HISTORY

NEW IN VERSION 0.0.8alpha4:
   - Avoid crashes on servers when name resolution fails for our own name
     (Patch from Tobias).
   - Avoid crashes on servers when directory download fails (Patch from
     Tobias).
   - Fix support for -n option to flushqueue command (Patch from Tobias).
   - Fix SQL syntax error spotted by Uwe Danz.

NEW IN VERSION 0.0.8alpha3:
   - Create .mixminion directory even when we try to lock before accessing
     it: This prevents "update-servers" from crashing when run without
     a .mixminion directory.
   - Don't die when gzip compression on a downloaded directory is corrupt.
   - Don't die when an incoming connection closes before we can get its
     address.
   - Do not believe any path specifier that results in an impossibly short
     path.
   - Bump preferred openssl version to 0.9.8e.

NEW IN VERSION 0.0.8alpha2:
   - License changed from LGPL to the so-called "MIT" license. This has
     been planned for ages; see
       http://archives.seul.org/mixminion/dev/May-2004/msg00000.html
   - Numerous bugfixes:
     - Implement DESTDIR correctly.
     - Do not crash when run with python 2.4
     - Bump preferred openssl version to 0.9.8a
     - Work when umask setting is bizarre (0077, 0000, etc.)
     - Make -P and mbox work correctly together.
     - Catch over-long paths.
     - Tolerate missing /dev/null
     - Solve crash on mixminion clean-queue
     - Do not exit on a spurious protocol string from another MMTP host.
     - Do not use stdio to read /dev/urandom: This wastes entropy.
   - Security improvements
     - Regenerate SSL certificates more frequently.
     - Servers schedule and retry delivery on a per-address basis, not a
       per-message basis.
   - Drop support for pre-0.0.6 servers: Servers are now located by
     hostname.
   - Add a "count-packets" command to tell how many packets will be needed
     to send a message.  Some integrators need this.
   - Add a "SendmailCommand" option for invoking an external program to send
     email rather than simply connecting to an SMTP server.
   - Write much of ClientAPI, so Mixminion is easier to embed -- having this
     in a real release should make the Nymbaron team happy.
   - Experimental pinger code, using pysqlite as a data store and
     implementing the "Echolot" remailer reliability algorithm.
     More work is needed.
   - Partially implemented code for distributed coordinated voting directory
     servers.  Client side and data formats are done; glue remains.
     - Recommended versions are no longer hard-coded.
     - Refactor how we learn about servers and generate paths.
   - Split out option-parsing logic to make option lists more consistent.
   - Suppress prompt when reading messages from non-TTY fds.
   - Implement --status-fd option to dump info to would-be integrators.
   - Better errors on expired certs

NEW IN VERSION 0.0.8alpha1:
   - Make it work with Python 2.4, and more versions of zlib.

NEW IN VERSION 0.0.7.1:
   - Install man pages in PREFIX/share/man, not PREFIX/man.
   - If the server crashed while changing a packet's metadata, it would often
     crash upon restart.  Now it doesn't.
   - Don't crash when trying to route from a pre-0.0.6 server to a server
     with no IP.
   - Don't crash when we fail to download a directory.

NEW IN VERSION 0.0.7:
   - New version number; nothing else has changed since 0.0.7rc2.

NEW IN VERSION 0.0.7rc2:
   - BUGFIXES
     - Provide more helpful error messages when directory download fails.
     - Fix a possible crash during message delivery
     - Fix a race condition with multiple simultaneous processes.
     - Don't create empty output files when there is no data to write.
     - Many bugfixes for client-side message reassembly.

   - UI FIXES
     - All options that asked for a number of hops are now deprecated (with
       warnings) or disabled (with errors); use -P instead.
     - Server bandwith spikiness is now configurable.
     - ConnectionTimout has been renamed (more accurately) to Timeout.
     - The -i and -o flags are now optional whereever possible, and
       default to stdin and stdout.

