Project

General

Profile

Packaging Request #874

[tor-browser] add package for PCR

totalchaos - over 6 years ago - . Updated 3 months ago.

Status:
open
Priority:
wish
Assignee:
-
% Done:

0%


Description

Tor Browser Bundle: Anonymous browsing using Firefox and Tor
I guess it will be a crucial part of Parabola's nonprism suite, thus making Parabola the logical choice for users, that value their privacy.
https://www.torproject.org/projects/torbrowser.html.en

History

#1

Updated by GNUtoo over 6 years ago

There are several issues to handle here:
  • Is tor-browser suggesting non-free software with "get add-ons"?
    • The tor-browser and Tor project suggest not to install any add-ons (reference needed), this is to prevent the user's browser from looking different and unique
    • We should probably try to disable that feature instead. But we should be very careful at not changing how the modified tor-browser looks on the internet, else it becomes dangerous and useless (you will be uniquely identified). We probably need to check that with tor-browser developers, and make them review the change.
  • Since there is this add-on issue, we can't use stock tor-browser for now, which is really problematic, we loose:
    • Reproducible builds
    • The possibility not to make a tor-browser-libre package but instead a tor-browser installer. This would have been desirable because it has a nice auto-update feature. You also would get a reproducible build.
#2

Updated by pizzaiolo over 6 years ago

I think your first point could be suggested upstream at the Tor Project, that would be a very good idea.

#3

Updated by Anonymous over 6 years ago

  • Subject changed from tor-browser to [tor-browser] add package for PCR
#4

Updated by GNUtoo almost 6 years ago

I've made some research but forgot to report back:
The add-on page can be changed in about:config.

However extra care must be taken not to make a tor-browser-libre distinguishable from the tor-browser.
Some information about plugins updates can be found in the following (fixed) security bug: http://seclists.org/dailydave/2016/q3/51

#5

Updated by GNUtoo about 4 years ago

See also the same bug for another FSDG compliant distribution: https://tracker.pureos.net/T343

#6

Updated by ovruni about 4 years ago

  • Priority changed from bug to wish
#7

Updated by GNUtoo over 2 years ago

Here are some pointers to the status of this issue:
  • The following wiki page has information on the status of the tor-browser port to other architectures (arm and ppc64le)
  • The following bug report has information on getting rid of the add-on repository.

Thanks to Jeremy Rand for working on both.

#8

Updated by bill-auger over 2 years ago

the auto-update feature makes this program not well fit for any distro - every program that i know of, which has such a feature, has it disabled in parabola builds

there is hardly any reason to package any program with with an auto-update feature - anyone who installs the package would only be using the packaged build until the next auto-update (like maybe the very next day in this case); and then will be using the upstream binary from then on - one really may just as well get the upstream binary in the first place, saving us the trouble of maintaining yet another mozilla beast

#9

Updated by gap 4 months ago

GNUtoo

Please may I submit my wish for this? Since torbrowser-launcher was blacklisted today I no longer have a web browser which is safe to use over Tor. Needless to say, I never utilised the Mozilla repo with nonfree addons in it.

Would the existing Iceweasel patchset be helpful to liberate the Tor Browser?

#10

Updated by bill-auger 4 months ago

gap - read my last comment above - i think you are better off using the ones, that tor people build

OTOH, you could install tor on your computer and 'torify' any program

i can add that there is one other huge factor impeding the progress of this ticket - that is, all of the same arguments against #2165 - mozilla software is a huge maintenance burden

#11

Updated by gap 3 months ago

The issue with Torification is that not everything is safe to Torify, IIRC, without modifying it to act in a less identifiable way.
The Tor Browser and Torifiable programs have been designed to work safely over Tor.
In this way, merely Torifying Iceweasel (or any other browser) wouldn't be as safe as the Tor Browser.

I wouldn't want to use the binary directly from the Tor Project for several reasons:
1. Self-updating programs are a nightmare and all updating should be handled by the system package manager.
2. It is not compliant with the GNU FSDG.
3. The build environment of the Tor Project is almost certainly different to that of the Parabola build server, so dependencies and libraries might be different, potentially incompatible versions.
4. There are all these redundant faux-universal package formats to deal with (eg. AppImage) and I don't want to have to deal with a TPPM, so I'd probably end up waiting hours for it to compile from a sourceball.

I lived with issues 1, 2, and 3, whilst using torbrowser-launcher, and a native package would be much better.
The AUR package has issues 1 and 2, assuming the user builds it locally, so it could be a starting point for a -libre package.

At the moment I am relatively busy and have enough time only to submit issue reports and discuss issues, but I might volunteer to maintain a tor-browser package, if the patch set from Iceweasel is manageable.
I'd be willing to learn how to package such complex software and Parabola's policies regarding packaging, but I would probably start off contributing to smaller bugfixes in the blacklist first.

Also available in: Atom PDF