Most active commenters
  • acheong08(4)
  • (3)
  • medo-bear(3)

Arti: A Tor Implementation in Rust

(tpo.pages.torproject.net)
185 points acheong08 | 34 comments | 30 Apr 24 18:54 UTC | HN request time: 1.706s | source | bottom
1. ◴[30 Apr 24 20:49 UTC] No.40216166[source]
2. tromp ◴[30 Apr 24 20:51 UTC] No.40216177[source]
The name is an acronym for "A Rust Tor Implementation" [1].

[1] https://gitlab.torproject.org/tpo/core/arti/-/blob/850a3c3b6...

replies(2): >>40217454 #>>40220751 #
3. ◴[30 Apr 24 22:37 UTC] No.40217284[source]
4. davidee ◴[30 Apr 24 22:54 UTC] No.40217454[source]
Cool! Also an opportunity missed: Arti Rust Tor Implementation
replies(1): >>40219220 #
5. buildbuildbuild ◴[30 Apr 24 23:34 UTC] No.40217757[source]
Shoutout to the Zcash Foundation for funding a large portion of Arti’s development.
replies(1): >>40221240 #
6. newZWhoDis ◴[01 May 24 01:19 UTC] No.40218477[source]
So given the US fed’s new insane rules about what a money transmitter is, how can anyone US-adjacent feel safe contributing?

Like the recent S wallet people the minute your software is used for anything illegal you risk extradition.

replies(2): >>40218493 #>>40219271 #
7. cassonmars ◴[01 May 24 01:21 UTC] No.40218493[source]
Tor isn't a money transmitter, but also, they were indicted more for the fact they actively sought out sanctioned individuals in marketing/dev outreach
8. Ar-Curunir ◴[01 May 24 02:15 UTC] No.40218815[source]
This is not that: it is from the official Tor implementers
replies(1): >>40218965 #
9. binary132 ◴[01 May 24 02:43 UTC] No.40218965{3}[source]
it literally says that in the README

it is not a Real Project, it’s someone trying an experimental implementation of a tor client

replies(4): >>40219129 #>>40219151 #>>40219222 #>>40219313 #
10. fastball ◴[01 May 24 03:16 UTC] No.40219129{4}[source]
Where does it say that in the README?
replies(1): >>40219174 #
11. ◴[01 May 24 03:22 UTC] No.40219151{4}[source]
12. designed ◴[01 May 24 03:26 UTC] No.40219174{5}[source]
They might have been referencing the link posted by tromp (currently top comment)
replies(1): >>40219256 #
13. Forbo ◴[01 May 24 03:32 UTC] No.40219220{3}[source]
Please, no more recursive backronyms. Or maybe I just have a sour taste of them because of some of more lamentable choices of other projects....
14. zamalek ◴[01 May 24 03:32 UTC] No.40219222{4}[source]
> Until Arti is more mature, we recommend it for experimental use only.

Helps to read the entire context. This means that it likely hasn't had a security audit yet, and may de-anonymize you due to a bug. It doesn't mean it's abandonware.

15. Forbo ◴[01 May 24 03:39 UTC] No.40219256{6}[source]
I don't think holding the current state of the project to a version of the README from three years ago is even remotely anywhere near a good faith comparison.
replies(1): >>40221857 #
16. ulrikrasmussen ◴[01 May 24 03:41 UTC] No.40219271[source]
I'm not up to date - do you have a reference?
replies(1): >>40221385 #
17. contact9879 ◴[01 May 24 03:49 UTC] No.40219313{4}[source]
the link posted by tromp is to the readme from 3 years ago. you should read the latest readme before making assumptions about the quality of arti today
18. acheong08 ◴[01 May 24 04:34 UTC] No.40219540[source]
Re: the flagged comment about Arti not being a real project

It is a real project and it works well. I've been building some stuff on top of it in my free time and it's generally stable. There are a few footguns in their API (namely the DataStream not flushing writes automatically) but they're actively working on everything.

replies(1): >>40220757 #
19. medo-bear ◴[01 May 24 05:55 UTC] No.40219986[source]
I dont understand why my other comment was flagged. The Tor Project does not reccomend using Arti just yet. If you think that is outdated see the following article published on 04.03.24, which also states the following

   There are still some rough edges and missing security features, so we don't (yet) recommend Arti onion services for production use, or for any purpose that requires privacy.
https://blog.torproject.org/arti_1_2_0_released/
replies(2): >>40220849 #>>40229217 #
20. rvalue ◴[01 May 24 08:11 UTC] No.40220751[source]
Interesting. My first thought was this was something to connect with the hindi word aarti.

https://en.wikipedia.org/wiki/Arti_(Hinduism)

21. fullspectrumdev ◴[01 May 24 08:12 UTC] No.40220757[source]
I’d be genuinely interested in seeing what people are building on top of this.

