Thus spake Jérémy Bobbio (lunar@xxxxxxxxxx): > How does that relate to Torbutton and Tor Browser Bundle? > > Well, as already pointed out by intrigeri, Debian has gone a great > length to avoid embedded code copies in its source packages. Firefox > security record is far from perfect, and I see no chance that Debian > security team and ftpmasters would accept to ship another version of > Firefox in the archive. > > If another version of Firefox cannot enter the Debian archive, the Tor > Browser Bundle will not be able to join this great "AppStore" Debian > (and Ubuntu, and others) already has. So it will need, at least, a > custom repository, or a custom way to be installed and a custom way to > tackle security updates. > > Given the amount of work Mike Hommey put in the maintainance of > Iceweasel (Firefox in Debian is called Iceweasel), I wonder if Erinn and > weasel will have the time and energy to maintain TBB in a custom > repository. Having a dedicated application to install and update TBB > makes me really nervous as it paves the road for so many bad habits that > those users I was talking about left when they started using Debian on > their desktop. The reality is we have quite a lot of issues with every distribution. It is true that Debian gives us the least amount of hassle, though. I suspect this may just be because we're lucky enough to be so strongly socially connected to it. Because, man is it a rickety, towering bureaucracy otherwise ;). > As the maintainer of xul-ext-torbutton, I also have one question: what > upgrade path should I provide for Debian next stable release? > (Doing nothing means that 1.2.5 will stay on their system until they > remove the package.) > > Here is a possible solution that quickly came to me, but I have no real > clue on how much work it would need (and if every party involved would > accept it): > > 1. Apply specific Tor patches against Firefox 4 in Debian iceweasel > package. The changes that are not compatible with the common case > would need to be activated by a command-line switch or a specific > configuration option. > 2. Keep xul-ext-torbutton in Debian. It would be modified in the > way that it would not appear at all in the usual browser if > the previous command-line switch or specific configuration > option is not active. > 3. Create a new Debian package, something like "tor-browser" that > would add a new menu entry labeled "Tor Browser" and that would > start Iceweasel with a dedicated profile and the specific "Tor" > switch. > Actually, it might be better to provide Torbutton in the "tor-browser" > package. Provided that it ships a dummy package "xul-ext-torbutton" as > an upgrade path. > > Does this sound like a bad idea? Too much work? > (Input from Weasel and Erinn would probably be welcome.) If Debian as a whole is willing to take our patches, that's great. We hope they'll be merged into Mozilla eventually, so it could be a good testing ground. I agree that the approach above could work. If Debian wants to conjure an alternate package that is really just a shell script that just launches an /etc/skel copied TBB Firefox profile, this sort of thing should be possible and fairly straight-forward. We can talk about this on IRC, I suppose. It likely won't be a priority on Tor's side, though. Also, I think we messed around a bit with remoting (aka new window launching) on TBB Firefox, which may cause odd behavior for your use case, or maybe not.. Erinn and sjmurdoch can tell you the details of this (or I may be able to fetch them out of my subconscious later). Our current working-plan is to provide an external repo, like we've been forced to do for Ubuntu for other reasons. This ticket is supposed to list the barriers to that: https://trac.torproject.org/projects/tor/ticket/2879 But hey, so far there are none! :) The long-term plan is to make Thandy the update future for our packages. It is hardened against a lot of attacks that OS updaters are not hardened against. We designed it because we thought it was the future for all Tor packages, and I think this means we should start acting like it. I think providing our own distro repositories is an intermediate step to self-flagellate ourselves into actually bringing Thandy online. As a last resort, could you replace torbutton with an empty package? I can give you a replacement torbutton that refuses to toggle... Is this against the debian social contract? :) > Last comment: we should all continue to stress out that Internet is > not only made of web sites. If Internet was only about web sites, Tor > would had a harder time happening: this new protocol was free to run > through the cables. IMHO, associating Tor with only web browsing is like > shooting ourselves in our feet: if everyone thinks "Internet = the web" > no one notices when providers start to filter strange protocol, make > everything travel through stupid proxies or use NAT4444. Right. I don't think that anyone is going to forget the value of non-web communications. It's too built-in to the Internet and too readily useful. However, the slightly more nuanced political realities of this may make you sad: https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/ReducedExitPolicy > I am saying that because having separate "tor" and "tor-browser" package > in Debian gives me an opportunity to explain that Tor can be used for > other purpose than only web browsing. Sure. That's what torsocks is for. It's a great Linux app, something we dearly wished existed on Windows (and worked better on Mac OS). http://code.google.com/p/torsocks/ I envision torsocks working with the system tor package, rather than the TBB one. They should run on different ports: https://trac.torproject.org/projects/tor/ticket/2264 The reason for this is that torsocks apps are poorly anonymized at the application layer, and you don't want these to leak data (like your username, hostname, etc) concurrent to your tor web traffic. The easiest way to prevent that right now is to use your distro's tor and our TBB at the same time. (The long term way is to implement SOCKS password support both in Tor and in Firefox: https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/proposals/171-separate-streams.txt https://bugzilla.mozilla.org/show_bug.cgi?id=122752). I still consider torsocks an expert app, though. So, in summary: Chaos and upheaval! Your bureaucracy is doomed! Prepare for the paper shortage! -- Mike Perry Mad Computer Scientist fscked.org evil labs
Attachment:
pgpMhvUJshkSK.pgp
Description: PGP signature
_______________________________________________ tor-talk mailing list tor-talk@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk