Add redirect bug to timeline

1 files changed, 18 insertions, 0 deletions

diff --git a/docs/operations.md b/docs/operations.md
index 9c213d6..1e437f6 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -131,6 +131,7 @@ In the full measurement, we had to replace Stockholm with Frankfurt (see notes).
 | 2023/04/13 | 05:40      | prepare dataset (de fra)    | moving files on VM-3, transfer to VM-1 [19] |
 | 2023/04/13 | 05:50      | experiment is completed     | datasets are ready, zipped, and documented  |
 | 2023/07/06 |            | move source to tpo gitlab   | git.cs.kau.se/rasmoste is not a stable home |
+| 2024/07/16 |            | onion-grab bug report       | wrt. how redirects are followed [20]        |
 
 ## Notes
 
@@ -824,3 +825,20 @@ Zip, checksum, and transfer to VM-1:
     $ zip -r de-fra.zip de-fra/
     $ sha256sum de-fra.zip
     2ea1f053decea3915b29bc60c2f954da55ea48f6d8ab9f47112caddf3a2e2f7f  de-fra.zip
+
+### 20
+
+Pier found that onion-grab follows redirects without correctly attributing the
+Onion-Location configuration to the destination it was redirected to, see:
+
+  - <https://gitlab.torproject.org/tpo/onion-services/onion-grab/-/issues/1>
+
+This explained an anomaly where it looked like a lot of sites were, e.g.,
+configuring Twitter/X's Onion-Location when in fact they were redirecting.
+
+Use `scripts/digest2.py` to get a cleaner picture of the distribution of sites
+that use HTTP and HTML for configuring Onion-Location.  Since this was found
+before the camera-ready deadline, we were able to update §4.1.2 accordingly.
+
+To avoid this bug in the future, onion-grab was patched on 2025-05-11 to (still)
+follow redirects but then associate Onion-Location with the final destination.