[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #33939 [Applications/Tor Browser]: Decide which components of Fenix to rip out, disable, or use
#33939: Decide which components of Fenix to rip out, disable, or use
----------------------------------------------+----------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile, TorBrowserTeam202004 | Actual Points:
Parent ID: #33184 | Points:
Reviewer: | Sponsor:
| Sponsor58-must
----------------------------------------------+----------------------------
Comment (by gk):
Replying to [comment:6 sysrqb]:
> Replying to [comment:5 gk]:
> > Thanks, that's a good start. Two thoughts while skimming the list (I
did not look carefully yet)
> >
> > 1) At least the progressive web apps (PWA) part should probably be in
the Must Audit section. We even have a ticket for that already: #25845 :)
>
> That's probably a smart thing, yes. PWA is only available in non-private
browsing mode in Fennec, but we should audit it in Fenix. Indeed, PWA is
available in private browsing mode in Fenix...
>
> >
> > 2) I was wondering how the dependencies those dependencies have would
influence where we put them category-wise. So, starting with one layer
seems good to me but I feel we might need to dig deeper to have a final
assessment. One of the things I am already wary of is getting all the
application-services parts roped in "for free". Not all components are
probably needing that (I've not checked) but I bet some would move into
the Must Audit part alone due to that. And there's probably other stuff
that is bubbling in this morass, under the quiet surface... :)
>
> Ideally, we should audit everything, but I don't think that is
realistic. We should quickly look at all components in the `Include`
category and confirm they do not make any network calls or expose
personal/device information. I placed them in this category purely based
on my assumption of how these components are implemented.
Just to be clear: I was _not_ saying we need to audit everything (yes,
ideally we would), just that it might be worth looking in particular at
the Mozilla dependencies of those dependencies to figure out whether
things should be re-categorized so that we have a closer second look on
components that really need it (even if the dependency check you did or
the assumptions you had indicated otherwise).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs