Arti: A Tor Implementation in Rust (torproject.net)
185 points by acheong08 7 months ago | 30 comments



The name is an acronym for "A Rust Tor Implementation" [1].

[1] https://gitlab.torproject.org/tpo/core/arti/-/blob/850a3c3b6...


Cool! Also an opportunity missed: Arti Rust Tor Implementation


Please, no more recursive backronyms. Or maybe I just have a sour taste of them because of some of the more lamentable choices of other projects....


Interesting. My first thought was this was something to connect with the Hindi word aarti.

https://en.wikipedia.org/wiki/Arti_(Hinduism)


I don't understand why my other comment was flagged. The Tor Project does not recommend using Arti just yet. If you think that is outdated, see the following article published on 04.03.24, which also states the following:

   There are still some rough edges and missing security features, so we don't (yet) recommend Arti onion services for production use, or for any purpose that requires privacy.
    
https://blog.torproject.org/arti_1_2_0_released/


“For production”

This is hacker news. We hack. Even though it’s still a work in progress, we can experiment and try new things. API changes are not expected, the code you write now should work in the future when it comes out of the experimental phase.


> This is hacker news. We hack.

? Do you think only "hackers" read HN?


Second paragraph of linked page already states: "Until Arti is more mature, we recommend it for experimental use only."

It is one of five sentences on the page - not some hidden message. Not sure what your point is? The flagged comment stated that it is "not real project". `Not finished` and `not real` are two different things.


Point is that it is a matter of responsibility to state something that might affect the safety of people. I don't understand why this reaction.

> The flagged comment stated that it is "not real project". `Not finished` and `not real` are two different things.

My comment said none of those things.


Shoutout to the Zcash Foundation for funding a large portion of Arti’s development.


Been a number of examples of cryptobros funding unrelated projects for the positive PR. Is there a word for it yet? 'FOSSwashing'?


Do you have any insight into the crypto ecosystem, or are you just trolling here? First of all, Zcash is focused on private payments, and Tor helps its users to stay anonymous while using third-party wallets, etc. It's their dependency and a relevant privacy project, so they decided to support it. But this is nothing new; the crypto ecosystem has been contributing to Tor for a decade, starting in the Silk Road era. Many privacy-related projects have anon contributors only funded in crypto. It's literally a FOSS-native payment method.

These days, public goods funding of free and open software is one of the most active areas in the crypto scene. They activate individual donors and organizations/DAOs to donate towards impactful non-profit projects. Quadratic funding platforms like Gitcoin are used to funnel millions of dollars to FOSS.


As much as I dislike cryptocurrency, you're being unfair here. Some people of that crowd have privacy as a central principle; Tor is then more than clearly related.


It’s almost as bad as the number of HN commenters posting negatively about crypto without bothering to check if the criticism is accurate.

https://zcash.readthedocs.io/en/latest/rtd_pages/tor.html


Most cryptobros are very pro open source and pro privacy, it's the whole reason they're trying to amass resources in crypto, to make it stronger and also to direct others to build up more resilient systems.


Re: the flagged comment about Arti not being a real project

It is a real project and it works well. I've been building some stuff on top of it in my free time and it's generally stable. There are a few footguns in their API (namely the DataStream not flushing writes automatically) but they're actively working on everything.


I’d be genuinely interested in seeing what people are building on top of this.

Especially to see some concrete code examples, as I find those easier to learn from than the current state of the docs. Especially with regard to footguns mentioned!

I’ve had a few ideas, mostly porting older projects I built in Python using the Stem library. I feel like Arti is going to be much cleaner for embedding in applications than having to also bundle the correct Tor binary… manage running it as a subprocess… etc


I’m still in the process of experimentation. An example of the flushing thing is that you can’t simply pass the DataStream/connection directly into crates like fast-socks5 which depend on implicit behavior by the TCPStream struct which implements the AsyncReader/Writer traits which don’t require it. I had to manually add a bunch of flushes after each write chunk.

Another thing is that some features have been partially implemented but not configurable (basically dead code for now) such as ephemeral hidden services. I spent a good few days forking and implementing that myself and am in contact with the devs to see how it could be implemented/merged in a cleaner way. Some of my code: https://gitlab.torproject.org/acheong08/arti/-/compare/main....

I wanted a socks5 proxy over a hidden service to securely expose my machine in a firewall without owning any servers in between or having to mess with port forwarding.

Now working on a new pluggable transport to tunnel Tor connections over Syncthing relays.

Mostly just for fun, nothing actually too useful yet
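
Added example, not part of the comment above and not Arti code: a std-only, synchronous model of the flushing footgun it describes, where a caller that never flushes leaves its handshake bytes stuck in the buffer. `BufferedStream`, `FlushOnWrite` and `send_greeting` are hypothetical names, and `std::io::Write` stands in for the async writer traits.

```rust
use std::io::{self, Write};

// Constructed stand-in for a stream that buffers writes until flush(),
// the behaviour the comment above reports for Arti's DataStream.
#[derive(Default)]
struct BufferedStream {
    pending: Vec<u8>, // accepted by write(), not yet sent
    wire: Vec<u8>,    // what the peer would actually have received
}

impl Write for BufferedStream {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        self.pending.extend_from_slice(buf);
        Ok(buf.len())
    }
    fn flush(&mut self) -> io::Result<()> {
        self.wire.append(&mut self.pending);
        Ok(())
    }
}

// Hypothetical adapter: flush the inner stream after every write so that
// callers written against an auto-sending socket still make progress.
struct FlushOnWrite<W: Write>(W);

impl<W: Write> Write for FlushOnWrite<W> {
    fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
        let n = self.0.write(buf)?;
        self.0.flush()?;
        Ok(n)
    }
    fn flush(&mut self) -> io::Result<()> { self.0.flush() }
}

// Library-style caller that never flushes. The bytes are a SOCKS5 greeting:
// version 5, one method offered, method 0x00 (no authentication).
fn send_greeting<W: Write>(w: &mut W) -> io::Result<()> {
    w.write_all(&[0x05, 0x01, 0x00])
}

// Returns (bytes on the wire without the adapter, bytes with it).
fn bytes_on_wire() -> io::Result<(usize, usize)> {
    let mut bare = BufferedStream::default();
    send_greeting(&mut bare)?;
    let mut wrapped = FlushOnWrite(BufferedStream::default());
    send_greeting(&mut wrapped)?;
    Ok((bare.wire.len(), wrapped.0.wire.len()))
}

fn main() { println!("{:?}", bytes_on_wire()); }
```

Flushing on every write trades throughput for progress, so an adapter like this fits handshake-sized messages better than bulk transfer.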


So given the US fed’s new insane rules about what a money transmitter is, how can anyone US-adjacent feel safe contributing?

Like the recent S wallet people the minute your software is used for anything illegal you risk extradition.


Tor isn't a money transmitter, but also, they were indicted more for the fact they actively sought out sanctioned individuals in marketing/dev outreach


I'm not up to date - do you have a reference?


Devs of a Bitcoin wallet enabling anonymous payments, Samourai, were arrested because their software was presumably used for money laundering.


[flagged]


This is not that: it is from the official Tor implementers


it literally says that in the README

it is not a Real Project, it’s someone trying an experimental implementation of a tor client


> Until Arti is more mature, we recommend it for experimental use only.

Helps to read the entire context. This means that it likely hasn't had a security audit yet, and may de-anonymize you due to a bug. It doesn't mean it's abandonware.


the link posted by tromp is to the readme from 3 years ago. you should read the latest readme before making assumptions about the quality of arti today


Where does it say that in the README?


They might have been referencing the link posted by tromp (currently top comment)


I don't think holding the current state of the project to a version of the README from three years ago is even remotely anywhere near a good faith comparison.


If it’s a mistake, then it’s in good faith, right? Maybe the README no longer literally says “learning Rust as I go along”, but it definitely did in the one I looked at quickly (yes, from tromp’s comment)

That said... is it really “really real” if it’s still experimental 3 years later?



