
-
-# If the EXTERNAL_GROUPS tag is set to YES all external groups will be listed 
-# in the modules index. If set to NO, only the current project's groups will 
-# be listed.
-
-EXTERNAL_GROUPS        = YES
-
-# The PERL_PATH should be the absolute path and name of the perl script 
-# interpreter (i.e. the result of `which perl').
-
-PERL_PATH              = /usr/bin/perl
-
-#---------------------------------------------------------------------------
-# Configuration options related to the dot tool   
-#---------------------------------------------------------------------------
-
-# If the CLASS_DIAGRAMS tag is set to YES (the default) Doxygen will 
-# generate a inheritance diagram (in HTML, RTF and LaTeX) for classes with base 
-# or super classes. Setting the tag to NO turns the diagrams off. Note that 
-# this option is superseded by the HAVE_DOT option below. This is only a 
-# fallback. It is recommended to install and use dot, since it yields more 
-# powerful graphs.
-
-CLASS_DIAGRAMS         = YES
-
-# If set to YES, the inheritance and collaboration graphs will hide 
-# inheritance and usage relations if the target is undocumented 
-# or is not a class.
-
-HIDE_UNDOC_RELATIONS   = YES
-
-# If you set the HAVE_DOT tag to YES then doxygen will assume the dot tool is 
-# available from the path. This tool is part of Graphviz, a graph visualization 
-# toolkit from AT&T and Lucent Bell Labs. The other options in this section 
-# have no effect if this option is set to NO (the default)
-
-HAVE_DOT               = NO
-
-# If the CLASS_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect inheritance relations. Setting this tag to YES will force the 
-# the CLASS_DIAGRAMS tag to NO.
-
-CLASS_GRAPH            = YES
-
-# If the COLLABORATION_GRAPH and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for each documented class showing the direct and 
-# indirect implementation dependencies (inheritance, containment, and 
-# class references variables) of the class with other documented classes.
-
-COLLABORATION_GRAPH    = YES
-
-# If the GROUP_GRAPHS and HAVE_DOT tags are set to YES then doxygen 
-# will generate a graph for groups, showing the direct groups dependencies
-
-GROUP_GRAPHS           = YES
-
-# If the UML_LOOK tag is set to YES doxygen will generate inheritance and 
-# collaboration diagrams in a style similar to the OMG's Unified Modeling 
-# Language.
-
-UML_LOOK               = NO
-
-# If set to YES, the inheritance and collaboration graphs will show the 
-# relations between templates and their instances.
-
-TEMPLATE_RELATIONS     = YES
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDE_GRAPH, and HAVE_DOT 
-# tags are set to YES then doxygen will generate a graph for each documented 
-# file showing the direct and indirect include dependencies of the file with 
-# other documented files.
-
-INCLUDE_GRAPH          = YES
-
-# If the ENABLE_PREPROCESSING, SEARCH_INCLUDES, INCLUDED_BY_GRAPH, and 
-# HAVE_DOT tags are set to YES then doxygen will generate a graph for each 
-# documented header file showing the documented files that directly or 
-# indirectly include this file.
-
-INCLUDED_BY_GRAPH      = YES
-
-# If the CALL_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
-# generate a call dependency graph for every global function or class method. 
-# Note that enabling this option will significantly increase the time of a run. 
-# So in most cases it will be better to enable call graphs for selected 
-# functions only using the \callgraph command.
-
-CALL_GRAPH             = NO
-
-# If the CALLER_GRAPH and HAVE_DOT tags are set to YES then doxygen will 
-# generate a caller dependency graph for every global function or class method. 
-# Note that enabling this option will significantly increase the time of a run. 
-# So in most cases it will be better to enable caller graphs for selected 
-# functions only using the \callergraph command.
-
-CALLER_GRAPH           = NO
-
-# If the GRAPHICAL_HIERARCHY and HAVE_DOT tags are set to YES then doxygen 
-# will graphical hierarchy of all classes instead of a textual one.
-
-GRAPHICAL_HIERARCHY    = YES
-
-# If the DIRECTORY_GRAPH, SHOW_DIRECTORIES and HAVE_DOT tags are set to YES 
-# then doxygen will show the dependencies a directory has on other directories 
-# in a graphical way. The dependency relations are determined by the #include
-# relations between the files in the directories.
-
-DIRECTORY_GRAPH        = YES
-
-# The DOT_IMAGE_FORMAT tag can be used to set the image format of the images 
-# generated by dot. Possible values are png, jpg, or gif
-# If left blank png will be used.
-
-DOT_IMAGE_FORMAT       = png
-
-# The tag DOT_PATH can be used to specify the path where the dot tool can be 
-# found. If left blank, it is assumed the dot tool can be found in the path.
-
-DOT_PATH               = 
-
-# The DOTFILE_DIRS tag can be used to specify one or more directories that 
-# contain dot files that are included in the documentation (see the 
-# \dotfile command).
-
-DOTFILE_DIRS           = 
-
-# The MAX_DOT_GRAPH_WIDTH tag can be used to set the maximum allowed width 
-# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
-# this value, doxygen will try to truncate the graph, so that it fits within 
-# the specified constraint. Beware that most browsers cannot cope with very 
-# large images.
-
-MAX_DOT_GRAPH_WIDTH    = 1024
-
-# The MAX_DOT_GRAPH_HEIGHT tag can be used to set the maximum allows height 
-# (in pixels) of the graphs generated by dot. If a graph becomes larger than 
-# this value, doxygen will try to truncate the graph, so that it fits within 
-# the specified constraint. Beware that most browsers cannot cope with very 
-# large images.
-
-MAX_DOT_GRAPH_HEIGHT   = 1024
-
-# The MAX_DOT_GRAPH_DEPTH tag can be used to set the maximum depth of the 
-# graphs generated by dot. A depth value of 3 means that only nodes reachable 
-# from the root by following a path via at most 3 edges will be shown. Nodes 
-# that lay further from the root node will be omitted. Note that setting this 
-# option to 1 or 2 may greatly reduce the computation time needed for large 
-# code bases. Also note that a graph may be further truncated if the graph's 
-# image dimensions are not sufficient to fit the graph (see MAX_DOT_GRAPH_WIDTH 
-# and MAX_DOT_GRAPH_HEIGHT). If 0 is used for the depth value (the default), 
-# the graph is not depth-constrained.
-
-MAX_DOT_GRAPH_DEPTH    = 0
-
-# Set the DOT_TRANSPARENT tag to YES to generate images with a transparent 
-# background. This is disabled by default, which results in a white background. 
-# Warning: Depending on the platform used, enabling this option may lead to 
-# badly anti-aliased labels on the edges of a graph (i.e. they become hard to 
-# read).
-
-DOT_TRANSPARENT        = NO
-
-# Set the DOT_MULTI_TARGETS tag to YES allow dot to generate multiple output 
-# files in one run (i.e. multiple -o and -T options on the command line). This 
-# makes dot run faster, but since only newer versions of dot (>1.8.10) 
-# support this, this feature is disabled by default.
-
-DOT_MULTI_TARGETS      = NO
-
-# If the GENERATE_LEGEND tag is set to YES (the default) Doxygen will 
-# generate a legend page explaining the meaning of the various boxes and 
-# arrows in the dot generated graphs.
-
-GENERATE_LEGEND        = YES
-
-# If the DOT_CLEANUP tag is set to YES (the default) Doxygen will 
-# remove the intermediate dot files that are used to generate 
-# the various graphs.
-
-DOT_CLEANUP            = YES
-
-#---------------------------------------------------------------------------
-# Configuration::additions related to the search engine   
-#---------------------------------------------------------------------------
-
-# The SEARCHENGINE tag specifies whether or not a search engine should be 
-# used. If set to NO the values of all tags below this one will be ignored.
-
-SEARCHENGINE           = NO

Deleted: tor/trunk/INSTALL
===================================================================
--- tor/trunk/INSTALL	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/INSTALL	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,25 +0,0 @@
-
-Most users who realize that INSTALL files still exist should simply
-follow the directions at
-https://www.torproject.org/docs/tor-doc-unix
-
-If you got the source from Subversion, run "./autogen.sh", which will
-run the various auto* programs. Then you can run ./configure, and
-refer to the above instructions.
-
-If it doesn't build for you:
-
-  If you have problems finding libraries, try
-    CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" \
-    ./configure
-  or
-    ./configure --with-libevent-dir=/usr/local
-  rather than simply ./configure.
-
-  If you have mysterious autoconf failures while linking openssl,
-  consider setting your LD_LIBRARY_PATH to the openssl lib directory.
-  For example, "setenv LD_LIBRARY_PATH /usr/athena/lib".
-
-  Lastly, check out
-  http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ#ItDoesntWork
-

Deleted: tor/trunk/LICENSE
===================================================================
--- tor/trunk/LICENSE	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/LICENSE	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,85 +0,0 @@
-                    This file contains the license for Tor,
-        a free software project to provide anonymity on the Internet.
-
-        It also lists the licenses for other components used by Tor.
-
-       For more information about Tor, see https://www.torproject.org/.
-
-             If you got this file as a part of a larger bundle,
-        there may be other license terms that you should be aware of.
-
-
-===============================================================================
-Tor is distributed under this license:
-
-Copyright (c) 2001-2004, Roger Dingledine
-Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-Copyright (c) 2007-2009, The Tor Project, Inc.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
-    * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
-
-    * Neither the names of the copyright owners nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-===============================================================================
-src/common/strlcat.c and src/common/strlcpy.c by Todd C. Miller are licensed
-under the following license:
-
- * Copyright (c) 1998 Todd C. Miller <Todd.Miller@xxxxxxxxxxxxx>
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote products
- *    derived from this software without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-===============================================================================
-If you got Tor as a static binary with OpenSSL included, then you should know:
- "This product includes software developed by the OpenSSL Project
- for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-===============================================================================
-"This program uses the IP-to-Country Database provided by
-WebHosting.Info (http://www.webhosting.info), available from
-http://ip-to-country.webhosting.info.";
-See the src/config/geoip file in particular.
-===============================================================================
-

Deleted: tor/trunk/Makefile.am
===================================================================
--- tor/trunk/Makefile.am	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/Makefile.am	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,78 +0,0 @@
-# Copyright (c) 2001-2004, Roger Dingledine
-# Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-# Copyright (c) 2007-2009, The Tor Project, Inc.
-# See LICENSE for licensing information
-
-AUTOMAKE_OPTIONS = foreign
- # else it keeps trying to put COPYING back in
-
-SUBDIRS = src doc contrib
-
-DIST_SUBDIRS = src doc contrib
-
-EXTRA_DIST = INSTALL README AUTHORS LICENSE ChangeLog          \
-             ReleaseNotes tor.spec tor.spec.in
-
-#install-data-local:
-#	$(INSTALL) -m 755 -d $(LOCALSTATEDIR)/lib/tor
-
-# Assume a tarball is in .. for now.
-dist-rpm:
-	RPM_BUILD_DIR="/tmp/tor-rpm-build-$$$$";                \
-	rm -rf $$RPM_BUILD_DIR;                                 \
-	mkdir $$RPM_BUILD_DIR || exit 1;                        \
-	for subdir in BUILD RPMS SOURCES SPECS SRPMS; do        \
-	    mkdir $$RPM_BUILD_DIR/$$subdir;                     \
-	done;                                                   \
-	mkdir $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION);           \
-	cp -R ./ $$RPM_BUILD_DIR/SOURCES/tor-$(VERSION)/;       \
-	pushd $$RPM_BUILD_DIR/SOURCES/;                         \
-	tar zcf tor-$(VERSION).tar.gz ./;                       \
-	popd;                                                   \
-	LIBS=-lrt rpmbuild -ba --define "_topdir $$RPM_BUILD_DIR" tor.spec; \
-	mv $$RPM_BUILD_DIR/SRPMS/* .;                           \
-	mv $$RPM_BUILD_DIR/RPMS/* .;                            \
-	rm -rf $$RPM_BUILD_DIR
-
-dist-osx:
-	@if [ "x$(prefix)" != 'x/Library/Tor' ]; then \
-	  echo "Configure with --prefix=/Library/Tor, please"; \
-	  exit 1; \
-	fi; \
-	if [ "x$(bindir)" != 'x/Library/Tor' ]; then \
-	  echo "Configure with --bindir=/Library/Tor, please"; \
-	  exit 1; \
-	fi; \
-	if [ "x$(sysconfdir)" != 'x/Library' ]; then \
-	  echo "Configure with --sysconfdir=/Library, please"; \
-	  exit 1; \
-	fi; \
-	if [ "x$(CONFDIR)" != 'x/Library/Tor' ]; then \
-	  echo "Configure with CONFDIR=/Library/Tor, please"; \
-	fi
-	$(MAKE) all
-	VERSION=$(VERSION) sh ./contrib/osx/package.sh
-
-dist: check
-
-doxygen:
-	doxygen && cd doc/doxygen/latex && make
-
-test: all
-	./src/test/test
-
-# Avoid strlcpy.c, strlcat.c, tree.h
-check-spaces:
-	./contrib/checkSpace.pl -C                    \
-	        src/common/*.h                        \
-		src/common/[^asO]*.c src/common/address.c \
-		src/or/[^et]*.[ch] src/or/t*.c src/or/eventdns_tor.h \
-		src/test/test*.[ch]
-
-check-docs:
-	./contrib/checkOptionDocs.pl
-
-check-logs:
-	./contrib/checkLogs.pl                        \
-		src/*/*.[ch] | sort -n
-

Deleted: tor/trunk/README
===================================================================
--- tor/trunk/README	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/README	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,23 +0,0 @@
-Tor protects your privacy on the internet by hiding the connection
-between your Internet address and the services you use. We believe Tor
-is reasonably secure, but please ensure you read the instructions and
-configure it properly.
-
-To build Tor from source:
-        ./configure; make; make install
-
-Home page:
-        https://www.torproject.org/
-
-Download new versions:
-        https://www.torproject.org/download.html
-
-Documentation, including links to installation and setup instructions:
-        https://www.torproject.org/documentation.html
-
-Making applications work with Tor:
-        https://wiki.torproject.org/noreply/TheOnionRouter/TorifyHOWTO
-
-Frequently Asked Questions:
-        https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ
-

Added: tor/trunk/README
===================================================================
--- tor/trunk/README	                        (rev 0)
+++ tor/trunk/README	2010-09-25 10:44:30 UTC (rev 23306)
@@ -0,0 +1,7 @@
+Did you come here looking for Tor's source code repository?
+
+Tor is no longer using subversion, instead it migrated to Git.
+
+Find the official Tor git repository at git://git.torproject.org/tor
+
+For web-based access, use https://gitweb.torproject.org/tor.git

Deleted: tor/trunk/ReleaseNotes
===================================================================
--- tor/trunk/ReleaseNotes	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/ReleaseNotes	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,4831 +0,0 @@
-
-This document summarizes new features and bugfixes in each stable release
-of Tor. If you want to see more detailed descriptions of the changes in
-each development snapshot, see the ChangeLog file.
-
-Changes in version 0.2.1.19 - 2009-07-28
-  Tor 0.2.1.19 fixes a major bug with accessing and providing hidden
-  services.
-
-  o Major bugfixes:
-    - Make accessing hidden services on 0.2.1.x work right again.
-      Bugfix on 0.2.1.3-alpha; workaround for bug 1038. Diagnosis and
-      part of patch provided by "optimist".
-
-  o Minor features:
-    - When a relay/bridge is writing out its identity key fingerprint to
-      the "fingerprint" file and to its logs, write it without spaces. Now
-      it will look like the fingerprints in our bridges documentation,
-      and confuse fewer users.
-
-  o Minor bugfixes:
-    - Relays no longer publish a new server descriptor if they change
-      their MaxAdvertisedBandwidth config option but it doesn't end up
-      changing their advertised bandwidth numbers. Bugfix on 0.2.0.28-rc;
-      fixes bug 1026. Patch from Sebastian.
-    - Avoid leaking memory every time we get a create cell but we have
-      so many already queued that we refuse it. Bugfix on 0.2.0.19-alpha;
-      fixes bug 1034. Reported by BarkerJr.
-
-
-Changes in version 0.2.1.18 - 2009-07-24
-  Tor 0.2.1.18 lays the foundations for performance improvements,
-  adds status events to help users diagnose bootstrap problems, adds
-  optional authentication/authorization for hidden services, fixes a
-  variety of potential anonymity problems, and includes a huge pile of
-  other features and bug fixes.
-
-  o Major features (clients):
-    - Start sending "bootstrap phase" status events to the controller,
-      so it can keep the user informed of progress fetching directory
-      information and establishing circuits. Also inform the controller
-      if we think we're stuck at a particular bootstrap phase. Implements
-      proposal 137.
-    - Clients replace entry guards that were chosen more than a few months
-      ago. This change should significantly improve client performance,
-      especially once more people upgrade, since relays that have been
-      a guard for a long time are currently overloaded.
-    - Network status consensus documents and votes now contain bandwidth
-      information for each relay. Clients use the bandwidth values
-      in the consensus, rather than the bandwidth values in each
-      relay descriptor. This approach opens the door to more accurate
-      bandwidth estimates once the directory authorities start doing
-      active measurements. Implements part of proposal 141.
-
-  o Major features (relays):
-    - Disable and refactor some debugging checks that forced a linear scan
-      over the whole server-side DNS cache. These accounted for over 50%
-      of CPU time on a relatively busy exit node's gprof profile. Also,
-      disable some debugging checks that appeared in exit node profile
-      data. Found by Jacob.
-    - New DirPortFrontPage option that takes an html file and publishes
-      it as "/" on the DirPort. Now relay operators can provide a
-      disclaimer without needing to set up a separate webserver. There's
-      a sample disclaimer in contrib/tor-exit-notice.html.
-
-  o Major features (hidden services):
-    - Make it possible to build hidden services that only certain clients
-      are allowed to connect to. This is enforced at several points,
-      so that unauthorized clients are unable to send INTRODUCE cells
-      to the service, or even (depending on the type of authentication)
-      to learn introduction points. This feature raises the bar for
-      certain kinds of active attacks against hidden services. Design
-      and code by Karsten Loesing. Implements proposal 121.
-    - Relays now store and serve v2 hidden service descriptors by default,
-      i.e., the new default value for HidServDirectoryV2 is 1. This is
-      the last step in proposal 114, which aims to make hidden service
-      lookups more reliable.
-
-  o Major features (path selection):
-    - ExitNodes and Exclude*Nodes config options now allow you to restrict
-      by country code ("{US}") or IP address or address pattern
-      ("255.128.0.0/16"). Patch from Robert Hogan. It still needs some
-      refinement to decide what config options should take priority if
-      you ask to both use a particular node and exclude it.
-
-  o Major features (misc):
-    - When building a consensus, do not include routers that are down.
-      This cuts down 30% to 40% on consensus size. Implements proposal
-      138.
-    - New TestingTorNetwork config option to allow adjustment of
-      previously constant values that could slow bootstrapping. Implements
-      proposal 135. Patch from Karsten.
-    - Convert many internal address representations to optionally hold
-      IPv6 addresses. Generate and accept IPv6 addresses in many protocol
-      elements. Make resolver code handle nameservers located at IPv6
-      addresses.
-    - More work on making our TLS handshake blend in: modify the list
-      of ciphers advertised by OpenSSL in client mode to even more
-      closely resemble a common web browser. We cheat a little so that
-      we can advertise ciphers that the locally installed OpenSSL doesn't
-      know about.
-    - Use the TLS1 hostname extension to more closely resemble browser
-      behavior.
-
-  o Security fixes (anonymity/entropy):
-    - Never use a connection with a mismatched address to extend a
-      circuit, unless that connection is canonical. A canonical
-      connection is one whose address is authenticated by the router's
-      identity key, either in a NETINFO cell or in a router descriptor.
-    - Implement most of proposal 110: The first K cells to be sent
-      along a circuit are marked as special "early" cells; only K "early"
-      cells will be allowed. Once this code is universal, we can block
-      certain kinds of denial-of-service attack by requiring that EXTEND
-      commands must be sent using an "early" cell.
-    - Resume using OpenSSL's RAND_poll() for better (and more portable)
-      cross-platform entropy collection again. We used to use it, then
-      stopped using it because of a bug that could crash systems that
-      called RAND_poll when they had a lot of fds open. It looks like the
-      bug got fixed in late 2006. Our new behavior is to call RAND_poll()
-      at startup, and to call RAND_poll() when we reseed later only if
-      we have a non-buggy OpenSSL version.
-    - When the client is choosing entry guards, now it selects at most
-      one guard from a given relay family. Otherwise we could end up with
-      all of our entry points into the network run by the same operator.
-      Suggested by Camilo Viecco. Fix on 0.1.1.11-alpha.
-    - Do not use or believe expired v3 authority certificates. Patch
-      from Karsten. Bugfix in 0.2.0.x. Fixes bug 851.
-    - Drop begin cells to a hidden service if they come from the middle
-      of a circuit. Patch from lark.
-    - When we erroneously receive two EXTEND cells for the same circuit
-      ID on the same connection, drop the second. Patch from lark.
-    - Authorities now vote for the Stable flag for any router whose
-      weighted MTBF is at least 5 days, regardless of the mean MTBF.
-    - Clients now never report any stream end reason except 'MISC'.
-      Implements proposal 148.
-
-  o Major bugfixes (crashes):
-    - Parse dates and IPv4 addresses in a locale- and libc-independent
-      manner, to avoid platform-dependent behavior on malformed input.
-    - Fix a crash that occurs on exit nodes when a nameserver request
-      timed out. Bugfix on 0.1.2.1-alpha; our CLEAR debugging code had
-      been suppressing the bug since 0.1.2.10-alpha. Partial fix for
-      bug 929.
-    - Do not assume that a stack-allocated character array will be
-      64-bit aligned on platforms that demand that uint64_t access is
-      aligned. Possible fix for bug 604.
-    - Resolve a very rare crash bug that could occur when the user forced
-      a nameserver reconfiguration during the middle of a nameserver
-      probe. Fixes bug 526. Bugfix on 0.1.2.1-alpha.
-    - Avoid a "0 divided by 0" calculation when calculating router uptime
-      at directory authorities. Bugfix on 0.2.0.8-alpha.
-    - Fix an assertion bug in parsing policy-related options; possible fix
-      for bug 811.
-    - Rate-limit too-many-sockets messages: when they happen, they happen
-      a lot and end up filling up the disk. Resolves bug 748.
-    - Fix a race condition that could cause crashes or memory corruption
-      when running as a server with a controller listening for log
-      messages.
-    - Avoid crashing when we have a policy specified in a DirPolicy or
-      SocksPolicy or ReachableAddresses option with ports set on it,
-      and we re-load the policy. May fix bug 996.
-    - Fix an assertion failure on 64-bit platforms when we allocated
-      memory right up to the end of a memarea, then realigned the memory
-      one step beyond the end. Fixes a possible cause of bug 930.
-    - Protect the count of open sockets with a mutex, so we can't
-      corrupt it when two threads are closing or opening sockets at once.
-      Fix for bug 939. Bugfix on 0.2.0.1-alpha.
-
-  o Major bugfixes (clients):
-    - Discard router descriptors as we load them if they are more than
-      five days old. Otherwise if Tor is off for a long time and then
-      starts with cached descriptors, it will try to use the onion keys
-      in those obsolete descriptors when building circuits. Fixes bug 887.
-    - When we choose to abandon a new entry guard because we think our
-      older ones might be better, close any circuits pending on that
-      new entry guard connection. This fix should make us recover much
-      faster when our network is down and then comes back. Bugfix on
-      0.1.2.8-beta; found by lodger.
-    - When Tor clients restart after 1-5 days, they discard all their
-      cached descriptors as too old, but they still use the cached
-      consensus document. This approach is good for robustness, but
-      bad for performance: since they don't know any bandwidths, they
-      end up choosing at random rather than weighting their choice by
-      speed. Fixed by the above feature of putting bandwidths in the
-      consensus.
-
-  o Major bugfixes (relays):
-    - Relays were falling out of the networkstatus consensus for
-      part of a day if they changed their local config but the
-      authorities discarded their new descriptor as "not sufficiently
-      different". Now directory authorities accept a descriptor as changed
-      if BandwidthRate or BandwidthBurst changed. Partial fix for bug 962;
-      patch by Sebastian.
-    - Ensure that two circuits can never exist on the same connection
-      with the same circuit ID, even if one is marked for close. This
-      is conceivably a bugfix for bug 779; fixes a bug on 0.1.0.4-rc.
-    - Directory authorities were neglecting to mark relays down in their
-      internal histories if the relays fall off the routerlist without
-      ever being found unreachable. So there were relays in the histories
-      that haven't been seen for eight months, and are listed as being
-      up for eight months. This wreaked havoc on the "median wfu" and
-      "median mtbf" calculations, in turn making Guard and Stable flags
-      wrong, hurting network performance. Fixes bugs 696 and 969. Bugfix
-      on 0.2.0.6-alpha.
-
-  o Major bugfixes (hidden services):
-    - When establishing a hidden service, introduction points that
-      originate from cannibalized circuits were completely ignored
-      and not included in rendezvous service descriptors. This might
-      have been another reason for delay in making a hidden service
-      available. Bugfix from long ago (0.0.9.x?)
-
-  o Major bugfixes (memory and resource management):
-    - Fixed some memory leaks -- some quite frequent, some almost
-      impossible to trigger -- based on results from Coverity.
-    - Speed up parsing and cut down on memory fragmentation by using
-      stack-style allocations for parsing directory objects. Previously,
-      this accounted for over 40% of allocations from within Tor's code
-      on a typical directory cache.
-    - Use a Bloom filter rather than a digest-based set to track which
-      descriptors we need to keep around when we're cleaning out old
-      router descriptors. This speeds up the computation significantly,
-      and may reduce fragmentation.
-
-  o New/changed config options:
-    - Now NodeFamily and MyFamily config options allow spaces in
-      identity fingerprints, so it's easier to paste them in.
-      Suggested by Lucky Green.
-    - Allow ports 465 and 587 in the default exit policy again. We had
-      rejected them in 0.1.0.15, because back in 2005 they were commonly
-      misconfigured and ended up as spam targets. We hear they are better
-      locked down these days.
-    - Make TrackHostExit mappings expire a while after their last use, not
-      after their creation. Patch from Robert Hogan.
-    - Add an ExcludeExitNodes option so users can list a set of nodes
-      that should be be excluded from the exit node position, but
-      allowed elsewhere. Implements proposal 151.
-    - New --hush command-line option similar to --quiet. While --quiet
-      disables all logging to the console on startup, --hush limits the
-      output to messages of warning and error severity.
-    - New configure/torrc options (--enable-geoip-stats,
-      DirRecordUsageByCountry) to record how many IPs we've served
-      directory info to in each country code, how many status documents
-      total we've sent to each country code, and what share of the total
-      directory requests we should expect to see.
-    - Make outbound DNS packets respect the OutboundBindAddress setting.
-      Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
-    - Allow separate log levels to be configured for different logging
-      domains. For example, this allows one to log all notices, warnings,
-      or errors, plus all memory management messages of level debug or
-      higher, with: Log [MM] debug-err [*] notice-err file /var/log/tor.
-    - Update to the "June 3 2009" ip-to-country file.
-
-  o Minor features (relays):
-    - Raise the minimum rate limiting to be a relay from 20000 bytes
-      to 20480 bytes (aka 20KB/s), to match our documentation. Also
-      update directory authorities so they always assign the Fast flag
-      to relays with 20KB/s of capacity. Now people running relays won't
-      suddenly find themselves not seeing any use, if the network gets
-      faster on average.
-    - If we're a relay and we change our IP address, be more verbose
-      about the reason that made us change. Should help track down
-      further bugs for relays on dynamic IP addresses.
-    - Exit servers can now answer resolve requests for ip6.arpa addresses.
-    - Implement most of Proposal 152: allow specialized servers to permit
-      single-hop circuits, and clients to use those servers to build
-      single-hop circuits when using a specialized controller. Patch
-      from Josh Albrecht. Resolves feature request 768.
-    - When relays do their initial bandwidth measurement, don't limit
-      to just our entry guards for the test circuits. Otherwise we tend
-      to have multiple test circuits going through a single entry guard,
-      which makes our bandwidth test less accurate. Fixes part of bug 654;
-      patch contributed by Josh Albrecht.
-
-  o Minor features (directory authorities):
-    - Try not to open more than one descriptor-downloading connection
-      to an authority at once. This should reduce load on directory
-      authorities. Fixes bug 366.
-    - Add cross-certification to newly generated certificates, so that
-      a signing key is enough information to look up a certificate. Start
-      serving certificates by <identity digest, signing key digest>
-      pairs. Implements proposal 157.
-    - When a directory authority downloads a descriptor that it then
-      immediately rejects, do not retry downloading it right away. Should
-      save some bandwidth on authorities. Fix for bug 888. Patch by
-      Sebastian Hahn.
-    - Directory authorities now serve a /tor/dbg-stability.txt URL to
-      help debug WFU and MTBF calculations.
-    - In directory authorities' approved-routers files, allow
-      fingerprints with or without space.
-
-  o Minor features (directory mirrors):
-    - When a download gets us zero good descriptors, do not notify
-      Tor that new directory information has arrived.
-    - Servers support a new URL scheme for consensus downloads that
-      allows the client to specify which authorities are trusted.
-      The server then only sends the consensus if the client will trust
-      it. Otherwise a 404 error is sent back. Clients use this
-      new scheme when the server supports it (meaning it's running
-      0.2.1.1-alpha or later). Implements proposal 134.
-
-  o Minor features (bridges):
-    - If the bridge config line doesn't specify a port, assume 443.
-      This makes bridge lines a bit smaller and easier for users to
-      understand.
-    - If we're using bridges and our network goes away, be more willing
-      to forgive our bridges and try again when we get an application
-      request.
-
-  o Minor features (hidden services):
-    - When the client launches an introduction circuit, retry with a
-      new circuit after 30 seconds rather than 60 seconds.
-    - Launch a second client-side introduction circuit in parallel
-      after a delay of 15 seconds (based on work by Christian Wilms).
-    - Hidden services start out building five intro circuits rather
-      than three, and when the first three finish they publish a service
-      descriptor using those. Now we publish our service descriptor much
-      faster after restart.
-    - Drop the requirement to have an open dir port for storing and
-      serving v2 hidden service descriptors.
-
-  o Minor features (build and packaging):
-    - On Linux, use the prctl call to re-enable core dumps when the User
-      option is set.
-    - Try to make sure that the version of Libevent we're running with
-      is binary-compatible with the one we built with. May address bug
-      897 and others.
-    - Add a new --enable-local-appdata configuration switch to change
-      the default location of the datadir on win32 from APPDATA to
-      LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
-      entirely. Patch from coderman.
-    - Build correctly against versions of OpenSSL 0.9.8 or later that
-      are built without support for deprecated functions.
-    - On platforms with a maximum syslog string length, truncate syslog
-      messages to that length ourselves, rather than relying on the
-      system to do it for us.
-    - Automatically detect MacOSX versions earlier than 10.4.0, and
-      disable kqueue from inside Tor when running with these versions.
-      We previously did this from the startup script, but that was no
-      help to people who didn't use the startup script. Resolves bug 863.
-    - Build correctly when configured to build outside the main source
-      path. Patch from Michael Gold.
-    - Disable GCC's strict alias optimization by default, to avoid the
-      likelihood of its introducing subtle bugs whenever our code violates
-      the letter of C99's alias rules.
-    - Change the contrib/tor.logrotate script so it makes the new
-      logs as "_tor:_tor" rather than the default, which is generally
-      "root:wheel". Fixes bug 676, reported by Serge Koksharov.
-    - Change our header file guard macros to be less likely to conflict
-      with system headers. Adam Langley noticed that we were conflicting
-      with log.h on Android.
-    - Add a couple of extra warnings to --enable-gcc-warnings for GCC 4.3,
-      and stop using a warning that had become unfixably verbose under
-      GCC 4.3.
-    - Use a lockfile to make sure that two Tor processes are not
-      simultaneously running with the same datadir.
-    - Allow OpenSSL to use dynamic locks if it wants.
-    - Add LIBS=-lrt to Makefile.am so the Tor RPMs use a static libevent.
-
-  o Minor features (controllers):
-    - When generating circuit events with verbose nicknames for
-      controllers, try harder to look up nicknames for routers on a
-      circuit. (Previously, we would look in the router descriptors we had
-      for nicknames, but not in the consensus.) Partial fix for bug 941.
-    - New controller event NEWCONSENSUS that lists the networkstatus
-      lines for every recommended relay. Now controllers like Torflow
-      can keep up-to-date on which relays they should be using.
-    - New controller event "clients_seen" to report a geoip-based summary
-      of which countries we've seen clients from recently. Now controllers
-      like Vidalia can show bridge operators that they're actually making
-      a difference.
-    - Add a 'getinfo status/clients-seen' controller command, in case
-      controllers want to hear clients_seen events but connect late.
-    - New CONSENSUS_ARRIVED event to note when a new consensus has
-      been fetched and validated.
-    - Add an internal-use-only __ReloadTorrcOnSIGHUP option for
-      controllers to prevent SIGHUP from reloading the configuration.
-      Fixes bug 856.
-    - Return circuit purposes in response to GETINFO circuit-status.
-      Fixes bug 858.
-    - Serve the latest v3 networkstatus consensus via the control
-      port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
-    - Add a "GETINFO /status/bootstrap-phase" controller option, so the
-      controller can query our current bootstrap state in case it attaches
-      partway through and wants to catch up.
-    - Provide circuit purposes along with circuit events to the controller.
-
-  o Minor features (tools):
-    - Do not have tor-resolve automatically refuse all .onion addresses;
-      if AutomapHostsOnResolve is set in your torrc, this will work fine.
-    - Add a -p option to tor-resolve for specifying the SOCKS port: some
-      people find host:port too confusing.
-    - Print the SOCKS5 error message string as well as the error code
-      when a tor-resolve request fails. Patch from Jacob.
-
-  o Minor bugfixes (memory and resource management):
-    - Clients no longer cache certificates for authorities they do not
-      recognize. Bugfix on 0.2.0.9-alpha.
-    - Do not use C's stdio library for writing to log files. This will
-      improve logging performance by a minute amount, and will stop
-      leaking fds when our disk is full. Fixes bug 861.
-    - Stop erroneous use of O_APPEND in cases where we did not in fact
-      want to re-seek to the end of a file before every last write().
-    - Fix a small alignment and memory-wasting bug on buffer chunks.
-      Spotted by rovv.
-    - Add a malloc_good_size implementation to OpenBSD_malloc_linux.c,
-      to avoid unused RAM in buffer chunks and memory pools.
-    - Reduce the default smartlist size from 32 to 16; it turns out that
-      most smartlists hold around 8-12 elements tops.
-    - Make dumpstats() log the fullness and size of openssl-internal
-      buffers.
-    - If the user has applied the experimental SSL_MODE_RELEASE_BUFFERS
-      patch to their OpenSSL, turn it on to save memory on servers. This
-      patch will (with any luck) get included in a mainline distribution
-      before too long.
-    - Fix a memory leak when v3 directory authorities load their keys
-      and cert from disk. Bugfix on 0.2.0.1-alpha.
-    - Stop using malloc_usable_size() to use more area than we had
-      actually allocated: it was safe, but made valgrind really unhappy.
-    - Make the assert_circuit_ok() function work correctly on circuits that
-      have already been marked for close.
-    - Fix uninitialized size field for memory area allocation: may improve
-      memory performance during directory parsing.
-
-  o Minor bugfixes (clients):
-    - Stop reloading the router list from disk for no reason when we
-      run out of reachable directory mirrors. Once upon a time reloading
-      it would set the 'is_running' flag back to 1 for them. It hasn't
-      done that for a long time.
-    - When we had picked an exit node for a connection, but marked it as
-      "optional", and it turned out we had no onion key for the exit,
-      stop wanting that exit and try again. This situation may not
-      be possible now, but will probably become feasible with proposal
-      158. Spotted by rovv. Fixes another case of bug 752.
-    - Fix a bug in address parsing that was preventing bridges or hidden
-      service targets from being at IPv6 addresses.
-    - Do not remove routers as too old if we do not have any consensus
-      document. Bugfix on 0.2.0.7-alpha.
-    - When an exit relay resolves a stream address to a local IP address,
-      do not just keep retrying that same exit relay over and
-      over. Instead, just close the stream. Addresses bug 872. Bugfix
-      on 0.2.0.32. Patch from rovv.
-    - Made Tor a little less aggressive about deleting expired
-      certificates. Partial fix for bug 854.
-    - Treat duplicate certificate fetches as failures, so that we do
-      not try to re-fetch an expired certificate over and over and over.
-    - Do not say we're fetching a certificate when we'll in fact skip it
-      because of a pending download.
-    - If we have correct permissions on $datadir, we complain to stdout
-      and fail to start. But dangerous permissions on
-      $datadir/cached-status/ would cause us to open a log and complain
-      there. Now complain to stdout and fail to start in both cases. Fixes
-      bug 820, reported by seeess.
-
-  o Minor bugfixes (bridges):
-    - When we made bridge authorities stop serving bridge descriptors over
-      unencrypted links, we also broke DirPort reachability testing for
-      bridges. So bridges with a non-zero DirPort were printing spurious
-      warns to their logs. Bugfix on 0.2.0.16-alpha. Fixes bug 709.
-    - Don't allow a bridge to publish its router descriptor to a
-      non-bridge directory authority. Fixes part of bug 932.
-    - When we change to or from being a bridge, reset our counts of
-      client usage by country. Fixes bug 932.
-
-  o Minor bugfixes (relays):
-    - Log correct error messages for DNS-related network errors on
-      Windows.
-    - Actually return -1 in the error case for read_bandwidth_usage().
-      Harmless bug, since we currently don't care about the return value
-      anywhere. Bugfix on 0.2.0.9-alpha.
-    - Provide a more useful log message if bug 977 (related to buffer
-      freelists) ever reappears, and do not crash right away.
-    - We were already rejecting relay begin cells with destination port
-      of 0. Now also reject extend cells with destination port or address
-      of 0. Suggested by lark.
-    - When we can't transmit a DNS request due to a network error, retry
-      it after a while, and eventually transmit a failing response to
-      the RESOLVED cell. Bugfix on 0.1.2.5-alpha.
-    - Solve a bug that kept hardware crypto acceleration from getting
-      enabled when accounting was turned on. Fixes bug 907. Bugfix on
-      0.0.9pre6.
-    - When a canonical connection appears later in our internal list
-      than a noncanonical one for a given OR ID, always use the
-      canonical one. Bugfix on 0.2.0.12-alpha. Fixes bug 805.
-      Spotted by rovv.
-    - Avoid some nasty corner cases in the logic for marking connections
-      as too old or obsolete or noncanonical for circuits. Partial
-      bugfix on bug 891.
-    - Fix another interesting corner-case of bug 891 spotted by rovv:
-      Previously, if two hosts had different amounts of clock drift, and
-      one of them created a new connection with just the wrong timing,
-      the other might decide to deprecate the new connection erroneously.
-      Bugfix on 0.1.1.13-alpha.
-    - If one win32 nameserver fails to get added, continue adding the
-      rest, and don't automatically fail.
-    - Fix a bug where an unreachable relay would establish enough
-      reachability testing circuits to do a bandwidth test -- if
-      we already have a connection to the middle hop of the testing
-      circuit, then it could establish the last hop by using the existing
-      connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
-      circuits no longer use entry guards in 0.2.1.3-alpha.
-
-  o Minor bugfixes (directory authorities):
-    - Limit uploaded directory documents to be 16M rather than 500K.
-      The directory authorities were refusing v3 consensus votes from
-      other authorities, since the votes are now 504K. Fixes bug 959;
-      bugfix on 0.0.2pre17 (where we raised it from 50K to 500K ;).
-    - Directory authorities should never send a 503 "busy" response to
-      requests for votes or keys. Bugfix on 0.2.0.8-alpha; exposed by
-      bug 959.
-    - Fix code so authorities _actually_ send back X-Descriptor-Not-New
-      headers. Bugfix on 0.2.0.10-alpha.
-
-  o Minor bugfixes (hidden services):
-    - When we can't find an intro key for a v2 hidden service descriptor,
-      fall back to the v0 hidden service descriptor and log a bug message.
-      Workaround for bug 1024.
-    - In very rare situations new hidden service descriptors were
-      published earlier than 30 seconds after the last change to the
-      service. (We currently think that a hidden service descriptor
-      that's been stable for 30 seconds is worth publishing.)
-    - If a hidden service sends us an END cell, do not consider
-      retrying the connection; just close it. Patch from rovv.
-    - If we are not using BEGIN_DIR cells, don't attempt to contact hidden
-      service directories if they have no advertised dir port. Bugfix
-      on 0.2.0.10-alpha.
-
-  o Minor bugfixes (tools):
-    - In the torify(1) manpage, mention that tsocks will leak your
-      DNS requests.
-
-  o Minor bugfixes (controllers):
-    - If the controller claimed responsibility for a stream, but that
-      stream never finished making its connection, it would live
-      forever in circuit_wait state. Now we close it after SocksTimeout
-      seconds. Bugfix on 0.1.2.7-alpha; reported by Mike Perry.
-    - Make DNS resolved controller events into "CLOSED", not
-      "FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
-      bug 807.
-    - The control port would close the connection before flushing long
-      replies, such as the network consensus, if a QUIT command was issued
-      before the reply had completed. Now, the control port flushes all
-      pending replies before closing the connection. Also fix a spurious
-      warning when a QUIT command is issued after a malformed or rejected
-      AUTHENTICATE command, but before the connection was closed. Patch
-      by Marcus Griep. Fixes bugs 1015 and 1016.
-    - Fix a bug that made stream bandwidth get misreported to the
-      controller.
-
-  o Deprecated and removed features:
-    - The old "tor --version --version" command, which would print out
-      the subversion "Id" of most of the source files, is now removed. It
-      turned out to be less useful than we'd expected, and harder to
-      maintain.
-    - RedirectExits has been removed. It was deprecated since
-      0.2.0.3-alpha.
-    - Finally remove deprecated "EXTENDED_FORMAT" controller feature. It
-      has been called EXTENDED_EVENTS since 0.1.2.4-alpha.
-    - Cell pools are now always enabled; --disable-cell-pools is ignored.
-    - Directory mirrors no longer fetch the v1 directory or
-      running-routers files. They are obsolete, and nobody asks for them
-      anymore. This is the first step to making v1 authorities obsolete.
-    - Take out the TestVia config option, since it was a workaround for
-      a bug that was fixed in Tor 0.1.1.21.
-    - Mark RendNodes, RendExcludeNodes, HiddenServiceNodes, and
-      HiddenServiceExcludeNodes as obsolete: they never worked properly,
-      and nobody seems to be using them. Fixes bug 754. Bugfix on
-      0.1.0.1-rc. Patch from Christian Wilms.
-    - Remove all backward-compatibility code for relays running
-      versions of Tor so old that they no longer work at all on the
-      Tor network.
-
-  o Code simplifications and refactoring:
-    - Tool-assisted documentation cleanup. Nearly every function or
-      static variable in Tor should have its own documentation now.
-    - Rename the confusing or_is_obsolete field to the more appropriate
-      is_bad_for_new_circs, and move it to or_connection_t where it
-      belongs.
-    - Move edge-only flags from connection_t to edge_connection_t: not
-      only is this better coding, but on machines of plausible alignment,
-      it should save 4-8 bytes per connection_t. "Every little bit helps."
-    - Rename ServerDNSAllowBrokenResolvConf to ServerDNSAllowBrokenConfig
-      for consistency; keep old option working for backward compatibility.
-    - Simplify the code for finding connections to use for a circuit.
-    - Revise the connection_new functions so that a more typesafe variant
-      exists. This will work better with Coverity, and let us find any
-      actual mistakes we're making here.
-    - Refactor unit testing logic so that dmalloc can be used sensibly
-      with unit tests to check for memory leaks.
-    - Move all hidden-service related fields from connection and circuit
-      structure to substructures: this way they won't eat so much memory.
-    - Squeeze 2-5% out of client performance (according to oprofile) by
-      improving the implementation of some policy-manipulation functions.
-    - Change the implementation of ExcludeNodes and ExcludeExitNodes to
-      be more efficient. Formerly it was quadratic in the number of
-      servers; now it should be linear. Fixes bug 509.
-    - Save 16-22 bytes per open circuit by moving the n_addr, n_port,
-      and n_conn_id_digest fields into a separate structure that's
-      only needed when the circuit has not yet attached to an n_conn.
-    - Optimize out calls to time(NULL) that occur for every IO operation,
-      or for every cell. On systems like Windows where time() is a
-      slow syscall, this fix will be slightly helpful.
-
-
-Changes in version 0.2.0.35 - 2009-06-24
-  o Security fix:
-    - Avoid crashing in the presence of certain malformed descriptors.
-      Found by lark, and by automated fuzzing.
-    - Fix an edge case where a malicious exit relay could convince a
-      controller that the client's DNS question resolves to an internal IP
-      address. Bug found and fixed by "optimist"; bugfix on 0.1.2.8-beta.
-
-  o Major bugfixes:
-    - Finally fix the bug where dynamic-IP relays disappear when their
-      IP address changes: directory mirrors were mistakenly telling
-      them their old address if they asked via begin_dir, so they
-      never got an accurate answer about their new address, so they
-      just vanished after a day. For belt-and-suspenders, relays that
-      don't set Address in their config now avoid using begin_dir for
-      all direct connections. Should fix bugs 827, 883, and 900.
-    - Fix a timing-dependent, allocator-dependent, DNS-related crash bug
-      that would occur on some exit nodes when DNS failures and timeouts
-      occurred in certain patterns. Fix for bug 957.
-
-  o Minor bugfixes:
-    - When starting with a cache over a few days old, do not leak
-      memory for the obsolete router descriptors in it. Bugfix on
-      0.2.0.33; fixes bug 672.
-    - Hidden service clients didn't use a cached service descriptor that
-      was older than 15 minutes, but wouldn't fetch a new one either,
-      because there was already one in the cache. Now, fetch a v2
-      descriptor unless the same descriptor was added to the cache within
-      the last 15 minutes. Fixes bug 997; reported by Marcus Griep.
-
-
-Changes in version 0.2.0.34 - 2009-02-08
-  Tor 0.2.0.34 features several more security-related fixes. You should
-  upgrade, especially if you run an exit relay (remote crash) or a
-  directory authority (remote infinite loop), or you're on an older
-  (pre-XP) or not-recently-patched Windows (remote exploit).
-
-  This release marks end-of-life for Tor 0.1.2.x. Those Tor versions
-  have many known flaws, and nobody should be using them. You should
-  upgrade. If you're using a Linux or BSD and its packages are obsolete,
-  stop using those packages and upgrade anyway.
-
-  o Security fixes:
-    - Fix an infinite-loop bug on handling corrupt votes under certain
-      circumstances. Bugfix on 0.2.0.8-alpha.
-    - Fix a temporary DoS vulnerability that could be performed by
-      a directory mirror. Bugfix on 0.2.0.9-alpha; reported by lark.
-    - Avoid a potential crash on exit nodes when processing malformed
-      input. Remote DoS opportunity. Bugfix on 0.2.0.33.
-    - Do not accept incomplete ipv4 addresses (like 192.168.0) as valid.
-      Spec conformance issue. Bugfix on Tor 0.0.2pre27.
-
-  o Minor bugfixes:
-    - Fix compilation on systems where time_t is a 64-bit integer.
-      Patch from Matthias Drochner.
-    - Don't consider expiring already-closed client connections. Fixes
-      bug 893. Bugfix on 0.0.2pre20.
-
-
-Changes in version 0.2.0.33 - 2009-01-21
-  Tor 0.2.0.33 fixes a variety of bugs that were making relays less
-  useful to users. It also finally fixes a bug where a relay or client
-  that's been off for many days would take a long time to bootstrap.
-
-  This update also fixes an important security-related bug reported by
-  Ilja van Sprundel. You should upgrade. (We'll send out more details
-  about the bug once people have had some time to upgrade.)
-
-  o Security fixes:
-    - Fix a heap-corruption bug that may be remotely triggerable on
-      some platforms. Reported by Ilja van Sprundel.
-
-  o Major bugfixes:
-    - When a stream at an exit relay is in state "resolving" or
-      "connecting" and it receives an "end" relay cell, the exit relay
-      would silently ignore the end cell and not close the stream. If
-      the client never closes the circuit, then the exit relay never
-      closes the TCP connection. Bug introduced in Tor 0.1.2.1-alpha;
-      reported by "wood".
-    - When sending CREATED cells back for a given circuit, use a 64-bit
-      connection ID to find the right connection, rather than an addr:port
-      combination. Now that we can have multiple OR connections between
-      the same ORs, it is no longer possible to use addr:port to uniquely
-      identify a connection.
-    - Bridge relays that had DirPort set to 0 would stop fetching
-      descriptors shortly after startup, and then briefly resume
-      after a new bandwidth test and/or after publishing a new bridge
-      descriptor. Bridge users that try to bootstrap from them would
-      get a recent networkstatus but would get descriptors from up to
-      18 hours earlier, meaning most of the descriptors were obsolete
-      already. Reported by Tas; bugfix on 0.2.0.13-alpha.
-    - Prevent bridge relays from serving their 'extrainfo' document
-      to anybody who asks, now that extrainfo docs include potentially
-      sensitive aggregated client geoip summaries. Bugfix on
-      0.2.0.13-alpha.
-    - If the cached networkstatus consensus is more than five days old,
-      discard it rather than trying to use it. In theory it could be
-      useful because it lists alternate directory mirrors, but in practice
-      it just means we spend many minutes trying directory mirrors that
-      are long gone from the network. Also discard router descriptors as
-      we load them if they are more than five days old, since the onion
-      key is probably wrong by now. Bugfix on 0.2.0.x. Fixes bug 887.
-
-  o Minor bugfixes:
-    - Do not mark smartlist_bsearch_idx() function as ATTR_PURE. This bug
-      could make gcc generate non-functional binary search code. Bugfix
-      on 0.2.0.10-alpha.
-    - Build correctly on platforms without socklen_t.
-    - Compile without warnings on solaris.
-    - Avoid potential crash on internal error during signature collection.
-      Fixes bug 864. Patch from rovv.
-    - Correct handling of possible malformed authority signing key
-      certificates with internal signature types. Fixes bug 880.
-      Bugfix on 0.2.0.3-alpha.
-    - Fix a hard-to-trigger resource leak when logging credential status.
-      CID 349.
-    - When we can't initialize DNS because the network is down, do not
-      automatically stop Tor from starting. Instead, we retry failed
-      dns_init() every 10 minutes, and change the exit policy to reject
-      *:* until one succeeds. Fixes bug 691.
-    - Use 64 bits instead of 32 bits for connection identifiers used with
-      the controller protocol, to greatly reduce risk of identifier reuse.
-    - When we're choosing an exit node for a circuit, and we have
-      no pending streams, choose a good general exit rather than one that
-      supports "all the pending streams". Bugfix on 0.1.1.x. Fix by rovv.
-    - Fix another case of assuming, when a specific exit is requested,
-      that we know more than the user about what hosts it allows.
-      Fixes one case of bug 752. Patch from rovv.
-    - Clip the MaxCircuitDirtiness config option to a minimum of 10
-      seconds. Warn the user if lower values are given in the
-      configuration. Bugfix on 0.1.0.1-rc. Patch by Sebastian.
-    - Clip the CircuitBuildTimeout to a minimum of 30 seconds. Warn the
-      user if lower values are given in the configuration. Bugfix on
-      0.1.1.17-rc. Patch by Sebastian.
-    - Fix a memory leak when we decline to add a v2 rendezvous descriptor to
-      the cache because we already had a v0 descriptor with the same ID.
-      Bugfix on 0.2.0.18-alpha.
-    - Fix a race condition when freeing keys shared between main thread
-      and CPU workers that could result in a memory leak. Bugfix on
-      0.1.0.1-rc. Fixes bug 889.
-    - Send a valid END cell back when a client tries to connect to a
-      nonexistent hidden service port. Bugfix on 0.1.2.15. Fixes bug
-      840. Patch from rovv.
-    - Check which hops rendezvous stream cells are associated with to
-      prevent possible guess-the-streamid injection attacks from
-      intermediate hops. Fixes another case of bug 446. Based on patch
-      from rovv.
-    - If a broken client asks a non-exit router to connect somewhere,
-      do not even do the DNS lookup before rejecting the connection.
-      Fixes another case of bug 619. Patch from rovv.
-    - When a relay gets a create cell it can't decrypt (e.g. because it's
-      using the wrong onion key), we were dropping it and letting the
-      client time out. Now actually answer with a destroy cell. Fixes
-      bug 904. Bugfix on 0.0.2pre8.
-
-  o Minor bugfixes (hidden services):
-    - Do not throw away existing introduction points on SIGHUP. Bugfix on
-      0.0.6pre1. Patch by Karsten. Fixes bug 874.
-
-  o Minor features:
-    - Report the case where all signatures in a detached set are rejected
-      differently than the case where there is an error handling the
-      detached set.
-    - When we realize that another process has modified our cached
-      descriptors, print out a more useful error message rather than
-      triggering an assertion. Fixes bug 885. Patch from Karsten.
-    - Implement the 0x20 hack to better resist DNS poisoning: set the
-      case on outgoing DNS requests randomly, and reject responses that do
-      not match the case correctly. This logic can be disabled with the
-      ServerDNSRamdomizeCase setting, if you are using one of the 0.3%
-      of servers that do not reliably preserve case in replies. See
-      "Increased DNS Forgery Resistance through 0x20-Bit Encoding"
-      for more info.
-    - Check DNS replies for more matching fields to better resist DNS
-      poisoning.
-    - Never use OpenSSL compression: it wastes RAM and CPU trying to
-      compress cells, which are basically all encrypted, compressed, or
-      both.
-
-
-Changes in version 0.2.0.32 - 2008-11-20
-  Tor 0.2.0.32 fixes a major security problem in Debian and Ubuntu
-  packages (and maybe other packages) noticed by Theo de Raadt, fixes
-  a smaller security flaw that might allow an attacker to access local
-  services, further improves hidden service performance, and fixes a
-  variety of other issues.
-
-  o Security fixes:
-    - The "User" and "Group" config options did not clear the
-      supplementary group entries for the Tor process. The "User" option
-      is now more robust, and we now set the groups to the specified
-      user's primary group. The "Group" option is now ignored. For more
-      detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
-      in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
-      and Steven Murdoch. Bugfix on 0.0.2pre14. Fixes bug 848 and 857.
-    - The "ClientDNSRejectInternalAddresses" config option wasn't being
-      consistently obeyed: if an exit relay refuses a stream because its
-      exit policy doesn't allow it, we would remember what IP address
-      the relay said the destination address resolves to, even if it's
-      an internal IP address. Bugfix on 0.2.0.7-alpha; patch by rovv.
-
-  o Major bugfixes:
-    - Fix a DOS opportunity during the voting signature collection process
-      at directory authorities. Spotted by rovv. Bugfix on 0.2.0.x.
-
-  o Major bugfixes (hidden services):
-    - When fetching v0 and v2 rendezvous service descriptors in parallel,
-      we were failing the whole hidden service request when the v0
-      descriptor fetch fails, even if the v2 fetch is still pending and
-      might succeed. Similarly, if the last v2 fetch fails, we were
-      failing the whole hidden service request even if a v0 fetch is
-      still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
-    - When extending a circuit to a hidden service directory to upload a
-      rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
-      requests failed, because the router descriptor has not been
-      downloaded yet. In these cases, do not attempt to upload the
-      rendezvous descriptor, but wait until the router descriptor is
-      downloaded and retry. Likewise, do not attempt to fetch a rendezvous
-      descriptor from a hidden service directory for which the router
-      descriptor has not yet been downloaded. Fixes bug 767. Bugfix
-      on 0.2.0.10-alpha.
-
-  o Minor bugfixes:
-    - Fix several infrequent memory leaks spotted by Coverity.
-    - When testing for libevent functions, set the LDFLAGS variable
-      correctly. Found by Riastradh.
-    - Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
-      bootstrapping with tunneled directory connections. Bugfix on
-      0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
-    - When asked to connect to A.B.exit:80, if we don't know the IP for A
-      and we know that server B rejects most-but-not all connections to
-      port 80, we would previously reject the connection. Now, we assume
-      the user knows what they were asking for. Fixes bug 752. Bugfix
-      on 0.0.9rc5. Diagnosed by BarkerJr.
-    - If we overrun our per-second write limits a little, count this as
-      having used up our write allocation for the second, and choke
-      outgoing directory writes. Previously, we had only counted this when
-      we had met our limits precisely. Fixes bug 824. Patch from by rovv.
-      Bugfix on 0.2.0.x (??).
-    - Remove the old v2 directory authority 'lefkada' from the default
-      list. It has been gone for many months.
-    - Stop doing unaligned memory access that generated bus errors on
-      sparc64. Bugfix on 0.2.0.10-alpha. Fixes bug 862.
-    - Make USR2 log-level switch take effect immediately. Bugfix on
-      0.1.2.8-beta.
-
-  o Minor bugfixes (controller):
-    - Make DNS resolved events into "CLOSED", not "FAILED". Bugfix on
-      0.1.2.5-alpha. Fix by Robert Hogan. Resolves bug 807.
-
-
-Changes in version 0.2.0.31 - 2008-09-03
-  Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
-  a big bug we're seeing where in rare cases traffic from one Tor stream
-  gets mixed into another stream, and fixes a variety of smaller issues.
-
-  o Major bugfixes:
-    - Make sure that two circuits can never exist on the same connection
-      with the same circuit ID, even if one is marked for close. This
-      is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
-    - Relays now reject risky extend cells: if the extend cell includes
-      a digest of all zeroes, or asks to extend back to the relay that
-      sent the extend cell, tear down the circuit. Ideas suggested
-      by rovv.
-    - If not enough of our entry guards are available so we add a new
-      one, we might use the new one even if it overlapped with the
-      current circuit's exit relay (or its family). Anonymity bugfix
-      pointed out by rovv.
-
-  o Minor bugfixes:
-    - Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
-      794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
-    - Correctly detect the presence of the linux/netfilter_ipv4.h header
-      when building against recent kernels. Bugfix on 0.1.2.1-alpha.
-    - Pick size of default geoip filename string correctly on windows.
-      Fixes bug 806. Bugfix on 0.2.0.30.
-    - Make the autoconf script accept the obsolete --with-ssl-dir
-      option as an alias for the actually-working --with-openssl-dir
-      option. Fix the help documentation to recommend --with-openssl-dir.
-      Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
-    - When using the TransPort option on OpenBSD, and using the User
-      option to change UID and drop privileges, make sure to open
-      /dev/pf before dropping privileges. Fixes bug 782. Patch from
-      Christopher Davis. Bugfix on 0.1.2.1-alpha.
-    - Try to attach connections immediately upon receiving a RENDEZVOUS2
-      or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
-      on the client side when connecting to a hidden service. Bugfix
-      on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
-    - When closing an application-side connection because its circuit is
-      getting torn down, generate the stream event correctly. Bugfix on
-      0.1.2.x. Anonymous patch.
-
-
-Changes in version 0.2.0.30 - 2008-07-15
-  This new stable release switches to a more efficient directory
-  distribution design, adds features to make connections to the Tor
-  network harder to block, allows Tor to act as a DNS proxy, adds separate
-  rate limiting for relayed traffic to make it easier for clients to
-  become relays, fixes a variety of potential anonymity problems, and
-  includes the usual huge pile of other features and bug fixes.
-
-  o New v3 directory design:
-    - Tor now uses a new way to learn about and distribute information
-      about the network: the directory authorities vote on a common
-      network status document rather than each publishing their own
-      opinion. Now clients and caches download only one networkstatus
-      document to bootstrap, rather than downloading one for each
-      authority. Clients only download router descriptors listed in
-      the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
-      for details.
-    - Set up moria1, tor26, and dizum as v3 directory authorities
-      in addition to being v2 authorities. Also add three new ones:
-      ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
-      dannenberg (run by CCC).
-    - Switch to multi-level keys for directory authorities: now their
-      long-term identity key can be kept offline, and they periodically
-      generate a new signing key. Clients fetch the "key certificates"
-      to keep up to date on the right keys. Add a standalone tool
-      "tor-gencert" to generate key certificates. Implements proposal 103.
-    - Add a new V3AuthUseLegacyKey config option to make it easier for
-      v3 authorities to change their identity keys if another bug like
-      Debian's OpenSSL RNG flaw appears.
-    - Authorities and caches fetch the v2 networkstatus documents
-      less often, now that v3 is recommended.
-
-  o Make Tor connections stand out less on the wire:
-    - Use an improved TLS handshake designed by Steven Murdoch in proposal
-      124, as revised in proposal 130. The new handshake is meant to
-      be harder for censors to fingerprint, and it adds the ability
-      to detect certain kinds of man-in-the-middle traffic analysis
-      attacks. The new handshake format includes version negotiation for
-      OR connections as described in proposal 105, which will allow us
-      to improve Tor's link protocol more safely in the future.
-    - Enable encrypted directory connections by default for non-relays,
-      so censor tools that block Tor directory connections based on their
-      plaintext patterns will no longer work. This means Tor works in
-      certain censored countries by default again.
-    - Stop including recognizeable strings in the commonname part of
-      Tor's x509 certificates.
-
-  o Implement bridge relays:
-    - Bridge relays (or "bridges" for short) are Tor relays that aren't
-      listed in the main Tor directory. Since there is no complete public
-      list of them, even an ISP that is filtering connections to all the
-      known Tor relays probably won't be able to block all the bridges.
-      See doc/design-paper/blocking.pdf and proposal 125 for details.
-    - New config option BridgeRelay that specifies you want to be a
-      bridge relay rather than a normal relay. When BridgeRelay is set
-      to 1, then a) you cache dir info even if your DirPort ins't on,
-      and b) the default for PublishServerDescriptor is now "bridge"
-      rather than "v2,v3".
-    - New config option "UseBridges 1" for clients that want to use bridge
-      relays instead of ordinary entry guards. Clients then specify
-      bridge relays by adding "Bridge" lines to their config file. Users
-      can learn about a bridge relay either manually through word of
-      mouth, or by one of our rate-limited mechanisms for giving out
-      bridge addresses without letting an attacker easily enumerate them
-      all. See https://www.torproject.org/bridges for details.
-    - Bridge relays behave like clients with respect to time intervals
-      for downloading new v3 consensus documents -- otherwise they
-      stand out. Bridge users now wait until the end of the interval,
-      so their bridge relay will be sure to have a new consensus document.
-
-  o Implement bridge directory authorities:
-    - Bridge authorities are like normal directory authorities, except
-      they don't serve a list of known bridges. Therefore users that know
-      a bridge's fingerprint can fetch a relay descriptor for that bridge,
-      including fetching updates e.g. if the bridge changes IP address,
-      yet an attacker can't just fetch a list of all the bridges.
-    - Set up Tonga as the default bridge directory authority.
-    - Bridge authorities refuse to serve bridge descriptors or other
-      bridge information over unencrypted connections (that is, when
-      responding to direct DirPort requests rather than begin_dir cells.)
-    - Bridge directory authorities do reachability testing on the
-      bridges they know. They provide router status summaries to the
-      controller via "getinfo ns/purpose/bridge", and also dump summaries
-      to a file periodically, so we can keep internal stats about which
-      bridges are functioning.
-    - If bridge users set the UpdateBridgesFromAuthority config option,
-      but the digest they ask for is a 404 on the bridge authority,
-      they fall back to contacting the bridge directly.
-    - Bridges always use begin_dir to publish their server descriptor to
-      the bridge authority using an anonymous encrypted tunnel.
-    - Early work on a "bridge community" design: if bridge authorities set
-      the BridgePassword config option, they will serve a snapshot of
-      known bridge routerstatuses from their DirPort to anybody who
-      knows that password. Unset by default.
-    - Tor now includes an IP-to-country GeoIP file, so bridge relays can
-      report sanitized aggregated summaries in their extra-info documents
-      privately to the bridge authority, listing which countries are
-      able to reach them. We hope this mechanism will let us learn when
-      certain countries start trying to block bridges.
-    - Bridge authorities write bridge descriptors to disk, so they can
-      reload them after a reboot. They can also export the descriptors
-      to other programs, so we can distribute them to blocked users via
-      the BridgeDB interface, e.g. via https://bridges.torproject.org/
-      and bridges@xxxxxxxxxxxxxxx
-
-  o Tor can be a DNS proxy:
-    - The new client-side DNS proxy feature replaces the need for
-      dns-proxy-tor: Just set "DNSPort 9999", and Tor will now listen
-      for DNS requests on port 9999, use the Tor network to resolve them
-      anonymously, and send the reply back like a regular DNS server.
-      The code still only implements a subset of DNS.
-    - Add a new AutomapHostsOnResolve option: when it is enabled, any
-      resolve request for hosts matching a given pattern causes Tor to
-      generate an internal virtual address mapping for that host. This
-      allows DNSPort to work sensibly with hidden service users. By
-      default, .exit and .onion addresses are remapped; the list of
-      patterns can be reconfigured with AutomapHostsSuffixes.
-    - Add an "-F" option to tor-resolve to force a resolve for a .onion
-      address. Thanks to the AutomapHostsOnResolve option, this is no
-      longer a completely silly thing to do.
-
-  o Major features (relay usability):
-    - New config options RelayBandwidthRate and RelayBandwidthBurst:
-      a separate set of token buckets for relayed traffic. Right now
-      relayed traffic is defined as answers to directory requests, and
-      OR connections that don't have any local circuits on them. See
-      proposal 111 for details.
-    - Create listener connections before we setuid to the configured
-      User and Group. Now non-Windows users can choose port values
-      under 1024, start Tor as root, and have Tor bind those ports
-      before it changes to another UID. (Windows users could already
-      pick these ports.)
-    - Added a new ConstrainedSockets config option to set SO_SNDBUF and
-      SO_RCVBUF on TCP sockets. Hopefully useful for Tor servers running
-      on "vserver" accounts. Patch from coderman.
-
-  o Major features (directory authorities):
-    - Directory authorities track weighted fractional uptime and weighted
-      mean-time-between failures for relays. WFU is suitable for deciding
-      whether a node is "usually up", while MTBF is suitable for deciding
-      whether a node is "likely to stay up." We need both, because
-      "usually up" is a good requirement for guards, while "likely to
-      stay up" is a good requirement for long-lived connections.
-    - Directory authorities use a new formula for selecting which relays
-      to advertise as Guards: they must be in the top 7/8 in terms of
-      how long we have known about them, and above the median of those
-      nodes in terms of weighted fractional uptime.
-    - Directory authorities use a new formula for selecting which relays
-      to advertise as Stable: when we have 4 or more days of data, use
-      median measured MTBF rather than median declared uptime. Implements
-      proposal 108.
-    - Directory authorities accept and serve "extra info" documents for
-      routers. Routers now publish their bandwidth-history lines in the
-      extra-info docs rather than the main descriptor. This step saves
-      60% (!) on compressed router descriptor downloads. Servers upload
-      extra-info docs to any authority that accepts them; directory
-      authorities now allow multiple router descriptors and/or extra
-      info documents to be uploaded in a single go. Authorities, and
-      caches that have been configured to download extra-info documents,
-      download them as needed. Implements proposal 104.
-    - Authorities now list relays who have the same nickname as
-      a different named relay, but list them with a new flag:
-      "Unnamed". Now we can make use of relays that happen to pick the
-      same nickname as a server that registered two years ago and then
-      disappeared. Implements proposal 122.
-    - Store routers in a file called cached-descriptors instead of in
-      cached-routers. Initialize cached-descriptors from cached-routers
-      if the old format is around. The new format allows us to store
-      annotations along with descriptors, to record the time we received
-      each descriptor, its source, and its purpose: currently one of
-      general, controller, or bridge.
-
-  o Major features (other):
-    - New config options WarnPlaintextPorts and RejectPlaintextPorts so
-      Tor can warn and/or refuse connections to ports commonly used with
-      vulnerable-plaintext protocols. Currently we warn on ports 23,
-      109, 110, and 143, but we don't reject any. Based on proposal 129
-      by Kevin Bauer and Damon McCoy.
-    - Integrate Karsten Loesing's Google Summer of Code project to publish
-      hidden service descriptors on a set of redundant relays that are a
-      function of the hidden service address. Now we don't have to rely
-      on three central hidden service authorities for publishing and
-      fetching every hidden service descriptor. Implements proposal 114.
-    - Allow tunnelled directory connections to ask for an encrypted
-      "begin_dir" connection or an anonymized "uses a full Tor circuit"
-      connection independently. Now we can make anonymized begin_dir
-      connections for (e.g.) more secure hidden service posting and
-      fetching.
-
-  o Major bugfixes (crashes and assert failures):
-    - Stop imposing an arbitrary maximum on the number of file descriptors
-      used for busy servers. Bug reported by Olaf Selke; patch from
-      Sebastian Hahn.
-    - Avoid possible failures when generating a directory with routers
-      with over-long versions strings, or too many flags set.
-    - Fix a rare assert error when we're closing one of our threads:
-      use a mutex to protect the list of logs, so we never write to the
-      list as it's being freed. Fixes the very rare bug 575, which is
-      kind of the revenge of bug 222.
-    - Avoid segfault in the case where a badly behaved v2 versioning
-      directory sends a signed networkstatus with missing client-versions.
-    - When we hit an EOF on a log (probably because we're shutting down),
-      don't try to remove the log from the list: just mark it as
-      unusable. (Bulletproofs against bug 222.)
-
-  o Major bugfixes (code security fixes):
-    - Detect size overflow in zlib code. Reported by Justin Ferguson and
-      Dan Kaminsky.
-    - Rewrite directory tokenization code to never run off the end of
-      a string. Fixes bug 455. Patch from croup.
-    - Be more paranoid about overwriting sensitive memory on free(),
-      as a defensive programming tactic to ensure forward secrecy.
-
-  o Major bugfixes (anonymity fixes):
-    - Reject requests for reverse-dns lookup of names that are in
-      a private address space. Patch from lodger.
-    - Never report that we've used more bandwidth than we're willing to
-      relay: it leaks how much non-relay traffic we're using. Resolves
-      bug 516.
-    - As a client, do not believe any server that tells us that an
-      address maps to an internal address space.
-    - Warn about unsafe ControlPort configurations.
-    - Directory authorities now call routers Fast if their bandwidth is
-      at least 100KB/s, and consider their bandwidth adequate to be a
-      Guard if it is at least 250KB/s, no matter the medians. This fix
-      complements proposal 107.
-    - Directory authorities now never mark more than 2 servers per IP as
-      Valid and Running (or 5 on addresses shared by authorities).
-      Implements proposal 109, by Kevin Bauer and Damon McCoy.
-    - If we're a relay, avoid picking ourselves as an introduction point,
-      a rendezvous point, or as the final hop for internal circuits. Bug
-      reported by taranis and lodger.
-    - Exit relays that are used as a client can now reach themselves
-      using the .exit notation, rather than just launching an infinite
-      pile of circuits. Fixes bug 641. Reported by Sebastian Hahn.
-    - Fix a bug where, when we were choosing the 'end stream reason' to
-      put in our relay end cell that we send to the exit relay, Tor
-      clients on Windows were sometimes sending the wrong 'reason'. The
-      anonymity problem is that exit relays may be able to guess whether
-      the client is running Windows, thus helping partition the anonymity
-      set. Down the road we should stop sending reasons to exit relays,
-      or otherwise prevent future versions of this bug.
-    - Only update guard status (usable / not usable) once we have
-      enough directory information. This was causing us to discard all our
-      guards on startup if we hadn't been running for a few weeks. Fixes
-      bug 448.
-    - When our directory information has been expired for a while, stop
-      being willing to build circuits using it. Fixes bug 401.
-
-  o Major bugfixes (peace of mind for relay operators)
-    - Non-exit relays no longer answer "resolve" relay cells, so they
-      can't be induced to do arbitrary DNS requests. (Tor clients already
-      avoid using non-exit relays for resolve cells, but now servers
-      enforce this too.) Fixes bug 619. Patch from lodger.
-    - When we setconf ClientOnly to 1, close any current OR and Dir
-      listeners. Reported by mwenge.
-
-  o Major bugfixes (other):
-    - If we only ever used Tor for hidden service lookups or posts, we
-      would stop building circuits and start refusing connections after
-      24 hours, since we falsely believed that Tor was dormant. Reported
-      by nwf.
-    - Add a new __HashedControlSessionPassword option for controllers
-      to use for one-off session password hashes that shouldn't get
-      saved to disk by SAVECONF --- Vidalia users were accumulating a
-      pile of HashedControlPassword lines in their torrc files, one for
-      each time they had restarted Tor and then clicked Save. Make Tor
-      automatically convert "HashedControlPassword" to this new option but
-      only when it's given on the command line. Partial fix for bug 586.
-    - Patch from "Andrew S. Lists" to catch when we contact a directory
-      mirror at IP address X and he says we look like we're coming from
-      IP address X. Otherwise this would screw up our address detection.
-    - Reject uploaded descriptors and extrainfo documents if they're
-      huge. Otherwise we'll cache them all over the network and it'll
-      clog everything up. Suggested by Aljosha Judmayer.
-    - When a hidden service was trying to establish an introduction point,
-      and Tor *did* manage to reuse one of the preemptively built
-      circuits, it didn't correctly remember which one it used,
-      so it asked for another one soon after, until there were no
-      more preemptive circuits, at which point it launched one from
-      scratch. Bugfix on 0.0.9.x.
-
-  o Rate limiting and load balancing improvements:
-    - When we add data to a write buffer in response to the data on that
-      write buffer getting low because of a flush, do not consider the
-      newly added data as a candidate for immediate flushing, but rather
-      make it wait until the next round of writing. Otherwise, we flush
-      and refill recursively, and a single greedy TLS connection can
-      eat all of our bandwidth.
-    - When counting the number of bytes written on a TLS connection,
-      look at the BIO actually used for writing to the network, not
-      at the BIO used (sometimes) to buffer data for the network.
-      Looking at different BIOs could result in write counts on the
-      order of ULONG_MAX. Fixes bug 614.
-    - If we change our MaxAdvertisedBandwidth and then reload torrc,
-      Tor won't realize it should publish a new relay descriptor. Fixes
-      bug 688, reported by mfr.
-    - Avoid using too little bandwidth when our clock skips a few seconds.
-    - Choose which bridge to use proportional to its advertised bandwidth,
-      rather than uniformly at random. This should speed up Tor for
-      bridge users. Also do this for people who set StrictEntryNodes.
-
-  o Bootstrapping faster and building circuits more intelligently:
-    - Fix bug 660 that was preventing us from knowing that we should
-      preemptively build circuits to handle expected directory requests.
-    - When we're checking if we have enough dir info for each relay
-      to begin establishing circuits, make sure that we actually have
-      the descriptor listed in the consensus, not just any descriptor.
-    - Correctly notify one-hop connections when a circuit build has
-      failed. Possible fix for bug 669. Found by lodger.
-    - Clients now hold circuitless TLS connections open for 1.5 times
-      MaxCircuitDirtiness (15 minutes), since it is likely that they'll
-      rebuild a new circuit over them within that timeframe. Previously,
-      they held them open only for KeepalivePeriod (5 minutes).
-
-  o Performance improvements (memory):
-    - Add OpenBSD malloc code from "phk" as an optional malloc
-      replacement on Linux: some glibc libraries do very poorly with
-      Tor's memory allocation patterns. Pass --enable-openbsd-malloc to
-      ./configure to get the replacement malloc code.
-    - Switch our old ring buffer implementation for one more like that
-      used by free Unix kernels. The wasted space in a buffer with 1mb
-      of data will now be more like 8k than 1mb. The new implementation
-      also avoids realloc();realloc(); patterns that can contribute to
-      memory fragmentation.
-    - Change the way that Tor buffers data that it is waiting to write.
-      Instead of queueing data cells in an enormous ring buffer for each
-      client->OR or OR->OR connection, we now queue cells on a separate
-      queue for each circuit. This lets us use less slack memory, and
-      will eventually let us be smarter about prioritizing different kinds
-      of traffic.
-    - Reference-count and share copies of address policy entries; only 5%
-      of them were actually distinct.
-    - Tune parameters for cell pool allocation to minimize amount of
-      RAM overhead used.
-    - Keep unused 4k and 16k buffers on free lists, rather than wasting 8k
-      for every single inactive connection_t. Free items from the
-      4k/16k-buffer free lists when they haven't been used for a while.
-    - Make memory debugging information describe more about history
-      of cell allocation, so we can help reduce our memory use.
-    - Be even more aggressive about releasing RAM from small
-      empty buffers. Thanks to our free-list code, this shouldn't be too
-      performance-intensive.
-    - Log malloc statistics from mallinfo() on platforms where it exists.
-    - Use memory pools to allocate cells with better speed and memory
-      efficiency, especially on platforms where malloc() is inefficient.
-    - Add a --with-tcmalloc option to the configure script to link
-      against tcmalloc (if present). Does not yet search for non-system
-      include paths.
-
-  o Performance improvements (socket management):
-    - Count the number of open sockets separately from the number of
-      active connection_t objects. This will let us avoid underusing
-      our allocated connection limit.
-    - We no longer use socket pairs to link an edge connection to an
-      anonymous directory connection or a DirPort test connection.
-      Instead, we track the link internally and transfer the data
-      in-process. This saves two sockets per "linked" connection (at the
-      client and at the server), and avoids the nasty Windows socketpair()
-      workaround.
-    - We were leaking a file descriptor if Tor started with a zero-length
-      cached-descriptors file. Patch by "freddy77".
-
-  o Performance improvements (CPU use):
-    - Never walk through the list of logs if we know that no log target
-      is interested in a given message.
-    - Call routerlist_remove_old_routers() much less often. This should
-      speed startup, especially on directory caches.
-    - Base64 decoding was actually showing up on our profile when parsing
-      the initial descriptor file; switch to an in-process all-at-once
-      implementation that's about 3.5x times faster than calling out to
-      OpenSSL.
-    - Use a slightly simpler string hashing algorithm (copying Python's
-      instead of Java's) and optimize our digest hashing algorithm to take
-      advantage of 64-bit platforms and to remove some possibly-costly
-      voodoo.
-    - When implementing AES counter mode, update only the portions of the
-      counter buffer that need to change, and don't keep separate
-      network-order and host-order counters on big-endian hosts (where
-      they are the same).
-    - Add an in-place version of aes_crypt() so that we can avoid doing a
-      needless memcpy() call on each cell payload.
-    - Use Critical Sections rather than Mutexes for synchronizing threads
-      on win32; Mutexes are heavier-weight, and designed for synchronizing
-      between processes.
-
-  o Performance improvements (bandwidth use):
-    - Don't try to launch new descriptor downloads quite so often when we
-      already have enough directory information to build circuits.
-    - Version 1 directories are no longer generated in full. Instead,
-      authorities generate and serve "stub" v1 directories that list
-      no servers. This will stop Tor versions 0.1.0.x and earlier from
-      working, but (for security reasons) nobody should be running those
-      versions anyway.
-    - Avoid going directly to the directory authorities even if you're a
-      relay, if you haven't found yourself reachable yet or if you've
-      decided not to advertise your dirport yet. Addresses bug 556.
-    - If we've gone 12 hours since our last bandwidth check, and we
-      estimate we have less than 50KB bandwidth capacity but we could
-      handle more, do another bandwidth test.
-    - Support "If-Modified-Since" when answering HTTP requests for
-      directories, running-routers documents, and v2 and v3 networkstatus
-      documents. (There's no need to support it for router descriptors,
-      since those are downloaded by descriptor digest.)
-    - Stop fetching directory info so aggressively if your DirPort is
-      on but your ORPort is off; stop fetching v2 dir info entirely.
-      You can override these choices with the new FetchDirInfoEarly
-      config option.
-
-  o Changed config option behavior (features):
-    - Configuration files now accept C-style strings as values. This
-      helps encode characters not allowed in the current configuration
-      file format, such as newline or #. Addresses bug 557.
-    - Add hidden services and DNSPorts to the list of things that make
-      Tor accept that it has running ports. Change starting Tor with no
-      ports from a fatal error to a warning; we might change it back if
-      this turns out to confuse anybody. Fixes bug 579.
-    - Make PublishServerDescriptor default to 1, so the default doesn't
-      have to change as we invent new directory protocol versions.
-    - Allow people to say PreferTunnelledDirConns rather than
-      PreferTunneledDirConns, for those alternate-spellers out there.
-    - Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
-      accommodate the growing number of servers that use the default
-      and are reaching it.
-    - Make it possible to enable HashedControlPassword and
-      CookieAuthentication at the same time.
-    - When a TrackHostExits-chosen exit fails too many times in a row,
-      stop using it. Fixes bug 437.
-
-  o Changed config option behavior (bugfixes):
-    - Do not read the configuration file when we've only been told to
-      generate a password hash. Fixes bug 643. Bugfix on 0.0.9pre5. Fix
-      based on patch from Sebastian Hahn.
-    - Actually validate the options passed to AuthDirReject,
-      AuthDirInvalid, AuthDirBadDir, and AuthDirBadExit.
-    - Make "ClientOnly 1" config option disable directory ports too.
-    - Don't stop fetching descriptors when FetchUselessDescriptors is
-      set, even if we stop asking for circuits. Bug reported by tup
-      and ioerror.
-    - Servers used to decline to publish their DirPort if their
-      BandwidthRate or MaxAdvertisedBandwidth were below a threshold. Now
-      they look only at BandwidthRate and RelayBandwidthRate.
-    - Treat "2gb" when given in torrc for a bandwidth as meaning 2gb,
-      minus 1 byte: the actual maximum declared bandwidth.
-    - Make "TrackHostExits ." actually work. Bugfix on 0.1.0.x.
-    - Make the NodeFamilies config option work. (Reported by
-      lodger -- it has never actually worked, even though we added it
-      in Oct 2004.)
-    - If Tor is invoked from something that isn't a shell (e.g. Vidalia),
-      now we expand "-f ~/.tor/torrc" correctly. Suggested by Matt Edman.
-
-  o New config options:
-    - New configuration options AuthDirMaxServersPerAddr and
-      AuthDirMaxServersperAuthAddr to override default maximum number
-      of servers allowed on a single IP address. This is important for
-      running a test network on a single host.
-    - Three new config options (AlternateDirAuthority,
-      AlternateBridgeAuthority, and AlternateHSAuthority) that let the
-      user selectively replace the default directory authorities by type,
-      rather than the all-or-nothing replacement that DirServer offers.
-    - New config options AuthDirBadDir and AuthDirListBadDirs for
-      authorities to mark certain relays as "bad directories" in the
-      networkstatus documents. Also supports the "!baddir" directive in
-      the approved-routers file.
-    - New config option V2AuthoritativeDirectory that all v2 directory
-      authorities must set. This lets v3 authorities choose not to serve
-      v2 directory information.
-
-  o Minor features (other):
-    - When we're not serving v2 directory information, there is no reason
-      to actually keep any around. Remove the obsolete files and directory
-      on startup if they are very old and we aren't going to serve them.
-    - When we negotiate a v2 link-layer connection (not yet implemented),
-      accept RELAY_EARLY cells and turn them into RELAY cells if we've
-      negotiated a v1 connection for their next step. Initial steps for
-      proposal 110.
-    - When we have no consensus, check FallbackNetworkstatusFile (defaults
-      to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
-      we can start out knowing some directory caches. We don't ship with
-      a fallback consensus by default though, because it was making
-      bootstrapping take too long while we tried many down relays.
-    - Authorities send back an X-Descriptor-Not-New header in response to
-      an accepted-but-discarded descriptor upload. Partially implements
-      fix for bug 535.
-    - If we find a cached-routers file that's been sitting around for more
-      than 28 days unmodified, then most likely it's a leftover from
-      when we upgraded to 0.2.0.8-alpha. Remove it. It has no good
-      routers anyway.
-    - When we (as a cache) download a descriptor because it was listed
-      in a consensus, remember when the consensus was supposed to expire,
-      and don't expire the descriptor until then.
-    - Optionally (if built with -DEXPORTMALLINFO) export the output
-      of mallinfo via http, as tor/mallinfo.txt. Only accessible
-      from localhost.
-    - Tag every guard node in our state file with the version that
-      we believe added it, or with our own version if we add it. This way,
-      if a user temporarily runs an old version of Tor and then switches
-      back to a new one, she doesn't automatically lose her guards.
-    - When somebody requests a list of statuses or servers, and we have
-      none of those, return a 404 rather than an empty 200.
-    - Merge in some (as-yet-unused) IPv6 address manipulation code. (Patch
-      from croup.)
-    - Add an HSAuthorityRecordStats option that hidden service authorities
-      can use to track statistics of overall hidden service usage without
-      logging information that would be as useful to an attacker.
-    - Allow multiple HiddenServicePort directives with the same virtual
-      port; when they occur, the user is sent round-robin to one
-      of the target ports chosen at random.  Partially fixes bug 393 by
-      adding limited ad-hoc round-robining.
-    - Revamp file-writing logic so we don't need to have the entire
-      contents of a file in memory at once before we write to disk. Tor,
-      meet stdio.
-
-  o Minor bugfixes (other):
-    - Alter the code that tries to recover from unhandled write
-      errors, to not try to flush onto a socket that's given us
-      unhandled errors.
-    - Directory mirrors no longer include a guess at the client's IP
-      address if the connection appears to be coming from the same /24
-      network; it was producing too many wrong guesses.
-    - If we're trying to flush the last bytes on a connection (for
-      example, when answering a directory request), reset the
-      time-to-give-up timeout every time we manage to write something
-      on the socket.
-    - Reject router descriptors with out-of-range bandwidthcapacity or
-      bandwidthburst values.
-    - If we can't expand our list of entry guards (e.g. because we're
-      using bridges or we have StrictEntryNodes set), don't mark relays
-      down when they fail a directory request. Otherwise we're too quick
-      to mark all our entry points down.
-    - Authorities no longer send back "400 you're unreachable please fix
-      it" errors to Tor servers that aren't online all the time. We're
-      supposed to tolerate these servers now.
-    - Let directory authorities startup even when they can't generate
-      a descriptor immediately, e.g. because they don't know their
-      address.
-    - Correctly enforce that elements of directory objects do not appear
-      more often than they are allowed to appear.
-    - Stop allowing hibernating servers to be "stable" or "fast".
-    - On Windows, we were preventing other processes from reading
-      cached-routers while Tor was running. (Reported by janbar)
-    - Check return values from pthread_mutex functions.
-    - When opening /dev/null in finish_daemonize(), do not pass the
-      O_CREAT flag. Fortify was complaining, and correctly so. Fixes
-      bug 742; fix from Michael Scherer. Bugfix on 0.0.2pre19.
-
-  o Controller features:
-    - The GETCONF command now escapes and quotes configuration values
-      that don't otherwise fit into the torrc file.
-    - The SETCONF command now handles quoted values correctly.
-    - Add "GETINFO/desc-annotations/id/<OR digest>" so controllers can
-      ask about source, timestamp of arrival, purpose, etc. We need
-      something like this to help Vidalia not do GeoIP lookups on bridge
-      addresses.
-    - Allow multiple HashedControlPassword config lines, to support
-      multiple controller passwords.
-    - Accept LF instead of CRLF on controller, since some software has a
-      hard time generating real Internet newlines.
-    - Add GETINFO values for the server status events
-      "REACHABILITY_SUCCEEDED" and "GOOD_SERVER_DESCRIPTOR". Patch from
-      Robert Hogan.
-    - There is now an ugly, temporary "desc/all-recent-extrainfo-hack"
-      GETINFO for Torstat to use until it can switch to using extrainfos.
-    - New config option CookieAuthFile to choose a new location for the
-      cookie authentication file, and config option
-      CookieAuthFileGroupReadable to make it group-readable.
-    - Add a SOURCE_ADDR field to STREAM NEW events so that controllers can
-      match requests to applications. Patch from Robert Hogan.
-    - Add a RESOLVE command to launch hostname lookups. Original patch
-      from Robert Hogan.
-    - Add GETINFO status/enough-dir-info to let controllers tell whether
-      Tor has downloaded sufficient directory information. Patch from Tup.
-    - You can now use the ControlSocket option to tell Tor to listen for
-      controller connections on Unix domain sockets on systems that
-      support them. Patch from Peter Palfrader.
-    - New "GETINFO address-mappings/*" command to get address mappings
-      with expiry information. "addr-mappings/*" is now deprecated.
-      Patch from Tup.
-    - Add a new config option __DisablePredictedCircuits designed for
-      use by the controller, when we don't want Tor to build any circuits
-      preemptively.
-    - Let the controller specify HOP=%d as an argument to ATTACHSTREAM,
-      so we can exit from the middle of the circuit.
-    - Implement "getinfo status/circuit-established".
-    - Implement "getinfo status/version/..." so a controller can tell
-      whether the current version is recommended, and whether any versions
-      are good, and how many authorities agree. Patch from "shibz".
-    - Controllers should now specify cache=no or cache=yes when using
-      the +POSTDESCRIPTOR command.
-    - Add a "PURPOSE=" argument to "STREAM NEW" events, as suggested by
-      Robert Hogan. Fixes the first part of bug 681.
-    - When reporting clock skew, and we know that the clock is _at least
-      as skewed_ as some value, but we don't know the actual value,
-      report the value as a "minimum skew."
-
-  o Controller bugfixes:
-    - Generate "STATUS_SERVER" events rather than misspelled
-      "STATUS_SEVER" events. Caught by mwenge.
-    - Reject controller commands over 1MB in length, so rogue
-      processes can't run us out of memory.
-    - Change the behavior of "getinfo status/good-server-descriptor"
-      so it doesn't return failure when any authority disappears.
-    - Send NAMESERVER_STATUS messages for a single failed nameserver
-      correctly.
-    - When the DANGEROUS_VERSION controller status event told us we're
-      running an obsolete version, it used the string "OLD" to describe
-      it. Yet the "getinfo" interface used the string "OBSOLETE". Now use
-      "OBSOLETE" in both cases.
-    - Respond to INT and TERM SIGNAL commands before we execute the
-      signal, in case the signal shuts us down. We had a patch in
-      0.1.2.1-alpha that tried to do this by queueing the response on
-      the connection's buffer before shutting down, but that really
-      isn't the same thing at all. Bug located by Matt Edman.
-    - Provide DNS expiry times in GMT, not in local time. For backward
-      compatibility, ADDRMAP events only provide GMT expiry in an extended
-      field. "GETINFO address-mappings" always does the right thing.
-    - Use CRLF line endings properly in NS events.
-    - Make 'getinfo fingerprint' return a 551 error if we're not a
-      server, so we match what the control spec claims we do. Reported
-      by daejees.
-    - Fix a typo in an error message when extendcircuit fails that
-      caused us to not follow the \r\n-based delimiter protocol. Reported
-      by daejees.
-    - When tunneling an encrypted directory connection, and its first
-      circuit fails, do not leave it unattached and ask the controller
-      to deal. Fixes the second part of bug 681.
-    - Treat some 403 responses from directory servers as INFO rather than
-      WARN-severity events.
-
-  o Portability / building / compiling:
-    - When building with --enable-gcc-warnings, check for whether Apple's
-      warning "-Wshorten-64-to-32" is available.
-    - Support compilation to target iPhone; patch from cjacker huang.
-      To build for iPhone, pass the --enable-iphone option to configure.
-    - Detect non-ASCII platforms (if any still exist) and refuse to
-      build there: some of our code assumes that 'A' is 65 and so on.
-    - Clear up some MIPSPro compiler warnings.
-    - Make autoconf search for libevent, openssl, and zlib consistently.
-    - Update deprecated macros in configure.in.
-    - When warning about missing headers, tell the user to let us
-      know if the compile succeeds anyway, so we can downgrade the
-      warning.
-    - Include the current subversion revision as part of the version
-      string: either fetch it directly if we're in an SVN checkout, do
-      some magic to guess it if we're in an SVK checkout, or use
-      the last-detected version if we're building from a .tar.gz.
-      Use this version consistently in log messages.
-    - Correctly report platform name on Windows 95 OSR2 and Windows 98 SE.
-    - Read resolv.conf files correctly on platforms where read() returns
-      partial results on small file reads.
-    - Build without verbose warnings even on gcc 4.2 and 4.3.
-    - On Windows, correctly detect errors when listing the contents of
-      a directory. Fix from lodger.
-    - Run 'make test' as part of 'make dist', so we stop releasing so
-      many development snapshots that fail their unit tests.
-    - Add support to detect Libevent versions in the 1.4.x series
-      on mingw.
-    - Add command-line arguments to unit-test executable so that we can
-      invoke any chosen test from the command line rather than having
-      to run the whole test suite at once; and so that we can turn on
-      logging for the unit tests.
-    - Do not automatically run configure from autogen.sh. This
-      non-standard behavior tended to annoy people who have built other
-      programs.
-    - Fix a macro/CPP interaction that was confusing some compilers:
-      some GCCs don't like #if/#endif pairs inside macro arguments.
-      Fixes bug 707.
-    - Fix macro collision between OpenSSL 0.9.8h and Windows headers.
-      Fixes bug 704; fix from Steven Murdoch.
-    - Correctly detect transparent proxy support on Linux hosts that
-      require in.h to be included before netfilter_ipv4.h.  Patch
-      from coderman.
-
-  o Logging improvements:
-    - When we haven't had any application requests lately, don't bother
-      logging that we have expired a bunch of descriptors.
-    - When attempting to open a logfile fails, tell us why.
-    - Only log guard node status when guard node status has changed.
-    - Downgrade the 3 most common "INFO" messages to "DEBUG". This will
-      make "INFO" 75% less verbose.
-    - When SafeLogging is disabled, log addresses along with all TLS
-      errors.
-    - Report TLS "zero return" case as a "clean close" and "IO error"
-      as a "close". Stop calling closes "unexpected closes": existing
-      Tors don't use SSL_close(), so having a connection close without
-      the TLS shutdown handshake is hardly unexpected.
-    - When we receive a consensus from the future, warn about skew.
-    - Make "not enough dir info yet" warnings describe *why* Tor feels
-      it doesn't have enough directory info yet.
-    - On the USR1 signal, when dmalloc is in use, log the top 10 memory
-      consumers. (We already do this on HUP.)
-    - Give more descriptive well-formedness errors for out-of-range
-      hidden service descriptor/protocol versions.
-    - Stop recommending that every server operator send mail to tor-ops.
-      Resolves bug 597. Bugfix on 0.1.2.x.
-    - Improve skew reporting: try to give the user a better log message
-      about how skewed they are, and how much this matters.
-    - New --quiet command-line option to suppress the default console log.
-      Good in combination with --hash-password.
-    - Don't complain that "your server has not managed to confirm that its
-      ports are reachable" if we haven't been able to build any circuits
-      yet.
-    - Detect the reason for failing to mmap a descriptor file we just
-      wrote, and give a more useful log message.  Fixes bug 533.
-    - Always prepend "Bug: " to any log message about a bug.
-    - When dumping memory usage, list bytes used in buffer memory
-      free-lists.
-    - When running with dmalloc, dump more stats on hup and on exit.
-    - Put a platform string (e.g. "Linux i686") in the startup log
-      message, so when people paste just their logs, we know if it's
-      OpenBSD or Windows or what.
-    - When logging memory usage, break down memory used in buffers by
-      buffer type.
-    - When we are reporting the DirServer line we just parsed, we were
-      logging the second stanza of the key fingerprint, not the first.
-    - Even though Windows is equally happy with / and \ as path separators,
-      try to use \ consistently on Windows and / consistently on Unix: it
-      makes the log messages nicer.
-     - On OSX, stop warning the user that kqueue support in libevent is
-      "experimental", since it seems to have worked fine for ages.
-
-  o Contributed scripts and tools:
-    - Update linux-tor-prio.sh script to allow QoS based on the uid of
-      the Tor process. Patch from Marco Bonetti with tweaks from Mike
-      Perry.
-    - Include the "tor-ctrl.sh" bash script by Stefan Behte to provide
-      Unix users an easy way to script their Tor process (e.g. by
-      adjusting bandwidth based on the time of the day).
-    - In the exitlist script, only consider the most recently published
-      server descriptor for each server. Also, when the user requests
-      a list of servers that _reject_ connections to a given address,
-      explicitly exclude the IPs that also have servers that accept
-      connections to that address. Resolves bug 405.
-    - Include a new contrib/tor-exit-notice.html file that exit relay
-      operators can put on their website to help reduce abuse queries.
-
-  o Newly deprecated features:
-    - The status/version/num-versioning and status/version/num-concurring
-      GETINFO controller options are no longer useful in the v3 directory
-      protocol: treat them as deprecated, and warn when they're used.
-    - The RedirectExits config option is now deprecated.
-
-  o Removed features:
-    - Drop the old code to choke directory connections when the
-      corresponding OR connections got full: thanks to the cell queue
-      feature, OR conns don't get full any more.
-    - Remove the old "dns worker" server DNS code: it hasn't been default
-      since 0.1.2.2-alpha, and all the servers are using the new
-      eventdns code.
-    - Remove the code to generate the oldest (v1) directory format.
-    - Remove support for the old bw_accounting file: we've been storing
-      bandwidth accounting information in the state file since
-      0.1.2.5-alpha. This may result in bandwidth accounting errors
-      if you try to upgrade from 0.1.1.x or earlier, or if you try to
-      downgrade to 0.1.1.x or earlier.
-    - Drop support for OpenSSL version 0.9.6. Just about nobody was using
-      it, it had no AES, and it hasn't seen any security patches since
-      2004.
-    - Stop overloading the circuit_t.onionskin field for both "onionskin
-      from a CREATE cell that we are waiting for a cpuworker to be
-      assigned" and "onionskin from an EXTEND cell that we are going to
-      send to an OR as soon as we are connected". Might help with bug 600.
-    - Remove the tor_strpartition() function: its logic was confused,
-      and it was only used for one thing that could be implemented far
-      more easily.
-    - Remove the contrib scripts ExerciseServer.py, PathDemo.py,
-      and TorControl.py, as they use the old v0 controller protocol,
-      and are obsoleted by TorFlow anyway.
-    - Drop support for v1 rendezvous descriptors, since we never used
-      them anyway, and the code has probably rotted by now. Based on
-      patch from Karsten Loesing.
-    - Stop allowing address masks that do not correspond to bit prefixes.
-      We have warned about these for a really long time; now it's time
-      to reject them. (Patch from croup.)
-    - Remove an optimization in the AES counter-mode code that assumed
-      that the counter never exceeded 2^68. When the counter can be set
-      arbitrarily as an IV (as it is by Karsten's new hidden services
-      code), this assumption no longer holds.
-    - Disable the SETROUTERPURPOSE controller command: it is now
-      obsolete.
-
-
-Changes in version 0.1.2.19 - 2008-01-17
-  Tor 0.1.2.19 fixes a huge memory leak on exit relays, makes the default
-  exit policy a little bit more conservative so it's safer to run an
-  exit relay on a home system, and fixes a variety of smaller issues.
-
-  o Security fixes:
-    - Exit policies now reject connections that are addressed to a
-      relay's public (external) IP address too, unless
-      ExitPolicyRejectPrivate is turned off. We do this because too
-      many relays are running nearby to services that trust them based
-      on network address.
-
-  o Major bugfixes:
-    - When the clock jumps forward a lot, do not allow the bandwidth
-      buckets to become negative. Fixes bug 544.
-    - Fix a memory leak on exit relays; we were leaking a cached_resolve_t
-      on every successful resolve. Reported by Mike Perry.
-    - Purge old entries from the "rephist" database and the hidden
-      service descriptor database even when DirPort is zero.
-    - Stop thinking that 0.1.2.x directory servers can handle "begin_dir"
-      requests. Should ease bugs 406 and 419 where 0.1.2.x relays are
-      crashing or mis-answering these requests.
-    - When we decide to send a 503 response to a request for servers, do
-      not then also send the server descriptors: this defeats the whole
-      purpose. Fixes bug 539.
-
-  o Minor bugfixes:
-    - Changing the ExitPolicyRejectPrivate setting should cause us to
-      rebuild our server descriptor.
-    - Fix handling of hex nicknames when answering controller requests for
-      networkstatus by name, or when deciding whether to warn about
-      unknown routers in a config option. (Patch from mwenge.)
-    - Fix a couple of hard-to-trigger autoconf problems that could result
-      in really weird results on platforms whose sys/types.h files define
-      nonstandard integer types.
-    - Don't try to create the datadir when running --verify-config or
-      --hash-password. Resolves bug 540.
-    - If we were having problems getting a particular descriptor from the
-      directory caches, and then we learned about a new descriptor for
-      that router, we weren't resetting our failure count. Reported
-      by lodger.
-    - Although we fixed bug 539 (where servers would send HTTP status 503
-      responses _and_ send a body too), there are still servers out there
-      that haven't upgraded. Therefore, make clients parse such bodies
-      when they receive them.
-    - Run correctly on systems where rlim_t is larger than unsigned long.
-      This includes some 64-bit systems.
-    - Run correctly on platforms (like some versions of OS X 10.5) where
-      the real limit for number of open files is OPEN_FILES, not rlim_max
-      from getrlimit(RLIMIT_NOFILES).
-    - Avoid a spurious free on base64 failure.
-    - Avoid segfaults on certain complex invocations of
-      router_get_by_hexdigest().
-    - Fix rare bug on REDIRECTSTREAM control command when called with no
-      port set: it could erroneously report an error when none had
-      happened.
-
-
-Changes in version 0.1.2.18 - 2007-10-28
-  Tor 0.1.2.18 fixes many problems including crash bugs, problems with
-  hidden service introduction that were causing huge delays, and a big
-  bug that was causing some servers to disappear from the network status
-  lists for a few hours each day.
-
-  o Major bugfixes (crashes):
-    - If a connection is shut down abruptly because of something that
-      happened inside connection_flushed_some(), do not call
-      connection_finished_flushing(). Should fix bug 451:
-      "connection_stop_writing: Assertion conn->write_event failed"
-      Bugfix on 0.1.2.7-alpha.
-    - Fix possible segfaults in functions called from
-      rend_process_relay_cell().
-
-  o Major bugfixes (hidden services):
-    - Hidden services were choosing introduction points uniquely by
-      hexdigest, but when constructing the hidden service descriptor
-      they merely wrote the (potentially ambiguous) nickname.
-    - Clients now use the v2 intro format for hidden service
-      connections: they specify their chosen rendezvous point by identity
-      digest rather than by (potentially ambiguous) nickname. These
-      changes could speed up hidden service connections dramatically.
-
-  o Major bugfixes (other):
-    - Stop publishing a new server descriptor just because we get a
-      HUP signal. This led (in a roundabout way) to some servers getting
-      dropped from the networkstatus lists for a few hours each day.
-    - When looking for a circuit to cannibalize, consider family as well
-      as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
-      circuit cannibalization).
-    - When a router wasn't listed in a new networkstatus, we were leaving
-      the flags for that router alone -- meaning it remained Named,
-      Running, etc -- even though absence from the networkstatus means
-      that it shouldn't be considered to exist at all anymore. Now we
-      clear all the flags for routers that fall out of the networkstatus
-      consensus. Fixes bug 529.
-
-  o Minor bugfixes:
-    - Don't try to access (or alter) the state file when running
-      --list-fingerprint or --verify-config or --hash-password. Resolves
-      bug 499.
-    - When generating information telling us how to extend to a given
-      router, do not try to include the nickname if it is
-      absent. Resolves bug 467.
-    - Fix a user-triggerable segfault in expand_filename(). (There isn't
-      a way to trigger this remotely.)
-    - When sending a status event to the controller telling it that an
-      OR address is reachable, set the port correctly. (Previously we
-      were reporting the dir port.)
-    - Fix a minor memory leak whenever a controller sends the PROTOCOLINFO
-      command. Bugfix on 0.1.2.17.
-    - When loading bandwidth history, do not believe any information in
-      the future. Fixes bug 434.
-    - When loading entry guard information, do not believe any information
-      in the future.
-    - When we have our clock set far in the future and generate an
-      onion key, then re-set our clock to be correct, we should not stop
-      the onion key from getting rotated.
-    - On some platforms, accept() can return a broken address. Detect
-      this more quietly, and deal accordingly. Fixes bug 483.
-    - It's not actually an error to find a non-pending entry in the DNS
-      cache when canceling a pending resolve. Don't log unless stuff
-      is fishy. Resolves bug 463.
-    - Don't reset trusted dir server list when we set a configuration
-      option. Patch from Robert Hogan.
-
-
-Changes in version 0.1.2.17 - 2007-08-30
-  Tor 0.1.2.17 features a new Vidalia version in the Windows and OS
-  X bundles. Vidalia 0.0.14 makes authentication required for the
-  ControlPort in the default configuration, which addresses important
-  security risks. Everybody who uses Vidalia (or another controller)
-  should upgrade.
-
-  In addition, this Tor update fixes major load balancing problems with
-  path selection, which should speed things up a lot once many people
-  have upgraded.
-
-  o Major bugfixes (security):
-    - We removed support for the old (v0) control protocol. It has been
-      deprecated since Tor 0.1.1.1-alpha, and keeping it secure has
-      become more of a headache than it's worth.
-
-  o Major bugfixes (load balancing):
-    - When choosing nodes for non-guard positions, weight guards
-      proportionally less, since they already have enough load. Patch
-      from Mike Perry.
-    - Raise the "max believable bandwidth" from 1.5MB/s to 10MB/s. This
-      will allow fast Tor servers to get more attention.
-    - When we're upgrading from an old Tor version, forget our current
-      guards and pick new ones according to the new weightings. These
-      three load balancing patches could raise effective network capacity
-      by a factor of four. Thanks to Mike Perry for measurements.
-
-  o Major bugfixes (stream expiration):
-    - Expire not-yet-successful application streams in all cases if
-      they've been around longer than SocksTimeout. Right now there are
-      some cases where the stream will live forever, demanding a new
-      circuit every 15 seconds. Fixes bug 454; reported by lodger.
-
-  o Minor features (controller):
-    - Add a PROTOCOLINFO controller command. Like AUTHENTICATE, it
-      is valid before any authentication has been received. It tells
-      a controller what kind of authentication is expected, and what
-      protocol is spoken. Implements proposal 119.
-
-  o Minor bugfixes (performance):
-    - Save on most routerlist_assert_ok() calls in routerlist.c, thus
-      greatly speeding up loading cached-routers from disk on startup.
-    - Disable sentinel-based debugging for buffer code: we squashed all
-      the bugs that this was supposed to detect a long time ago, and now
-      its only effect is to change our buffer sizes from nice powers of
-      two (which platform mallocs tend to like) to values slightly over
-      powers of two (which make some platform mallocs sad).
-
-  o Minor bugfixes (misc):
-    - If exit bandwidth ever exceeds one third of total bandwidth, then
-      use the correct formula to weight exit nodes when choosing paths.
-      Based on patch from Mike Perry.
-    - Choose perfectly fairly among routers when choosing by bandwidth and
-      weighting by fraction of bandwidth provided by exits. Previously, we
-      would choose with only approximate fairness, and correct ourselves
-      if we ran off the end of the list.
-    - If we require CookieAuthentication but we fail to write the
-      cookie file, we would warn but not exit, and end up in a state
-      where no controller could authenticate. Now we exit.
-    - If we require CookieAuthentication, stop generating a new cookie
-      every time we change any piece of our config.
-    - Refuse to start with certain directory authority keys, and
-      encourage people using them to stop.
-    - Terminate multi-line control events properly. Original patch
-      from tup.
-    - Fix a minor memory leak when we fail to find enough suitable
-      servers to choose a circuit.
-    - Stop leaking part of the descriptor when we run into a particularly
-      unparseable piece of it.
-
-
-Changes in version 0.1.2.16 - 2007-08-01
-  Tor 0.1.2.16 fixes a critical security vulnerability that allows a
-  remote attacker in certain situations to rewrite the user's torrc
-  configuration file. This can completely compromise anonymity of users
-  in most configurations, including those running the Vidalia bundles,
-  TorK, etc. Or worse.
-
-  o Major security fixes:
-    - Close immediately after missing authentication on control port;
-      do not allow multiple authentication attempts.
-
-
-Changes in version 0.1.2.15 - 2007-07-17
-  Tor 0.1.2.15 fixes several crash bugs, fixes some anonymity-related
-  problems, fixes compilation on BSD, and fixes a variety of other
-  bugs. Everybody should upgrade.
-
-  o Major bugfixes (compilation):
-    - Fix compile on FreeBSD/NetBSD/OpenBSD. Oops.
-
-  o Major bugfixes (crashes):
-    - Try even harder not to dereference the first character after
-      an mmap(). Reported by lodger.
-    - Fix a crash bug in directory authorities when we re-number the
-      routerlist while inserting a new router.
-    - When the cached-routers file is an even multiple of the page size,
-      don't run off the end and crash. (Fixes bug 455; based on idea
-      from croup.)
-    - Fix eventdns.c behavior on Solaris: It is critical to include
-      orconfig.h _before_ sys/types.h, so that we can get the expected
-      definition of _FILE_OFFSET_BITS.
-
-  o Major bugfixes (security):
-    - Fix a possible buffer overrun when using BSD natd support. Bug
-      found by croup.
-    - When sending destroy cells from a circuit's origin, don't include
-      the reason for tearing down the circuit. The spec says we didn't,
-      and now we actually don't. Reported by lodger.
-    - Keep streamids from different exits on a circuit separate. This
-      bug may have allowed other routers on a given circuit to inject
-      cells into streams. Reported by lodger; fixes bug 446.
-    - If there's a never-before-connected-to guard node in our list,
-      never choose any guards past it. This way we don't expand our
-      guard list unless we need to.
-
-  o Minor bugfixes (guard nodes):
-    - Weight guard selection by bandwidth, so that low-bandwidth nodes
-      don't get overused as guards.
-
-  o Minor bugfixes (directory):
-    - Correctly count the number of authorities that recommend each
-      version. Previously, we were under-counting by 1.
-    - Fix a potential crash bug when we load many server descriptors at
-      once and some of them make others of them obsolete. Fixes bug 458.
-
-  o Minor bugfixes (hidden services):
-    - Stop tearing down the whole circuit when the user asks for a
-      connection to a port that the hidden service didn't configure.
-      Resolves bug 444.
-
-  o Minor bugfixes (misc):
-    - On Windows, we were preventing other processes from reading
-      cached-routers while Tor was running. Reported by janbar.
-    - Fix a possible (but very unlikely) bug in picking routers by
-      bandwidth. Add a log message to confirm that it is in fact
-      unlikely. Patch from lodger.
-    - Backport a couple of memory leak fixes.
-    - Backport miscellaneous cosmetic bugfixes.
-
-
-Changes in version 0.1.2.14 - 2007-05-25
-  Tor 0.1.2.14 changes the addresses of two directory authorities (this
-  change especially affects those who serve or use hidden services),
-  and fixes several other crash- and security-related bugs.
-
-  o Directory authority changes:
-    - Two directory authorities (moria1 and moria2) just moved to new
-      IP addresses. This change will particularly affect those who serve
-      or use hidden services.
-
-  o Major bugfixes (crashes):
-    - If a directory server runs out of space in the connection table
-      as it's processing a begin_dir request, it will free the exit stream
-      but leave it attached to the circuit, leading to unpredictable
-      behavior. (Reported by seeess, fixes bug 425.)
-    - Fix a bug in dirserv_remove_invalid() that would cause authorities
-      to corrupt memory under some really unlikely scenarios.
-    - Tighten router parsing rules. (Bugs reported by Benedikt Boss.)
-    - Avoid segfaults when reading from mmaped descriptor file. (Reported
-      by lodger.)
-
-  o Major bugfixes (security):
-    - When choosing an entry guard for a circuit, avoid using guards
-      that are in the same family as the chosen exit -- not just guards
-      that are exactly the chosen exit. (Reported by lodger.)
-
-  o Major bugfixes (resource management):
-    - If a directory authority is down, skip it when deciding where to get
-      networkstatus objects or descriptors. Otherwise we keep asking
-      every 10 seconds forever. Fixes bug 384.
-    - Count it as a failure if we fetch a valid network-status but we
-      don't want to keep it. Otherwise we'll keep fetching it and keep
-      not wanting to keep it. Fixes part of bug 422.
-    - If all of our dirservers have given us bad or no networkstatuses
-      lately, then stop hammering them once per minute even when we
-      think they're failed. Fixes another part of bug 422.
-
-  o Minor bugfixes:
-    - Actually set the purpose correctly for descriptors inserted with
-      purpose=controller.
-    - When we have k non-v2 authorities in our DirServer config,
-      we ignored the last k authorities in the list when updating our
-      network-statuses.
-    - Correctly back-off from requesting router descriptors that we are
-      having a hard time downloading.
-    - Read resolv.conf files correctly on platforms where read() returns
-      partial results on small file reads.
-    - Don't rebuild the entire router store every time we get 32K of
-      routers: rebuild it when the journal gets very large, or when
-      the gaps in the store get very large.
-
-  o Minor features:
-    - When routers publish SVN revisions in their router descriptors,
-      authorities now include those versions correctly in networkstatus
-      documents.
-    - Warn when using a version of libevent before 1.3b to run a server on
-      OSX or BSD: these versions interact badly with userspace threads.
-
-
-Changes in version 0.1.2.13 - 2007-04-24
-  This release features some major anonymity fixes, such as safer path
-  selection; better client performance; faster bootstrapping, better
-  address detection, and better DNS support for servers; write limiting as
-  well as read limiting to make servers easier to run; and a huge pile of
-  other features and bug fixes. The bundles also ship with Vidalia 0.0.11.
-
-  Tor 0.1.2.13 is released in memory of Rob Levin (1955-2006), aka lilo
-  of the Freenode IRC network, remembering his patience and vision for
-  free speech on the Internet.
-
-  o Major features, client performance:
-    - Weight directory requests by advertised bandwidth. Now we can
-      let servers enable write limiting but still allow most clients to
-      succeed at their directory requests. (We still ignore weights when
-      choosing a directory authority; I hope this is a feature.)
-    - Stop overloading exit nodes -- avoid choosing them for entry or
-      middle hops when the total bandwidth available from non-exit nodes
-      is much higher than the total bandwidth available from exit nodes.
-    - Rather than waiting a fixed amount of time between retrying
-      application connections, we wait only 10 seconds for the first,
-      10 seconds for the second, and 15 seconds for each retry after
-      that. Hopefully this will improve the expected user experience.
-    - Sometimes we didn't bother sending a RELAY_END cell when an attempt
-      to open a stream fails; now we do in more cases. This should
-      make clients able to find a good exit faster in some cases, since
-      unhandleable requests will now get an error rather than timing out.
-
-  o Major features, client functionality:
-    - Implement BEGIN_DIR cells, so we can connect to a directory
-      server via TLS to do encrypted directory requests rather than
-      plaintext. Enable via the TunnelDirConns and PreferTunneledDirConns
-      config options if you like. For now, this feature only works if
-      you already have a descriptor for the destination dirserver.
-    - Add support for transparent application connections: this basically
-      bundles the functionality of trans-proxy-tor into the Tor
-      mainline. Now hosts with compliant pf/netfilter implementations
-      can redirect TCP connections straight to Tor without diverting
-      through SOCKS. (Based on patch from tup.)
-    - Add support for using natd; this allows FreeBSDs earlier than
-      5.1.2 to have ipfw send connections through Tor without using
-      SOCKS. (Patch from Zajcev Evgeny with tweaks from tup.)
-
-  o Major features, servers:
-    - Setting up a dyndns name for your server is now optional: servers
-      with no hostname or IP address will learn their IP address by
-      asking the directory authorities. This code only kicks in when you
-      would normally have exited with a "no address" error. Nothing's
-      authenticated, so use with care.
-    - Directory servers now spool server descriptors, v1 directories,
-      and v2 networkstatus objects to buffers as needed rather than en
-      masse. They also mmap the cached-routers files. These steps save
-      lots of memory.
-    - Stop requiring clients to have well-formed certificates, and stop
-      checking nicknames in certificates. (Clients have certificates so
-      that they can look like Tor servers, but in the future we might want
-      to allow them to look like regular TLS clients instead. Nicknames
-      in certificates serve no purpose other than making our protocol
-      easier to recognize on the wire.) Implements proposal 106.
-
-  o Improvements on DNS support:
-    - Add "eventdns" asynchronous dns library originally based on code
-      from Adam Langley. Now we can discard the old rickety dnsworker
-      concept, and support a wider variety of DNS functions. Allows
-      multithreaded builds on NetBSD and OpenBSD again.
-    - Add server-side support for "reverse" DNS lookups (using PTR
-      records so clients can determine the canonical hostname for a given
-      IPv4 address). Only supported by servers using eventdns; servers
-      now announce in their descriptors if they don't support eventdns.
-    - Workaround for name servers (like Earthlink's) that hijack failing
-      DNS requests and replace the no-such-server answer with a "helpful"
-      redirect to an advertising-driven search portal. Also work around
-      DNS hijackers who "helpfully" decline to hijack known-invalid
-      RFC2606 addresses. Config option "ServerDNSDetectHijacking 0"
-      lets you turn it off.
-    - Servers now check for the case when common DNS requests are going to
-      wildcarded addresses (i.e. all getting the same answer), and change
-      their exit policy to reject *:* if it's happening.
-    - When asked to resolve a hostname, don't use non-exit servers unless
-      requested to do so. This allows servers with broken DNS to be
-      useful to the network.
-    - Start passing "ipv4" hints to getaddrinfo(), so servers don't do
-      useless IPv6 DNS resolves.
-    - Specify and implement client-side SOCKS5 interface for reverse DNS
-      lookups (see doc/socks-extensions.txt). Also cache them.
-    - When we change nameservers or IP addresses, reset and re-launch
-      our tests for DNS hijacking.
-
-  o Improvements on reachability testing:
-    - Servers send out a burst of long-range padding cells once they've
-      established that they're reachable. Spread them over 4 circuits,
-      so hopefully a few will be fast. This exercises bandwidth and
-      bootstraps them into the directory more quickly.
-    - When we find our DirPort to be reachable, publish a new descriptor
-      so we'll tell the world (reported by pnx).
-    - Directory authorities now only decide that routers are reachable
-      if their identity keys are as expected.
-    - Do DirPort reachability tests less often, since a single test
-      chews through many circuits before giving up.
-    - Avoid some false positives during reachability testing: don't try
-      to test via a server that's on the same /24 network as us.
-    - Start publishing one minute or so after we find our ORPort
-      to be reachable. This will help reduce the number of descriptors
-      we have for ourselves floating around, since it's quite likely
-      other things (e.g. DirPort) will change during that minute too.
-    - Routers no longer try to rebuild long-term connections to directory
-      authorities, and directory authorities no longer try to rebuild
-      long-term connections to all servers. We still don't hang up
-      connections in these two cases though -- we need to look at it
-      more carefully to avoid flapping, and we likely need to wait til
-      0.1.1.x is obsolete.
-
-  o Improvements on rate limiting:
-    - Enable write limiting as well as read limiting. Now we sacrifice
-      capacity if we're pushing out lots of directory traffic, rather
-      than overrunning the user's intended bandwidth limits.
-    - Include TLS overhead when counting bandwidth usage; previously, we
-      would count only the bytes sent over TLS, but not the bytes used
-      to send them.
-    - Servers decline directory requests much more aggressively when
-      they're low on bandwidth. Otherwise they end up queueing more and
-      more directory responses, which can't be good for latency.
-    - But never refuse directory requests from local addresses.
-    - Be willing to read or write on local connections (e.g. controller
-      connections) even when the global rate limiting buckets are empty.
-    - Flush local controller connection buffers periodically as we're
-      writing to them, so we avoid queueing 4+ megabytes of data before
-      trying to flush.
-    - Revise and clean up the torrc.sample that we ship with; add
-      a section for BandwidthRate and BandwidthBurst.
-
-  o Major features, NT services:
-    - Install as NT_AUTHORITY\LocalService rather than as SYSTEM; add a
-      command-line flag so that admins can override the default by saying
-      "tor --service install --user "SomeUser"". This will not affect
-      existing installed services. Also, warn the user that the service
-      will look for its configuration file in the service user's
-      %appdata% directory. (We can't do the "hardwire the user's appdata
-      directory" trick any more, since we may not have read access to that
-      directory.)
-    - Support running the Tor service with a torrc not in the same
-      directory as tor.exe and default to using the torrc located in
-      the %appdata%\Tor\ of the user who installed the service. Patch
-      from Matt Edman.
-    - Add an --ignore-missing-torrc command-line option so that we can
-      get the "use sensible defaults if the configuration file doesn't
-      exist" behavior even when specifying a torrc location on the
-      command line.
-    - When stopping an NT service, wait up to 10 sec for it to actually
-      stop. (Patch from Matt Edman; resolves bug 295.)
-
-  o Directory authority improvements:
-    - Stop letting hibernating or obsolete servers affect uptime and
-      bandwidth cutoffs.
-    - Stop listing hibernating servers in the v1 directory.
-    - Authorities no longer recommend exits as guards if this would shift
-      too much load to the exit nodes.
-    - Authorities now specify server versions in networkstatus. This adds
-      about 2% to the size of compressed networkstatus docs, and allows
-      clients to tell which servers support BEGIN_DIR and which don't.
-      The implementation is forward-compatible with a proposed future
-      protocol version scheme not tied to Tor versions.
-    - DirServer configuration lines now have an orport= option so
-      clients can open encrypted tunnels to the authorities without
-      having downloaded their descriptors yet. Enabled for moria1,
-      moria2, tor26, and lefkada now in the default configuration.
-    - Add a BadDirectory flag to network status docs so that authorities
-      can (eventually) tell clients about caches they believe to be
-      broken. Not used yet.
-    - Allow authorities to list nodes as bad exits in their
-      approved-routers file by fingerprint or by address. If most
-      authorities set a BadExit flag for a server, clients don't think
-      of it as a general-purpose exit. Clients only consider authorities
-      that advertise themselves as listing bad exits.
-    - Patch from Steve Hildrey: Generate network status correctly on
-      non-versioning dirservers.
-    - Have directory authorities allow larger amounts of drift in uptime
-      without replacing the server descriptor: previously, a server that
-      restarted every 30 minutes could have 48 "interesting" descriptors
-      per day.
-    - Reserve the nickname "Unnamed" for routers that can't pick
-      a hostname: any router can call itself Unnamed; directory
-      authorities will never allocate Unnamed to any particular router;
-      clients won't believe that any router is the canonical Unnamed.
-
-  o Directory mirrors and clients:
-    - Discard any v1 directory info that's over 1 month old (for
-      directories) or over 1 week old (for running-routers lists).
-    - Clients track responses with status 503 from dirservers. After a
-      dirserver has given us a 503, we try not to use it until an hour has
-      gone by, or until we have no dirservers that haven't given us a 503.
-    - When we get a 503 from a directory, and we're not a server, we no
-      longer count the failure against the total number of failures
-      allowed for the object we're trying to download.
-    - Prepare for servers to publish descriptors less often: never
-      discard a descriptor simply for being too old until either it is
-      recommended by no authorities, or until we get a better one for
-      the same router. Make caches consider retaining old recommended
-      routers for even longer.
-    - Directory servers now provide 'Pragma: no-cache' and 'Expires'
-      headers for content, so that we can work better in the presence of
-      caching HTTP proxies.
-    - Stop fetching descriptors if you're not a dir mirror and you
-      haven't tried to establish any circuits lately. (This currently
-      causes some dangerous behavior, because when you start up again
-      you'll use your ancient server descriptors.)
-
-  o Major fixes, crashes:
-    - Stop crashing when the controller asks us to resetconf more than
-      one config option at once. (Vidalia 0.0.11 does this.)
-    - Fix a longstanding obscure crash bug that could occur when we run
-      out of DNS worker processes, if we're not using eventdns. (Resolves
-      bug 390.)
-    - Fix an assert that could trigger if a controller quickly set then
-      cleared EntryNodes. (Bug found by Udo van den Heuvel.)
-    - Avoid crash when telling controller about stream-status and a
-      stream is detached.
-    - Avoid sending junk to controllers or segfaulting when a controller
-      uses EVENT_NEW_DESC with verbose nicknames.
-    - Stop triggering asserts if the controller tries to extend hidden
-      service circuits (reported by mwenge).
-    - If we start a server with ClientOnly 1, then set ClientOnly to 0
-      and hup, stop triggering an assert based on an empty onion_key.
-    - Mask out all signals in sub-threads; only the libevent signal
-      handler should be processing them. This should prevent some crashes
-      on some machines using pthreads. (Patch from coderman.)
-    - Disable kqueue on OS X 10.3 and earlier, to fix bug 371.
-
-  o Major fixes, anonymity/security:
-    - Automatically avoid picking more than one node from the same
-      /16 network when constructing a circuit. Add an
-      "EnforceDistinctSubnets" option to let people disable it if they
-      want to operate private test networks on a single subnet.
-    - When generating bandwidth history, round down to the nearest
-      1k. When storing accounting data, round up to the nearest 1k.
-    - When we're running as a server, remember when we last rotated onion
-      keys, so that we will rotate keys once they're a week old even if
-      we never stay up for a week ourselves.
-    - If a client asked for a server by name, and there's a named server
-      in our network-status but we don't have its descriptor yet, we
-      could return an unnamed server instead.
-    - Reject (most) attempts to use Tor circuits with length one. (If
-      many people start using Tor as a one-hop proxy, exit nodes become
-      a more attractive target for compromise.)
-    - Just because your DirPort is open doesn't mean people should be
-      able to remotely teach you about hidden service descriptors. Now
-      only accept rendezvous posts if you've got HSAuthoritativeDir set.
-    - Fix a potential race condition in the rpm installer. Found by
-      Stefan Nordhausen.
-    - Do not log IPs with TLS failures for incoming TLS
-      connections. (Fixes bug 382.)
-
-  o Major fixes, other:
-    - If our system clock jumps back in time, don't publish a negative
-      uptime in the descriptor.
-    - When we start during an accounting interval before it's time to wake
-      up, remember to wake up at the correct time. (May fix bug 342.)
-    - Previously, we would cache up to 16 old networkstatus documents
-      indefinitely, if they came from nontrusted authorities. Now we
-      discard them if they are more than 10 days old.
-    - When we have a state file we cannot parse, tell the user and
-      move it aside. Now we avoid situations where the user starts
-      Tor in 1904, Tor writes a state file with that timestamp in it,
-      the user fixes her clock, and Tor refuses to start.
-    - Publish a new descriptor after we hup/reload. This is important
-      if our config has changed such that we'll want to start advertising
-      our DirPort now, etc.
-    - If we are using an exit enclave and we can't connect, e.g. because
-      its webserver is misconfigured to not listen on localhost, then
-      back off and try connecting from somewhere else before we fail.
-
-  o New config options or behaviors:
-    - When EntryNodes are configured, rebuild the guard list to contain,
-      in order: the EntryNodes that were guards before; the rest of the
-      EntryNodes; the nodes that were guards before.
-    - Do not warn when individual nodes in the configuration's EntryNodes,
-      ExitNodes, etc are down: warn only when all possible nodes
-      are down. (Fixes bug 348.)
-    - Put a lower-bound on MaxAdvertisedBandwidth.
-    - Start using the state file to store bandwidth accounting data:
-      the bw_accounting file is now obsolete. We'll keep generating it
-      for a while for people who are still using 0.1.2.4-alpha.
-    - Try to batch changes to the state file so that we do as few
-      disk writes as possible while still storing important things in
-      a timely fashion.
-    - The state file and the bw_accounting file get saved less often when
-      the AvoidDiskWrites config option is set.
-    - Make PIDFile work on Windows.
-    - Add internal descriptions for a bunch of configuration options:
-      accessible via controller interface and in comments in saved
-      options files.
-    - Reject *:563 (NNTPS) in the default exit policy. We already reject
-      NNTP by default, so this seems like a sensible addition.
-    - Clients now reject hostnames with invalid characters. This should
-      avoid some inadvertent info leaks. Add an option
-      AllowNonRFC953Hostnames to disable this behavior, in case somebody
-      is running a private network with hosts called @, !, and #.
-    - Check for addresses with invalid characters at the exit as well,
-      and warn less verbosely when they fail. You can override this by
-      setting ServerDNSAllowNonRFC953Addresses to 1.
-    - Remove some options that have been deprecated since at least
-      0.1.0.x: AccountingMaxKB, LogFile, DebugLogFile, LogLevel, and
-      SysLog. Use AccountingMax instead of AccountingMaxKB, and use Log
-      to set log options. Mark PathlenCoinWeight as obsolete.
-    - Stop accepting certain malformed ports in configured exit policies.
-    - When the user uses bad syntax in the Log config line, stop
-      suggesting other bad syntax as a replacement.
-    - Add new config option "ResolvConf" to let the server operator
-      choose an alternate resolve.conf file when using eventdns.
-    - If one of our entry guards is on the ExcludeNodes list, or the
-      directory authorities don't think it's a good guard, treat it as
-      if it were unlisted: stop using it as a guard, and throw it off
-      the guards list if it stays that way for a long time.
-    - Allow directory authorities to be marked separately as authorities
-      for the v1 directory protocol, the v2 directory protocol, and
-      as hidden service directories, to make it easier to retire old
-      authorities. V1 authorities should set "HSAuthoritativeDir 1"
-      to continue being hidden service authorities too.
-    - Remove 8888 as a LongLivedPort, and add 6697 (IRCS).
-    - Make TrackExitHosts case-insensitive, and fix the behavior of
-      ".suffix" TrackExitHosts items to avoid matching in the middle of
-      an address.
-    - New DirPort behavior: if you have your dirport set, you download
-      descriptors aggressively like a directory mirror, whether or not
-      your ORPort is set.
-
-  o Docs:
-    - Create a new file ReleaseNotes which was the old ChangeLog. The
-      new ChangeLog file now includes the notes for all development
-      versions too.
-    - Add a new address-spec.txt document to describe our special-case
-      addresses: .exit, .onion, and .noconnnect.
-    - Fork the v1 directory protocol into its own spec document,
-      and mark dir-spec.txt as the currently correct (v2) spec.
-
-  o Packaging, porting, and contrib
-    - "tor --verify-config" now exits with -1(255) or 0 depending on
-      whether the config options are bad or good.
-    - The Debian package now uses --verify-config when (re)starting,
-      to distinguish configuration errors from other errors.
-    - Adapt a patch from goodell to let the contrib/exitlist script
-      take arguments rather than require direct editing.
-    - Prevent the contrib/exitlist script from printing the same
-      result more than once.
-    - Add support to tor-resolve tool for reverse lookups and SOCKS5.
-    - In the hidden service example in torrc.sample, stop recommending
-      esoteric and discouraged hidden service options.
-    - Patch from Michael Mohr to contrib/cross.sh, so it checks more
-      values before failing, and always enables eventdns.
-    - Try to detect Windows correctly when cross-compiling.
-    - Libevent-1.2 exports, but does not define in its headers, strlcpy.
-      Try to fix this in configure.in by checking for most functions
-      before we check for libevent.
-    - Update RPMs to require libevent 1.2.
-    - Experimentally re-enable kqueue on OSX when using libevent 1.1b
-      or later. Log when we are doing this, so we can diagnose it when
-      it fails. (Also, recommend libevent 1.1b for kqueue and
-      win32 methods; deprecate libevent 1.0b harder; make libevent
-      recommendation system saner.)
-    - Build with recent (1.3+) libevents on platforms that do not
-      define the nonstandard types "u_int8_t" and friends.
-    - Remove architecture from OS X builds. The official builds are
-      now universal binaries.
-    - Run correctly on OS X platforms with case-sensitive filesystems.
-    - Correctly set maximum connection limit on Cygwin. (This time
-      for sure!)
-    - Start compiling on MinGW on Windows (patches from Mike Chiussi
-      and many others).
-    - Start compiling on MSVC6 on Windows (patches from Frediano Ziglio).
-    - Finally fix the openssl warnings from newer gccs that believe that
-      ignoring a return value is okay, but casting a return value and
-      then ignoring it is a sign of madness.
-    - On architectures where sizeof(int)>4, still clamp declarable
-      bandwidth to INT32_MAX.
-
-  o Minor features, controller:
-    - Warn the user when an application uses the obsolete binary v0
-      control protocol. We're planning to remove support for it during
-      the next development series, so it's good to give people some
-      advance warning.
-    - Add STREAM_BW events to report per-entry-stream bandwidth
-      use. (Patch from Robert Hogan.)
-    - Rate-limit SIGNEWNYM signals in response to controllers that
-      impolitely generate them for every single stream. (Patch from
-      mwenge; closes bug 394.)
-    - Add a REMAP status to stream events to note that a stream's
-      address has changed because of a cached address or a MapAddress
-      directive.
-    - Make REMAP stream events have a SOURCE (cache or exit), and
-      make them generated in every case where we get a successful
-      connected or resolved cell.
-    - Track reasons for OR connection failure; make these reasons
-      available via the controller interface. (Patch from Mike Perry.)
-    - Add a SOCKS_BAD_HOSTNAME client status event so controllers
-      can learn when clients are sending malformed hostnames to Tor.
-    - Specify and implement some of the controller status events.
-    - Have GETINFO dir/status/* work on hosts with DirPort disabled.
-    - Reimplement GETINFO so that info/names stays in sync with the
-      actual keys.
-    - Implement "GETINFO fingerprint".
-    - Implement "SETEVENTS GUARD" so controllers can get updates on
-      entry guard status as it changes.
-    - Make all connections to addresses of the form ".noconnect"
-      immediately get closed. This lets application/controller combos
-      successfully test whether they're talking to the same Tor by
-      watching for STREAM events.
-    - Add a REASON field to CIRC events; for backward compatibility, this
-      field is sent only to controllers that have enabled the extended
-      event format. Also, add additional reason codes to explain why
-      a given circuit has been destroyed or truncated. (Patches from
-      Mike Perry)
-    - Add a REMOTE_REASON field to extended CIRC events to tell the
-      controller why a remote OR told us to close a circuit.
-    - Stream events also now have REASON and REMOTE_REASON fields,
-      working much like those for circuit events.
-    - There's now a GETINFO ns/... field so that controllers can ask Tor
-      about the current status of a router.
-    - A new event type "NS" to inform a controller when our opinion of
-      a router's status has changed.
-    - Add a GETINFO events/names and GETINFO features/names so controllers
-      can tell which events and features are supported.
-    - A new CLEARDNSCACHE signal to allow controllers to clear the
-      client-side DNS cache without expiring circuits.
-    - Fix CIRC controller events so that controllers can learn the
-      identity digests of non-Named servers used in circuit paths.
-    - Let controllers ask for more useful identifiers for servers. Instead
-      of learning identity digests for un-Named servers and nicknames
-      for Named servers, the new identifiers include digest, nickname,
-      and indication of Named status. Off by default; see control-spec.txt
-      for more information.
-    - Add a "getinfo address" controller command so it can display Tor's
-      best guess to the user.
-    - New controller event to alert the controller when our server
-      descriptor has changed.
-    - Give more meaningful errors on controller authentication failure.
-    - Export the default exit policy via the control port, so controllers
-      don't need to guess what it is / will be later.
-
-  o Minor bugfixes, controller:
-    - When creating a circuit via the controller, send a 'launched'
-      event when we're done, so we follow the spec better.
-    - Correct the control spec to match how the code actually responds
-      to 'getinfo addr-mappings/*'. Reported by daejees.
-    - The control spec described a GUARDS event, but the code
-      implemented a GUARD event. Standardize on GUARD, but let people
-      ask for GUARDS too. Reported by daejees.
-    - Give the controller END_STREAM_REASON_DESTROY events _before_ we
-      clear the corresponding on_circuit variable, and remember later
-      that we don't need to send a redundant CLOSED event. (Resolves part
-      3 of bug 367.)
-    - Report events where a resolve succeeded or where we got a socks
-      protocol error correctly, rather than calling both of them
-      "INTERNAL".
-    - Change reported stream target addresses to IP consistently when
-      we finally get the IP from an exit node.
-    - Send log messages to the controller even if they happen to be very
-      long.
-    - Flush ERR-level controller status events just like we currently
-      flush ERR-level log events, so that a Tor shutdown doesn't prevent
-      the controller from learning about current events.
-    - Report the circuit number correctly in STREAM CLOSED events. Bug
-      reported by Mike Perry.
-    - Do not report bizarre values for results of accounting GETINFOs
-      when the last second's write or read exceeds the allotted bandwidth.
-    - Report "unrecognized key" rather than an empty string when the
-      controller tries to fetch a networkstatus that doesn't exist.
-    - When the controller does a "GETINFO network-status", tell it
-      about even those routers whose descriptors are very old, and use
-      long nicknames where appropriate.
-    - Fix handling of verbose nicknames with ORCONN controller events:
-      make them show up exactly when requested, rather than exactly when
-      not requested.
-    - Controller signals now work on non-Unix platforms that don't define
-      SIGUSR1 and SIGUSR2 the way we expect.
-    - Respond to SIGNAL command before we execute the signal, in case
-      the signal shuts us down. Suggested by Karsten Loesing.
-    - Handle reporting OR_CONN_EVENT_NEW events to the controller.
-
-  o Minor features, code performance:
-    - Major performance improvement on inserting descriptors: change
-      algorithm from O(n^2) to O(n).
-    - Do not rotate onion key immediately after setting it for the first
-      time.
-    - Call router_have_min_dir_info half as often. (This is showing up in
-      some profiles, but not others.)
-    - When using GCC, make log_debug never get called at all, and its
-      arguments never get evaluated, when no debug logs are configured.
-      (This is showing up in some profiles, but not others.)
-    - Statistics dumped by -USR2 now include a breakdown of public key
-      operations, for profiling.
-    - Make the common memory allocation path faster on machines where
-      malloc(0) returns a pointer.
-    - Split circuit_t into origin_circuit_t and or_circuit_t, and
-      split connection_t into edge, or, dir, control, and base structs.
-      These will save quite a bit of memory on busy servers, and they'll
-      also help us track down bugs in the code and bugs in the spec.
-    - Use OpenSSL's AES implementation on platforms where it's faster.
-      This could save us as much as 10% CPU usage.
-
-  o Minor features, descriptors and descriptor handling:
-    - Avoid duplicate entries on MyFamily line in server descriptor.
-    - When Tor receives a router descriptor that it asked for, but
-      no longer wants (because it has received fresh networkstatuses
-      in the meantime), do not warn the user. Cache the descriptor if
-      we're a cache; drop it if we aren't.
-    - Servers no longer ever list themselves in their "family" line,
-      even if configured to do so. This makes it easier to configure
-      family lists conveniently.
-
-  o Minor fixes, confusing/misleading log messages:
-    - Display correct results when reporting which versions are
-      recommended, and how recommended they are. (Resolves bug 383.)
-    - Inform the server operator when we decide not to advertise a
-      DirPort due to AccountingMax enabled or a low BandwidthRate.
-    - Only include function names in log messages for info/debug messages.
-      For notice/warn/err, the content of the message should be clear on
-      its own, and printing the function name only confuses users.
-    - Remove even more protocol-related warnings from Tor server logs,
-      such as bad TLS handshakes and malformed begin cells.
-    - Fix bug 314: Tor clients issued "unsafe socks" warnings even
-      when the IP address is mapped through MapAddress to a hostname.
-    - Fix misleading log messages: an entry guard that is "unlisted",
-      as well as not known to be "down" (because we've never heard
-      of it), is not therefore "up".
-
-  o Minor fixes, old/obsolete behavior:
-    - Start assuming we can use a create_fast cell if we don't know
-      what version a router is running.
-    - We no longer look for identity and onion keys in "identity.key" and
-      "onion.key" -- these were replaced by secret_id_key and
-      secret_onion_key in 0.0.8pre1.
-    - We no longer require unrecognized directory entries to be
-      preceded by "opt".
-    - Drop compatibility with obsolete Tors that permit create cells
-      to have the wrong circ_id_type.
-    - Remove code to special-case "-cvs" ending, since it has not
-      actually mattered since 0.0.9.
-    - Don't re-write the fingerprint file every restart, unless it has
-      changed.
-
-  o Minor fixes, misc client-side behavior:
-    - Always remove expired routers and networkstatus docs before checking
-      whether we have enough information to build circuits. (Fixes
-      bug 373.)
-    - When computing clock skew from directory HTTP headers, consider what
-      time it was when we finished asking for the directory, not what
-      time it is now.
-    - Make our socks5 handling more robust to broken socks clients:
-      throw out everything waiting on the buffer in between socks
-      handshake phases, since they can't possibly (so the theory
-      goes) have predicted what we plan to respond to them.
-    - Expire socks connections if they spend too long waiting for the
-      handshake to finish. Previously we would let them sit around for
-      days, if the connecting application didn't close them either.
-    - And if the socks handshake hasn't started, don't send a
-      "DNS resolve socks failed" handshake reply; just close it.
-    - If the user asks to use invalid exit nodes, be willing to use
-      unstable ones.
-    - Track unreachable entry guards correctly: don't conflate
-      'unreachable by us right now' with 'listed as down by the directory
-      authorities'. With the old code, if a guard was unreachable by us
-      but listed as running, it would clog our guard list forever.
-    - Behave correctly in case we ever have a network with more than
-      2GB/s total advertised capacity.
-    - Claim a commonname of Tor, rather than TOR, in TLS handshakes.
-    - Fix a memory leak when we ask for "all" networkstatuses and we
-      get one we don't recognize.
-
-
-Changes in version 0.1.1.26 - 2006-12-14
-  o Security bugfixes:
-    - Stop sending the HttpProxyAuthenticator string to directory
-      servers when directory connections are tunnelled through Tor.
-    - Clients no longer store bandwidth history in the state file.
-    - Do not log introduction points for hidden services if SafeLogging
-      is set.
-
-  o Minor bugfixes:
-    - Fix an assert failure when a directory authority sets
-      AuthDirRejectUnlisted and then receives a descriptor from an
-      unlisted router (reported by seeess).
-
-
-Changes in version 0.1.1.25 - 2006-11-04
-  o Major bugfixes:
-    - When a client asks us to resolve (rather than connect to)
-      an address, and we have a cached answer, give them the cached
-      answer. Previously, we would give them no answer at all.
-    - We were building exactly the wrong circuits when we predict
-      hidden service requirements, meaning Tor would have to build all
-      its circuits on demand.
-    - If none of our live entry guards have a high uptime, but we
-      require a guard with a high uptime, try adding a new guard before
-      we give up on the requirement. This patch should make long-lived
-      connections more stable on average.
-    - When testing reachability of our DirPort, don't launch new
-      tests when there's already one in progress -- unreachable
-      servers were stacking up dozens of testing streams.
-
-  o Security bugfixes:
-    - When the user sends a NEWNYM signal, clear the client-side DNS
-      cache too. Otherwise we continue to act on previous information.
-
-  o Minor bugfixes:
-    - Avoid a memory corruption bug when creating a hash table for
-      the first time.
-    - Avoid possibility of controller-triggered crash when misusing
-      certain commands from a v0 controller on platforms that do not
-      handle printf("%s",NULL) gracefully.
-    - Avoid infinite loop on unexpected controller input.
-    - Don't log spurious warnings when we see a circuit close reason we
-      don't recognize; it's probably just from a newer version of Tor.
-    - Add Vidalia to the OS X uninstaller script, so when we uninstall
-      Tor/Privoxy we also uninstall Vidalia.
-
-
-Changes in version 0.1.1.24 - 2006-09-29
-  o Major bugfixes:
-    - Allow really slow clients to not hang up five minutes into their
-      directory downloads (suggested by Adam J. Richter).
-    - Fix major performance regression from 0.1.0.x: instead of checking
-      whether we have enough directory information every time we want to
-      do something, only check when the directory information has changed.
-      This should improve client CPU usage by 25-50%.
-    - Don't crash if, after a server has been running for a while,
-      it can't resolve its hostname.
-    - When a client asks us to resolve (not connect to) an address,
-      and we have a cached answer, give them the cached answer.
-      Previously, we would give them no answer at all.
-
-  o Minor bugfixes:
-    - Allow Tor to start when RunAsDaemon is set but no logs are set.
-    - Don't crash when the controller receives a third argument to an
-      "extendcircuit" request.
-    - Controller protocol fixes: fix encoding in "getinfo addr-mappings"
-      response; fix error code when "getinfo dir/status/" fails.
-    - Fix configure.in to not produce broken configure files with
-      more recent versions of autoconf. Thanks to Clint for his auto*
-      voodoo.
-    - Fix security bug on NetBSD that could allow someone to force
-      uninitialized RAM to be sent to a server's DNS resolver. This
-      only affects NetBSD and other platforms that do not bounds-check
-      tolower().
-    - Warn user when using libevent 1.1a or earlier with win32 or kqueue
-      methods: these are known to be buggy.
-    - If we're a directory mirror and we ask for "all" network status
-      documents, we would discard status documents from authorities
-      we don't recognize.
-
-
-Changes in version 0.1.1.23 - 2006-07-30
-  o Major bugfixes:
-    - Fast Tor servers, especially exit nodes, were triggering asserts
-      due to a bug in handling the list of pending DNS resolves. Some
-      bugs still remain here; we're hunting them.
-    - Entry guards could crash clients by sending unexpected input.
-    - More fixes on reachability testing: if you find yourself reachable,
-      then don't ever make any client requests (so you stop predicting
-      circuits), then hup or have your clock jump, then later your IP
-      changes, you won't think circuits are working, so you won't try to
-      test reachability, so you won't publish.
-
-  o Minor bugfixes:
-    - Avoid a crash if the controller does a resetconf firewallports
-      and then a setconf fascistfirewall=1.
-    - Avoid an integer underflow when the dir authority decides whether
-      a router is stable: we might wrongly label it stable, and compute
-      a slightly wrong median stability, when a descriptor is published
-      later than now.
-    - Fix a place where we might trigger an assert if we can't build our
-      own server descriptor yet.
-
-
-Changes in version 0.1.1.22 - 2006-07-05
-  o Major bugfixes:
-    - Fix a big bug that was causing servers to not find themselves
-      reachable if they changed IP addresses. Since only 0.1.1.22+
-      servers can do reachability testing correctly, now we automatically
-      make sure to test via one of these.
-    - Fix to allow clients and mirrors to learn directory info from
-      descriptor downloads that get cut off partway through.
-    - Directory authorities had a bug in deciding if a newly published
-      descriptor was novel enough to make everybody want a copy -- a few
-      servers seem to be publishing new descriptors many times a minute.
-  o Minor bugfixes:
-    - Fix a rare bug that was causing some servers to complain about
-      "closing wedged cpuworkers" and skip some circuit create requests.
-    - Make the Exit flag in directory status documents actually work.
-
-
-Changes in version 0.1.1.21 - 2006-06-10
-  o Crash and assert fixes from 0.1.1.20:
-    - Fix a rare crash on Tor servers that have enabled hibernation.
-    - Fix a seg fault on startup for Tor networks that use only one
-      directory authority.
-    - Fix an assert from a race condition that occurs on Tor servers
-      while exiting, where various threads are trying to log that they're
-      exiting, and delete the logs, at the same time.
-    - Make our unit tests pass again on certain obscure platforms.
-
-  o Other fixes:
-    - Add support for building SUSE RPM packages.
-    - Speed up initial bootstrapping for clients: if we are making our
-      first ever connection to any entry guard, then don't mark it down
-      right after that.
-    - When only one Tor server in the network is labelled as a guard,
-      and we've already picked him, we would cycle endlessly picking him
-      again, being unhappy about it, etc. Now we specifically exclude
-      current guards when picking a new guard.
-    - Servers send create cells more reliably after the TLS connection
-      is established: we were sometimes forgetting to send half of them
-      when we had more than one pending.
-    - If we get a create cell that asks us to extend somewhere, but the
-      Tor server there doesn't match the expected digest, we now send
-      a destroy cell back, rather than silently doing nothing.
-    - Make options->RedirectExit work again.
-    - Make cookie authentication for the controller work again.
-    - Stop being picky about unusual characters in the arguments to
-      mapaddress. It's none of our business.
-    - Add a new config option "TestVia" that lets you specify preferred
-      middle hops to use for test circuits. Perhaps this will let me
-      debug the reachability problems better.
-
-  o Log / documentation fixes:
-    - If we're a server and some peer has a broken TLS certificate, don't
-      log about it unless ProtocolWarnings is set, i.e., we want to hear
-      about protocol violations by others.
-    - Fix spelling of VirtualAddrNetwork in man page.
-    - Add a better explanation at the top of the autogenerated torrc file
-      about what happened to our old torrc.
-
-
-Changes in version 0.1.1.20 - 2006-05-23
-  o Crash and assert fixes from 0.1.0.17:
-    - Fix assert bug in close_logs() on exit: when we close and delete
-      logs, remove them all from the global "logfiles" list.
-    - Fix an assert error when we're out of space in the connection_list
-      and we try to post a hidden service descriptor (reported by Peter
-      Palfrader).
-    - Fix a rare assert error when we've tried all intro points for
-      a hidden service and we try fetching the service descriptor again:
-      "Assertion conn->state != AP_CONN_STATE_RENDDESC_WAIT failed".
-    - Setconf SocksListenAddress kills Tor if it fails to bind. Now back
-      out and refuse the setconf if it would fail.
-    - If you specify a relative torrc path and you set RunAsDaemon in
-      your torrc, then it chdir()'s to the new directory. If you then
-      HUP, it tries to load the new torrc location, fails, and exits.
-      The fix: no longer allow a relative path to torrc when using -f.
-    - Check for integer overflows in more places, when adding elements
-      to smartlists. This could possibly prevent a buffer overflow
-      on malicious huge inputs.
-
-  o Security fixes, major:
-    - When we're printing strings from the network, don't try to print
-      non-printable characters. Now we're safer against shell escape
-      sequence exploits, and also against attacks to fool users into
-      misreading their logs.
-    - Implement entry guards: automatically choose a handful of entry
-      nodes and stick with them for all circuits. Only pick new guards
-      when the ones you have are unsuitable, and if the old guards
-      become suitable again, switch back. This will increase security
-      dramatically against certain end-point attacks. The EntryNodes
-      config option now provides some hints about which entry guards you
-      want to use most; and StrictEntryNodes means to only use those.
-      Fixes CVE-2006-0414.
-    - Implement exit enclaves: if we know an IP address for the
-      destination, and there's a running Tor server at that address
-      which allows exit to the destination, then extend the circuit to
-      that exit first. This provides end-to-end encryption and end-to-end
-      authentication. Also, if the user wants a .exit address or enclave,
-      use 4 hops rather than 3, and cannibalize a general circ for it
-      if you can.
-    - Obey our firewall options more faithfully:
-      . If we can't get to a dirserver directly, try going via Tor.
-      . Don't ever try to connect (as a client) to a place our
-        firewall options forbid.
-      . If we specify a proxy and also firewall options, obey the
-        firewall options even when we're using the proxy: some proxies
-        can only proxy to certain destinations.
-    - Make clients regenerate their keys when their IP address changes.
-    - For the OS X package's modified privoxy config file, comment
-      out the "logfile" line so we don't log everything passed
-      through privoxy.
-    - Our TLS handshakes were generating a single public/private
-      keypair for the TLS context, rather than making a new one for
-      each new connection. Oops. (But we were still rotating them
-      periodically, so it's not so bad.)
-    - When we were cannibalizing a circuit with a particular exit
-      node in mind, we weren't checking to see if that exit node was
-      already present earlier in the circuit. Now we are.
-    - Require server descriptors to list IPv4 addresses -- hostnames
-      are no longer allowed. This also fixes potential vulnerabilities
-      to servers providing hostnames as their address and then
-      preferentially resolving them so they can partition users.
-    - Our logic to decide if the OR we connected to was the right guy
-      was brittle and maybe open to a mitm for invalid routers.
-
-  o Security fixes, minor:
-    - Adjust tor-spec.txt to parameterize cell and key lengths. Now
-      Ian Goldberg can prove things about our handshake protocol more
-      easily.
-    - Make directory authorities generate a separate "guard" flag to
-      mean "would make a good entry guard". Clients now honor the
-      is_guard flag rather than looking at is_fast or is_stable.
-    - Try to list MyFamily elements by key, not by nickname, and warn
-      if we've not heard of a server.
-    - Start using RAND_bytes rather than RAND_pseudo_bytes from
-      OpenSSL. Also, reseed our entropy every hour, not just at
-      startup. And add entropy in 512-bit chunks, not 160-bit chunks.
-    - Refuse server descriptors where the fingerprint line doesn't match
-      the included identity key. Tor doesn't care, but other apps (and
-      humans) might actually be trusting the fingerprint line.
-    - We used to kill the circuit when we receive a relay command we
-      don't recognize. Now we just drop that cell.
-    - Fix a bug found by Lasse Overlier: when we were making internal
-      circuits (intended to be cannibalized later for rendezvous and
-      introduction circuits), we were picking them so that they had
-      useful exit nodes. There was no need for this, and it actually
-      aids some statistical attacks.
-    - Start treating internal circuits and exit circuits separately.
-      It's important to keep them separate because internal circuits
-      have their last hops picked like middle hops, rather than like
-      exit hops. So exiting on them will break the user's expectations.
-    - Fix a possible way to DoS dirservers.
-    - When the client asked for a rendezvous port that the hidden
-      service didn't want to provide, we were sending an IP address
-      back along with the end cell. Fortunately, it was zero. But stop
-      that anyway.
-
-  o Packaging improvements:
-    - Implement --with-libevent-dir option to ./configure. Improve
-      search techniques to find libevent, and use those for openssl too.
-    - Fix a couple of bugs in OpenSSL detection. Deal better when
-      there are multiple SSLs installed with different versions.
-    - Avoid warnings about machine/limits.h on Debian GNU/kFreeBSD.
-    - On non-gcc compilers (e.g. Solaris's cc), use "-g -O" instead of
-      "-Wall -g -O2".
-    - Make unit tests (and other invocations that aren't the real Tor)
-      run without launching listeners, creating subdirectories, and so on.
-    - The OS X installer was adding a symlink for tor_resolve but
-      the binary was called tor-resolve (reported by Thomas Hardly).
-    - Now we can target arch and OS in rpm builds (contributed by
-      Phobos). Also make the resulting dist-rpm filename match the
-      target arch.
-    - Apply Matt Ghali's --with-syslog-facility patch to ./configure
-      if you log to syslog and want something other than LOG_DAEMON.
-    - Fix the torify (tsocks) config file to not use Tor for localhost
-      connections.
-    - Start shipping socks-extensions.txt, tor-doc-unix.html,
-      tor-doc-server.html, and stylesheet.css in the tarball.
-    - Stop shipping tor-doc.html, INSTALL, and README in the tarball.
-      They are useless now.
-    - Add Peter Palfrader's contributed check-tor script. It lets you
-      easily check whether a given server (referenced by nickname)
-      is reachable by you.
-    - Add BSD-style contributed startup script "rc.subr" from Peter
-      Thoenen.
-
-  o Directory improvements -- new directory protocol:
-    - See tor/doc/dir-spec.txt for all the juicy details. Key points:
-    - Authorities and caches publish individual descriptors (by
-      digest, by fingerprint, by "all", and by "tell me yours").
-    - Clients don't download or use the old directory anymore. Now they
-      download network-statuses from the directory authorities, and
-      fetch individual server descriptors as needed from mirrors.
-    - Clients don't download descriptors of non-running servers.
-    - Download descriptors by digest, not by fingerprint. Caches try to
-      download all listed digests from authorities; clients try to
-      download "best" digests from caches. This avoids partitioning
-      and isolating attacks better.
-    - Only upload a new server descriptor when options change, 18
-      hours have passed, uptime is reset, or bandwidth changes a lot.
-    - Directory authorities silently throw away new descriptors that
-      haven't changed much if the timestamps are similar. We do this to
-      tolerate older Tor servers that upload a new descriptor every 15
-      minutes. (It seemed like a good idea at the time.)
-    - Clients choose directory servers from the network status lists,
-      not from their internal list of router descriptors. Now they can
-      go to caches directly rather than needing to go to authorities
-      to bootstrap the first set of descriptors.
-    - When picking a random directory, prefer non-authorities if any
-      are known.
-    - Add a new flag to network-status indicating whether the server
-      can answer v2 directory requests too.
-    - Directory mirrors now cache up to 16 unrecognized network-status
-      docs, so new directory authorities will be cached too.
-    - Stop parsing, storing, or using running-routers output (but
-      mirrors still cache and serve it).
-    - Clients consider a threshold of "versioning" directory authorities
-      before deciding whether to warn the user that he's obsolete.
-    - Authorities publish separate sorted lists of recommended versions
-      for clients and for servers.
-    - Change DirServers config line to note which dirs are v1 authorities.
-    - Put nicknames on the DirServer line, so we can refer to them
-      without requiring all our users to memorize their IP addresses.
-    - Remove option when getting directory cache to see whether they
-      support running-routers; they all do now. Replace it with one
-      to see whether caches support v2 stuff.
-    - Stop listing down or invalid nodes in the v1 directory. This
-      reduces its bulk by about 1/3, and reduces load on mirrors.
-    - Mirrors no longer cache the v1 directory as often.
-    - If we as a directory mirror don't know of any v1 directory
-      authorities, then don't try to cache any v1 directories.
-
-  o Other directory improvements:
-    - Add lefkada.eecs.harvard.edu and tor.dizum.com as fourth and
-      fifth authoritative directory servers.
-    - Directory authorities no longer require an open connection from
-      a server to consider him "reachable". We need this change because
-      when we add new directory authorities, old servers won't know not
-      to hang up on them.
-    - Dir authorities now do their own external reachability testing
-      of each server, and only list as running the ones they found to
-      be reachable. We also send back warnings to the server's logs if
-      it uploads a descriptor that we already believe is unreachable.
-    - Spread the directory authorities' reachability testing over the
-      entire testing interval, so we don't try to do 500 TLS's at once
-      every 20 minutes.
-    - Make the "stable" router flag in network-status be the median of
-      the uptimes of running valid servers, and make clients pay
-      attention to the network-status flags. Thus the cutoff adapts
-      to the stability of the network as a whole, making IRC, IM, etc
-      connections more reliable.
-    - Make the v2 dir's "Fast" flag based on relative capacity, just
-      like "Stable" is based on median uptime. Name everything in the
-      top 7/8 Fast, and only the top 1/2 gets to be a Guard.
-    - Retry directory requests if we fail to get an answer we like
-      from a given dirserver (we were retrying before, but only if
-      we fail to connect).
-    - Return a robots.txt on our dirport to discourage google indexing.
-
-  o Controller protocol improvements:
-    - Revised controller protocol (version 1) that uses ascii rather
-      than binary: tor/doc/control-spec.txt. Add supporting libraries
-      in python and java and c# so you can use the controller from your
-      applications without caring how our protocol works.
-    - Allow the DEBUG controller event to work again. Mark certain log
-      entries as "don't tell this to controllers", so we avoid cycles.
-    - New controller function "getinfo accounting", to ask how
-      many bytes we've used in this time period.
-    - Add a "resetconf" command so you can set config options like
-      AllowUnverifiedNodes and LongLivedPorts to "". Also, if you give
-      a config option in the torrc with no value, then it clears it
-      entirely (rather than setting it to its default).
-    - Add a "getinfo config-file" to tell us where torrc is. Also
-      expose guard nodes, config options/names.
-    - Add a "quit" command (when when using the controller manually).
-    - Add a new signal "newnym" to "change pseudonyms" -- that is, to
-      stop using any currently-dirty circuits for new streams, so we
-      don't link new actions to old actions. This also occurs on HUP
-      or "signal reload".
-    - If we would close a stream early (e.g. it asks for a .exit that
-      we know would refuse it) but the LeaveStreamsUnattached config
-      option is set by the controller, then don't close it.
-    - Add a new controller event type "authdir_newdescs" that allows
-      controllers to get all server descriptors that were uploaded to
-      a router in its role as directory authority.
-    - New controller option "getinfo desc/all-recent" to fetch the
-      latest server descriptor for every router that Tor knows about.
-    - Fix the controller's "attachstream 0" command to treat conn like
-      it just connected, doing address remapping, handling .exit and
-      .onion idioms, and so on. Now we're more uniform in making sure
-      that the controller hears about new and closing connections.
-    - Permit transitioning from ORPort==0 to ORPort!=0, and back, from
-      the controller. Also, rotate dns and cpu workers if the controller
-      changes options that will affect them; and initialize the dns
-      worker cache tree whether or not we start out as a server.
-    - Add a new circuit purpose 'controller' to let the controller ask
-      for a circuit that Tor won't try to use. Extend the "extendcircuit"
-      controller command to let you specify the purpose if you're starting
-      a new circuit.  Add a new "setcircuitpurpose" controller command to
-      let you change a circuit's purpose after it's been created.
-    - Let the controller ask for "getinfo dir/server/foo" so it can ask
-      directly rather than connecting to the dir port. "getinfo
-      dir/status/foo" also works, but currently only if your DirPort
-      is enabled.
-    - Let the controller tell us about certain router descriptors
-      that it doesn't want Tor to use in circuits. Implement
-      "setrouterpurpose" and modify "+postdescriptor" to do this.
-    - If the controller's *setconf commands fail, collect an error
-      message in a string and hand it back to the controller -- don't
-      just tell them to go read their logs.
-
-  o Scalability, resource management, and performance:
-    - Fix a major load balance bug: we were round-robin reading in 16 KB
-      chunks, and servers with bandwidthrate of 20 KB, while downloading
-      a 600 KB directory, would starve their other connections. Now we
-      try to be a bit more fair.
-    - Be more conservative about whether to advertise our DirPort.
-      The main change is to not advertise if we're running at capacity
-      and either a) we could hibernate ever or b) our capacity is low
-      and we're using a default DirPort.
-    - We weren't cannibalizing circuits correctly for
-      CIRCUIT_PURPOSE_C_ESTABLISH_REND and
-      CIRCUIT_PURPOSE_S_ESTABLISH_INTRO, so we were being forced to
-      build those from scratch. This should make hidden services faster.
-    - Predict required circuits better, with an eye toward making hidden
-      services faster on the service end.
-    - Compress exit policies even more: look for duplicate lines and
-      remove them.
-    - Generate 18.0.0.0/8 address policy format in descs when we can;
-      warn when the mask is not reducible to a bit-prefix.
-    - There used to be two ways to specify your listening ports in a
-      server descriptor: on the "router" line and with a separate "ports"
-      line. Remove support for the "ports" line.
-    - Reduce memory requirements in our structs by changing the order
-      of fields. Replace balanced trees with hash tables. Inline
-      bottleneck smartlist functions. Add a "Map from digest to void*"
-      abstraction so we can do less hex encoding/decoding, and use it
-      in router_get_by_digest(). Many other CPU and memory improvements.
-    - Allow tor_gzip_uncompress to extract as much as possible from
-      truncated compressed data. Try to extract as many
-      descriptors as possible from truncated http responses (when
-      purpose is DIR_PURPOSE_FETCH_ROUTERDESC).
-    - Make circ->onionskin a pointer, not a static array. moria2 was using
-      125000 circuit_t's after it had been up for a few weeks, which
-      translates to 20+ megs of wasted space.
-    - The private half of our EDH handshake keys are now chosen out
-      of 320 bits, not 1024 bits. (Suggested by Ian Goldberg.)
-    - Stop doing the complex voodoo overkill checking for insecure
-      Diffie-Hellman keys. Just check if it's in [2,p-2] and be happy.
-    - Do round-robin writes for TLS of at most 16 kB per write. This
-      might be more fair on loaded Tor servers.
-    - Do not use unaligned memory access on alpha, mips, or mipsel.
-      It *works*, but is very slow, so we treat them as if it doesn't.
-
-  o Other bugfixes and improvements:
-    - Start storing useful information to $DATADIR/state, so we can
-      remember things across invocations of Tor. Retain unrecognized
-      lines so we can be forward-compatible, and write a TorVersion line
-      so we can be backward-compatible.
-    - If ORPort is set, Address is not explicitly set, and our hostname
-      resolves to a private IP address, try to use an interface address
-      if it has a public address. Now Windows machines that think of
-      themselves as localhost can guess their address.
-    - Regenerate our local descriptor if it's dirty and we try to use
-      it locally (e.g. if it changes during reachability detection).
-      This was causing some Tor servers to keep publishing the same
-      initial descriptor forever.
-    - Tor servers with dynamic IP addresses were needing to wait 18
-      hours before they could start doing reachability testing using
-      the new IP address and ports. This is because they were using
-      the internal descriptor to learn what to test, yet they were only
-      rebuilding the descriptor once they decided they were reachable.
-    - It turns out we couldn't bootstrap a network since we added
-      reachability detection in 0.1.0.1-rc. Good thing the Tor network
-      has never gone down. Add an AssumeReachable config option to let
-      servers and authorities bootstrap. When we're trying to build a
-      high-uptime or high-bandwidth circuit but there aren't enough
-      suitable servers, try being less picky rather than simply failing.
-    - Newly bootstrapped Tor networks couldn't establish hidden service
-      circuits until they had nodes with high uptime. Be more tolerant.
-    - Really busy servers were keeping enough circuits open on stable
-      connections that they were wrapping around the circuit_id
-      space. (It's only two bytes.) This exposed a bug where we would
-      feel free to reuse a circuit_id even if it still exists but has
-      been marked for close. Try to fix this bug. Some bug remains.
-    - When we fail to bind or listen on an incoming or outgoing
-      socket, we now close it before refusing, rather than just
-      leaking it. (Thanks to Peter Palfrader for finding.)
-    - Fix a file descriptor leak in start_daemon().
-    - On Windows, you can't always reopen a port right after you've
-      closed it. So change retry_listeners() to only close and re-open
-      ports that have changed.
-    - Workaround a problem with some http proxies that refuse GET
-      requests that specify "Content-Length: 0". Reported by Adrian.
-    - Recover better from TCP connections to Tor servers that are
-      broken but don't tell you (it happens!); and rotate TLS
-      connections once a week.
-    - Fix a scary-looking but apparently harmless bug where circuits
-      would sometimes start out in state CIRCUIT_STATE_OR_WAIT at
-      servers, and never switch to state CIRCUIT_STATE_OPEN.
-    - Check for even more Windows version flags when writing the platform
-      string in server descriptors, and note any we don't recognize.
-    - Add reasons to DESTROY and RELAY_TRUNCATED cells, so clients can
-      get a better idea of why their circuits failed. Not used yet.
-    - Add TTLs to RESOLVED, CONNECTED, and END_REASON_EXITPOLICY cells.
-      We don't use them yet, but maybe one day our DNS resolver will be
-      able to discover them.
-    - Let people type "tor --install" as well as "tor -install" when they
-      want to make it an NT service.
-    - Looks like we were never delivering deflated (i.e. compressed)
-      running-routers lists, even when asked. Oops.
-    - We were leaking some memory every time the client changed IPs.
-    - Clean up more of the OpenSSL memory when exiting, so we can detect
-      memory leaks better.
-    - Never call free() on tor_malloc()d memory. This will help us
-      use dmalloc to detect memory leaks.
-    - Some Tor servers process billions of cells per day. These
-      statistics are now uint64_t's.
-    - Check [X-]Forwarded-For headers in HTTP requests when generating
-      log messages. This lets people run dirservers (and caches) behind
-      Apache but still know which IP addresses are causing warnings.
-    - Fix minor integer overflow in calculating when we expect to use up
-      our bandwidth allocation before hibernating.
-    - Lower the minimum required number of file descriptors to 1000,
-      so we can have some overhead for Valgrind on Linux, where the
-      default ulimit -n is 1024.
-    - Stop writing the "router.desc" file, ever. Nothing uses it anymore,
-      and its existence is confusing some users.
-
-  o Config option fixes:
-    - Add a new config option ExitPolicyRejectPrivate which defaults
-      to on. Now all exit policies will begin with rejecting private
-      addresses, unless the server operator explicitly turns it off.
-    - Bump the default bandwidthrate to 3 MB, and burst to 6 MB.
-    - Add new ReachableORAddresses and ReachableDirAddresses options
-      that understand address policies. FascistFirewall is now a synonym
-      for "ReachableORAddresses *:443", "ReachableDirAddresses *:80".
-    - Start calling it FooListenAddress rather than FooBindAddress,
-      since few of our users know what it means to bind an address
-      or port.
-    - If the user gave Tor an odd number of command-line arguments,
-      we were silently ignoring the last one. Now we complain and fail.
-      This wins the oldest-bug prize -- this bug has been present since
-      November 2002, as released in Tor 0.0.0.
-    - If you write "HiddenServicePort 6667 127.0.0.1 6668" in your
-      torrc rather than "HiddenServicePort 6667 127.0.0.1:6668",
-      it would silently ignore the 6668.
-    - If we get a linelist or linelist_s config option from the torrc,
-      e.g. ExitPolicy, and it has no value, warn and skip rather than
-      silently resetting it to its default.
-    - Setconf was appending items to linelists, not clearing them.
-    - Add MyFamily to torrc.sample in the server section, so operators
-      will be more likely to learn that it exists.
-    - Make ContactInfo mandatory for authoritative directory servers.
-    - MaxConn has been obsolete for a while now. Document the ConnLimit
-      config option, which is a *minimum* number of file descriptors
-      that must be available else Tor refuses to start.
-    - Get rid of IgnoreVersion undocumented config option, and make us
-      only warn, never exit, when we're running an obsolete version.
-    - Make MonthlyAccountingStart config option truly obsolete now.
-    - Correct the man page entry on TrackHostExitsExpire.
-    - Let directory authorities start even if they don't specify an
-      Address config option.
-    - Change "AllowUnverifiedNodes" to "AllowInvalidNodes", to
-      reflect the updated flags in our v2 dir protocol.
-
-  o Config option features:
-    - Add a new config option FastFirstHopPK (on by default) so clients
-      do a trivial crypto handshake for their first hop, since TLS has
-      already taken care of confidentiality and authentication.
-    - Let the user set ControlListenAddress in the torrc. This can be
-      dangerous, but there are some cases (like a secured LAN) where it
-      makes sense.
-    - New config options to help controllers: FetchServerDescriptors
-      and FetchHidServDescriptors for whether to fetch server
-      info and hidserv info or let the controller do it, and
-      PublishServerDescriptor and PublishHidServDescriptors.
-    - Also let the controller set the __AllDirActionsPrivate config
-      option if you want all directory fetches/publishes to happen via
-      Tor (it assumes your controller bootstraps your circuits).
-    - Add "HardwareAccel" config option: support for crypto hardware
-      accelerators via OpenSSL. Off by default, until we find somebody
-      smart who can test it for us. (It appears to produce seg faults
-      in at least some cases.)
-    - New config option "AuthDirRejectUnlisted" for directory authorities
-      as a panic button: if we get flooded with unusable servers we can
-      revert to only listing servers in the approved-routers file.
-    - Directory authorities can now reject/invalidate by key and IP,
-      with the config options "AuthDirInvalid" and "AuthDirReject", or
-      by marking a fingerprint as "!reject" or "!invalid" (as its
-      nickname) in the approved-routers file. This is useful since
-      currently we automatically list servers as running and usable
-      even if we know they're jerks.
-    - Add a new config option TestSocks so people can see whether their
-      applications are using socks4, socks4a, socks5-with-ip, or
-      socks5-with-fqdn. This way they don't have to keep mucking
-      with tcpdump and wondering if something got cached somewhere.
-    - Add "private:*" as an alias in configuration for policies. Now
-      you can simplify your exit policy rather than needing to list
-      every single internal or nonroutable network space.
-    - Accept "private:*" in routerdesc exit policies; not generated yet
-      because older Tors do not understand it.
-    - Add configuration option "V1AuthoritativeDirectory 1" which
-      moria1, moria2, and tor26 have set.
-    - Implement an option, VirtualAddrMask, to set which addresses
-      get handed out in response to mapaddress requests. This works
-      around a bug in tsocks where 127.0.0.0/8 is never socksified.
-    - Add a new config option FetchUselessDescriptors, off by default,
-      for when you plan to run "exitlist" on your client and you want
-      to know about even the non-running descriptors.
-    - SocksTimeout: How long do we let a socks connection wait
-      unattached before we fail it?
-    - CircuitBuildTimeout: Cull non-open circuits that were born
-      at least this many seconds ago.
-    - CircuitIdleTimeout: Cull open clean circuits that were born
-      at least this many seconds ago.
-    - New config option SafeSocks to reject all application connections
-      using unsafe socks protocols. Defaults to off.
-
-  o Improved and clearer log messages:
-    - Reduce clutter in server logs. We're going to try to make
-      them actually usable now. New config option ProtocolWarnings that
-      lets you hear about how _other Tors_ are breaking the protocol. Off
-      by default.
-    - Divide log messages into logging domains. Once we put some sort
-      of interface on this, it will let people looking at more verbose
-      log levels specify the topics they want to hear more about.
-    - Log server fingerprint on startup, so new server operators don't
-      have to go hunting around their filesystem for it.
-    - Provide dire warnings to any users who set DirServer manually;
-      move it out of torrc.sample and into torrc.complete.
-    - Make the log message less scary when all the dirservers are
-      temporarily unreachable.
-    - When tor_socketpair() fails in Windows, give a reasonable
-      Windows-style errno back.
-    - Improve tor_gettimeofday() granularity on windows.
-    - We were printing the number of idle dns workers incorrectly when
-      culling them.
-    - Handle duplicate lines in approved-routers files without warning.
-    - We were whining about using socks4 or socks5-with-local-lookup
-      even when it's an IP address in the "virtual" range we designed
-      exactly for this case.
-    - Check for named servers when looking them up by nickname;
-      warn when we're calling a non-named server by its nickname;
-      don't warn twice about the same name.
-    - Downgrade the dirserver log messages when whining about
-      unreachability.
-    - Correct "your server is reachable" log entries to indicate that
-      it was self-testing that told us so.
-    - If we're trying to be a Tor server and running Windows 95/98/ME
-      as a server, explain that we'll likely crash.
-    - Provide a more useful warn message when our onion queue gets full:
-      the CPU is too slow or the exit policy is too liberal.
-    - Don't warn when we receive a 503 from a dirserver/cache -- this
-      will pave the way for them being able to refuse if they're busy.
-    - When we fail to bind a listener, try to provide a more useful
-      log message: e.g., "Is Tor already running?"
-    - Only start testing reachability once we've established a
-      circuit. This will make startup on dir authorities less noisy.
-    - Don't try to upload hidden service descriptors until we have
-      established a circuit.
-    - Tor didn't warn when it failed to open a log file.
-    - Warn when listening on a public address for socks. We suspect a
-      lot of people are setting themselves up as open socks proxies,
-      and they have no idea that jerks on the Internet are using them,
-      since they simply proxy the traffic into the Tor network.
-    - Give a useful message when people run Tor as the wrong user,
-      rather than telling them to start chowning random directories.
-    - Fix a harmless bug that was causing Tor servers to log
-      "Got an end because of misc error, but we're not an AP. Closing."
-    - Fix wrong log message when you add a "HiddenServiceNodes" config
-      line without any HiddenServiceDir line (reported by Chris Thomas).
-    - Directory authorities now stop whining so loudly about bad
-      descriptors that they fetch from other dirservers. So when there's
-      a log complaint, it's for sure from a freshly uploaded descriptor.
-    - When logging via syslog, include the pid whenever we provide
-      a log entry. Suggested by Todd Fries.
-    - When we're shutting down and we do something like try to post a
-      server descriptor or rendezvous descriptor, don't complain that
-      we seem to be unreachable. Of course we are, we're shutting down.
-    - Change log line for unreachability to explicitly suggest /etc/hosts
-      as the culprit. Also make it clearer what IP address and ports we're
-      testing for reachability.
-    - Put quotes around user-supplied strings when logging so users are
-      more likely to realize if they add bad characters (like quotes)
-      to the torrc.
-    - NT service patch from Matt Edman to improve error messages on Win32.
-
-
-Changes in version 0.1.0.17 - 2006-02-17
-  o Crash bugfixes on 0.1.0.x:
-    - When servers with a non-zero DirPort came out of hibernation,
-      sometimes they would trigger an assert.
-
-  o Other important bugfixes:
-    - On platforms that don't have getrlimit (like Windows), we were
-      artificially constraining ourselves to a max of 1024
-      connections. Now just assume that we can handle as many as 15000
-      connections. Hopefully this won't cause other problems.
-
-  o Backported features:
-    - When we're a server, a client asks for an old-style directory,
-      and our write bucket is empty, don't give it to him. This way
-      small servers can continue to serve the directory *sometimes*,
-      without getting overloaded.
-    - Whenever you get a 503 in response to a directory fetch, try
-      once more. This will become important once servers start sending
-      503's whenever they feel busy.
-    - Fetch a new directory every 120 minutes, not every 40 minutes.
-      Now that we have hundreds of thousands of users running the old
-      directory algorithm, it's starting to hurt a lot.
-    - Bump up the period for forcing a hidden service descriptor upload
-      from 20 minutes to 1 hour.
-
-
-Changes in version 0.1.0.16 - 2006-01-02
-  o Crash bugfixes on 0.1.0.x:
-    - On Windows, build with a libevent patch from "I-M Weasel" to avoid
-      corrupting the heap, losing FDs, or crashing when we need to resize
-      the fd_sets. (This affects the Win32 binaries, not Tor's sources.)
-    - It turns out sparc64 platforms crash on unaligned memory access
-      too -- so detect and avoid this.
-    - Handle truncated compressed data correctly (by detecting it and
-      giving an error).
-    - Fix possible-but-unlikely free(NULL) in control.c.
-    - When we were closing connections, there was a rare case that
-      stomped on memory, triggering seg faults and asserts.
-    - Avoid potential infinite recursion when building a descriptor. (We
-      don't know that it ever happened, but better to fix it anyway.)
-    - We were neglecting to unlink marked circuits from soon-to-close OR
-      connections, which caused some rare scribbling on freed memory.
-    - Fix a memory stomping race bug when closing the joining point of two
-      rendezvous circuits.
-    - Fix an assert in time parsing found by Steven Murdoch.
-
-  o Other bugfixes on 0.1.0.x:
-    - When we're doing reachability testing, provide more useful log
-      messages so the operator knows what to expect.
-    - Do not check whether DirPort is reachable when we are suppressing
-      advertising it because of hibernation.
-    - When building with -static or on Solaris, we sometimes needed -ldl.
-    - One of the dirservers (tor26) changed its IP address.
-    - When we're deciding whether a stream has enough circuits around
-      that can handle it, count the freshly dirty ones and not the ones
-      that are so dirty they won't be able to handle it.
-    - When we're expiring old circuits, we had a logic error that caused
-      us to close new rendezvous circuits rather than old ones.
-    - Give a more helpful log message when you try to change ORPort via
-      the controller: you should upgrade Tor if you want that to work.
-    - We were failing to parse Tor versions that start with "Tor ".
-    - Tolerate faulty streams better: when a stream fails for reason
-      exitpolicy, stop assuming that the router is lying about his exit
-      policy. When a stream fails for reason misc, allow it to retry just
-      as if it was resolvefailed. When a stream has failed three times,
-      reset its failure count so we can try again and get all three tries.
-
-
-Changes in version 0.1.0.15 - 2005-09-23
-  o Bugfixes on 0.1.0.x:
-    - Reject ports 465 and 587 (spam targets) in default exit policy.
-    - Don't crash when we don't have any spare file descriptors and we
-      try to spawn a dns or cpu worker.
-    - Get rid of IgnoreVersion undocumented config option, and make us
-      only warn, never exit, when we're running an obsolete version.
-    - Don't try to print a null string when your server finds itself to
-      be unreachable and the Address config option is empty.
-    - Make the numbers in read-history and write-history into uint64s,
-      so they don't overflow and publish negatives in the descriptor.
-    - Fix a minor memory leak in smartlist_string_remove().
-    - We were only allowing ourselves to upload a server descriptor at
-      most every 20 minutes, even if it changed earlier than that.
-    - Clean up log entries that pointed to old URLs.
-
-
-Changes in version 0.1.0.14 - 2005-08-08
-  o Bugfixes on 0.1.0.x:
-      - Fix the other half of the bug with crypto handshakes
-        (CVE-2005-2643).
-      - Fix an assert trigger if you send a 'signal term' via the
-        controller when it's listening for 'event info' messages.
-
-
-Changes in version 0.1.0.13 - 2005-08-04
-  o Bugfixes on 0.1.0.x:
-    - Fix a critical bug in the security of our crypto handshakes.
-    - Fix a size_t underflow in smartlist_join_strings2() that made
-      it do bad things when you hand it an empty smartlist.
-    - Fix Windows installer to ship Tor license (thanks to Aphex for
-      pointing out this oversight) and put a link to the doc directory
-      in the start menu.
-    - Explicitly set no-unaligned-access for sparc: it turns out the
-      new gcc's let you compile broken code, but that doesn't make it
-      not-broken.
-
-
-Changes in version 0.1.0.12 - 2005-07-18
-  o New directory servers:
-      - tor26 has changed IP address.
-
-  o Bugfixes on 0.1.0.x:
-    - Fix a possible double-free in tor_gzip_uncompress().
-    - When --disable-threads is set, do not search for or link against
-      pthreads libraries.
-    - Don't trigger an assert if an authoritative directory server
-      claims its dirport is 0.
-    - Fix bug with removing Tor as an NT service: some people were
-      getting "The service did not return an error." Thanks to Matt
-      Edman for the fix.
-
-
-Changes in version 0.1.0.11 - 2005-06-30
-  o Bugfixes on 0.1.0.x:
-    - Fix major security bug: servers were disregarding their
-      exit policies if clients behaved unexpectedly.
-    - Make OS X init script check for missing argument, so we don't
-      confuse users who invoke it incorrectly.
-    - Fix a seg fault in "tor --hash-password foo".
-    - The MAPADDRESS control command was broken.
-
-
-Changes in version 0.1.0.10 - 2005-06-14
-  o Fixes on Win32:
-    - Make NT services work and start on startup on Win32 (based on
-      patch by Matt Edman). See the FAQ entry for details.
-    - Make 'platform' string in descriptor more accurate for Win32
-      servers, so it's not just "unknown platform".
-    - REUSEADDR on normal platforms means you can rebind to the port
-      right after somebody else has let it go. But REUSEADDR on Win32
-      means you can bind to the port _even when somebody else already
-      has it bound_! So, don't do that on Win32.
-    - Clean up the log messages when starting on Win32 with no config
-      file.
-    - Allow seeding the RNG on Win32 even when you're not running as
-      Administrator. If seeding the RNG on Win32 fails, quit.
-
-  o Assert / crash bugs:
-    - Refuse relay cells that claim to have a length larger than the
-      maximum allowed. This prevents a potential attack that could read
-      arbitrary memory (e.g. keys) from an exit server's process
-      (CVE-2005-2050).
-    - If unofficial Tor clients connect and send weird TLS certs, our
-      Tor server triggers an assert. Stop asserting, and start handling
-      TLS errors better in other situations too.
-    - Fix a race condition that can trigger an assert when we have a
-      pending create cell and an OR connection attempt fails.
-
-  o Resource leaks:
-    - Use pthreads for worker processes rather than forking. This was
-      forced because when we forked, we ended up wasting a lot of
-      duplicate ram over time.
-      - Also switch to foo_r versions of some library calls to allow
-        reentry and threadsafeness.
-      - Implement --disable-threads configure option. Disable threads on
-        netbsd and openbsd by default, because they have no reentrant
-        resolver functions (!), and on solaris since it has other
-        threading issues.
-    - Fix possible bug on threading platforms (e.g. win32) which was
-      leaking a file descriptor whenever a cpuworker or dnsworker died.
-    - Fix a minor memory leak when somebody establishes an introduction
-      point at your Tor server.
-    - Fix possible memory leak in tor_lookup_hostname(). (Thanks to
-      Adam Langley.)
-    - Add ./configure --with-dmalloc option, to track memory leaks.
-    - And try to free all memory on closing, so we can detect what
-      we're leaking.
-
-  o Protocol correctness:
-    - When we've connected to an OR and handshaked but didn't like
-      the result, we were closing the conn without sending destroy
-      cells back for pending circuits. Now send those destroys.
-    - Start sending 'truncated' cells back rather than destroy cells
-      if the circuit closes in front of you. This means we won't have
-      to abandon partially built circuits.
-    - Handle changed router status correctly when dirserver reloads
-      fingerprint file. We used to be dropping all unverified descriptors
-      right then. The bug was hidden because we would immediately
-      fetch a directory from another dirserver, which would include the
-      descriptors we just dropped.
-    - Revise tor-spec to add more/better stream end reasons.
-    - Revise all calls to connection_edge_end to avoid sending 'misc',
-      and to take errno into account where possible.
-    - Client now retries when streams end early for 'hibernating' or
-      'resource limit' reasons, rather than failing them.
-    - Try to be more zealous about calling connection_edge_end when
-      things go bad with edge conns in connection.c.
-
-  o Robustness improvements:
-    - Better handling for heterogeneous / unreliable nodes:
-      - Annotate circuits with whether they aim to contain high uptime
-        nodes and/or high capacity nodes. When building circuits, choose
-        appropriate nodes.
-      - This means that every single node in an intro rend circuit,
-        not just the last one, will have a minimum uptime.
-      - New config option LongLivedPorts to indicate application streams
-        that will want high uptime circuits.
-      - Servers reset uptime when a dir fetch entirely fails. This
-        hopefully reflects stability of the server's network connectivity.
-      - If somebody starts his tor server in Jan 2004 and then fixes his
-        clock, don't make his published uptime be a year.
-      - Reset published uptime when we wake up from hibernation.
-    - Introduce a notion of 'internal' circs, which are chosen without
-      regard to the exit policy of the last hop. Intro and rendezvous
-      circs must be internal circs, to avoid leaking information. Resolve
-      and connect streams can use internal circs if they want.
-    - New circuit pooling algorithm: keep track of what destination ports
-      we've used recently (start out assuming we'll want to use 80), and
-      make sure to have enough circs around to satisfy these ports. Also
-      make sure to have 2 internal circs around if we've required internal
-      circs lately (and with high uptime if we've seen that lately too).
-    - Turn addr_policy_compare from a tristate to a quadstate; this should
-      help address our "Ah, you allow 1.2.3.4:80. You are a good choice
-      for google.com" problem.
-    - When a client asks us for a dir mirror and we don't have one,
-      launch an attempt to get a fresh one.
-    - First cut at support for "create-fast" cells. Clients can use
-      these when extending to their first hop, since the TLS already
-      provides forward secrecy and authentication. Not enabled on
-      clients yet.
-
-  o Reachability testing.
-    - Your Tor server will automatically try to see if its ORPort and
-      DirPort are reachable from the outside, and it won't upload its
-      descriptor until it decides at least ORPort is reachable (when
-      DirPort is not yet found reachable, publish it as zero).
-    - When building testing circs for ORPort testing, use only
-      high-bandwidth nodes, so fewer circuits fail.
-    - Notice when our IP changes, and reset stats/uptime/reachability.
-    - Authdirservers don't do ORPort reachability detection, since
-      they're in clique mode, so it will be rare to find a server not
-      already connected to them.
-    - Authdirservers now automatically approve nodes running 0.1.0.2-rc
-      or later.
-
-  o Dirserver fixes:
-    - Now we allow two unverified servers with the same nickname
-      but different keys. But if a nickname is verified, only that
-      nickname+key are allowed.
-    - If you're an authdirserver connecting to an address:port,
-      and it's not the OR you were expecting, forget about that
-      descriptor. If he *was* the one you were expecting, then forget
-      about all other descriptors for that address:port.
-    - Allow servers to publish descriptors from 12 hours in the future.
-      Corollary: only whine about clock skew from the dirserver if
-      he's a trusted dirserver (since now even verified servers could
-      have quite wrong clocks).
-    - Require servers that use the default dirservers to have public IP
-      addresses. We have too many servers that are configured with private
-      IPs and their admins never notice the log entries complaining that
-      their descriptors are being rejected.
-
-  o Efficiency improvements:
-    - Use libevent. Now we can use faster async cores (like epoll, kpoll,
-      and /dev/poll), and hopefully work better on Windows too.
-      - Apple's OS X 10.4.0 ships with a broken kqueue API, and using
-        kqueue on 10.3.9 causes kernel panics. Don't use kqueue on OS X.
-      - Find libevent even if it's hiding in /usr/local/ and your
-        CFLAGS and LDFLAGS don't tell you to look there.
-      - Be able to link with libevent as a shared library (the default
-        after 1.0d), even if it's hiding in /usr/local/lib and even
-        if you haven't added /usr/local/lib to your /etc/ld.so.conf,
-        assuming you're running gcc. Otherwise fail and give a useful
-        error message.
-    - Switch to a new buffer management algorithm, which tries to avoid
-      reallocing and copying quite as much. In first tests it looks like
-      it uses *more* memory on average, but less cpu.
-    - Switch our internal buffers implementation to use a ring buffer,
-      to hopefully improve performance for fast servers a lot.
-    - Reenable the part of the code that tries to flush as soon as an
-      OR outbuf has a full TLS record available. Perhaps this will make
-      OR outbufs not grow as huge except in rare cases, thus saving lots
-      of CPU time plus memory.
-    - Improve performance for dirservers: stop re-parsing the whole
-      directory every time you regenerate it.
-    - Keep a big splay tree of (circid,orconn)->circuit mappings to make
-      it much faster to look up a circuit for each relay cell.
-    - Remove most calls to assert_all_pending_dns_resolves_ok(),
-      since they're eating our cpu on exit nodes.
-    - Stop wasting time doing a case insensitive comparison for every
-      dns name every time we do any lookup. Canonicalize the names to
-      lowercase when you first see them.
-
-  o Hidden services:
-    - Handle unavailable hidden services better. Handle slow or busy
-      hidden services better.
-    - Cannibalize GENERAL circs to be C_REND, C_INTRO, S_INTRO, and S_REND
-      circ as necessary, if there are any completed ones lying around
-      when we try to launch one.
-    - Make hidden services try to establish a rendezvous for 30 seconds
-      after fetching the descriptor, rather than for n (where n=3)
-      attempts to build a circuit.
-    - Adjust maximum skew and age for rendezvous descriptors: let skew
-      be 48 hours rather than 90 minutes.
-    - Reject malformed .onion addresses rather then passing them on as
-      normal web requests.
-
-  o Controller:
-    - More Tor controller support. See
-      http://tor.eff.org/doc/control-spec.txt for all the new features,
-      including signals to emulate unix signals from any platform;
-      redirectstream; extendcircuit; mapaddress; getinfo; postdescriptor;
-      closestream; closecircuit; etc.
-    - Encode hashed controller passwords in hex instead of base64,
-      to make it easier to write controllers.
-    - Revise control spec and implementation to allow all log messages to
-      be sent to controller with their severities intact (suggested by
-      Matt Edman). Disable debug-level logs while delivering a debug-level
-      log to the controller, to prevent loop. Update TorControl to handle
-      new log event types.
-
-  o New config options/defaults:
-    - Begin scrubbing sensitive strings from logs by default. Turn off
-      the config option SafeLogging if you need to do debugging.
-    - New exit policy: accept most low-numbered ports, rather than
-      rejecting most low-numbered ports.
-    - Put a note in the torrc about abuse potential with the default
-      exit policy.
-    - Add support for CONNECTing through https proxies, with "HttpsProxy"
-      config option.
-    - Add HttpProxyAuthenticator and HttpsProxyAuthenticator support
-      based on patch from Adam Langley (basic auth only).
-    - Bump the default BandwidthRate from 1 MB to 2 MB, to accommodate
-      the fast servers that have been joining lately. (Clients are now
-      willing to load balance over up to 2 MB of advertised bandwidth
-      capacity too.)
-    - New config option MaxAdvertisedBandwidth which lets you advertise
-      a low bandwidthrate (to not attract as many circuits) while still
-      allowing a higher bandwidthrate in reality.
-    - Require BandwidthRate to be at least 20kB/s for servers.
-    - Add a NoPublish config option, so you can be a server (e.g. for
-      testing running Tor servers in other Tor networks) without
-      publishing your descriptor to the primary dirservers.
-    - Add a new AddressMap config directive to rewrite incoming socks
-      addresses. This lets you, for example, declare an implicit
-      required exit node for certain sites.
-    - Add a new TrackHostExits config directive to trigger addressmaps
-      for certain incoming socks addresses -- for sites that break when
-      your exit keeps changing (based on patch from Mike Perry).
-    - Split NewCircuitPeriod option into NewCircuitPeriod (30 secs),
-      which describes how often we retry making new circuits if current
-      ones are dirty, and MaxCircuitDirtiness (10 mins), which describes
-      how long we're willing to make use of an already-dirty circuit.
-    - Change compiled-in SHUTDOWN_WAIT_LENGTH from a fixed 30 secs to
-      a config option "ShutdownWaitLength" (when using kill -INT on
-      servers).
-    - Fix an edge case in parsing config options: if they say "--"
-      on the commandline, it's not a config option (thanks weasel).
-    - New config option DirAllowPrivateAddresses for authdirservers.
-      Now by default they refuse router descriptors that have non-IP or
-      private-IP addresses.
-    - Change DirFetchPeriod/StatusFetchPeriod to have a special "Be
-      smart" default value: low for servers and high for clients.
-    - Some people were putting "Address  " in their torrc, and they had
-      a buggy resolver that resolved " " to 0.0.0.0. Oops.
-    - If DataDir is ~/.tor, and that expands to /.tor, then default to
-      LOCALSTATEDIR/tor instead.
-    - Implement --verify-config command-line option to check if your torrc
-      is valid without actually launching Tor.
-
-  o Logging improvements:
-    - When dirservers refuse a server descriptor, we now log its
-      contactinfo, platform, and the poster's IP address.
-    - Only warn once per nickname from add_nickname_list_to_smartlist()
-      per failure, so an entrynode or exitnode choice that's down won't
-      yell so much.
-    - When we're connecting to an OR and he's got a different nickname/key
-      than we were expecting, only complain loudly if we're an OP or a
-      dirserver. Complaining loudly to the OR admins just confuses them.
-    - Whine at you if you're a server and you don't set your contactinfo.
-    - Warn when exit policy implicitly allows local addresses.
-    - Give a better warning when some other server advertises an
-      ORPort that is actually an apache running ssl.
-    - If we get an incredibly skewed timestamp from a dirserver mirror
-      that isn't a verified OR, don't warn -- it's probably him that's
-      wrong.
-    - When a dirserver causes you to give a warn, mention which dirserver
-      it was.
-    - Initialize libevent later in the startup process, so the logs are
-      already established by the time we start logging libevent warns.
-    - Use correct errno on win32 if libevent fails.
-    - Check and warn about known-bad/slow libevent versions.
-    - Stop warning about sigpipes in the logs. We're going to
-      pretend that getting these occassionally is normal and fine.
-
-  o New contrib scripts:
-    - New experimental script tor/contrib/exitlist: a simple python
-      script to parse directories and find Tor nodes that exit to listed
-      addresses/ports.
-    - New experimental script tor/contrib/ExerciseServer.py (needs more
-      work) that uses the controller interface to build circuits and
-      fetch pages over them. This will help us bootstrap servers that
-      have lots of capacity but haven't noticed it yet.
-    - New experimental script tor/contrib/PathDemo.py (needs more work)
-      that uses the controller interface to let you choose whole paths
-      via addresses like
-      "<hostname>.<path,separated by dots>.<length of path>.path"
-    - New contributed script "privoxy-tor-toggle" to toggle whether
-      Privoxy uses Tor. Seems to be configured for Debian by default.
-    - Have torctl.in/tor.sh.in check for location of su binary (needed
-      on FreeBSD)
-
-  o Misc bugfixes:
-    - chdir() to your datadirectory at the *end* of the daemonize process,
-      not the beginning. This was a problem because the first time you
-      run tor, if your datadir isn't there, and you have runasdaemon set
-      to 1, it will try to chdir to it before it tries to create it. Oops.
-    - Fix several double-mark-for-close bugs, e.g. where we were finding
-      a conn for a cell even if that conn is already marked for close.
-    - Stop most cases of hanging up on a socks connection without sending
-      the socks reject.
-    - Fix a bug in the RPM package: set home directory for _tor to
-      something more reasonable when first installing.
-    - Stop putting nodename in the Platform string in server descriptors.
-      It doesn't actually help, and it is confusing/upsetting some people.
-    - When using preferred entry or exit nodes, ignore whether the
-      circuit wants uptime or capacity. They asked for the nodes, they
-      get the nodes.
-    - Tie MAX_DIR_SIZE to MAX_BUF_SIZE, so now directory sizes won't get
-      artificially capped at 500kB.
-    - Cache local dns resolves correctly even when they're .exit
-      addresses.
-    - If we're hibernating and we get a SIGINT, exit immediately.
-    - tor-resolve requests were ignoring .exit if there was a working circuit
-      they could use instead.
-    - Pay more attention to the ClientOnly config option.
-    - Resolve OS X installer bugs: stop claiming to be 0.0.9.2 in certain
-      installer screens; and don't put stuff into StartupItems unless
-      the user asks you to.
-
-  o Misc features:
-    - Rewrite address "serifos.exit" to "externalIP.serifos.exit"
-      rather than just rejecting it.
-    - If our clock jumps forward by 100 seconds or more, assume something
-      has gone wrong with our network and abandon all not-yet-used circs.
-    - When an application is using socks5, give him the whole variety of
-      potential socks5 responses (connect refused, host unreachable, etc),
-      rather than just "success" or "failure".
-    - A more sane version numbering system. See
-      http://tor.eff.org/cvs/tor/doc/version-spec.txt for details.
-    - Change version parsing logic: a version is "obsolete" if it is not
-      recommended and (1) there is a newer recommended version in the
-      same series, or (2) there are no recommended versions in the same
-      series, but there are some recommended versions in a newer series.
-      A version is "new" if it is newer than any recommended version in
-      the same series.
-    - Report HTTP reasons to client when getting a response from directory
-      servers -- so you can actually know what went wrong.
-    - Reject odd-looking addresses at the client (e.g. addresses that
-      contain a colon), rather than having the server drop them because
-      they're malformed.
-    - Stop publishing socksport in the directory, since it's not
-      actually meant to be public. For compatibility, publish a 0 there
-      for now.
-    - Since we ship our own Privoxy on OS X, tweak it so it doesn't write
-      cookies to disk and doesn't log each web request to disk. (Thanks
-      to Brett Carrington for pointing this out.)
-    - Add OSX uninstall instructions. An actual uninstall script will
-      come later.
-    - Add "opt hibernating 1" to server descriptor to make it clearer
-      whether the server is hibernating.
-
-
-Changes in version 0.0.9.10 - 2005-06-16
-  o Bugfixes on 0.0.9.x (backported from 0.1.0.10):
-    - Refuse relay cells that claim to have a length larger than the
-      maximum allowed. This prevents a potential attack that could read
-      arbitrary memory (e.g. keys) from an exit server's process
-      (CVE-2005-2050).
-
-
-Changes in version 0.0.9.9 - 2005-04-23
-  o Bugfixes on 0.0.9.x:
-    - If unofficial Tor clients connect and send weird TLS certs, our
-      Tor server triggers an assert. This release contains a minimal
-      backport from the broader fix that we put into 0.1.0.4-rc.
-
-
-Changes in version 0.0.9.8 - 2005-04-07
-  o Bugfixes on 0.0.9.x:
-    - We have a bug that I haven't found yet. Sometimes, very rarely,
-      cpuworkers get stuck in the 'busy' state, even though the cpuworker
-      thinks of itself as idle. This meant that no new circuits ever got
-      established. Here's a workaround to kill any cpuworker that's been
-      busy for more than 100 seconds.
-
-
-Changes in version 0.0.9.7 - 2005-04-01
-  o Bugfixes on 0.0.9.x:
-    - Fix another race crash bug (thanks to Glenn Fink for reporting).
-    - Compare identity to identity, not to nickname, when extending to
-      a router not already in the directory. This was preventing us from
-      extending to unknown routers. Oops.
-    - Make sure to create OS X Tor user in <500 range, so we aren't
-      creating actual system users.
-    - Note where connection-that-hasn't-sent-end was marked, and fix
-      a few really loud instances of this harmless bug (it's fixed more
-      in 0.1.0.x).
-
-
-Changes in version 0.0.9.6 - 2005-03-24
-  o Bugfixes on 0.0.9.x (crashes and asserts):
-    - Add new end stream reasons to maintainance branch. Fix bug where
-      reason (8) could trigger an assert.  Prevent bug from recurring.
-    - Apparently win32 stat wants paths to not end with a slash.
-    - Fix assert triggers in assert_cpath_layer_ok(), where we were
-      blowing away the circuit that conn->cpath_layer points to, then
-      checking to see if the circ is well-formed. Backport check to make
-      sure we dont use the cpath on a closed connection.
-    - Prevent circuit_resume_edge_reading_helper() from trying to package
-      inbufs for marked-for-close streams.
-    - Don't crash on hup if your options->address has become unresolvable.
-    - Some systems (like OS X) sometimes accept() a connection and tell
-      you the remote host is 0.0.0.0:0. If this happens, due to some
-      other mis-features, we get confused; so refuse the conn for now.
-
-  o Bugfixes on 0.0.9.x (other):
-    - Fix harmless but scary "Unrecognized content encoding" warn message.
-    - Add new stream error reason: TORPROTOCOL reason means "you are not
-      speaking a version of Tor I understand; say bye-bye to your stream."
-    - Be willing to cache directories from up to ROUTER_MAX_AGE seconds
-      into the future, now that we are more tolerant of skew. This
-      resolves a bug where a Tor server would refuse to cache a directory
-      because all the directories it gets are too far in the future;
-      yet the Tor server never logs any complaints about clock skew.
-    - Mac packaging magic: make man pages useable, and do not overwrite
-      existing torrc files.
-    - Make OS X log happily to /var/log/tor/tor.log
-
-
-Changes in version 0.0.9.5 - 2005-02-22
-  o Bugfixes on 0.0.9.x:
-    - Fix an assert race at exit nodes when resolve requests fail.
-    - Stop picking unverified dir mirrors--it only leads to misery.
-    - Patch from Matt Edman to make NT services work better. Service
-      support is still not compiled into the executable by default.
-    - Patch from Dmitri Bely so the Tor service runs better under
-      the win32 SYSTEM account.
-    - Make tor-resolve actually work (?) on Win32.
-    - Fix a sign bug when getrlimit claims to have 4+ billion
-      file descriptors available.
-    - Stop refusing to start when bandwidthburst == bandwidthrate.
-    - When create cells have been on the onion queue more than five
-      seconds, just send back a destroy and take them off the list.
-
-
-Changes in version 0.0.9.4 - 2005-02-03
-  o Bugfixes on 0.0.9:
-    - Fix an assert bug that took down most of our servers: when
-      a server claims to have 1 GB of bandwidthburst, don't
-      freak out.
-    - Don't crash as badly if we have spawned the max allowed number
-      of dnsworkers, or we're out of file descriptors.
-    - Block more file-sharing ports in the default exit policy.
-    - MaxConn is now automatically set to the hard limit of max
-      file descriptors we're allowed (ulimit -n), minus a few for
-      logs, etc.
-    - Give a clearer message when servers need to raise their
-      ulimit -n when they start running out of file descriptors.
-    - SGI Compatibility patches from Jan Schaumann.
-    - Tolerate a corrupt cached directory better.
-    - When a dirserver hasn't approved your server, list which one.
-    - Go into soft hibernation after 95% of the bandwidth is used,
-      not 99%. This is especially important for daily hibernators who
-      have a small accounting max. Hopefully it will result in fewer
-      cut connections when the hard hibernation starts.
-    - Load-balance better when using servers that claim more than
-      800kB/s of capacity.
-    - Make NT services work (experimental, only used if compiled in).
-
-
-Changes in version 0.0.9.3 - 2005-01-21
-  o Bugfixes on 0.0.9:
-    - Backport the cpu use fixes from main branch, so busy servers won't
-      need as much processor time.
-    - Work better when we go offline and then come back, or when we
-      run Tor at boot before the network is up. We do this by
-      optimistically trying to fetch a new directory whenever an
-      application request comes in and we think we're offline -- the
-      human is hopefully a good measure of when the network is back.
-    - Backport some minimal hidserv bugfixes: keep rend circuits open as
-      long as you keep using them; actually publish hidserv descriptors
-      shortly after they change, rather than waiting 20-40 minutes.
-    - Enable Mac startup script by default.
-    - Fix duplicate dns_cancel_pending_resolve reported by Giorgos Pallas.
-    - When you update AllowUnverifiedNodes or FirewallPorts via the
-      controller's setconf feature, we were always appending, never
-      resetting.
-    - When you update HiddenServiceDir via setconf, it was screwing up
-      the order of reading the lines, making it fail.
-    - Do not rewrite a cached directory back to the cache; otherwise we
-      will think it is recent and not fetch a newer one on startup.
-    - Workaround for webservers that lie about Content-Encoding: Tor
-      now tries to autodetect compressed directories and compression
-      itself. This lets us Proxypass dir fetches through apache.
-
-
-Changes in version 0.0.9.2 - 2005-01-04
-  o Bugfixes on 0.0.9 (crashes and asserts):
-    - Fix an assert on startup when the disk is full and you're logging
-      to a file.
-    - If you do socks4 with an IP of 0.0.0.x but *don't* provide a socks4a
-      style address, then we'd crash.
-    - Fix an assert trigger when the running-routers string we get from
-      a dirserver is broken.
-    - Make worker threads start and run on win32. Now win32 servers
-      may work better.
-    - Bandaid (not actually fix, but now it doesn't crash) an assert
-      where the dns worker dies mysteriously and the main Tor process
-      doesn't remember anything about the address it was resolving.
-
-  o Bugfixes on 0.0.9 (Win32):
-    - Workaround for brain-damaged __FILE__ handling on MSVC: keep Nick's
-      name out of the warning/assert messages.
-    - Fix a superficial "unhandled error on read" bug on win32.
-    - The win32 installer no longer requires a click-through for our
-      license, since our Free Software license grants rights but does not
-      take any away.
-    - Win32: When connecting to a dirserver fails, try another one
-      immediately. (This was already working for non-win32 Tors.)
-    - Stop trying to parse $HOME on win32 when hunting for default
-      DataDirectory.
-    - Make tor-resolve.c work on win32 by calling network_init().
-
-  o Bugfixes on 0.0.9 (other):
-    - Make 0.0.9.x build on Solaris again.
-    - Due to a fencepost error, we were blowing away the \n when reporting
-      confvalue items in the controller. So asking for multiple config
-      values at once couldn't work.
-    - When listing circuits that are pending on an opening OR connection,
-      if we're an OR we were listing circuits that *end* at us as
-      being pending on every listener, dns/cpu worker, etc. Stop that.
-    - Dirservers were failing to create 'running-routers' or 'directory'
-      strings if we had more than some threshold of routers. Fix them so
-      they can handle any number of routers.
-    - Fix a superficial "Duplicate mark for close" bug.
-    - Stop checking for clock skew for OR connections, even for servers.
-    - Fix a fencepost error that was chopping off the last letter of any
-      nickname that is the maximum allowed nickname length.
-    - Update URLs in log messages so they point to the new website.
-    - Fix a potential problem in mangling server private keys while
-      writing to disk (not triggered yet, as far as we know).
-    - Include the licenses for other free software we include in Tor,
-      now that we're shipping binary distributions more regularly.
-
-
-Changes in version 0.0.9.1 - 2004-12-15
-  o Bugfixes on 0.0.9:
-    - Make hibernation actually work.
-    - Make HashedControlPassword config option work.
-    - When we're reporting event circuit status to a controller,
-      don't use the stream status code.
-
-
-Changes in version 0.0.9 - 2004-12-12
-  o Bugfixes on 0.0.8.1 (Crashes and asserts):
-    - Catch and ignore SIGXFSZ signals when log files exceed 2GB; our
-      write() call will fail and we handle it there.
-    - When we run out of disk space, or other log writing error, don't
-      crash. Just stop logging to that log and continue.
-    - Fix isspace() and friends so they still make Solaris happy
-      but also so they don't trigger asserts on win32.
-    - Fix assert failure on malformed socks4a requests.
-    - Fix an assert bug where a hidden service provider would fail if
-      the first hop of his rendezvous circuit was down.
-    - Better handling of size_t vs int, so we're more robust on 64
-      bit platforms.
-
-  o Bugfixes on 0.0.8.1 (Win32):
-    - Make windows sockets actually non-blocking (oops), and handle
-      win32 socket errors better.
-    - Fix parse_iso_time on platforms without strptime (eg win32).
-    - win32: when being multithreaded, leave parent fdarray open.
-    - Better handling of winsock includes on non-MSV win32 compilers.
-    - Change our file IO stuff (especially wrt OpenSSL) so win32 is
-      happier.
-    - Make unit tests work on win32.
-
-  o Bugfixes on 0.0.8.1 (Path selection and streams):
-    - Calculate timeout for waiting for a connected cell from the time
-      we sent the begin cell, not from the time the stream started. If
-      it took a long time to establish the circuit, we would time out
-      right after sending the begin cell.
-    - Fix router_compare_addr_to_addr_policy: it was not treating a port
-      of * as always matching, so we were picking reject *:* nodes as
-      exit nodes too. Oops.
-    - When read() failed on a stream, we would close it without sending
-      back an end. So 'connection refused' would simply be ignored and
-      the user would get no response.
-    - Stop a sigpipe: when an 'end' cell races with eof from the app,
-      we shouldn't hold-open-until-flush if the eof arrived first.
-    - Let resolve conns retry/expire also, rather than sticking around
-      forever.
-    - Fix more dns related bugs: send back resolve_failed and end cells
-      more reliably when the resolve fails, rather than closing the
-      circuit and then trying to send the cell. Also attach dummy resolve
-      connections to a circuit *before* calling dns_resolve(), to fix
-      a bug where cached answers would never be sent in RESOLVED cells.
-
-  o Bugfixes on 0.0.8.1 (Circuits):
-    - Finally fix a bug that's been plaguing us for a year:
-      With high load, circuit package window was reaching 0. Whenever
-      we got a circuit-level sendme, we were reading a lot on each
-      socket, but only writing out a bit. So we would eventually reach
-      eof. This would be noticed and acted on even when there were still
-      bytes sitting in the inbuf.
-    - Use identity comparison, not nickname comparison, to choose which
-      half of circuit-ID-space each side gets to use. This is needed
-      because sometimes we think of a router as a nickname, and sometimes
-      as a hex ID, and we can't predict what the other side will do.
-
-  o Bugfixes on 0.0.8.1 (Other):
-    - Fix a whole slew of memory leaks.
-    - Disallow NDEBUG. We don't ever want anybody to turn off debug.
-    - If we are using select, make sure we stay within FD_SETSIZE.
-    - When poll() is interrupted, we shouldn't believe the revents values.
-    - Add a FAST_SMARTLIST define to optionally inline smartlist_get
-      and smartlist_len, which are two major profiling offenders.
-    - If do_hup fails, actually notice.
-    - Flush the log file descriptor after we print "Tor opening log file",
-      so we don't see those messages days later.
-    - Hidden service operators now correctly handle version 1 style
-      INTRODUCE1 cells (nobody generates them still, so not a critical
-      bug).
-    - Handle more errnos from accept() without closing the listener.
-      Some OpenBSD machines were closing their listeners because
-      they ran out of file descriptors.
-    - Some people had wrapped their tor client/server in a script
-      that would restart it whenever it died. This did not play well
-      with our "shut down if your version is obsolete" code. Now people
-      don't fetch a new directory if their local cached version is
-      recent enough.
-    - Make our autogen.sh work on ksh as well as bash.
-    - Better torrc example lines for dirbindaddress and orbindaddress.
-    - Improved bounds checking on parsed ints (e.g. config options and
-      the ones we find in directories.)
-    - Stop using separate defaults for no-config-file and
-      empty-config-file. Now you have to explicitly turn off SocksPort,
-      if you don't want it open.
-    - We were starting to daemonize before we opened our logs, so if
-      there were any problems opening logs, we would complain to stderr,
-      which wouldn't work, and then mysteriously exit.
-    - If a verified OR connects to us before he's uploaded his descriptor,
-      or we verify him and hup but he still has the original TLS
-      connection, then conn->nickname is still set like he's unverified.
-
-  o Code security improvements, inspired by Ilja:
-    - tor_snprintf wrapper over snprintf with consistent (though not C99)
-      overflow behavior.
-    - Replace sprintf with tor_snprintf. (I think they were all safe, but
-      hey.)
-    - Replace strcpy/strncpy with strlcpy in more places.
-    - Avoid strcat; use tor_snprintf or strlcat instead.
-
-  o Features (circuits and streams):
-    - New circuit building strategy: keep a list of ports that we've
-      used in the past 6 hours, and always try to have 2 circuits open
-      or on the way that will handle each such port. Seed us with port
-      80 so web users won't complain that Tor is "slow to start up".
-    - Make kill -USR1 dump more useful stats about circuits.
-    - When warning about retrying or giving up, print the address, so
-      the user knows which one it's talking about.
-    - If you haven't used a clean circuit in an hour, throw it away,
-      just to be on the safe side. (This means after 6 hours a totally
-      unused Tor client will have no circuits open.)
-    - Support "foo.nickname.exit" addresses, to let Alice request the
-      address "foo" as viewed by exit node "nickname". Based on a patch
-      from Geoff Goodell.
-    - If your requested entry or exit node has advertised bandwidth 0,
-      pick it anyway.
-    - Be more greedy about filling up relay cells -- we try reading again
-      once we've processed the stuff we read, in case enough has arrived
-      to fill the last cell completely.
-    - Refuse application socks connections to port 0.
-    - Use only 0.0.9pre1 and later servers for resolve cells.
-
-  o Features (bandwidth):
-    - Hibernation: New config option "AccountingMax" lets you
-      set how many bytes per month (in each direction) you want to
-      allow your server to consume. Rather than spreading those
-      bytes out evenly over the month, we instead hibernate for some
-      of the month and pop up at a deterministic time, work until
-      the bytes are consumed, then hibernate again. Config option
-      "MonthlyAccountingStart" lets you specify which day of the month
-      your billing cycle starts on.
-    - Implement weekly/monthly/daily accounting: now you specify your
-      hibernation properties by
-      AccountingMax N bytes|KB|MB|GB|TB
-      AccountingStart day|week|month [day] HH:MM
-        Defaults to "month 1 0:00".
-    - Let bandwidth and interval config options be specified as 5 bytes,
-      kb, kilobytes, etc; and as seconds, minutes, hours, days, weeks.
-
-  o Features (directories):
-    - New "router-status" line in directory, to better bind each verified
-      nickname to its identity key.
-    - Clients can ask dirservers for /dir.z to get a compressed version
-      of the directory. Only works for servers running 0.0.9, of course.
-    - Make clients cache directories and use them to seed their router
-      lists at startup. This means clients have a datadir again.
-    - Respond to content-encoding headers by trying to uncompress as
-      appropriate.
-    - Clients and servers now fetch running-routers; cache
-      running-routers; compress running-routers; serve compressed
-      running-routers.z
-    - Make moria2 advertise a dirport of 80, so people behind firewalls
-      will be able to get a directory.
-    - Http proxy support
-      - Dirservers translate requests for http://%s:%d/x to /x
-      - You can specify "HttpProxy %s[:%d]" and all dir fetches will
-        be routed through this host.
-      - Clients ask for /tor/x rather than /x for new enough dirservers.
-        This way we can one day coexist peacefully with apache.
-      - Clients specify a "Host: %s%d" http header, to be compatible
-        with more proxies, and so running squid on an exit node can work.
-    - Protect dirservers from overzealous descriptor uploading -- wait
-      10 seconds after directory gets dirty, before regenerating.
-
-  o Features (packages and install):
-    - Add NSI installer contributed by J Doe.
-    - Apply NT service patch from Osamu Fujino. Still needs more work.
-    - Commit VC6 and VC7 workspace/project files.
-    - Commit a tor.spec for making RPM files, with help from jbash.
-    - Add contrib/torctl.in contributed by Glenn Fink.
-    - Make expand_filename handle ~ and ~username.
-    - Use autoconf to enable largefile support where necessary. Use
-      ftello where available, since ftell can fail at 2GB.
-    - Ship src/win32/ in the tarball, so people can use it to build.
-    - Make old win32 fall back to CWD if SHGetSpecialFolderLocation
-      is broken.
-
-  o Features (ui controller):
-    - Control interface: a separate program can now talk to your
-      client/server over a socket, and get/set config options, receive
-      notifications of circuits and streams starting/finishing/dying,
-      bandwidth used, etc. The next step is to get some GUIs working.
-      Let us know if you want to help out. See doc/control-spec.txt .
-    - Ship a contrib/tor-control.py as an example script to interact
-      with the control port.
-    - "tor --hash-password zzyxz" will output a salted password for
-      use in authenticating to the control interface.
-    - Implement the control-spec's SAVECONF command, to write your
-      configuration to torrc.
-    - Get cookie authentication for the controller closer to working.
-    - When set_conf changes our server descriptor, upload a new copy.
-      But don't upload it too often if there are frequent changes.
-
-  o Features (config and command-line):
-    - Deprecate unofficial config option abbreviations, and abbreviations
-      not on the command line.
-    - Configuration infrastructure support for warning on obsolete
-      options.
-    - Give a slightly more useful output for "tor -h".
-    - Break DirFetchPostPeriod into:
-      - DirFetchPeriod for fetching full directory,
-      - StatusFetchPeriod for fetching running-routers,
-      - DirPostPeriod for posting server descriptor,
-      - RendPostPeriod for posting hidden service descriptors.
-    - New log format in config:
-      "Log minsev[-maxsev] stdout|stderr|syslog" or
-      "Log minsev[-maxsev] file /var/foo"
-    - DirPolicy config option, to let people reject incoming addresses
-      from their dirserver.
-    - "tor --list-fingerprint" will list your identity key fingerprint
-      and then exit.
-    - Make tor --version --version dump the cvs Id of every file.
-    - New 'MyFamily nick1,...' config option for a server to
-      specify other servers that shouldn't be used in the same circuit
-      with it. Only believed if nick1 also specifies us.
-    - New 'NodeFamily nick1,nick2,...' config option for a client to
-      specify nodes that it doesn't want to use in the same circuit.
-    - New 'Redirectexit pattern address:port' config option for a
-      server to redirect exit connections, e.g. to a local squid.
-    - Add "pass" target for RedirectExit, to make it easier to break
-      out of a sequence of RedirectExit rules.
-    - Make the dirservers file obsolete.
-      - Include a dir-signing-key token in directories to tell the
-        parsing entity which key is being used to sign.
-      - Remove the built-in bulky default dirservers string.
-      - New config option "Dirserver %s:%d [fingerprint]", which can be
-        repeated as many times as needed. If no dirservers specified,
-        default to moria1,moria2,tor26.
-      - Make 'Routerfile' config option obsolete.
-    - Discourage people from setting their dirfetchpostperiod more often
-      than once per minute.
-
-  o Features (other):
-    - kill -USR2 now moves all logs to loglevel debug (kill -HUP to
-      get back to normal.)
-    - Accept *:706 (silc) in default exit policy.
-    - Implement new versioning format for post 0.1.
-    - Distinguish between TOR_TLS_CLOSE and TOR_TLS_ERROR, so we can
-      log more informatively.
-    - Check clock skew for verified servers, but allow unverified
-      servers and clients to have any clock skew.
-    - Make sure the hidden service descriptors are at a random offset
-      from each other, to hinder linkability.
-    - Clients now generate a TLS cert too, in preparation for having
-      them act more like real nodes.
-    - Add a pure-C tor-resolve implementation.
-    - Use getrlimit and friends to ensure we can reach MaxConn (currently
-      1024) file descriptors.
-    - Raise the max dns workers from 50 to 100.
-
-
-Changes in version 0.0.8.1 - 2004-10-13
-  o Bugfixes:
-    - Fix a seg fault that can be triggered remotely for Tor
-      clients/servers with an open dirport.
-    - Fix a rare assert trigger, where routerinfos for entries in
-      our cpath would expire while we're building the path.
-    - Fix a bug in OutboundBindAddress so it (hopefully) works.
-    - Fix a rare seg fault for people running hidden services on
-      intermittent connections.
-    - Fix a bug in parsing opt keywords with objects.
-    - Fix a stale pointer assert bug when a stream detaches and
-      reattaches.
-    - Fix a string format vulnerability (probably not exploitable)
-      in reporting stats locally.
-    - Fix an assert trigger: sometimes launching circuits can fail
-      immediately, e.g. because too many circuits have failed recently.
-    - Fix a compile warning on 64 bit platforms.
-
-
-Changes in version 0.0.8 - 2004-08-25
-  o Bugfixes:
-    - Made our unit tests compile again on OpenBSD 3.5, and tor
-      itself compile again on OpenBSD on a sparc64.
-    - We were neglecting milliseconds when logging on win32, so
-      everything appeared to happen at the beginning of each second.
-    - Check directory signature _before_ you decide whether you're
-      you're running an obsolete version and should exit.
-    - Check directory signature _before_ you parse the running-routers
-      list to decide who's running.
-    - Check return value of fclose while writing to disk, so we don't
-      end up with broken files when servers run out of disk space.
-    - Port it to SunOS 5.9 / Athena
-    - Fix two bugs in saving onion keys to disk when rotating, so
-      hopefully we'll get fewer people using old onion keys.
-    - Remove our mostly unused -- and broken -- hex_encode()
-      function. Use base16_encode() instead. (Thanks to Timo Lindfors
-      for pointing out this bug.)
-    - Only pick and establish intro points after we've gotten a
-      directory.
-    - Fix assert triggers: if the other side returns an address 0.0.0.0,
-      don't put it into the client dns cache.
-    - If a begin failed due to exit policy, but we believe the IP
-      address should have been allowed, switch that router to exitpolicy
-      reject *:* until we get our next directory.
-
-  o Protocol changes:
-    - 'Extend' relay cell payloads now include the digest of the
-      intended next hop's identity key. Now we can verify that we're
-      extending to the right router, and also extend to routers we
-      hadn't heard of before.
-
-  o Features:
-    - Tor nodes can now act as relays (with an advertised ORPort)
-      without being manually verified by the dirserver operators.
-      - Uploaded descriptors of unverified routers are now accepted
-        by the dirservers, and included in the directory.
-      - Verified routers are listed by nickname in the running-routers
-        list; unverified routers are listed as "$<fingerprint>".
-      - We now use hash-of-identity-key in most places rather than
-        nickname or addr:port, for improved security/flexibility.
-      - AllowUnverifiedNodes config option to let circuits choose no-name
-        routers in entry,middle,exit,introduction,rendezvous positions.
-        Allow middle and rendezvous positions by default.
-      - When picking unverified routers, skip those with low uptime and/or
-        low bandwidth, depending on what properties you care about.
-      - ClientOnly option for nodes that never want to become servers.
-    - Directory caching.
-      - "AuthoritativeDir 1" option for the official dirservers.
-      - Now other nodes (clients and servers) will cache the latest
-        directory they've pulled down.
-      - They can enable their DirPort to serve it to others.
-      - Clients will pull down a directory from any node with an open
-        DirPort, and check the signature/timestamp correctly.
-      - Authoritative dirservers now fetch directories from other
-        authdirservers, to stay better synced.
-      - Running-routers list tells who's down also, along with noting
-        if they're verified (listed by nickname) or unverified (listed
-        by hash-of-key).
-      - Allow dirservers to serve running-router list separately.
-        This isn't used yet.
-      - You can now fetch $DIRURL/running-routers to get just the
-        running-routers line, not the whole descriptor list. (But
-        clients don't use this yet.)
-    - Clients choose nodes proportional to advertised bandwidth.
-    - Clients avoid using nodes with low uptime as introduction points.
-    - Handle servers with dynamic IP addresses: don't just replace
-      options->Address with the resolved one at startup, and
-      detect our address right before we make a routerinfo each time.
-    - 'FascistFirewall' option to pick dirservers and ORs on specific
-      ports; plus 'FirewallPorts' config option to tell FascistFirewall
-      which ports are open. (Defaults to 80,443)
-    - Try other dirservers immediately if the one you try is down. This
-      should tolerate down dirservers better now.
-    - ORs connect-on-demand to other ORs
-      - If you get an extend cell to an OR you're not connected to,
-        connect, handshake, and forward the create cell.
-      - The authoritative dirservers stay connected to everybody,
-        and everybody stays connected to 0.0.7 servers, but otherwise
-        clients/servers expire unused connections after 5 minutes.
-    - When servers get a sigint, they delay 30 seconds (refusing new
-      connections) then exit. A second sigint causes immediate exit.
-    - File and name management:
-      - Look for .torrc if no CONFDIR "torrc" is found.
-      - If no datadir is defined, then choose, make, and secure ~/.tor
-        as datadir.
-      - If torrc not found, exitpolicy reject *:*.
-      - Expands ~/ in filenames to $HOME/ (but doesn't yet expand ~arma).
-      - If no nickname is defined, derive default from hostname.
-      - Rename secret key files, e.g. identity.key -> secret_id_key,
-        to discourage people from mailing their identity key to tor-ops.
-    - Refuse to build a circuit before the directory has arrived --
-      it won't work anyway, since you won't know the right onion keys
-      to use.
-    - Parse tor version numbers so we can do an is-newer-than check
-      rather than an is-in-the-list check.
-    - New socks command 'resolve', to let us shim gethostbyname()
-      locally.
-      - A 'tor_resolve' script to access the socks resolve functionality.
-      - A new socks-extensions.txt doc file to describe our
-        interpretation and extensions to the socks protocols.
-    - Add a ContactInfo option, which gets published in descriptor.
-    - Write tor version at the top of each log file
-    - New docs in the tarball:
-      - tor-doc.html.
-      - Document that you should proxy your SSL traffic too.
-    - Log a warning if the user uses an unsafe socks variant, so people
-      are more likely to learn about privoxy or socat.
-    - Log a warning if you're running an unverified server, to let you
-      know you might want to get it verified.
-    - Change the default exit policy to reject the default edonkey,
-      kazaa, gnutella ports.
-    - Add replace_file() to util.[ch] to handle win32's rename().
-    - Publish OR uptime in descriptor (and thus in directory) too.
-    - Remember used bandwidth (both in and out), and publish 15-minute
-      snapshots for the past day into our descriptor.
-    - Be more aggressive about trying to make circuits when the network
-      has changed (e.g. when you unsuspend your laptop).
-    - Check for time skew on http headers; report date in response to
-      "GET /".
-    - If the entrynode config line has only one node, don't pick it as
-      an exitnode.
-    - Add strict{entry|exit}nodes config options. If set to 1, then
-      we refuse to build circuits that don't include the specified entry
-      or exit nodes.
-    - OutboundBindAddress config option, to bind to a specific
-      IP address for outgoing connect()s.
-    - End truncated log entries (e.g. directories) with "[truncated]".
-
-
-Changes in version 0.0.7.3 - 2004-08-12
-  o Stop dnsworkers from triggering an assert failure when you
-    ask them to resolve the host "".
-
-
-Changes in version 0.0.7.2 - 2004-07-07
-  o A better fix for the 0.0.0.0 problem, that will hopefully
-    eliminate the remaining related assertion failures.
-
-
-Changes in version 0.0.7.1 - 2004-07-04
-  o When an address resolves to 0.0.0.0, treat it as a failed resolve,
-    since internally we use 0.0.0.0 to signify "not yet resolved".
-
-
-Changes in version 0.0.7 - 2004-06-07
-  o Fixes for crashes and other obnoxious bugs:
-    - Fix an epipe bug: sometimes when directory connections failed
-      to connect, we would give them a chance to flush before closing
-      them.
-    - When we detached from a circuit because of resolvefailed, we
-      would immediately try the same circuit twice more, and then
-      give up on the resolve thinking we'd tried three different
-      exit nodes.
-    - Limit the number of intro circuits we'll attempt to build for a
-      hidden service per 15-minute period.
-    - Check recommended-software string *early*, before actually parsing
-      the directory. Thus we can detect an obsolete version and exit,
-      even if the new directory format doesn't parse.
-  o Fixes for security bugs:
-    - Remember which nodes are dirservers when you startup, and if a
-      random OR enables his dirport, don't automatically assume he's
-      a trusted dirserver.
-  o Other bugfixes:
-    - Directory connections were asking the wrong poll socket to
-      start writing, and not asking themselves to start writing.
-    - When we detached from a circuit because we sent a begin but
-      didn't get a connected, we would use it again the first time;
-      but after that we would correctly switch to a different one.
-    - Stop warning when the first onion decrypt attempt fails; they
-      will sometimes legitimately fail now that we rotate keys.
-    - Override unaligned-access-ok check when $host_cpu is ia64 or
-      arm. Apparently they allow it but the kernel whines.
-    - Dirservers try to reconnect periodically too, in case connections
-      have failed.
-    - Fix some memory leaks in directory servers.
-    - Allow backslash in Win32 filenames.
-    - Made Tor build complain-free on FreeBSD, hopefully without
-      breaking other BSD builds. We'll see.
-    - Check directory signatures based on name of signer, not on whom
-      we got the directory from. This will let us cache directories more
-      easily.
-    - Rotate dnsworkers and cpuworkers on SIGHUP, so they get new config
-      settings too.
-  o Features:
-    - Doxygen markup on all functions and global variables.
-    - Make directory functions update routerlist, not replace it. So
-      now directory disagreements are not so critical a problem.
-    - Remove the upper limit on number of descriptors in a dirserver's
-      directory (not that we were anywhere close).
-    - Allow multiple logfiles at different severity ranges.
-    - Allow *BindAddress to specify ":port" rather than setting *Port
-      separately. Allow multiple instances of each BindAddress config
-      option, so you can bind to multiple interfaces if you want.
-    - Allow multiple exit policy lines, which are processed in order.
-      Now we don't need that huge line with all the commas in it.
-    - Enable accept/reject policies on SOCKS connections, so you can bind
-      to 0.0.0.0 but still control who can use your OP.
-    - Updated the man page to reflect these features.
-
-
-Changes in version 0.0.6.2 - 2004-05-16
-  o Our integrity-checking digest was checking only the most recent cell,
-    not the previous cells like we'd thought.
-    Thanks to Stefan Mark for finding the flaw!
-
-
-Changes in version 0.0.6.1 - 2004-05-06
-  o Fix two bugs in our AES counter-mode implementation (this affected
-    onion-level stream encryption, but not TLS-level). It turns
-    out we were doing something much more akin to a 16-character
-    polyalphabetic cipher. Oops.
-    Thanks to Stefan Mark for finding the flaw!
-  o Retire moria3 as a directory server, and add tor26 as a directory
-    server.
-
-
-Changes in version 0.0.6 - 2004-05-02
-  o Features:
-    - Hidden services and rendezvous points are implemented. Go to
-      http://6sxoyfb3h2nvok2d.onion/ for an index of currently available
-      hidden services. (This only works via a socks4a proxy such as
-      Privoxy, and currently it's quite slow.)
-    - We now rotate link (tls context) keys and onion keys.
-    - CREATE cells now include oaep padding, so you can tell
-      if you decrypted them correctly.
-    - Retry stream correctly when we fail to connect because of
-      exit-policy-reject (should try another) or can't-resolve-address.
-    - When we hup a dirserver and we've *removed* a server from the
-      approved-routers list, now we remove that server from the
-      in-memory directories too.
