Re: Tor Browser

[Alex Vong]

Hello,

ng0 <address@hidden> writes:

> Hi,
>
> in the following reply I assume that you did not read all of the
> original thread[0]. If I am wrong, correct me.
>
You are right, I didn't read the whole thread.

> Alex Vong <address@hidden> writes:
>
>> ng0 <address@hidden> writes:
>>
>>> Ludovic Courtès <address@hidden> writes:
>>>
>>>> address@hidden skribis:
>>>>
>>>>> Ludovic Courtès writes:
>>>>
>>>> [...]
>>>>
>>>>>> I suppose TB contains a script that does all that, right?  Would it work
>>>>>> to simply run it?  If it invokes wget/curl, then this needs to be
>>>>>> replaced, but the rest should be fine.
>>>>>
>>>>> It's not that easy I'm afraid.
>>>>> Currently they use a gitian build, as described in this README[0],
>>>>> which the person maintaining the torbrowser ebuild for Gentoo out
>>>>> of portage replicates and follows in parts.
>>>>> It can't be followed completely, as `builders/tor-browser-bundle'
>>>>> requires a checkout of gitian of the torproject.org
>>>>>
>>>>> So we have to look at what they do and recreate this build
>>>>> procedure, there's no individual Makefile, the releases are
>>>>> created in VMs.
>>>>>
>>>>> Dependencies are kept up to date here[1].
>>>>>
>>>>> This[2] is the script connecting/using gitian for gnu-linux releases.
>>>>>
>>>>> The Makefile just runs the corresponding scripts.
>>>>
>>>> Gitian is about building binaries.  There must be some script somewhere
>>>> to apply the relevant patches to the source first, before one builds it,
>>>> no?
>>>>
>>>>>> It’s unfortunate that there’s no ready-to-build TB tarball, that would
>>>>>> simplify things for us.
>>>>>
>>>>> Yes.. But I think icecat suffers from the same problem, only that
>>>>> icecat tarballs/binaries are built using a bash script applying
>>>>> all that's needed to the firefox sources again.
>>>>
>>>> IceCat publishes source tarballs that, AIUI, are produced essentially by
>>>> running a script that patches Firefox’s code base (same approach for
>>>> Linux-libre.)
>>>>
>>>> Thanks,
>>>> Ludo’.
>>>
>>> There are the .mar files, which I suppose are the built source of
>>> torbrowser, but I can't tell for sure since i can't find an upstream for
>>> mar-tools. I guess it is Mozilla, but where is it available?
>>>
>>> https://dist.torproject.org/torbrowser/6.0.3/
>>
>> Hi, I am a tor browser and torsocks user (since a few months ago). Last
>> time I tried building tor browser from source (and failed), gitian will
>> have to download some non-free xcode stuff to build for the os x
>> platform. Is it possible to only build for gnu/linux without building
>> for windows and os x? Will the resulting binary still be byte-to-byte
>> identical with the tor project official build?
>
> Was this a build with a guix package? Can you share the code if it is?
>
I was trying to reproduce the official build. I didn't write any guix
recipe.

>> Also, it seems tor browser needs virtualenv and virtualbox to
>> build. Last time I checked virtualbox, it was on the contrib area of
>> debian since it requires a non-free[1] compiler to build the bios[2].
>> I hope we can find way around these issues since tor browser is IMHO an
>> essential tool nowadays.
>
> You might want to re-read the full thread this message is part of. I
> already wrote that with the builds I use for torbrowser in Gentoo, that
> at least virtualbox is not needed and Ludovic said that the gitian build
> is not what we should be looking into. It is mostly poncho's work on
> Gentoo, but the overlay I contribute to mirrors their work. There we
> don't use gitian but a combination of torbrowser source + firefox source
> and distro specific patches.
>
I see. So poncho and you have already done the hard work :)
>
> We could also address tor with this when we succeed, as they have an
> interest in NixOS or they are looking into it, specifically hydra for
> builds: https://trac.torproject.org/projects/tor/ticket/12520
>
>> Finally, I agree that icecat could switch to tor browser as its upstream.
>
> Maybe you want to help me out with writing the email / post to
> torproject:
> https://lists.gnu.org/archive/html/guix-devel/2016-08/msg00326.html
>
> On second note, maybe this is message should be addressed to both
> torproject and icecat developer(s). What do you think? I have no fixed
> plan in mind for this.
>
Hmm, maybe I will give my (rough) idea here. In my opinion, icecat has 2
important features, librejs (gpl3+) and the lack of non-free addons
suggestion.

For librejs, TBB already have noscripts, although they serve different
purposes (librejs intends to block non-free js only), I doubt devs would
want to include 2 js blocker addons. But I think html5 everyhere will be
a good addon for TBB since most html5 player requires js. Currently,
enabling noscript breaks most video-playing sites.

For the lack of non-free addons suggestion, TBB recommends not to
install addon, but the addon page is still there, which suggest non-free
addons. I don't really know what should we do here. Perhaps we could
turn off the suggestion by default and warned user about the existence
of non-free addons? We could also provide a replacement page (like
icecat).

For other addons, I think https everywhere is already in TBB and
spyblock looks like haven't been update for long time, so they don't
need to be add to TBB.

Finally, do you know what is the current state of the firefox trademark
issue? Some say it is fixed. (Debian switched back to firefox next
release)

What is your idea?

> [0]:
> https://lists.gnu.org/archive/cgi-bin/namazu.cgi?query=torbrowser&submit=Search&idxname=guix-devel
>>
>> [1]: https://en.wikipedia.org/wiki/Sybase_Open_Watcom_Public_License
>> [2]: https://wiki.debian.org/VirtualBox

Cheers,
Alex