To reduce the number of guard nodes I should look into decide_num_guards(). To increase the rotation period I should look into MIN_GUARD_LIFETIME et al. or play with the GuardLifetime consensus parameter on the authority side.
How to test the external script: Make artificial data sets of consensuses and see if the external script parses them properly.
How to test Tor: Create artificial guard age results file, give the test a fake network (some relays) and see if Tor generates the right weights for the relays.
a) How are we going to get past consesuses? AFAIK, directories don't keep and serve old consesuses. Is metrics.tpo the only place where we can get them? Is it reasonalbe to make metrics.tpo a single point of failure for this feature?
b) We will need to verify the sigs of the past consesuses. Can arm verify signatures of Tor documents? Also, what can go wrong with verifying consesus sigs from many months ago? Have auths ever changed their identity keys? Also, what happens if we try to parse a badly-signed consesus? Should we just ignore it?
a) How are we going to get past consesuses? AFAIK, directories don't keep and serve old consesuses. Is metrics.tpo the only place where we can get them? Is it reasonalbe to make metrics.tpo a single point of failure for this feature?
Would somebody want to run a fall-back instance of the part of metrics.tpo that archives consensuses? I run two instances, but I sure wouldn't mind knowing that there's another instance running that is not run by me.
b) We will need to verify the sigs of the past consesuses. Can arm verify signatures of Tor documents?
stem, not arm. That's a question for atagar.
Also, what can go wrong with verifying consesus sigs from many months ago? Have auths ever changed their identity keys?
metrics.tpo also serves past certificates that you could use here. You'll also want to extract a list of authority identities that little-t-tor clients considered valid. That list changes every now and then, but not very often.
Also, what happens if we try to parse a badly-signed consesus? Should we just ignore it?
Probably warn about the bad signature and ignore it. If the consensus still has enough good signatures for little-t-tor clients to accept it, you can probably accept it, too.
Trac: Summary: Implement the single guard node proposal to Implement the single guard node proposal (prop#236) Severity: N/Ato Normal Reviewer: N/AtoN/A
Remove the SponsorU status from these items, which we already decided to defer from 0.2.9. add the SponsorU-deferred tag instead in case we ever want to remember which ones these were.