[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-dev] GNU Guix and Tor Browser Packaging



There is a serious Tor Browser packaging effort [3][4] being done by ng0 (GNUnet dev) for the GNU Guix [0] package manager. GNU Guix supports transactional upgrades and roll-backs, unprivileged package management, per-user profiles and most importantly reproducible builds. I have checked with Guix's upstream and they are working on making a binary mirror available over a Tor Hidden Service. [2] Also planned is resilience [2] to the attack outlined in the TUF threat model. [1]

Back to the topic of Tor Browser packaging. While there are good reasons for Debian's pakaging policies they make packaging of fast evolving software (and especially with TBB's reliance on a opaque binary VM for builds) impractial. Both we and Micah have been doing a good effort to automate downloading and validating TBB but I still believe its a maintenance burden and Guix may be a way out of that for Linux distros in general.

What are your thoughts on this?





***

[0] https://www.gnu.org/software/guix/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
[2] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00192.html
[3] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00189.html
[4] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00149.html
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev