[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tor

From: Denis 'GNUtoo' Carikli
Subject: Re: tor
Date: Sat, 5 Nov 2022 01:29:42 +0100

Hi again,

I had some data loss so I wasn't able to reply to this thread before.

I managed to make the tor-browser work in Guix proper, and I've
attached the script I used for that. It's hardcoded for i686 though so
it needs to be modified for x86_64.

Even if that works, there is a problematic issue: the tor-browser has a
potential freedom issue: on one hand it very strongly advises people
not to install any addons, on the other hand in "tools->Addons and
themes->Plugins", there is the following message:
> Get extensions and themes on

And the issue is that that repository also contains nonfree addons.

If that address can get removed or changed, we could have something
where we could be sure that it is FSDG compliant, so we could probably
ship scripts like guix-tor-browser-installer for instance.

I've tried to find where that string is set in the binaries in the hope
of being able to make a dead simple sed script that would fix the
potential FSDG issue at least at installation time, but it didn't
find much:
> $ tar xf tor-browser-linux64-11.5.4_en-US.tar.xz
> $ grep -r tor-browser_en-US
> tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt:   * Bug
> 10464: Remove from NoScript whitelist grep:
> tor-browser_en-US/Browser/ binary file matches

> $ strings tor-browser_en-US/Browser/ | \
> grep
> $
> signingca1.addons.mozilla.org1!0
> $

The issue is that this domain is also used for addons updates, so we
can't simply remove it blindly. We need to only remove that string in
"tools->Addons and themes->Plugins".

The advantage of patching binaries is that we don't need to rebuild it,
so we really have the tiniest amount of change possible to make it FSDG
compliant (and we can hope that it doesn't change the tor-browser

As far as I understand it should also also be OK to use binaries like
that as long as we're also able to rebuild it in an FSDG distribution

Though here the path forward is probably to dig into upstream bug
reports and see what upstream thinks about making the tor-browser FSDG
compliant and/or removing the information of where to find addons.


Attachment: tor-browser
Description: Binary data

Attachment: pgpJOWgghOJWb.pgp
Description: OpenPGP digital signature

reply via email to

[Prev in Thread] Current Thread [Next in Thread]