   - DOCUMENTATION
     - Mixminion now ships with man pages for mixminion(1), mixminiond(8),
       mixminionrc(5), and mixminiond.conf(5).

NEW IN VERSION 0.0.7rc1:
   - USER FUNCTIONALITY
     - Ability to delete or transmit queued messages to selected mixes,
       instead of all mixes.
     - Configuration options to block servers from path generation.
     - New "mixminiond FOO" script as alternate starting point for
       "mixminion server-FOO" functions.
     - CLI interface for client-side fragment reassembly.
     - Command shell (on Windows) supports filenames with spaces much
       better.

   - INFRASTRUCTURE
     - Allow servers to download and use directories (necessary for
       dummy/pinging work in future versions.)
     - Display server nicknames in log instead of just IP addresses.
     - Servers check recommended-version, complain when server is obsolete.
     - Put timezones in log.
     - Refactor RFC822 header generation logic (original patch from
       bfordham).

   - NETWORKING
     - Rewrite MMTP logic to implement protocol correctly and transfer
       packets more quickly, without waiting for round-trip acknowledgments
       after each before sending the next.
     - Unify client and server MMTP sending implementations.
     - Use IP TOS flags where available to request optimization for
       bandwidth.
     - Configurable limits for bandwidth.
     - Configurable limits on number of outgoing network connections.
     - New --reply-block-fd option to read reply-blocks from a file
       descriptor.
     - New --passphrase-fd option to read passphrase from a file
       descriptor.
     - The --quiet option works for clients as well as servers.
     - "mixminion ping" supports addr:port syntax as well as nicknames.

   - MISC
     - Call shred more efficiently when calling shred
     - Other bugfixes too numerous to mention
     - Remove some deprecated functionality
     - Better windows build

NEW IN VERSION 0.0.6.2:
   - Fixed a bug that prevented the client from ever deleting messages
     from its queue.

   - Have clients handle dropped connections to servers correctly, by
     retrying only the packets that were not delivered.

NEW IN VERSION 0.0.6.1:
   - Several documentation fixes.

   - Make the -H option work again when -P is not provided, and give a
     useful error when it is.

   - Make 'list-server -R' work properly.

   - Fix a bug that made it impossible to send replies messages with text
     from the command line.

   - Never try to clean client queues without holding the proper lock.

   - Prevent the server from crashing on an unresolvable hostname.

NEW IN VERSION 0.0.6:
   - Several documentation fixes.

   - Starting a server for the first time will no longer give a spurious
     message about an out-of-date installation.

   - We now accept as uniform several more recent versions of zlib.

   - 'mixminion server-start --quiet' is now even more quiet than before.

   - Inital initial debian packaging files and targes (Peter Palfrader)

NEW IN VERSION 0.0.6rc2:
   - Fixed a couple of bugs that would prevent Mixminion from running on
     Python 2.0 or Python 2.1.

   - Fixed a build problem with stand-alone Windows builds: the 'bsddb'
     module was not included, so we were defaulting to the slow and
     inefficient 'dumbdbm' module to store hash logs, SURB logs, and fragment
     indexes.

NEW IN VERSION 0.0.6rc1:
   - Windows support
       - The Mixminion command-line interface now works on MS Windows, at
         least for me.  It has been tested on Windows 2000, and should work
         on any platform running Windows 98 or later.  There are probably
         some lingering bugs, especially when running a server.

   - Improved security
       - SURB keys are now rotated periodically.

       - The client now _always_ shuffles packets before delivery, and sends
         them in a random order.

   - Improved robustness
       - Servers are now addressed by hostname rather than IP.  It is now
         feasible to run a Mixminion server with a dynamic IP address.
         Support for old-style routing will be deprecated in 0.0.7.
         (Servers use a DNS-farm abstraction to avoid blocking on slow
         DNS lookups.  MMTP connections are still authenticated, so attacks
         against DNS can at worst delay packets from arriving.)

       - The path generation logic has been largely rewritten to use the
         optimal routing method for each server-to-server pair.

       - The path generation code now chooses good paths for fragmented
         messages and messages with specific requirements on their exit
         nodes.

       - Client queues are generally less buggy.

       - Consistency enforcement between fragmentation and other modules.

       - Better spec compliance.

   - Improved performance
       - When flushing messages from the client queue, it is no longer
         necessary to load them all into RAM at once.

   - User interface tweaks
       - When running as a client, Mixminion now displays servers by nickname
         in addition to IP:port whenever possible.  Servers will gain this
         behavior in a later version, once they begin downloading
         directories.

       - The behavior of 'mixminion list-servers' has been changed: its
         default output is far terser and easier to parse than before, though
         output _even more_ verbose than previous can be selected.  Also,
         whereas the old implementation only listed servers by their
         lifetime, capabilities, and status, it is now possible to list
         arbitrary 'features' of the servers in the directory.

       - Error messages for timeouts are more reasonable; timeouts themselves
         should now work a little better than before.

       - A longstanding typo in the MMTP server's logging code has been
         resolved: running at DEBUG should be far terser and more reasonable
         than before.

       - Users can now send fragmented messages for reassembly by their
         recipients rather than exit servers.  (Client side reassembly is
         not yet implemented, however.)

       - Many error messages have been cleaned up, including a few related to
         SSL errors, Windows internals, corrupt databases, unsupported
         databases.

   - Build improvements
       - Use the preferred version of Python if one exists.

       - Add build target to output test vectors for crypto functionality.

       - Support the DESTDIR environment variable

       - Check SHA1 digest on downloaded OpenSSL 0.9.7c.

   - Other bugfixes too numerous to mention.

NEW IN VERSION 0.0.5.1:
   - Allow exit servers to decide whether to support user-supplied from
     addresses.
   - Fail more gracefully when we try to deliver mail and the the local MTA
     is down.

NEW IN VERSION 0.0.5:
   - Fix a harmless but hard-to-detect bug that showed up when running
     unittests on certain platforms.

NEW IN VERSION 0.0.5rc2:
   - Fix for a bug that would crash exit servers trying to upgrade from
     certain older versions.

   - Improved error messages for several cases.

   - Add a draft man page (credit goes to George Danezis).

NEW IN VERSION 0.0.5rc1:
   - Support for email headers.  'Subject', 'In-Reply-To', and 'References'
     are fully supported.  'From' support is limited, as documented in
     'E2E-spec.txt'.

   - Limited support for K-of-N message fragmentation and reassembly.  Right
     now, clients can send large fragmented messages for servers to
     reassemble them.  Not yet supported are independent paths, fragmented
     reply messages, and client-side fragment reassembly.

   - UI improvements
      - Path generation can now create random-length paths
      - Support for removing old messages from client queues.
      - 'Mixminion shell' command to wrap other commands on platforms with
        iffy terminals or shells.  Poor substitute for a real GUI.

   - Improved portability
      - All client and server functionality works properly on Cygwin.
      - Everything should work on win32 too.  (But it won't be supported till
        I can get Py2Exe working.)
      - The build system should work on more unixes.

   - Improved configurability
      - Support for suppressing directory permission messages.

   - Improved performance
      - Server RAM usage should be way down, except while reassembling large
        messages.

   - Improved testability
      - Server descriptors now describe the server's platform and
        configuration.

   - Bugfixes too numerous to mention.  Server pools in general should be
     significantly more robust.

NEW IN FINAL 0.0.4 RELEASE:
  BUGFIXES:
  - Fixed a bug that would sometimes give a useless error message when
    trying to build a message with a too-long path.

NEW IN VERSION 0.0.4rc4:
  BUGFIXES:
  - Improved error message on nonexistent directory.
  - Fixed a bug (found by Mike Gurski) that could kill a server if a message
    was received for an old key in between deleting the old key's replay cache,
    and deleting the old key itself.
  - Fixed a bug in setting up server directories.