-    - Add bandwidthburst to server descriptor.
-    - Directories now say which dirserver signed them.
-    - Use a tor_assert macro that logs failed assertions too.
-    - Since we don't support truncateds much, don't bother sending them;
-      just close the circ.
-    - Fetch randomness from /dev/urandom better (not via fopen/fread)
-    - Better debugging for tls errors
-    - Set Content-Type on the directory and hidserv descriptor.
-    - Remove IVs from cipher code, since AES-ctr has none.
-  o Bugfixes:
-    - Fix an assert trigger for exit nodes that's been plaguing us since
-      the days of 0.0.2prexx (thanks weasel!)
-    - Fix a bug where we were closing tls connections intermittently.
-      It turns out openssl keeps its errors around -- so if an error
-      happens, and you don't ask about it, and then another openssl
-      operation happens and succeeds, and you ask if there was an error,
-      it tells you about the first error.
-    - Fix a bug that's been lurking since 27 may 03 (!)
-      When passing back a destroy cell, we would use the wrong circ id.
-    - Don't crash if a conn that sent a begin has suddenly lost its circuit.
-    - Some versions of openssl have an SSL_pending function that erroneously
-      returns bytes when there is a non-application record pending.
-    - Win32 fixes. Tor now compiles on win32 with no warnings/errors.
-      o We were using an array of length zero in a few places.
-      o Win32's gethostbyname can't resolve an IP to an IP.
-      o Win32's close can't close a socket.
-      o Handle windows socket errors correctly.
-  o Portability:
-    - check for <sys/limits.h> so we build on FreeBSD again, and
-      <machine/limits.h> for NetBSD.
-
-
-Changes in version 0.0.5 - 2004-03-30
-  o Install torrc as torrc.sample -- we no longer clobber your
-    torrc. (Woo!)
-  o Fix mangled-state bug in directory fetching (was causing sigpipes).
-  o Only build circuits after we've fetched the directory: clients were
-    using only the directory servers before they'd fetched a directory.
-    This also means longer startup time; so it goes.
-  o Fix an assert trigger where an OP would fail to handshake, and we'd
-    expect it to have a nickname.
-  o Work around a tsocks bug: do a socks reject when AP connection dies
-    early, else tsocks goes into an infinite loop.
-  o Hold socks connection open until reply is flushed (if possible)
-  o Make exit nodes resolve IPs to IPs immediately, rather than asking
-    the dns farm to do it.
-  o Fix c99 aliasing warnings in rephist.c
-  o Don't include server descriptors that are older than 24 hours in the
-    directory.
-  o Give socks 'reject' replies their whole 15s to attempt to flush,
-    rather than seeing the 60s timeout and assuming the flush had failed.
-  o Clean automake droppings from the cvs repository
-  o Add in a 'notice' log level for things the operator should hear
-    but that aren't warnings
-
-
-Changes in version 0.0.4 - 2004-03-26
-  o When connecting to a dirserver or OR and the network is down,
-    we would crash.
-
-
-Changes in version 0.0.3 - 2004-03-26
-  o Warn and fail if server chose a nickname with illegal characters
-  o Port to Solaris and Sparc:
-    - include missing header fcntl.h
-    - have autoconf find -lsocket -lnsl automatically
-    - deal with hardware word alignment
-    - make uname() work (solaris has a different return convention)
-    - switch from using signal() to sigaction()
-  o Preliminary work on reputation system:
-    - Keep statistics on success/fail of connect attempts; they're published
-      by kill -USR1 currently.
-    - Add a RunTesting option to try to learn link state by creating test
-      circuits, even when SocksPort is off.
-    - Remove unused open circuits when there are too many.
-
-
-Changes in version 0.0.2 - 2004-03-19
-    - Include strlcpy and strlcat for safer string ops
-    - define INADDR_NONE so we compile (but still not run) on solaris
-
-
-Changes in version 0.0.2pre27 - 2004-03-14
-  o Bugfixes:
-    - Allow internal tor networks (we were rejecting internal IPs,
-      now we allow them if they're set explicitly).
-    - And fix a few endian issues.
-
-
-Changes in version 0.0.2pre26 - 2004-03-14
-  o New features:
-    - If a stream times out after 15s without a connected cell, don't
-      try that circuit again: try a new one.
-    - Retry streams at most 4 times. Then give up.
-    - When a dirserver gets a descriptor from an unknown router, it
-      logs its fingerprint (so the dirserver operator can choose to
-      accept it even without mail from the server operator).
-    - Inform unapproved servers when we reject their descriptors.
-    - Make tor build on Windows again. It works as a client, who knows
-      about as a server.
-    - Clearer instructions in the torrc for how to set up a server.
-    - Be more efficient about reading fd's when our global token bucket
-      (used for rate limiting) becomes empty.
-  o Bugfixes:
-    - Stop asserting that computers always go forward in time. It's
-      simply not true.
-    - When we sent a cell (e.g. destroy) and then marked an OR connection
-      expired, we might close it before finishing a flush if the other
-      side isn't reading right then.
-    - Don't allow dirservers to start if they haven't defined
-      RecommendedVersions
-    - We were caching transient dns failures. Oops.
-    - Prevent servers from publishing an internal IP as their address.
-    - Address a strcat vulnerability in circuit.c
-
-
-Changes in version 0.0.2pre25 - 2004-03-04
-  o New features:
-    - Put the OR's IP in its router descriptor, not its fqdn. That way
-      we'll stop being stalled by gethostbyname for nodes with flaky dns,
-      e.g. poblano.
-  o Bugfixes:
-    - If the user typed in an address that didn't resolve, the server
-      crashed.
-
-
-Changes in version 0.0.2pre24 - 2004-03-03
-  o Bugfixes:
-    - Fix an assertion failure in dns.c, where we were trying to dequeue
-      a pending dns resolve even if it wasn't pending
-    - Fix a spurious socks5 warning about still trying to write after the
-      connection is finished.
-    - Hold certain marked_for_close connections open until they're finished
-      flushing, rather than losing bytes by closing them too early.
-    - Correctly report the reason for ending a stream
-    - Remove some duplicate calls to connection_mark_for_close
-    - Put switch_id and start_daemon earlier in the boot sequence, so it
-      will actually try to chdir() to options.DataDirectory
-    - Make 'make test' exit(1) if a test fails; fix some unit tests
-    - Make tor fail when you use a config option it doesn't know about,
-      rather than warn and continue.
-    - Make --version work
-    - Bugfixes on the rpm spec file and tor.sh, so it's more up to date
-
-
-Changes in version 0.0.2pre23 - 2004-02-29
-  o New features:
-    - Print a statement when the first circ is finished, so the user
-      knows it's working.
-    - If a relay cell is unrecognized at the end of the circuit,
-      send back a destroy. (So attacks to mutate cells are more
-      clearly thwarted.)
-    - New config option 'excludenodes' to avoid certain nodes for circuits.
-    - When it daemonizes, it chdir's to the DataDirectory rather than "/",
-      so you can collect coredumps there.
- o Bugfixes:
-    - Fix a bug in tls flushing where sometimes data got wedged and
-      didn't flush until more data got sent. Hopefully this bug was
-      a big factor in the random delays we were seeing.
-    - Make 'connected' cells include the resolved IP, so the client
-      dns cache actually gets populated.
-    - Disallow changing from ORPort=0 to ORPort>0 on hup.
-    - When we time-out on a stream and detach from the circuit, send an
-      end cell down it first.
-    - Only warn about an unknown router (in exitnodes, entrynodes,
-      excludenodes) after we've fetched a directory.
-
-
-Changes in version 0.0.2pre22 - 2004-02-26
-  o New features:
-    - Servers publish less revealing uname information in descriptors.
-    - More memory tracking and assertions, to crash more usefully when
-      errors happen.
-    - If the default torrc isn't there, just use some default defaults.
-      Plus provide an internal dirservers file if they don't have one.
-    - When the user tries to use Tor as an http proxy, give them an http
-      501 failure explaining that we're a socks proxy.
-    - Dump a new router.desc on hup, to help confused people who change
-      their exit policies and then wonder why router.desc doesn't reflect
-      it.
-    - Clean up the generic tor.sh init script that we ship with.
-  o Bugfixes:
-    - If the exit stream is pending on the resolve, and a destroy arrives,
-      then the stream wasn't getting removed from the pending list. I
-      think this was the one causing recent server crashes.
-    - Use a more robust poll on OSX 10.3, since their poll is flaky.
-    - When it couldn't resolve any dirservers, it was useless from then on.
-      Now it reloads the RouterFile (or default dirservers) if it has no
-      dirservers.
-    - Move the 'tor' binary back to /usr/local/bin/ -- it turns out
-      many users don't even *have* a /usr/local/sbin/.
-
-
-Changes in version 0.0.2pre21 - 2004-02-18
-  o New features:
-    - There's a ChangeLog file that actually reflects the changelog.
-    - There's a 'torify' wrapper script, with an accompanying
-      tor-tsocks.conf, that simplifies the process of using tsocks for
-      tor. It even has a man page.
-    - The tor binary gets installed to sbin rather than bin now.
-    - Retry streams where the connected cell hasn't arrived in 15 seconds
-    - Clean up exit policy handling -- get the default out of the torrc,
-      so we can update it without forcing each server operator to fix
-      his/her torrc.
-    - Allow imaps and pop3s in default exit policy
-  o Bugfixes:
-    - Prevent picking middleman nodes as the last node in the circuit
-
-
-Changes in version 0.0.2pre20 - 2004-01-30
-  o New features:
-    - We now have a deb package, and it's in debian unstable. Go to
-      it, apt-getters. :)
-    - I've split the TotalBandwidth option into BandwidthRate (how many
-      bytes per second you want to allow, long-term) and
-      BandwidthBurst (how many bytes you will allow at once before the cap
-      kicks in).  This better token bucket approach lets you, say, set
-      BandwidthRate to 10KB/s and BandwidthBurst to 10MB, allowing good
-      performance while not exceeding your monthly bandwidth quota.
-    - Push out a tls record's worth of data once you've got it, rather
-      than waiting until you've read everything waiting to be read. This
-      may improve performance by pipelining better. We'll see.
-    - Add an AP_CONN_STATE_CONNECTING state, to allow streams to detach
-      from failed circuits (if they haven't been connected yet) and attach
-      to new ones.
-    - Expire old streams that haven't managed to connect. Some day we'll
-      have them reattach to new circuits instead.
-
-  o Bugfixes:
-    - Fix several memory leaks that were causing servers to become bloated
-      after a while.
-    - Fix a few very rare assert triggers. A few more remain.
-    - Setuid to User _before_ complaining about running as root.
-
-
-Changes in version 0.0.2pre19 - 2004-01-07
-  o Bugfixes:
-    - Fix deadlock condition in dns farm. We were telling a child to die by
-      closing the parent's file descriptor to him. But newer children were
-      inheriting the open file descriptor from the parent, and since they
-      weren't closing it, the socket never closed, so the child never read
-      eof, so he never knew to exit. Similarly, dns workers were holding
-      open other sockets, leading to all sorts of chaos.
-    - New cleaner daemon() code for forking and backgrounding.
-    - If you log to a file, it now prints an entry at the top of the
-      logfile so you know it's working.
-    - The onionskin challenge length was 30 bytes longer than necessary.
-    - Started to patch up the spec so it's not quite so out of date.
-
-
-Changes in version 0.0.2pre18 - 2004-01-02
-  o Bugfixes:
-    - Fix endian issues with the 'integrity' field in the relay header.
-    - Fix a potential bug where connections in state
-      AP_CONN_STATE_CIRCUIT_WAIT might unexpectedly ask to write.
-
-
-Changes in version 0.0.2pre17 - 2003-12-30
-  o Bugfixes:
-    - Made --debuglogfile (or any second log file, actually) work.
-    - Resolved an edge case in get_unique_circ_id_by_conn where a smart
-      adversary could force us into an infinite loop.
-
-  o Features:
-    - Each onionskin handshake now includes a hash of the computed key,
-      to prove the server's identity and help perfect forward secrecy.
-    - Changed cell size from 256 to 512 bytes (working toward compatibility
-      with MorphMix).
-    - Changed cell length to 2 bytes, and moved it to the relay header.
-    - Implemented end-to-end integrity checking for the payloads of
-      relay cells.
-    - Separated streamid from 'recognized' (otherwise circuits will get
-      messed up when we try to have streams exit from the middle). We
-      use the integrity-checking to confirm that a cell is addressed to
-      this hop.
-    - Randomize the initial circid and streamid values, so an adversary who
-      breaks into a node can't learn how many circuits or streams have
-      been made so far.
-
-
-Changes in version 0.0.2pre16 - 2003-12-14
-  o Bugfixes:
-    - Fixed a bug that made HUP trigger an assert
-    - Fixed a bug where a circuit that immediately failed wasn't being
-      counted as a failed circuit in counting retries.
-
-  o Features:
-    - Now we close the circuit when we get a truncated cell: otherwise we're
-      open to an anonymity attack where a bad node in the path truncates
-      the circuit and then we open streams at him.
-    - Add port ranges to exit policies
-    - Add a conservative default exit policy
-    - Warn if you're running tor as root
-    - on HUP, retry OR connections and close/rebind listeners
-    - options.EntryNodes: try these nodes first when picking the first node
-    - options.ExitNodes: if your best choices happen to include any of
-      your preferred exit nodes, you choose among just those preferred
-      exit nodes.
-    - options.ExcludedNodes: nodes that are never picked in path building
-
-
-Changes in version 0.0.2pre15 - 2003-12-03
-  o Robustness and bugfixes:
-    - Sometimes clients would cache incorrect DNS resolves, which would
-      really screw things up.
-    - An OP that goes offline would slowly leak all its sockets and stop
-      working.
-    - A wide variety of bugfixes in exit node selection, exit policy
-      handling, and processing pending streams when a new circuit is
-      established.
-    - Pick nodes for a path only from those the directory says are up
-    - Choose randomly from all running dirservers, not always the first one
-    - Increase allowed http header size for directory fetch.
-    - Stop writing to stderr (if we're daemonized it will be closed).
-    - Enable -g always, so cores will be more useful to me.
-    - Switch "-lcrypto -lssl" to "-lssl -lcrypto" for broken distributions.
-
-  o Documentation:
-    - Wrote a man page. It lists commonly used options.
-
-  o Configuration:
-    - Change default loglevel to warn.
-    - Make PidFile default to null rather than littering in your CWD.
-    - OnionRouter config option is now obsolete. Instead it just checks
-      ORPort>0.
-    - Moved to a single unified torrc file for both clients and servers.
-
-
-Changes in version 0.0.2pre14 - 2003-11-29
-  o Robustness and bugfixes:
-    - Force the admin to make the DataDirectory himself
-      - to get ownership/permissions right
-      - so clients no longer make a DataDirectory and then never use it
-    - fix bug where a client who was offline for 45 minutes would never
-      pull down a directory again
-    - fix (or at least hide really well) the dns assert bug that was
-      causing server crashes
-    - warnings and improved robustness wrt clockskew for certs
-    - use the native daemon(3) to daemonize, when available
-    - exit if bind() fails
-    - exit if neither socksport nor orport is defined
-    - include our own tor_timegm (Win32 doesn't have its own)
-    - bugfix for win32 with lots of connections
-    - fix minor bias in PRNG
-    - make dirserver more robust to corrupt cached directory
-
-  o Documentation:
-    - Wrote the design document (woo)
-
-  o Circuit building and exit policies:
-    - Circuits no longer try to use nodes that the directory has told them
-      are down.
-    - Exit policies now support bitmasks (18.0.0.0/255.0.0.0) and
-      bitcounts (18.0.0.0/8).
-    - Make AP connections standby for a circuit if no suitable circuit
-      exists, rather than failing
-    - Circuits choose exit node based on addr/port, exit policies, and
-      which AP connections are standing by
-    - Bump min pathlen from 2 to 3
-    - Relay end cells have a payload to describe why the stream ended.
-    - If the stream failed because of exit policy, try again with a new
-      circuit.
-    - Clients have a dns cache to remember resolved addresses.
-    - Notice more quickly when we have no working circuits
-
-  o Configuration:
-    - APPort is now called SocksPort
-    - SocksBindAddress, ORBindAddress, DirBindAddress let you configure
-      where to bind
-    - RecommendedVersions is now a config variable rather than
-      hardcoded (for dirservers)
-    - Reloads config on HUP
-    - Usage info on -h or --help
-    - If you set User and Group config vars, it'll setu/gid to them.
-
-Changes in version 0.0.2pre13 - 2003-10-19
-  o General stability:
-    - SSL_write no longer fails when it returns WANTWRITE and the number
-      of bytes in the buf has changed by the next SSL_write call.
-    - Fix segfault fetching directory when network is down
-    - Fix a variety of minor memory leaks
-    - Dirservers reload the fingerprints file on HUP, so I don't have
-      to take down the network when I approve a new router
-    - Default server config file has explicit Address line to specify fqdn
-
-  o Buffers:
-    - Buffers grow and shrink as needed (Cut process size from 20M to 2M)
-    - Make listener connections not ever alloc bufs
-
-  o Autoconf improvements:
-    - don't clobber an external CFLAGS in ./configure
-    - Make install now works
-    - create var/lib/tor on make install
-    - autocreate a tor.sh initscript to help distribs
-    - autocreate the torrc and sample-server-torrc with correct paths
-
-  o Log files and Daemonizing now work:
-    - If --DebugLogFile is specified, log to it at -l debug
-    - If --LogFile is specified, use it instead of commandline
-    - If --RunAsDaemon is set, tor forks and backgrounds on startup
-

Deleted: tor/trunk/acinclude.m4
===================================================================
--- tor/trunk/acinclude.m4	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/acinclude.m4	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,218 +0,0 @@
-dnl Helper macros for Tor configure.in
-dnl Copyright (c) 2001-2004, Roger Dingledine
-dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-dnl Copyright (c) 2007-2008, Roger Dingledine, Nick Mathewson
-dnl See LICENSE for licensing information
-
-AC_DEFUN([TOR_EXTEND_CODEPATH],
-[
-  if test -d "$1/lib"; then
-    LDFLAGS="-L$1/lib $LDFLAGS"
-  else
-    LDFLAGS="-L$1 $LDFLAGS"
-  fi
-  if test -d "$1/include"; then
-    CPPFLAGS="-I$1/include $CPPFLAGS"
-  else
-    CPPFLAGS="-I$1 $CPPFLAGS"
-  fi
-])
-
-AC_DEFUN([TOR_DEFINE_CODEPATH],
-[
-  if test x$1 = "x(system)"; then
-    TOR_LDFLAGS_$2=""
-    TOR_CPPFLAGS_$2=""
-  else
-   if test -d "$1/lib"; then
-     TOR_LDFLAGS_$2="-L$1/lib"
-   else
-     TOR_LDFLAGS_$2="-L$1"
-   fi
-   if test -d "$1/include"; then
-     TOR_CPPFLAGS_$2="-I$1/include"
-   else
-     TOR_CPPFLAGS_$2="-I$1"
-   fi
-  fi
-  AC_SUBST(TOR_CPPFLAGS_$2)
-  AC_SUBST(TOR_LDFLAGS_$2)
-])
-
-dnl 1:libname
-AC_DEFUN([TOR_WARN_MISSING_LIB], [
-h=""
-if test x$2 = xdevpkg; then
-  h=" headers for"
-fi
-if test -f /etc/debian_version && test x"$tor_$1_$2_debian" != x; then
-  AC_WARN([On Debian, you can install$h $1 using "apt-get install $tor_$1_$2_debian"])
-  if test x"$tor_$1_$2_debian" != x"$tor_$1_devpkg_debian"; then 
-    AC_WARN([   You will probably need $tor_$1_devpkg_debian too.])
-  fi 
-fi
-if test -f /etc/fedora-release && test x"$tor_$1_$2_redhat" != x; then
-  AC_WARN([On Fedora Core, you can install$h $1 using "yum install $tor_$1_$2_redhat"])
-  if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-    AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
-  fi 
-else
-  if test -f /etc/redhat-release && test x"$tor_$1_$2_redhat" != x; then
-    AC_WARN([On most Redhat-based systems, you can get$h $1 by installing the $tor_$1_$2_redhat" RPM package])
-    if test x"$tor_$1_$2_redhat" != x"$tor_$1_devpkg_redhat"; then 
-      AC_WARN([   You will probably need to install $tor_$1_devpkg_redhat too.])
-    fi 
-  fi
-fi
-])
-
-dnl Look for a library, and its associated includes, and how to link
-dnl against it.
-dnl
-dnl TOR_SEARCH_LIBRARY(1:libname, 2:IGNORED, 3:linkargs, 4:headers,
-dnl                    5:prototype,
-dnl                    6:code, 7:IGNORED, 8:searchextra)
-dnl
-dnl Special variables:
-dnl   ALT_{libname}_WITHVAL -- another possible value for --with-$1-dir.
-dnl       Used to support renaming --with-ssl-dir to --with-openssl-dir
-dnl
-AC_DEFUN([TOR_SEARCH_LIBRARY], [
-try$1dir=""
-AC_ARG_WITH($1-dir,
-  [  --with-$1-dir=PATH    Specify path to $1 installation ],
-  [
-     if test x$withval != xno ; then
-        try$1dir="$withval"
-     fi
-  ])
-if test "x$try$1dir" = x && test "x$ALT_$1_WITHVAL" != x ; then
-  try$1dir="$ALT_$1_WITHVAL"
-fi
-
-tor_saved_LIBS="$LIBS"
-tor_saved_LDFLAGS="$LDFLAGS"
-tor_saved_CPPFLAGS="$CPPFLAGS"
-AC_CACHE_CHECK([for $1 directory], tor_cv_library_$1_dir, [
-  tor_$1_dir_found=no
-  tor_$1_any_linkable=no
-
-  for tor_trydir in "$try$1dir" "(system)" "$prefix" /usr/local /usr/pkg $8; do
-    LDFLAGS="$tor_saved_LDFLAGS"
-    LIBS="$tor_saved_LIBS $3"
-    CPPFLAGS="$tor_saved_CPPFLAGS"
-
-    if test -z "$tor_trydir" ; then
-      continue;
-    fi
-
-    # Skip the directory if it isn't there.
-    if test ! -d "$tor_trydir" && test "$tor_trydir" != "(system)"; then
-      continue;
-    fi
-
-    # If this isn't blank, try adding the directory (or appropriate
-    # include/libs subdirectories) to the command line.
-    if test "$tor_trydir" != "(system)"; then
-      TOR_EXTEND_CODEPATH($tor_trydir)
-    fi
-
-    # Can we link against (but not necessarily run, or find the headers for)
-    # the binary?
-    AC_LINK_IFELSE(AC_LANG_PROGRAM([$5], [$6]),
-                   [linkable=yes], [linkable=no])
-
-    if test "$linkable" = yes; then
-      tor_$1_any_linkable=yes
-      # Okay, we can link against it.  Can we find the headers?
-      AC_COMPILE_IFELSE(AC_LANG_PROGRAM([$4], [$6]),
-                        [buildable=yes], [buildable=no])
-      if test "$buildable" = yes; then
-         tor_cv_library_$1_dir=$tor_trydir
-         tor_$1_dir_found=yes
-         break
-      fi
-    fi
-  done
-
-  if test "$tor_$1_dir_found" = no; then
-    if test "$tor_$1_any_linkable" = no ; then
-      AC_MSG_WARN([Could not find a linkable $1.  If you have it installed somewhere unusual, you can specify an explicit path using --with-$1-dir])
-      TOR_WARN_MISSING_LIB($1, pkg)
-      AC_MSG_ERROR([Missing libraries; unable to proceed.])
-    else
-      AC_MSG_WARN([We found the libraries for $1, but we could not find the C header files.  You may need to install a devel package.])
-      TOR_WARN_MISSING_LIB($1, devpkg)
-      AC_MSG_ERROR([Missing headers; unable to proceed.])
-    fi
-  fi
-
-  LDFLAGS="$tor_saved_LDFLAGS"
-  LIBS="$tor_saved_LIBS"
-  CPPFLAGS="$tor_saved_CPPFLAGS"
-]) dnl end cache check
-
-LIBS="$LIBS $3"
-if test "$tor_cv_library_$1_dir" != "(system)"; then
-   TOR_EXTEND_CODEPATH($tor_cv_library_$1_dir)
-fi
-
-TOR_DEFINE_CODEPATH($tor_cv_library_$1_dir, $1)
-
-if test "$cross_compiling" != yes; then
-  AC_CACHE_CHECK([whether we need extra options to link $1],
-                 tor_cv_library_$1_linker_option, [
-   orig_LDFLAGS="$LDFLAGS"
-   runs=no
-   linked_with=nothing
-   if test -d "$tor_cv_library_$1_dir/lib"; then
-     tor_trydir="$tor_cv_library_$1_dir/lib"
-   else
-     tor_trydir="$tor_cv_library_$1_dir"
-   fi
-   for tor_tryextra in "(none)" "-Wl,-R$tor_trydir" "-R$tor_trydir" \
-                       "-Wl,-rpath,$tor_trydir" ; do
-     if test "$tor_tryextra" = "(none)"; then
-       LDFLAGS="$orig_LDFLAGS"
-     else
-       LDFLAGS="$tor_tryextra $orig_LDFLAGS"
-     fi
-     AC_RUN_IFELSE(AC_LANG_PROGRAM([$5], [$6]),
-                   [runnable=yes], [runnable=no])
-     if test "$runnable" = yes; then
-        tor_cv_library_$1_linker_option=$tor_tryextra
-        break
-     fi
-   done
-
-   if test "$runnable" = no; then
-     AC_MSG_ERROR([Found linkable $1 in $tor_cv_library_$1_dir, but it does not seem to run, even with -R. Maybe specify another using --with-$1-dir}])
-   fi
-   LDFLAGS="$orig_LDFLAGS"
-  ]) dnl end cache check check for extra options.
-
-  if test "$tor_cv_library_$1_linker_option" != "(none)" ; then
-    TOR_LDFLAGS_$1="$TOR_LDFLAGS_$1 $tor_cv_library_$1_linker_option"
-  fi
-fi # cross-compile
-
-LIBS="$tor_saved_LIBS"
-LDFLAGS="$tor_saved_LDFLAGS"
-CPPFLAGS="$tor_saved_CPPFLAGS"
-
-]) dnl end defun
-
-dnl Check whether the prototype for a function is present or missing.
-dnl Apple has a nasty habit of putting functions in their libraries (so that
-dnl AC_CHECK_FUNCS passes) but not actually declaring them in the headers.
-dnl
-dnl TOR_CHECK_PROTYPE(1:functionname, 2:macroname, 2: includes)
-AC_DEFUN([TOR_CHECK_PROTOTYPE], [
- AC_CACHE_CHECK([for declaration of $1], tor_cv_$1_declared, [
-   AC_COMPILE_IFELSE(AC_LANG_PROGRAM([$3],[void *ptr= $1 ;]),
-                     tor_cv_$1_declared=yes,tor_cv_$1_declared=no)])
-if test x$tor_cv_$1_declared != xno ; then
-  AC_DEFINE($2, 1,
-       [Defined if the prototype for $1 seems to be present.])
-fi
-])

Deleted: tor/trunk/autogen.sh
===================================================================
--- tor/trunk/autogen.sh	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/autogen.sh	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,9 +0,0 @@
-#!/bin/sh
-
-set -e
-
-# Run this to generate all the initial makefiles, etc.
-aclocal && \
-	autoheader && \
-	autoconf && \
-	automake --add-missing --copy

Deleted: tor/trunk/configure.in
===================================================================
--- tor/trunk/configure.in	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/configure.in	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,835 +0,0 @@
-dnl Copyright (c) 2001-2004, Roger Dingledine
-dnl Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
-dnl Copyright (c) 2007-2008, The Tor Project, Inc.
-dnl See LICENSE for licensing information
-
-AC_INIT
-AM_INIT_AUTOMAKE(tor, 0.2.2.5-alpha-dev)
-AM_CONFIG_HEADER(orconfig.h)
-
-AC_CANONICAL_HOST
-
-if test -f /etc/redhat-release ; then
-  if test -f /usr/kerberos/include ; then
-    CPPFLAGS="$CPPFLAGS -I/usr/kerberos/include"
-  fi
-fi
-
-# Not a no-op; we want to make sure that CPPFLAGS is set before we use
-# the += operator on it in src/or/Makefile.am
-CPPFLAGS="$CPPFLAGS -I\${top_srcdir}/src/common"
-
-AC_ARG_ENABLE(debug,
- AS_HELP_STRING(--enable-debug, compile with debugging info),
-[if test x$enableval = xyes; then
-    CFLAGS="$CFLAGS -g"
-fi])
-
-#XXXX ideally, we should make this into a no-op, and detect whether we're
-#compiling for the iphone by using $target.
-AC_ARG_ENABLE(iphone,
- AS_HELP_STRING(--enable-iphone, compile with iPhone support),
- [if test x$enableval = xyes ; then
-   tor_cv_iphone=true
-   CFLAGS="$CFLAGS -D__DARWIN_UNIX03 -DIPHONE"
-  fi])
-
-#XXXX020 We should make these enabled or not, before 0.2.0.x-final
-AC_ARG_ENABLE(buf-freelists,
-   AS_HELP_STRING(--disable-buf-freelists, disable freelists for buffer RAM))
-AC_ARG_ENABLE(openbsd-malloc,
-   AS_HELP_STRING(--enable-openbsd-malloc, Use malloc code from openbsd.  Linux only))
-AC_ARG_ENABLE(instrument-downloads,
-   AS_HELP_STRING(--enable-instrument-downloads, Instrument downloads of directory resources etc.))
-
-if test x$enable_buf_freelists != xno; then
-  AC_DEFINE(ENABLE_BUF_FREELISTS, 1,
-            [Defined if we try to use freelists for buffer RAM chunks])
-fi
-AM_CONDITIONAL(USE_OPENBSD_MALLOC, test x$enable_openbsd_malloc = xyes)
-if test x$enable_instrument_downloads = xyes; then
-  AC_DEFINE(INSTRUMENT_DOWNLOADS, 1,
-            [Defined if we want to keep track of how much of each kind of resource we download.])
-fi
-
-AC_ARG_ENABLE(transparent,
-     AS_HELP_STRING(--disable-transparent, disable transparent proxy support),
-     [case "${enableval}" in
-        yes) transparent=true ;;
-        no)  transparent=false ;;
-        *) AC_MSG_ERROR(bad value for --enable-transparent) ;;
-      esac], [transparent=true])
-
-AC_ARG_ENABLE(threads,
-     AS_HELP_STRING(--disable-threads, disable multi-threading support))
-
-if test x$enable_threads = x; then
-   case $host in
-    *-*-solaris* )
-     # Don't try multithreading on solaris -- cpuworkers seem to lock.
-     AC_MSG_NOTICE([You are running Solaris; Sometimes threading makes
-cpu workers lock up here, so I will disable threads.])
-     enable_threads="no";;
-    *)
-     enable_threads="yes";;
-   esac
-fi
-
-if test "$enable_threads" = "yes"; then
-  AC_DEFINE(ENABLE_THREADS, 1, [Defined if we will try to use multithreading])
-fi
-
-case $host in
-   *-*-solaris* )
-     AC_DEFINE(_REENTRANT, 1, [Define on some platforms to activate x_r() functions in time.h])
-     ;;
-esac
-
-AC_ARG_ENABLE(gcc-warnings,
-     AS_HELP_STRING(--enable-gcc-warnings, enable verbose warnings))
-
-AC_ARG_ENABLE(local-appdata,
-   AS_HELP_STRING(--enable-local-appdata, default to host local application data paths on Windows))
-if test "$enable_local_appdata" = "yes"; then
-  AC_DEFINE(ENABLE_LOCAL_APPDATA, 1,
-            [Defined if we default to host local appdata paths on Windows])
-fi
-
-AC_PROG_CC
-AC_PROG_CPP
-AC_PROG_MAKE_SET
-AC_PROG_RANLIB
-
-dnl autoconf 2.59 appears not to support AC_PROG_SED
-AC_CHECK_PROG([SED],[sed],[sed],[/bin/false])
-
-AC_PATH_PROG([SHA1SUM], [sha1sum], none)
-AC_PATH_PROG([OPENSSL], [openssl], none)
-
-TORUSER=_tor
-AC_ARG_WITH(tor-user,
-        [  --with-tor-user=NAME    Specify username for tor daemon ],
-        [
-           TORUSER=$withval
-        ]
-)
-AC_SUBST(TORUSER)
-
-TORGROUP=_tor
-AC_ARG_WITH(tor-group,
-        [  --with-tor-group=NAME   Specify group name for tor daemon ],
-        [
-           TORGROUP=$withval
-        ]
-)
-AC_SUBST(TORGROUP)
-
-
-dnl If WIN32 is defined and non-zero, we are building for win32
-AC_MSG_CHECKING([for win32])
-AC_RUN_IFELSE([
-int main(int c, char **v) {
-#ifdef WIN32
-#if WIN32
-  return 0;
-#else
-  return 1;
-#endif
-#else
-  return 2;
-#endif
-}],
-bwin32=true; AC_MSG_RESULT([yes]),
-bwin32=false; AC_MSG_RESULT([no]),
-bwin32=cross; AC_MSG_RESULT([cross])
-)
-
-if test "$bwin32" = cross; then
-AC_MSG_CHECKING([for win32 (cross)])
-AC_COMPILE_IFELSE([
-#ifdef WIN32
-int main(int c, char **v) {return 0;}
-#else
-#error
-int main(int c, char **v) {return x(y);}
-#endif
-],
-bwin32=true; AC_MSG_RESULT([yes]),
-bwin32=false; AC_MSG_RESULT([no]))
-fi
-
-if test "$bwin32" = true; then
-AC_DEFINE(MS_WINDOWS, 1, [Define to 1 if we are building for Windows.])
-fi
-AM_CONDITIONAL(BUILD_NT_SERVICES, test x$bwin32 = xtrue)
-
-dnl Enable C99 when compiling with MIPSpro
-AC_MSG_CHECKING([for MIPSpro compiler])
-AC_COMPILE_IFELSE(AC_LANG_PROGRAM(, [
-#if (defined(__sgi) && defined(_COMPILER_VERSION))
-#error
-  return x(y);
-#endif
-]),
-bmipspro=false; AC_MSG_RESULT(no),
-bmipspro=true; AC_MSG_RESULT(yes))
-
-if test "$bmipspro" = true; then
-  CFLAGS="$CFLAGS -c99"
-fi
-
-AC_C_BIGENDIAN
-
-AC_SEARCH_LIBS(socket, [socket])
-AC_SEARCH_LIBS(gethostbyname, [nsl])
-AC_SEARCH_LIBS(dlopen, [dl])
-AC_SEARCH_LIBS(inet_aton, [resolv])
-
-if test "$enable_threads" = "yes"; then
-  AC_SEARCH_LIBS(pthread_create, [pthread])
-  AC_SEARCH_LIBS(pthread_detach, [pthread])
-fi
-
-dnl -------------------------------------------------------------------
-dnl Check for functions before libevent, since libevent-1.2 apparently
-dnl exports strlcpy without defining it in a header.
-
-AC_CHECK_FUNCS(gettimeofday ftime socketpair uname inet_aton strptime getrlimit strlcat strlcpy strtoull getaddrinfo localtime_r gmtime_r memmem strtok_r writev readv flock prctl)
-
-using_custom_malloc=no
-if test x$enable_openbsd_malloc = xyes ; then
-   AC_DEFINE(HAVE_MALLOC_GOOD_SIZE, 1, [Defined if we have the malloc_good_size function])
-   using_custom_malloc=yes
-fi
-if test x$tcmalloc = xyes ; then
-   using_custom_malloc=yes
-fi
-if test $using_custom_malloc = no ; then
-   AC_CHECK_FUNCS(mallinfo malloc_good_size malloc_usable_size)
-fi
-
-if test "$enable_threads" = "yes"; then
-  AC_CHECK_HEADERS(pthread.h)
-  AC_CHECK_FUNCS(pthread_create)
-fi
-
-dnl ------------------------------------------------------
-dnl Where do you live, libevent?  And how do we call you?
-
-if test "$bwin32" = true; then
-  TOR_LIB_WS32=-lws2_32
-  # Some of the cargo-cults recommend -lwsock32 as well, but I don't
-  # think it's actually necessary.
-  TOR_LIB_GDI=-lgdi32
-else
-  TOR_LIB_WS32=
-  TOR_LIB_GDI=
-fi
-AC_SUBST(TOR_LIB_WS32)
-AC_SUBST(TOR_LIB_GDI)
-
-dnl We need to do this before we try our disgusting hack below.
-AC_CHECK_HEADERS([sys/types.h])
-
-dnl This is a disgusting hack so we safely include older libevent headers.
-AC_CHECK_TYPE(u_int64_t, unsigned long long)
-AC_CHECK_TYPE(u_int32_t, unsigned long)
-AC_CHECK_TYPE(u_int16_t, unsigned short)
-AC_CHECK_TYPE(u_int8_t, unsigned char)
-
-tor_libevent_pkg_redhat="libevent"
-tor_libevent_pkg_debian="libevent-dev"
-tor_libevent_devpkg_redhat="libevent-devel"
-tor_libevent_devpkg_debian="libevent-dev"
-
-TOR_SEARCH_LIBRARY(libevent, $trylibeventdir, [-levent $TOR_LIB_WS32], [
-#ifdef WIN32
-#include <winsock2.h>
-#endif
-#include <stdlib.h>
-#include <sys/time.h>
-#include <sys/types.h>
-#include <event.h>], [
-#ifdef WIN32
-#include <winsock2.h>
-#endif
-void exit(int); void *event_init(void);],
-    [
-#ifdef WIN32
-{WSADATA d; WSAStartup(0x101,&d); }
-#endif
-event_init(); exit(0);
-], [--with-libevent-dir], [/opt/libevent])
-
-dnl Now check for particular libevent functions.
-save_LIBS="$LIBS"
-save_LDFLAGS="$LDFLAGS"
-save_CPPFLAGS="$CPPFLAGS"
-LIBS="-levent $TOR_LIB_WS32 $LIBS"
-LDFLAGS="$TOR_LDFLAGS_libevent $LDFLAGS"
-CPPFLAGS="$TOR_CPPFLAGS_libevent $CPPFLAGS"
-AC_CHECK_FUNCS(event_get_version event_get_version_number event_get_method event_set_log_callback evdns_set_outgoing_bind_address event_base_loopexit)
-AC_CHECK_MEMBERS([struct event.min_heap_idx], , ,
-[#include <event.h>
-])
-
-AC_CHECK_HEADERS(event2/event.h event2/dns.h)
-
-LIBS="$save_LIBS"
-LDFLAGS="$save_LDFLAGS"
-CPPFLAGS="$save_CPPFLAGS"
-
-AM_CONDITIONAL(USE_EXTERNAL_EVDNS, test x$ac_cv_header_event2_dns_h = xyes)
-
-dnl ------------------------------------------------------
-dnl Where do you live, openssl?  And how do we call you?