Especially to see some concrete code examples, as I find those easier to learn from than the current state of the docs. Especially with regard to footguns mentioned!

I’ve had a few ideas, mostly porting older projects I built in Python using the Stem library. I feel like Arti is going to be much cleaner for embedding in applications than having to also bundle the correct Tor binary… manage running it as a subprocess… etc

replies(1): >>40229379 #
22. timeon ◴[01 May 24 08:27 UTC] No.40220849[source]
Second paragraph of linked page already states: "Until Arti is more mature, we recommend it for experimental use only."

It is one of five sentences on the page - not some hidden message. Not sure what your point is? The flagged comment stated that it is "not real project". `Not finished` and `not real` are two different things.

replies(1): >>40221083 #
23. medo-bear ◴[01 May 24 09:17 UTC] No.40221083{3}[source]
Point is that it is a matter of responsibility to state something that might affect safety of people. I dont understand why this reaction.

> The flagged comment stated that it is "not real project". `Not finished` and `not real` are two different things.

My comment said none of those things.

24. flooow ◴[01 May 24 09:45 UTC] No.40221240[source]
Been a number of examples of cryptobros funding unrelated projects for the positive PR. Is there a word for it yet? 'FOSSwashing'?
replies(4): >>40221299 #>>40221371 #>>40221420 #>>40222131 #
25. Nuzzerino ◴[01 May 24 09:58 UTC] No.40221299{3}[source]
It’s almost as bad as the number of HN commenters posting negatively about crypto without bothering to check if the criticism is accurate.

https://zcash.readthedocs.io/en/latest/rtd_pages/tor.html

26. taxmeifyoucan ◴[01 May 24 10:08 UTC] No.40221371{3}[source]
Do you have any insight into crypto ecosystem or just troll here? First of all, zcash is focused on private payments and Tor helps its users to stay anonymous while using third party wallets, etc. It's their dependency and relevant privacy project so they decide to support it. But this is nothing new, crypto ecosystem has been contributing to Tor for a decade, starting in Silk Road era. Many privacy related project have anon contributors only funded in crypto. It's literally FOSS native payment method.

These days, public goods funding of free and open software is one of the most active areas in crypto scene. They activate individual donors and organizations/DAOs to donate towards impactful non-profit projects. Quadratic funding platforms like Gitcoin are used to funnel millions of dollars to FOSS.

27. taxmeifyoucan ◴[01 May 24 10:10 UTC] No.40221385{3}[source]
Devs of Bitcoin wallet enabling anonymous payments, Samourai, were arrested because their software was presumably used for money laundering.
28. BoingBoomTschak ◴[01 May 24 10:16 UTC] No.40221420{3}[source]
As much as I dislike cryptocurrency, you're being unfair here. Some people of that crowd have privacy as central principle, Tor is then more than clearly related.
29. binary132 ◴[01 May 24 11:29 UTC] No.40221857{7}[source]
If it’s a mistake, then it’s in good faith, right? Maybe the README no longer literally says “learning Rust as I go along”, but it definitely did in the one I looked at quickly (yes, from tromp’s comment)

That said... is it really “really real” if it’s still experimental 3 years later?

30. kaliqt ◴[01 May 24 12:12 UTC] No.40222131{3}[source]
Most cryptobros are very pro open source and pro privacy, it's the whole reason they're trying to amass resources in crypto, to make it stronger and also to direct others to build up more resilient systems.
31. acheong08 ◴[01 May 24 20:49 UTC] No.40229217[source]
“For production”

This is hacker news. We hack. Even though it’s still a work in progress, we can experiment and try new things. API changes are not expected, the code you write now should work in the future when it comes out of the experimental phase.

replies(1): >>40229845 #
32. acheong08 ◴[01 May 24 21:03 UTC] No.40229379{3}[source]
I’m still in the process of experimentation. An example of the flushing thing is that you can’t simply pass the DataStream/connection directly into crates like fast-socks5 which depend on implicit behavior by the TCPStream struct which implements the AsyncReader/Writer traits which don’t require it. I had to manually add a bunch of flushes after each write chunk.

Another thing is that some features have been partially implemented but not configurable (basically dead code for now) such as ephemeral hidden services. I spent a good few days forking and implementing that myself and am in contact with the devs to see how it could be implemented/merged in a cleaner way. Some of my code: https://gitlab.torproject.org/acheong08/arti/-/compare/main....

I wanted a socks5 proxy over a hidden service to securely expose my machine in a firewall without owning any servers in between or having to mess with port forwarding.

Now working on a new pluggable transport to tunnel tor connections over syncthing relays.

Mostly just for fun, nothing actually too useful yet

33. medo-bear ◴[01 May 24 21:38 UTC] No.40229845{3}[source]
> This is hacker news. We hack.

? Do you think only "hackers" read hn ?