BridgeDB is the core of the Tor bridge backend. It hands out bridge relays on user request from several pools: via SMTP, HTTPS, and instant messaging, plus a few reserved pools given out by hand to real-world physical networks. The code repository is at


(Sponsor D, deliverable 21 for Sep 30)

  • Write a BridgeDB specification (#1606).
  • Add code that will make it possible to request bridges for a certain country like so by email: bridges+zh@… or by HTTP: (#1607).
  • If we know a certain bridge is blocked in a certain country, don’t give out that bridge to that country (#1608 and #1837).
  • Add code that will give out bridges in a localized way (gettext). For that, put all messages in need of translation in one file (#1609).
  • Design algorithm to rotate available bridges over time (#1839).
  • Turn mail requests into 'subscriptions': people mail 'subscribe bridges' to us, we put them in a database and send them bridges periodically. To avoid sending emails to users who have long forgotten about their subscription, make them re-subscribe periodically by putting a "Reply to this mail or you won't get any more bridges" text somewhere in a mail we send them with fresh bridges (#1610).
  • Increase the "reserved" share of bridges (#1611).
  • Group reserved bridges into buckets for people, write those buckets to files on request (so that those files can be used by Roger or $foo to give to trusted people) (#1612).
  • i18n bridgedb (#1613).
  • Drop email-to-bridge mappings after N days.
  • Bump up epoch length a lot.
  • Test DB migration code.
  • Drop email persistence.
  • Rate-limit email replies (#1860).
  • Stop looking for "get bridges" in emails.
  • Clean email backend periodically.
  • List only one bridge per /16 per reply.
  • It keeps corrupting its database, causing Roger to delete the old database and undermine this whole give-the-same-answer-each-time design (#1098).
  • Send back an email even if there aren't any bridges.
  • Check dkim headers for sanity.
  • Make the 'magic word' for the email configurable, case-tolerant, HTML-tolerant, and punctuation-tolerant
    • for bonus points, make it Base64-tolerant
  • Make all the rest of the email options configurable.
  • Bug: the email handler gets really upset when the email doesn't have a message-id header in it.
  • When we hit the end of a period, forget the email address history.
  • When sending bridges to an email address in the history, check for liveness.
  • Make bounces go to the right address.
  • Make address sent in "mail from" command configurable. Actually, configure it.
  • Make the bridge list you get back include at least one non-443 bridge. It turns out sometimes 443 isn't all it's cracked up to be.

Not now:

  • Check that the incoming IP address of an email is sane.
  • Check more email headers for sanity.


  • Document stuff better
  • Better area division logic
  • Make all proxies get stuck in their own area.
  • Implement slightly nicer logging
  • Add CAPTCHAs (ugh, this doesn't stop anything, do we have to?) (#1836)
  • Decent template for the web interface
  • Decent template for mail interface
  • Implement a 'help' command

  • Reload configuration on signup; not just bridges.

  • Reply with locale support.
  • Check host option in HTTP.


Last modified on May 9, 2019, 6:30:50 PM