NEW IN VERSION 0.0.4rc3:
   BUGFIXES:
   - Memory leaks:
       - Made server code release memory more aggressively.
       - Fixed a race condition where messages could be queued on a server
         connection that was already shutting down.
       - Fixed memory leaks on certificate checking.
   - Server bugs:
       - Fixed a server crash on key-rotation that would occur when to trying
         to open the same hash log db file twice.
       - Fixed bug that would crash server if PublicKeyLifetime changed.
       - Made server differentiate between ENOENT and EACCES when starting.
       - Fixed a bug that would cause key generation to happen at the wrong
         times.
   - Other bugs:
       - Fixed a bug related to using client keyrings without passwords.
       - Made ASCII armor more reliable in the face of extraneous space,
         headerless armor, and so on.
       - Excluded superseded servers from directories more thoroughly.

   OTHER CHANGES:
   - Cosmetic:
       - Commented most uncommented code.
       - Refactored path selection again.
       - Refactored code to use more reliable file accessing functions.
       - Added more unit tests
   - Performance enhancements:
       - Changed recommended OpenSSL version to 0.9.7b.
   - Implementation quality
       - Improved a few log messages.
       - Made included etc/mixminiond.conf more reasonable by using a less
         aggressive retry schedule, commenting out unused Allow lines, and
         decreasing PublicKeyLifetime.
       - Made os.expanduser work on more configuration values.
   - Enabled threading on more C functions.

NEW IN VERSION 0.0.4rc2:
   BUGFIXES:
   - The server shouldn't crash so much when it gets bad TLS errors or
     timed-out connections.  Sometimes, it will give better errors when it
     does.

NEW IN VERSION 0.0.4rc1:
   First steps toward directory automation:
      - Servers generate new keys and server descriptors when the old ones
        are close to expiring.  (~2 weeks)
      - Servers also regenerate server descriptors when their configuration
        changes.
      - When a set of keys expires, a server rotates to the next set
        automatically (with some overlap).
      - Servers can upload their descriptors to a directory server
        automatically.
      - There's a trivial directory backend that accepts signed updates
        automatically, and queues new servers.
      - Directories now include a list of which servers are believed to be
        working correctly.  Right now, this list is still manually
        configured.
      - There's a cron job that regenerates the directory every so often.

   Packet format overhaul:
      - Server RSA keys are now 2048 bits long.
      - The header representation is more compact now, so we don't pay in
        space for the increased key length.

   MMTP improvements:
      - The certificate regime has changed so that key rotation is now
        possible: instead of authenticating servers based on their TLS
        keys, we authenticate based on their identity keys, which never
        change.
      - Packets sent from a server to itself no longer hit the network.
      - When relaying messages, a server never opens more than 1 connection
        at a time to the same server.
      - MMTP clients now recognize a 'REJECTED' reply that a server can use
        to refuse messages when under high load.

   Other server improvements:
      - Servers can (optionally) track the number of packets received,
        relayed successfully, dropped, and so on.
      - Servers can recognize and advertise whether they are configured
        'securely.'
      - The deliver/retry logic has been largely rewritten.  It should
        freak out and die less frequently now.  In any case, it also prints
        better debugging messages, and thrashes the disk less.

   Minor changes:
      - We now use real OpenPGP-style ASCII-armor.  Accept no substitutes!

   Numerous UI Improvements:
      - There are saner error messages for many common cases.
      - Support for multiple SURB keys to prevent identity-blending attack.
      - There's a new (temporary) 'mixminion ping' command that you can use
        to tell whether a server is accepting connections.  It's potentially
        dangerous (if you go pinging all the servers in your path), and has
        a banner saying so.
      - The path selection syntax has changed to be more flexible.  (You can
        now specify a single random hop, or N random hops.)

NEW IN VERSION 0.0.3:
   Better build support:
      - Fail more gracefully with missing 'which'.
      - Fail more gracefully with missing python-dev.
      - Portability fixes for Python 2.0.
   Client tweaks:
      - Default connection timeout to 1 minute.
      - Rename stop-server to server-stop.
      - Rename reload-server to server-reload.

