Re: tor

help-guix

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: tor

From:	Denis 'GNUtoo' Carikli
Subject:	Re: tor
Date:	Sat, 5 Nov 2022 01:29:42 +0100

Hi again,

I had some data loss so I wasn't able to reply to this thread before.

I managed to make the tor-browser work in Guix proper, and I've
attached the script I used for that. It's hardcoded for i686 though so
it needs to be modified for x86_64.

Even if that works, there is a problematic issue: the tor-browser has a
potential freedom issue: on one hand it very strongly advises people
not to install any addons, on the other hand in "tools->Addons and
themes->Plugins", there is the following message:
> Get extensions and themes on addons.mozilla.org

And the issue is that that repository also contains nonfree addons.

If that address can get removed or changed, we could have something
where we could be sure that it is FSDG compliant, so we could probably
ship scripts like guix-tor-browser-installer for instance.

I've tried to find where that string is set in the binaries in the hope
of being able to make a dead simple sed script that would fix the
potential FSDG issue at least at installation time, but it didn't
find much:
> $ tar xf tor-browser-linux64-11.5.4_en-US.tar.xz
> $ grep addons.mozilla.org -r tor-browser_en-US
> tor-browser_en-US/Browser/TorBrowser/Docs/ChangeLog.txt:   * Bug
> 10464: Remove addons.mozilla.org from NoScript whitelist grep:
> tor-browser_en-US/Browser/libxul.so: binary file matches

> $ strings tor-browser_en-US/Browser/libxul.so | \
> grep addons.mozilla.org
> addons.mozilla.org
> $http://addons.mozilla.org/ca/crl.pem0
> signingca1.addons.mozilla.org1!0
> $http://addons.mozilla.org/ca/crl.pem0N

The issue is that this domain is also used for addons updates, so we
can't simply remove it blindly. We need to only remove that string in
"tools->Addons and themes->Plugins".

The advantage of patching binaries is that we don't need to rebuild it,
so we really have the tiniest amount of change possible to make it FSDG
compliant (and we can hope that it doesn't change the tor-browser
fingerprint).

As far as I understand it should also also be OK to use binaries like
that as long as we're also able to rebuild it in an FSDG distribution
somehow.

Though here the path forward is probably to dig into upstream bug
reports and see what upstream thinks about making the tor-browser FSDG
compliant and/or removing the information of where to find addons.

Denis.

tor-browser
Description: Binary data

pgpJOWgghOJWb.pgp
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Re: tor, Denis 'GNUtoo' Carikli <=
- Re: tor, Gottfried, 2022/11/07
  - Re: tor, Wojtek Kosior, 2022/11/07
    - Re: tor, Denis 'GNUtoo' Carikli, 2022/11/07

Prev by Date: Re: which package gets built first?
Next by Date: Re: make clean-go breaks my build environment
Previous by thread: auto encrypt user passwords for opensmtpd-service
Next by thread: Re: tor
Index(es):
- Date
- Thread