[bug#42380] Wow!

guix-patches

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bug#42380] Wow!

From:	André Batista
Subject:	[bug#42380] Wow!
Date:	Thu, 27 May 2021 22:45:51 -0300

Hi,

ter 25 mai 2021 às 23:24:01 (1621995841), ludo@gnu.org enviou:
> Leo Famulari <leo@famulari.name> skribis:
> 
> > Does this package build the Tor browser from source? Or is it just a
> > launcher, like the Debian package?
> 
> It builds from source.

Apart from noscript which Tor Browser itself does not build from source
and https-everywhere which at the time I thought I'd be able to build
from source but I got stuck on rust dependency nightmare and had to
delay. Unfortunately, this issue still remains to be solved.

> And sorry for dropping the ball, André!  If anyone’s willing to give it
> a try and report back, or to comment on the patch, that’d be great.

No problem, Ludo, it was lacking feedback and I know it's somewhat a
big and delicate piece of software to be merging without it.

> > My understanding is that the Tor people discourage anyone else from
> > distributing builds of the Tor browser.

That's also my understanding, however I do think that building from
source is: 1. the very core of software freedom, despite the relevance
other concerns such as diminishing anonymity set; 2. one of the main
strenghts and what Guix strives for.

> > If it builds from source, we should probably call it something besides
> > "Tor browser", since it will be different from the official Tor browser
> > due to the unbundling and other changes.

I've initially called the package definition "torbrowser-unbundle" and
also inserted a warning that it was _not_ official Tor Browser, but I
did not try to patch sources to rename the browser as it appears after
installed. I can both agree to another name that makes it clearly
appart from the official browser by Tor Project ("nottorbrowser?",
"onionbrowser?") and to work on a patching sources to remove the user
visible name and logo, if it's deemed necessary. (That may take a while
however).

> > Also, if it builds from source, it will be easy to identify users of
> > this package as being Guix users and since the Guix userbase is
> > relatively small, it will be much easier than usual to positively
> > identify the person using the package.

I've tested it with panopticlick.eff.org and it's user identifying bits
remain the same as the official Tor Browser. That said, panopticlick
is certainly not a silver bullet and you have grounds to be concerned.
If someone were to need/want the very best assurances on anonymity set,
I'd advise not to risk it and go with the larger crowd.

On the other hand, until not long ago and maybe currently still, guix
users were using IceCat with tor and that's a much more telling tale.

> Good points.  I think we could ask the Tor Browser folks (we met with a
> couple of them at Reproducible Builds Summits in the past and I’m
> confident we’d understand each other :-)).

That would be great :)

In the mean time, I'll take this as an invitation to send a new patch
version with the latest Tor Browser stable. I've made some minor
improvements such as using tarballs from archive.torproject.org instead
of {git|dist}.torproject.org.

Since they are planning a new stable release in the next few days, I'll
take the time to work on a reproducibility issue that have arised with
the new zip routine to package extensions inside omni.ja which affected
the timestamps, at least the way I did it.

Cheers,

[Prev in Thread]

Current Thread

[Next in Thread]

[bug#42380] Wow!, Xinglu Chen, 2021/05/25
- [bug#42380] Wow!, Leo Famulari, 2021/05/25
  - [bug#42380] Wow!, Ludovic Courtès, 2021/05/25
    - [bug#42380] Wow!, André Batista <=

Prev by Date: [bug#48702] [PATCH 0/3] Add patatt and update b4
Next by Date: [bug#48697] [PATCH] import: Add CHICKEN egg importer.
Previous by thread: [bug#42380] Wow!
Next by thread: [bug#48655] [PATCH] gnu: synapse: Update to 1.33.2.
Index(es):
- Date
- Thread