Packaging Request #874
[tor-browser] add package for PCR
Tor Browser Bundle: Anonymous browsing using Firefox and Tor
I guess it will be a crucial part of Parabola's nonprism suite, thus making Parabola the logical choice for users, that value their privacy.
Updated by GNUtoo over 6 years ago
- Is tor-browser suggesting non-free software with "get add-ons"?
- The tor-browser and Tor project suggest not to install any add-ons (reference needed), this is to prevent the user's browser from looking different and unique
- We should probably try to disable that feature instead. But we should be very careful at not changing how the modified tor-browser looks on the internet, else it becomes dangerous and useless (you will be uniquely identified). We probably need to check that with tor-browser developers, and make them review the change.
- Since there is this add-on issue, we can't use stock tor-browser for now, which is really problematic, we loose:
- Reproducible builds
- The possibility not to make a tor-browser-libre package but instead a tor-browser installer. This would have been desirable because it has a nice auto-update feature. You also would get a reproducible build.
Updated by GNUtoo almost 6 years ago
I've made some research but forgot to report back:
The add-on page can be changed in about:config.
However extra care must be taken not to make a tor-browser-libre distinguishable from the tor-browser.
Some information about plugins updates can be found in the following (fixed) security bug: http://seclists.org/dailydave/2016/q3/51
Updated by GNUtoo over 2 years ago
Updated by bill-auger over 2 years ago
the auto-update feature makes this program not well fit for any distro - every program that i know of, which has such a feature, has it disabled in parabola builds
there is hardly any reason to package any program with with an auto-update feature - anyone who installs the package would only be using the packaged build until the next auto-update (like maybe the very next day in this case); and then will be using the upstream binary from then on - one really may just as well get the upstream binary in the first place, saving us the trouble of maintaining yet another mozilla beast
Please may I submit my wish for this? Since
torbrowser-launcher was blacklisted today I no longer have a web browser which is safe to use over Tor. Needless to say, I never utilised the Mozilla repo with nonfree addons in it.
Would the existing Iceweasel patchset be helpful to liberate the Tor Browser?
Updated by bill-auger 4 months ago
gap - read my last comment above - i think you are better off using the ones, that tor people build
OTOH, you could install tor on your computer and 'torify' any program
i can add that there is one other huge factor impeding the progress of this ticket - that is, all of the same arguments against #2165 - mozilla software is a huge maintenance burden
The issue with Torification is that not everything is safe to Torify, IIRC, without modifying it to act in a less identifiable way.
The Tor Browser and Torifiable programs have been designed to work safely over Tor.
In this way, merely Torifying Iceweasel (or any other browser) wouldn't be as safe as the Tor Browser.
I wouldn't want to use the binary directly from the Tor Project for several reasons:
1. Self-updating programs are a nightmare and all updating should be handled by the system package manager.
2. It is not compliant with the GNU FSDG.
3. The build environment of the Tor Project is almost certainly different to that of the Parabola build server, so dependencies and libraries might be different, potentially incompatible versions.
4. There are all these redundant faux-universal package formats to deal with (eg. AppImage) and I don't want to have to deal with a TPPM, so I'd probably end up waiting hours for it to compile from a sourceball.
I lived with issues 1, 2, and 3, whilst using
torbrowser-launcher, and a native package would be much better.
The AUR package has issues 1 and 2, assuming the user builds it locally, so it could be a starting point for a
At the moment I am relatively busy and have enough time only to submit issue reports and discuss issues, but I might volunteer to maintain a
tor-browser package, if the patch set from Iceweasel is manageable.
I'd be willing to learn how to package such complex software and Parabola's policies regarding packaging, but I would probably start off contributing to smaller bugfixes in the blacklist first.