NEW IN VERSION 0.0.3rc2:
   Numerous bugfixes, including:
      - More verbose client locking
      - More reasonable log messages
      - Better messages on missing openssl
      - Improved documentation
      - Better support for confused permissions on build
      - Better errors on failing directory retrieval
      - Less verbose description of reply blocks skipped.
      - Base64 encoding should no longer get corrupted by outlook
      - Fix nasty race on queue cleaning.
      - The code compiles (but doesn't run) under cygwin.
   New features:
      - mixminion stop-server and mixminion reload-server commands.

NEW IN VERSION 0.0.3rc1:
   CLIENT:
      - Single-use reply blocks (SURBs) are fully supported and available.
      - You can use client-side pooling: it holds messages until you're
        ready to send them.  Pooling also prevents you from losing
        messages when the first hop in your path is temporarily down.
      - You can now decode binary messages or reply messages from the command
        line.
      - We now time out faster when servers are down.
      - Many error messages are far friendlier.
      - It's now safe to run multiple instances of the client at once.
      - Numerous UI improvements and typo fixes; error reporting is better in
        many ways.
   BUILD:
      - It's easier to build with different OpenSSL installations.
   SERVERS:
      - Servers now have a lightly multithreaded design to prevent extreme
        stalling under heavy loads.  Now the network should remain fairly
        responsive under far more traffic than before.
      - When a message delivery fails, the retry schedule is more reasonable.
        By default, a server will retry an undeliverable message every
        30 minutes for a day, then every 7 hours for 5 days.
      - All modules that use SMTP now set a "X-Anonymous: yes" header.
   CONFORMANCE:
      - We now implement MMTP correctly; before, we didn't accept junk
        packets; handle protocol negotiation right; or do support key
        renegotiation.
      - DROP packets have random payloads.
      - A nasty bug in our implementation of counter mode is fixed.  On
        the bright side, big-endian and little-endian hosts should now,
        finally, be compatible.  On the minus side, we lose backward
        compatibility.
      - Server descriptors and directories now follow a more forward-
        compatible format: we can add sections and entries in the future
        with less risk of breaking existing clients.

NEW IN VERSION 0.0.2.2:
   - Fixed a bug that crashed your server when another server's KeyID was
     incorrect.
   - Add minimal handlers for TERM and HUP signals.
   - Add a disclaimer to main usage message.

NEW IN VERSION 0.0.2.1:
   - BUGFIX: A nasty bug is fixed that could, under just the right
     circumstances, send the server into an infinite loop and fill up your
     hard drive.  If you're running a server, you *should* upgrade.
   - Server log messages are more reasonably structured.
   - setup.py is more clever about half-installed Python.
   - "list-servers" now supports the same directory-download options as
     does "send".

NEW IN VERSION 0.0.2:
   - A real SMTP exit module to relay messages via a local MTA.  Blacklisting
     is supported by address, by username, by host, by entire domain, and
     by regular expression.
   - Integrated directory support for clients.
   - Automatic path selection, along with a better user interface to specify
     paths.
   - You can now enable Cottrell (DynamicPool) and Binomial Dynamic Pool
     batching, though they are disabled by default to make the system more
     testable.
   - Servers resist certain trivial DoS attacks more strongly.  In
     particular, you should no longer be able to send zlib bombs or flood a
     server with open connections.
   - Clean build process under FreeBSD.
   - Ability to run server as a daemon.
   - Slightly better documentation and error messages.
   - Better resistance to newline corruption of server descriptors.
   - Other bugfixes and performance improvements too numerous to mention.

NEW IN VERSION 0.0.1:
   - You can run a rudimentary server that can deliver to other Mixminion
     servers, that can use Mixmaster to deliver to any external address,
     or that sends SMTP directly to a preconfigured set of addresses.
   - You can send anonymous email via these servers.