-
-tor_openssl_pkg_redhat="openssl"
-tor_openssl_pkg_debian="libssl"
-tor_openssl_devpkg_redhat="openssl-devel"
-tor_openssl_devpkg_debian="libssl-dev"
-
-ALT_openssl_WITHVAL=""
-AC_ARG_WITH(ssl-dir,
-  [  --with-ssl-dir=PATH    Obsolete alias for --with-openssl-dir ],
-  [
-      if test "x$withval" != xno && test "x$withval" != "x" ; then
-         ALT_openssl_WITHVAL="$withval"
-      fi
-  ])
-
-TOR_SEARCH_LIBRARY(openssl, $tryssldir, [-lssl -lcrypto $TOR_LIB_GDI],
-    [#include <openssl/rand.h>],
-    [void RAND_add(const void *buf, int num, double entropy);],
-    [RAND_add((void*)0,0,0); exit(0);], [],
-    [/usr/local/openssl /usr/lib/openssl /usr/local/ssl /usr/lib/ssl /usr/local /usr/athena /opt/openssl])
-
-dnl XXXX check for OPENSSL_VERSION_NUMBER == SSLeay()
-
-dnl ------------------------------------------------------
-dnl Where do you live, zlib?  And how do we call you?
-
-tor_openssl_pkg_redhat="zlib"
-tor_openssl_pkg_debian="zlib1g"
-tor_openssl_devpkg_redhat="zlib-devel"
-tor_openssl_devpkg_debian="zlib1g-dev"
-
-TOR_SEARCH_LIBRARY(zlib, $tryzlibdir, [-lz],
-    [#include <zlib.h>],
-    [const char * zlibVersion(void);],
-    [zlibVersion(); exit(0);], [--with-zlib-dir],
-    [/opt/zlib])
-
-dnl Make sure to enable support for large off_t if available.
-
-AC_SYS_LARGEFILE
-
-AC_CHECK_HEADERS(unistd.h string.h signal.h sys/stat.h sys/types.h fcntl.h sys/fcntl.h sys/time.h errno.h assert.h time.h, , AC_MSG_WARN(Some headers were not found, compilation may fail.  If compilation succeeds, please send your orconfig.h to the developers so we can fix this warning.))
-
-AC_CHECK_HEADERS(netdb.h sys/ioctl.h sys/socket.h arpa/inet.h netinet/in.h pwd.h grp.h sys/un.h sys/uio.h)
-
-dnl These headers are not essential
-
-AC_CHECK_HEADERS(stdint.h sys/types.h inttypes.h sys/param.h sys/wait.h limits.h sys/limits.h netinet/in.h arpa/inet.h machine/limits.h syslog.h sys/time.h sys/resource.h inttypes.h utime.h sys/utime.h sys/mman.h netinet/in6.h malloc.h sys/syslimits.h malloc/malloc.h linux/types.h sys/file.h malloc_np.h sys/prctl.h)
-
-TOR_CHECK_PROTOTYPE(malloc_good_size, HAVE_MALLOC_GOOD_SIZE_PROTOTYPE,
-[#ifdef HAVE_MALLOC_H
-#include <malloc.h>
-#endif
-#ifdef HAVE_MALLOC_MALLOC_H
-#include <malloc/malloc.h>
-#endif])
-
-AC_CHECK_HEADERS(net/if.h, net_if_found=1, net_if_found=0,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif])
-AC_CHECK_HEADERS(net/pfvar.h, net_pfvar_found=1, net_pfvar_found=0,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_NET_IF_H
-#include <net/if.h>
-#endif])
-AC_CHECK_HEADERS(linux/netfilter_ipv4.h,
-        linux_netfilter_ipv4=1, linux_netfilter_ipv4=0,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef HAVE_LIMITS_H
-#include <limits.h>
-#endif
-#ifdef HAVE_LINUX_TYPES_H
-#include <linux/types.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif])
-
-if test x$transparent = xtrue ; then
-   transparent_ok=0
-   if test x$net_if_found = x1 && test x$net_pfvar_found = x1 ; then
-     transparent_ok=1
-   fi
-   if test x$linux_netfilter_ipv4 = x1 ; then
-     transparent_ok=1
-   fi
-   if test x$transparent_ok = x1 ; then
-     AC_DEFINE(USE_TRANSPARENT, 1, "Define to enable transparent proxy support")
-     case $host in
-       *-*-openbsd*)
-         AC_DEFINE(OPENBSD, 1, "Define to handle pf on OpenBSD properly") ;;
-     esac
-   else
-     AC_MSG_NOTICE([Transparent proxy support enabled, but missing headers.])
-   fi
-fi
-
-AC_CHECK_MEMBERS([struct timeval.tv_sec], , ,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#endif])
-
-dnl In case we aren't given a working stdint.h, we'll need to grow our own.
-dnl Watch out.
-
-AC_CHECK_SIZEOF(int8_t)
-AC_CHECK_SIZEOF(int16_t)
-AC_CHECK_SIZEOF(int32_t)
-AC_CHECK_SIZEOF(int64_t)
-AC_CHECK_SIZEOF(uint8_t)
-AC_CHECK_SIZEOF(uint16_t)
-AC_CHECK_SIZEOF(uint32_t)
-AC_CHECK_SIZEOF(uint64_t)
-AC_CHECK_SIZEOF(intptr_t)
-AC_CHECK_SIZEOF(uintptr_t)
-
-dnl AC_CHECK_TYPES([int8_t, int16_t, int32_t, int64_t, uint8_t, uint16_t, uint32_t, uint64_t, intptr_t, uintptr_t])
-
-AC_CHECK_SIZEOF(char)
-AC_CHECK_SIZEOF(short)
-AC_CHECK_SIZEOF(int)
-AC_CHECK_SIZEOF(long)
-AC_CHECK_SIZEOF(long long)
-AC_CHECK_SIZEOF(__int64)
-AC_CHECK_SIZEOF(void *)
-AC_CHECK_SIZEOF(time_t)
-AC_CHECK_SIZEOF(size_t)
-
-AC_CHECK_TYPES([uint, u_char, ssize_t])
-
-dnl used to include sockaddr_storage, but everybody has that.
-AC_CHECK_TYPES([struct in6_addr, struct sockaddr_in6, sa_family_t], , ,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef MS_WINDOWS
-#define WIN32_WINNT 0x400
-#define _WIN32_WINNT 0x400
-#define WIN32_LEAN_AND_MEAN
-#if defined(_MSC_VER) && (_MSC_VER < 1300)
-#include <winsock.h>
-#else
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#endif
-#endif
-])
-AC_CHECK_MEMBERS([struct in6_addr.s6_addr32, struct in6_addr.s6_addr16, struct sockaddr_in.sin_len, struct sockaddr_in6.sin6_len], , ,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_NETINET_IN_H
-#include <netinet/in.h>
-#endif
-#ifdef HAVE_NETINET_IN6_H
-#include <netinet/in6.h>
-#endif
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-#ifdef MS_WINDOWS
-#define WIN32_WINNT 0x400
-#define _WIN32_WINNT 0x400
-#define WIN32_LEAN_AND_MEAN
-#if defined(_MSC_VER) && (_MSC_VER < 1300)
-#include <winsock.h>
-#else
-#include <winsock2.h>
-#include <ws2tcpip.h>
-#endif
-#endif
-])
-
-AC_CHECK_TYPES([rlim_t], , ,
-[#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#endif
-#ifdef HAVE_SYS_RESOURCE_H
-#include <sys/resource.h>
-#endif
-])
-
-AC_CACHE_CHECK([whether time_t is signed], tor_cv_time_t_signed, [
-AC_RUN_IFELSE(AC_LANG_SOURCE([
-#ifdef HAVE_SYS_TYPES_H
-#include <sys/types.h>
-#endif
-#ifdef HAVE_SYS_TIME_H
-#include <sys/time.h>
-#endif
-#ifdef HAVE_TIME_H
-#include <time.h>
-#endif
-int main(int c, char**v) { if (((time_t)-1)<0) return 1; else return 0; }]),
-  tor_cv_time_t_signed=no, tor_cv_time_t_signed=yes, tor_cv_time_t_signed=cross)
-])
-
-if test "$tor_cv_time_t_signed" = cross; then
-  AC_MSG_NOTICE([Cross compiling: assuming that time_t is signed.])
-fi
-
-if test "$tor_cv_time_t_signed" != no; then
-  AC_DEFINE([TIME_T_IS_SIGNED], 1,
-            [Define to 1 iff time_t is signed])
-fi
-
-AC_CHECK_SIZEOF(socklen_t, , [AC_INCLUDES_DEFAULT()
-#ifdef HAVE_SYS_SOCKET_H
-#include <sys/socket.h>
-#endif
-])
-
-# We want to make sure that we _don't_ have a cell_t defined, like IRIX does.
-
-AC_CHECK_SIZEOF(cell_t)
-
-# Now make sure that NULL can be represented as zero bytes.
-AC_CACHE_CHECK([whether memset(0) sets pointers to NULL], tor_cv_null_is_zero,
-[AC_RUN_IFELSE([AC_LANG_SOURCE(
-[[#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#ifdef HAVE_STDDEF_H
-#include <stddef.h>
-#endif
-int main () { char *p1,*p2; p1=NULL; memset(&p2,0,sizeof(p2));
-return memcmp(&p1,&p2,sizeof(char*))?1:0; }]])],
-       [tor_cv_null_is_zero=yes],
-       [tor_cv_null_is_zero=no],
-       [tor_cv_null_is_zero=cross])])
-
-if test "$tor_cv_null_is_zero" = cross ; then
-  # Cross-compiling; let's hope that the target isn't raving mad.
-  AC_MSG_NOTICE([Cross-compiling: we'll assume that NULL is represented as a sequence of 0-valued bytes.])
-fi
-
-if test "$tor_cv_null_is_zero" != no; then
-  AC_DEFINE([NULL_REP_IS_ZERO_BYTES], 1,
-            [Define to 1 iff memset(0) sets pointers to NULL])
-fi
-
-# And what happens when we malloc zero?
-AC_CACHE_CHECK([whether we can malloc(0) safely.], tor_cv_malloc_zero_works,
-[AC_RUN_IFELSE([AC_LANG_SOURCE(
-[[#include <stdlib.h>
-#include <string.h>
-#include <stdio.h>
-#ifdef HAVE_STDDEF_H
-#include <stddef.h>
-#endif
-int main () { return malloc(0)?0:1; }]])],
-       [tor_cv_malloc_zero_works=yes],
-       [tor_cv_malloc_zero_works=no],
-       [tor_cv_malloc_zero_works=cross])])
-
-if test "$tor_cv_malloc_zero_works" = cross; then
-  # Cross-compiling; let's hope that the target isn't raving mad.
-  AC_MSG_NOTICE([Cross-compiling: we'll assume that we need to check malloc() arguments for 0.])
-fi
-
-if test "$tor_cv_malloc_zero_works" = yes; then
-  AC_DEFINE([MALLOC_ZERO_WORKS], 1,
-            [Define to 1 iff malloc(0) returns a pointer])
-fi
-
-# whether we seem to be in a 2s-complement world.
-AC_CACHE_CHECK([whether we are using 2s-complement arithmetic], tor_cv_twos_complement,
-[AC_RUN_IFELSE([AC_LANG_SOURCE(
-[[int main () { int problem = ((-99) != (~99)+1);
-return problem ? 1 : 0; }]])],
-       [tor_cv_twos_complement=yes],
-       [tor_cv_twos_complement=no],
-       [tor_cv_twos_complement=cross])])
-
-if test "$tor_cv_twos_complement" = cross ; then
-  # Cross-compiling; let's hope that the target isn't raving mad.
-  AC_MSG_NOTICE([Cross-compiling: we'll assume that negative integers are represented with two's complement.])
-fi
-
-if test "$tor_cv_twos_complement" != no ; then
-  AC_DEFINE([USING_TWOS_COMPLEMENT], 1,
-            [Define to 1 iff we represent negative integers with two's complement])
-fi
-
-# Whether we should use the dmalloc memory allocation debugging library.
-AC_MSG_CHECKING(whether to use dmalloc (debug memory allocation library))
-AC_ARG_WITH(dmalloc,
-[  --with-dmalloc          Use debug memory allocation library. ],
-[if [[ "$withval" = "yes" ]]; then
-  dmalloc=1
-  AC_MSG_RESULT(yes)
-else
-  dmalloc=1
-  AC_MSG_RESULT(no)
-fi], [ dmalloc=0; AC_MSG_RESULT(no) ]
-)
-
-if [[ $dmalloc -eq 1 ]]; then
-  AC_CHECK_HEADERS(dmalloc.h, , AC_MSG_ERROR(dmalloc header file not found. Do you have the development files for dmalloc installed?))
-  AC_SEARCH_LIBS(dmalloc_malloc, [dmallocth dmalloc], , AC_MSG_ERROR(Libdmalloc library not found. If you enable it you better have it installed.))
-  AC_DEFINE(USE_DMALLOC, 1, [Debug memory allocation library])
-  AC_DEFINE(DMALLOC_FUNC_CHECK, 1, [Enable dmalloc's malloc function check])
-  AC_CHECK_FUNCS(dmalloc_strdup dmalloc_strndup)
-fi
-
-AC_ARG_WITH(tcmalloc,
-[  --with-tcmalloc         Use tcmalloc memory allocation library. ],
-[ tcmalloc=yes ], [ tcmalloc=no ])
-
-if test x$tcmalloc = xyes ; then
-   LDFLAGS="-ltcmalloc $LDFLAGS"
-fi
-
-# Allow user to specify an alternate syslog facility
-AC_ARG_WITH(syslog-facility,
-[  --with-syslog-facility=LOG syslog facility to use (default=LOG_DAEMON)],
-syslog_facility="$withval", syslog_facility="LOG_DAEMON")
-AC_DEFINE_UNQUOTED(LOGFACILITY,$syslog_facility,[name of the syslog facility])
-AC_SUBST(LOGFACILITY)
-
-# Check if we have getresuid and getresgid
-AC_CHECK_FUNCS(getresuid getresgid)
-
-# Check for gethostbyname_r in all its glorious incompatible versions.
-#   (This logic is based on that in Python's configure.in)
-AH_TEMPLATE(HAVE_GETHOSTBYNAME_R,
-  [Define this if you have any gethostbyname_r()])
-
-AC_CHECK_FUNC(gethostbyname_r, [
-  AC_MSG_CHECKING([how many arguments gethostbyname_r() wants])
-  OLD_CFLAGS=$CFLAGS
-  CFLAGS="$CFLAGS $MY_CPPFLAGS $MY_THREAD_CPPFLAGS $MY_CFLAGS"
-  AC_COMPILE_IFELSE(AC_LANG_PROGRAM([
-#include <netdb.h>
-  ], [[
-    char *cp1, *cp2;
-    struct hostent *h1, *h2;
-    int i1, i2;
-    (void)gethostbyname_r(cp1,h1,cp2,i1,&h2,&i2);
-  ]]),[
-    AC_DEFINE(HAVE_GETHOSTBYNAME_R)
-    AC_DEFINE(HAVE_GETHOSTBYNAME_R_6_ARG, 1,
-     [Define this if gethostbyname_r takes 6 arguments])
-    AC_MSG_RESULT(6)
-  ], [
-    AC_TRY_COMPILE([
-#include <netdb.h>
-    ], [
-      char *cp1, *cp2;
-      struct hostent *h1;
-      int i1, i2;
-      (void)gethostbyname_r(cp1,h1,cp2,i1,&i2);
-    ], [
-      AC_DEFINE(HAVE_GETHOSTBYNAME_R)
-      AC_DEFINE(HAVE_GETHOSTBYNAME_R_5_ARG, 1,
-        [Define this if gethostbyname_r takes 5 arguments])
-      AC_MSG_RESULT(5)
-   ], [
-      AC_TRY_COMPILE([
-#include <netdb.h>
-     ], [
-       char *cp1;
-       struct hostent *h1;
-       struct hostent_data hd;
-       (void) gethostbyname_r(cp1,h1,&hd);
-     ], [
-       AC_DEFINE(HAVE_GETHOSTBYNAME_R)
-       AC_DEFINE(HAVE_GETHOSTBYNAME_R_3_ARG, 1,
-         [Define this if gethostbyname_r takes 3 arguments])
-       AC_MSG_RESULT(3)
-     ], [
-       AC_MSG_RESULT(0)
-     ])
-  ])
- ])
- CFLAGS=$OLD_CFLAGS
-])
-
-AC_CACHE_CHECK([whether the C compiler supports __func__],
-  tor_cv_have_func_macro,
-  AC_COMPILE_IFELSE([
-#include <stdio.h>
-int main(int c, char **v) { puts(__func__); }],
-  tor_cv_have_func_macro=yes,
-  tor_cv_have_func_macro=no))
-
-AC_CACHE_CHECK([whether the C compiler supports __FUNC__],
-  tor_cv_have_FUNC_macro,
-  AC_COMPILE_IFELSE([
-#include <stdio.h>
-int main(int c, char **v) { puts(__FUNC__); }],
-  tor_cv_have_FUNC_macro=yes,
-  tor_cv_have_FUNC_macro=no))
-
-AC_CACHE_CHECK([whether the C compiler supports __FUNCTION__],
-  tor_cv_have_FUNCTION_macro,
-  AC_COMPILE_IFELSE([
-#include <stdio.h>
-int main(int c, char **v) { puts(__FUNCTION__); }],
-  tor_cv_have_FUNCTION_macro=yes,
-  tor_cv_have_FUNCTION_macro=no))
-
-if test "$tor_cv_have_func_macro" = 'yes'; then
-  AC_DEFINE(HAVE_MACRO__func__, 1, [Defined if the compiler supports __func__])
-fi
-
-if test "$tor_cv_have_FUNC_macro" = 'yes'; then
-  AC_DEFINE(HAVE_MACRO__FUNC__, 1, [Defined if the compiler supports __FUNC__])
-fi
-
-if test "$tor_cv_have_FUNCTION_macro" = 'yes'; then
-  AC_DEFINE(HAVE_MACRO__FUNCTION__, 1,
-           [Defined if the compiler supports __FUNCTION__])
-fi
-
-# $prefix stores the value of the --prefix command line option, or
-# NONE if the option wasn't set.  In the case that it wasn't set, make
-# it be the default, so that we can use it to expand directories now.
-if test "x$prefix" = "xNONE"; then
-  prefix=$ac_default_prefix
-fi
-
-# and similarly for $exec_prefix
-if test "x$exec_prefix" = "xNONE"; then
-  exec_prefix=$prefix
-fi
-
-if test "x$CONFDIR" = "x"; then
-  CONFDIR=`eval echo $sysconfdir/tor`
-fi
-AC_SUBST(CONFDIR)
-AH_TEMPLATE([CONFDIR],[tor's configuration directory])
-AC_DEFINE_UNQUOTED(CONFDIR,"$CONFDIR")
-
-BINDIR=`eval echo $bindir`
-AC_SUBST(BINDIR)
-LOCALSTATEDIR=`eval echo $localstatedir`
-AC_SUBST(LOCALSTATEDIR)
-
-# Set CFLAGS _after_ all the above checks, since our warnings are stricter
-# than autoconf's macros like.
-if test "$GCC" = yes; then
-  CFLAGS="$CFLAGS -Wall -g -O2"
-  # Disable GCC's strict aliasing checks.  They are an hours-to-debug
-  # accident waiting to happen.
-  CFLAGS="$CFLAGS -fno-strict-aliasing"
-else
-  CFLAGS="$CFLAGS -g -O"
-  enable_gcc_warnings=no
-fi
-
-# Add some more warnings which we use in development but not in the
-# released versions.  (Some relevant gcc versions can't handle these.)
-if test x$enable_gcc_warnings = xyes; then
-
-  AC_COMPILE_IFELSE(AC_LANG_PROGRAM([], [
-#if !defined(__GNUC__) || (__GNUC__ < 4)
-#error
-#endif]), have_gcc4=yes, have_gcc4=no)
-
-  AC_COMPILE_IFELSE(AC_LANG_PROGRAM([], [
-#if !defined(__GNUC__) || (__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 2)
-#error
-#endif]), have_gcc42=yes, have_gcc42=no)
-
-  AC_COMPILE_IFELSE(AC_LANG_PROGRAM([], [
-#if !defined(__GNUC__) || (__GNUC__ < 4) || (__GNUC__ == 4 && __GNUC_MINOR__ < 3)
-#error
-#endif]), have_gcc43=yes, have_gcc43=no)
-
-  save_CFLAGS="$CFLAGS"
-  CFLAGS="$CFLAGS -Wshorten-64-to-32"
-  AC_COMPILE_IFELSE(AC_LANG_PROGRAM([], []), have_shorten64_flag=yes,
-                    have_shorten64_flag=no)
-  CFLAGS="$save_CFLAGS"
-
-  CFLAGS="$CFLAGS -W -Wfloat-equal -Wundef -Wpointer-arith -Wstrict-prototypes -Wmissing-prototypes -Wwrite-strings -Wredundant-decls -Wchar-subscripts -Wcomment -Wformat=2 -Wwrite-strings -Wmissing-declarations -Wredundant-decls -Wnested-externs -Wbad-function-cast -Wswitch-enum -Werror"
-
-  # Disabled, so we can use mallinfo(): -Waggregate-return
-
-  if test x$have_gcc4 = xyes ; then 
-    # These warnings break gcc 3.3.5 and work on gcc 4.0.2
-    CFLAGS="$CFLAGS -Winit-self -Wmissing-field-initializers -Wdeclaration-after-statement -Wold-style-definition"
-  fi
-
-  if test x$have_gcc42 = xyes ; then 
-    # These warnings break gcc 4.0.2 and work on gcc 4.2
-    # XXXX020 Use -fstack-protector.
-    # XXXX020 See if any of these work with earlier versions.
-    CFLAGS="$CFLAGS -Waddress -Wmissing-noreturn -Wnormalized=id -Woverride-init -Wstrict-overflow=1"
-    # We used to use -Wstrict-overflow=5, but that breaks us heavily under 4.3.
-  fi
-
-  if test x$have_gcc43 = xyes ; then 
-    # These warnings break gcc 4.2 and work on gcc 4.3
-    # XXXX020 See if any of these work with earlier versions.
-    CFLAGS="$CFLAGS -Wextra -Warray-bounds"
-  fi
-
-  if test x$have_shorten64_flag = xyes ; then
-    CFLAGS="$CFLAGS -Wshorten-64-to-32"
-  fi
-
-##This will break the world on some 64-bit architectures
-# CFLAGS="$CFLAGS -Winline"
-fi
-
-
-
-CPPFLAGS="$CPPFLAGS $TOR_CPPFLAGS_libevent $TOR_CPPFLAGS_openssl $TOR_CPPFLAGS_zlib"
-
-AC_CONFIG_FILES([Makefile tor.spec Doxyfile contrib/tor.sh contrib/torctl contrib/torify contrib/tor.logrotate contrib/Makefile contrib/osx/Makefile contrib/osx/TorBundleDesc.plist contrib/osx/TorBundleInfo.plist contrib/osx/TorDesc.plist contrib/osx/TorInfo.plist contrib/osx/TorStartupDesc.plist src/config/torrc.sample doc/tor.1 src/Makefile doc/Makefile doc/design-paper/Makefile doc/spec/Makefile src/config/Makefile src/common/Makefile src/or/Makefile src/test/Makefile src/win32/Makefile src/tools/Makefile contrib/suse/Makefile contrib/suse/tor.sh])
-AC_OUTPUT
-
-if test -x /usr/bin/perl && test -x ./contrib/updateVersions.pl ; then
-  ./contrib/updateVersions.pl
-fi
-

Deleted: tor/trunk/tor.spec.in
===================================================================
--- tor/trunk/tor.spec.in	2010-09-25 04:45:23 UTC (rev 23305)
+++ tor/trunk/tor.spec.in	2010-09-25 10:44:30 UTC (rev 23306)
@@ -1,340 +0,0 @@
-## NOTE: tor.spec is autogenerated from tor.spec.in . Edit the latter,
-## not the former.
-
-## Things that need to be edited frequently
-#
-# This should be incremented whenever the spec file changes, but
-# can drop back to zero at a new Tor version
-
-%define specver 0
-
-## Things users may want to change
-#
-# User (and group) name under which the Tor daemon runs.
-
-%define toruser @TORUSER@
-%define torgroup @TORGROUP@
-
-## Version song and dance
-#
-# This should be the Tor version number, as it appears on the tarball,
-# including any "pre<x>" or "rc<y>" suffix. This gets massaged to
-# create the RPM version number, in a way that depends on the Tor
-# numbering scheme.
-%define native_version       @VERSION@
-
-%define version %(echo %{native_version} | sed -e 's/-/./g')
-
-## Define output filename 
-# 
-# This creates filenames based upon the value of target_cpu defined above
-
-## Release and OS identification song and dance
-#
-# This identifies the lineage of the spec file. This file is the
-# standard one that comes with Tor; various distributions may
-# have their own ideas about the right ways to do things.
-%define pkgspec tor
-
-# This spec is intended to build and install on multiple distributions
-# (someday). Detect the distribution we're building on.
-
-%define is_rh   %(test -e /etc/redhat-release && echo 1 || echo 0)
-%define is_fc   %(test -e /etc/fedora-release && echo 1 || echo 0)
-%define is_mdk  %(test -e /etc/mandrake-release && echo 1 || echo 0)
-%define is_suse %(test -e /etc/SuSE-release && echo 1 || echo 0)
-%define is_rfl  %(test -e /etc/redflag-release && echo 1 || echo 0)
-
-%if %{is_fc}
-%define ostag %(sed -e 's/^.*release /fc/' -e 's/ .*$//' -e 's/\\./_/g' < /etc/fedora-release)
-%endif
-
-%if %{is_rh}
-%define ostag %(sed -e 's/^.*release /rh/' -e 's/ .*$//' -e 's/\\./_/g' < /etc/redhat-release)
-%endif
-
-%if %{is_mdk}
-%define ostag mdk
-%endif
-
-%if %{is_suse}
-%define ostag suse%(grep openSUSE /etc/SuSE-release | awk '{print $2}' | sed -e 's/\\./_/')
-%endif
-
-%if %{is_rfl}
-%define ostag %(sed -e 's/^.*Desktop /redflag/' -e 's/ .*$//' -e 's/\\./_/g' < /etc/redflag-release)
-%endif
-
-# Using the build date ensures that every build really does get
-# a different release number.  We use this trick for CVS versions.
-# For release versions, we don't want or need it.
-%define is_dev_version %(echo %{native_version} | grep 'dev' > /dev/null && echo 1 || echo 0)
-
-%if %{is_dev_version}
-%define blddate %(date -u +"%Y%m%d%H%M")
-%define release %{pkgspec}.%{specver}.%{ostag}.%{blddate}
-%else
-%define release %{pkgspec}.%{specver}.%{ostag}
-%endif
-
-## General-purpose macros
-#
-# Some systems don't have some macros. If a macro doesn't seem
-# to exist on your system, add it here...
-
-%if %{!?__make:1}%{?__make:0}
-%define __make make
-%endif
-
-%if %{!?make:1}%{?make:0}
-%define make %{__make}
-%endif
-
-%if %{!?_localstatedir:1}%{?_localstatedir:0}
-%define _localstatedir @LOCALSTATEDIR@
-%endif
-
-## Package information
-#
-Name: tor
-Version: %{version}
-Release: %{release}
-
-Summary: Anonymizing overlay network for TCP (The onion router)
-URL: https://www.torproject.org/
-Group: System Environment/Daemons
-
-License: 3-clause BSD
-Vendor: The Tor Project (https://torproject.org)
-Packager: Andrew Lewman <andrew@xxxxxxxxxxxxxx>
-
-%if %{is_suse}
-Requires: openssl >= 0.9.7
-BuildRequires: openssl-devel >= 0.9.7, rpm >= 4.0, zlib-devel
-%else 
-Requires: openssl >= 0.9.7
-BuildRequires: openssl-devel >= 0.9.7
-%endif
-%if %{is_fc}
-BuildRequires: rpm-build >= 4.0
-%endif
-Requires(pre): /usr/bin/id, /bin/date, /bin/sh
-Requires(pre): %{_sbindir}/useradd, %{_sbindir}/groupadd
-
-Source0: https://www.torproject.org/dist/%{name}-%{native_version}.tar.gz
-
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
-
-%description
-Tor is a connection-based low-latency anonymous communication system.
-
-This package provides the "tor" program, which serves as both a client and
-a relay node. Scripts will automatically create a "%{toruser}" user and
-a "%{torgroup}" group, and set tor up to run as a daemon when the system
-is rebooted.
-
-Applications connect to the local Tor proxy using the SOCKS
-protocol. The tor client chooses a path through a set of relays, in
-which each relay knows its predecessor and successor, but no
-others. Traffic flowing down the circuit is unwrapped by a symmetric
-key at each relay, which reveals the downstream relay.
-
-Warnings: Tor does no protocol cleaning.  That means there is a danger
-that application protocols and associated programs can be induced to
-reveal information about the initiator. Tor depends on Privoxy or 
-similar protocol cleaners to solve this problem. This is alpha code,
-and is even more likely than released code to have anonymity-spoiling
-bugs. The present network is small -- this further reduces the
-strength of the anonymity provided. Tor is not presently suitable
-for high-stakes anonymity.
-
-%prep
-%setup -q -n %{name}-%{native_version}
-
-%build
-%if %{is_suse}
-%configure --with-tor-user=%{toruser} --with-tor-group=%{torgroup}
-%else
-%configure --with-tor-user=%{toruser} --with-tor-group=%{torgroup} 
-%endif
-%make
-
-%install
-%makeinstall
-
-# Install init script and control script
-%__mkdir_p ${RPM_BUILD_ROOT}%{_initrddir}
-%if %{is_suse}
-%__install -p -m 755 contrib/suse/tor.sh ${RPM_BUILD_ROOT}%{_initrddir}/%{name}
-%else
-%__install -p -m 755 contrib/tor.sh ${RPM_BUILD_ROOT}%{_initrddir}/%{name}
-%endif
-%__install -p -m 755 contrib/torctl ${RPM_BUILD_ROOT}%{_bindir}
-
-# Set up config file; "sample" file implements a basic user node.
-%__install -p -m 644 ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/torrc.sample ${RPM_BUILD_ROOT}%{_sysconfdir}/%{name}/torrc
-
-# Install the logrotate control file.
-%__mkdir_p -m 755 ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d
-%__install -p -m 644 contrib/tor.logrotate ${RPM_BUILD_ROOT}%{_sysconfdir}/logrotate.d/%{name}
-
-# Directories that don't have any preinstalled files
-%__mkdir_p -m 700 ${RPM_BUILD_ROOT}%{_localstatedir}/lib/%{name}
-%__mkdir_p -m 755 ${RPM_BUILD_ROOT}%{_localstatedir}/run/%{name}
-%__mkdir_p -m 755 ${RPM_BUILD_ROOT}%{_localstatedir}/log/%{name}
-%__mkdir_p -m 700 ${RPM_BUILD_ROOT}%{_localstatedir}/tmp/%{name}
-
-%clean
-[ "${RPM_BUILD_ROOT}" != "/" ] && rm -rf ${RPM_BUILD_ROOT}
-
-# These scripts are probably wrong for Mandrake or SuSE. They're certainly
-# wrong for Debian, but what are you doing using RPM on Debian?
-
-%pre
-
-# If tor is already installed and running (whether installed by RPM
-# or not), then kill it, but remember that it was running.
-%__rm -f /%{_localstatedir}/tmp/${name}-was-running-%{version}-%{release}
-if [ -f %{_initrddir}/%{name} ] && /sbin/service %{name} status ; then
-    /sbin/service %{name} stop
-    touch /%{_localstatedir}/tmp/${name}-was-running-%{version}-%{release}
-fi
-
-#
-# Create a user and group if need be
-#
-if [ ! -n "`/usr/bin/id -g %{torgroup} 2>/dev/null`" ]; then
-    # One would like to default the GID, but doing that properly would
-    # require thought.
-    %{_sbindir}/groupadd %{torgroup} 2> /dev/null
-fi
-if [ ! -n "`/usr/bin/id -u %{toruser} 2>/dev/null`" ]; then
-    # One would also like to default the UID, but doing that properly would
-    # also require thought.
-    if [ -x %{_sbindir}/nologin ]; then
-        %{_sbindir}/useradd -r -g %{torgroup} -d% {_localstatedir}/lib/%{name} -s %{_sbindir}/nologin %{toruser} 2> /dev/null
-    else
-        %{_sbindir}/useradd -r -g %{torgroup} -d %{_localstatedir}/lib/%{name}  -s /bin/false %{toruser} 2> /dev/null
-    fi
-fi
-exit 0
-
-%post
-
-# If this is a new installation, use chkconfig to put tor in the
-# default set of runlevels. If it's an upgrade, leave the existing
-# configuration alone.
-if [ $1 -eq 1 ]; then
-    /sbin/chkconfig --add %{name}
-    /sbin/chkconfig %{name} on
-fi
-
-# Older tor RPMS used a different username for the tor daemon.
-# Make sure the runtime data have the right ownership.
-%__chown -R %{toruser}.%{torgroup} %{_localstatedir}/{lib,log,run}/%{name}
-
-if [ -f /%{_localstatedir}/tmp/${name}-was-running-%{version}-%{release} ]; then
-    /sbin/service %{name} start
-    %__rm -f /%{_localstatedir}/tmp/${name}-was-running-%{version}-%{release}
-fi
-exit 0
-
-%preun
-
-# If no instances of tor will be installed when we're done, make
-# sure that it gets killed. We *don't* want to kill it or delete
-# any of its data on uninstall if it's being upgraded to a new
-# version, because the new version will actually already have
-# been installed and started before the uninstall script for
-# the old version is run, and we'd end up hosing it.
-if [ $1 -le 0 ]; then
-    if [ -f %{_initrddir}/%{name} ] && /sbin/service %{name} status ; then
-        /sbin/service %{name} stop
-    fi
-    %/sbin/chkconfig --del %{name}
-    %__rm -f ${_localstatedir}/lib/%{name}/cached-directory
-    %__rm -f ${_localstatedir}/lib/%{name}/bw_accounting
-    %__rm -f ${_localstatedir}/lib/%{name}/control_auth_cookie
-    %__rm -f ${_localstatedir}/lib/%{name}/router.desc
-    %__rm -f ${_localstatedir}/lib/%{name}/fingerprint
-fi
-exit 0
-
-%files
-%defattr(-,root,root)
-%doc AUTHORS INSTALL LICENSE README ChangeLog doc/HACKING doc/TODO
-%{_mandir}/man*/*
-%{_bindir}/tor
-%{_bindir}/torctl
-%{_bindir}/torify
-%{_bindir}/tor-resolve
-%{_bindir}/tor-gencert
-%{_datadir}/tor/geoip
-%config %{_initrddir}/%{name}
-%config(noreplace) %attr(0644,root,root) %{_sysconfdir}/logrotate.d/%{name}
-%dir %attr(0755,root,%{torgroup}) %{_sysconfdir}/%{name}/
-%config(noreplace) %attr(0644,root,%{torgroup}) %{_sysconfdir}/%{name}/*
-%attr(0700,%{toruser},%{torgroup}) %dir %{_localstatedir}/lib/%{name}
-%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/run/%{name}
-%attr(0750,%{toruser},%{torgroup}) %dir %{_localstatedir}/log/%{name}
-
-%changelog
-
-* Fri May 01 2009 Andrew Lewman <andrew@xxxxxxxxxxxxxx>
-- clean up distro detection and remove dead comment blocks
-
-* Sun Feb 22 2009 Andrew Lewman <andrew@xxxxxxxxxxxxxx>
-- update the description, vendor, and packager
-
-* Thu Sep 11 2008 Andrew Lewman <phobos@xxxxxxxxxx>
-- See r16867 
-- http://archives.seul.org/or/cvs/Sep-2008/msg00156.html
-
-* Tue Feb 27 2007 Andrew Lewman <phobos@xxxxxxxxxx>
-- Fix a potential race condition in how we determine the running state of tor.  Found by Stefan Nordhausen.
-- see OR-CVS for details
-
-* Fri May 26 2006 Andrew Lewman <phobos@xxxxxxxxxx>
-- Add in a few "SUSEisms" to make dist-rpm actually work on suse
-- Turn Tor "on" via chkconfig
-- Update -mcpu to -mtune to make GCC happy
-- see OR-CVS for details
-
-* Tue Mar 28 2006 Andrew Lewman <phobos@xxxxxxxxxx>
-- converted to build the specified target cpu and arch
-- override related rpm macros to build correctly
-- see OR-CVS for details
-
-* Mon Jan 17 2005 John Bashinski <jbash@xxxxxxxxxx>
-- Take runtime user and group names from configure system. Default
-  user/group names are now "_tor"; blame Roger...
-- Make logrotate control file a separate file in the source distribution,
-  rather than creating it from the spec file.
-- Properly handle the order in which RPM executes scriptlets on upgrade.
-  The old code would kill the daemon on upgrade.
-- Start the tor daemon after installation if and only if it was
-  running before installation. Preserve runlevel setup on upgrade.
-- Package the torctl script; the init script is now a wrapper around it.
-
-* Tue Nov  5 2004 John Bashinski <jbash@xxxxxxxxxx>
-- Add skeletal support for multiple distributions
-- Even more ridiculous level of macro-ization
-- Modify version numbers so RPM can determine when it has a newer version
-- Return to including distribution name in package release number
-- Sharply trim description
-- Change user/group name from "tor" to "tordmn"; "tor" is a common
-  given name (reported by Marius Hjelle)
-- Change group to "System Environment/Daemons" (suggested by Marius Hjelle)
-- Create logrotate file (suggested by Marius Hjelle)
-- Make Tor run as a user proxy by default (suggested by Marius Hjelle)
-- Autogenerate spec file from GNU autotools data, substituting version
-  and whatnot
-- Be perhaps excessively paranoid with config file and directory modes
-- Remove auto-start and auto-stop at installation time; there's some kind
-  of weird race going on, and it's arguably a bad thing anyway.
-
-* Mon Jun 06 2004 Nick Mathewson <nickm@xxxxxxxxxxxxx> 0.0.7-0.std.0.1.rc2
-- Make spec file more happy with fc2 packaging
-
-* Sat Jan 17 2004 John Bashinski <jbash@xxxxxxxxxx>
-- Basic spec file; tested with Red Hat 9.