<div class="gmail_quote">On Sun, Aug 12, 2012 at 1:21 PM, Alessandro Di Federico <span dir="ltr">&lt;<a href="mailto:ale@clearmind.me" target="_blank">ale@clearmind.me</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi, I'm trying to put up an ebuild for the Tor Browser Bundle for<br>
Gentoo. As you may know an ebuild is a script which automates the build<br>
of a certain application. We already have something in Portage [2] (the<br>
official ebuild repository) but it's in an experimental state and we<br>
want to make sure that it's something useful and not harmful.<br>
<br>
So I'd like to know your opinion about the idea as a whole (is it a good<br>
idea at all to build by yourself the TBB instead of using the official<br>
one?) and what could be the main problems arising in such an operation.<br>
So:<br>
<br>
1. Can you name a list of tools to fingerprint a browser so we can<br>
compare our ebuild with the official TBB?<br>
2. Which version should we use? We were planning to offer both the<br>
current official release (even if TBB for Linux is currently in<br>
beta) and something more recent, even if AFAIK this would be for<br>
testing purposes only and could weaken anonymity and<br>
untrackability.<br>
3. We plan to use the system version of the Tor client, in my<br>
understanding it should not be a problem to use a Tor client<br>
with a version different from the one officially released, but I<br>
could be wrong. We also plan to exclude vidalia (and the<br>
"0015-Make-Tor-Browser-exit-when-not-launched-from-Vidalia.patch" patch).<br>
4. We have a different ebuild for the Firefox profile directory (so<br>
if it's not installed the HTTPS Everywhere plugin won't be<br>
installed), is this a good idea or would it be better to<br>
integrate them?<br>
5. The Gentoo build system offers USE flags, which are options that<br>
allow customizing the way the package is built. These are the<br>
USE flags available for the standard Firefox ebuild in Gentoo,<br>
which is the base for our build of the TBB:<br>
1. alsa: Adds support for media-libs/alsa-lib (Advanced<br>
Linux Sound Architecture)<br>
2. bindist: Disable official Firefox branding (icons, name)<br>
which are not binary-redistributable according to<br>
upstream.<br>
3. custom-cflags: Build with user-specified CFLAGS<br>
(unsupported)<br>
4. custom-optimization: Fine-tune custom compiler<br>
optimizations, setting this is not recommended.<br>
5. dbus: Enable dbus support for anything that needs it<br>
(gpsd, gnomemeeting, etc)<br>
6. debug: Enable extra debug codepaths, like asserts and<br>
extra output. If you want to get meaningful backtraces<br>
see <a href="http://www.gentoo.org/proj/en/qa/backtraces.xml" target="_blank">http://www.gentoo.org/proj/en/qa/backtraces.xml</a><br>
7. ipc: Use inter-process communication between tabs and<br>
plugins. Allows for greater stability in case of plugin<br>
crashes<br>
8. libnotify: Enable desktop notification support<br>
9. minimal: Prevent sdk and headers from being installed<br>
10. pgo: Add support for profile-guided optimization using<br>
gcc-4.5, for faster binaries. This option will double<br>
the compile time.<br>
11. startup-notification: Enable application startup event<br>
feedback mechanism<br>
12. system-sqlite: Use the system-wide dev-db/sqlite<br>
installation with secure-delete enabled<br>
13. webm: Use system media-libs/libvpx for HTML5 WebM video<br>
support.<br>
14. wifi: Enable wireless network functions<br>
<br>
Looking at the TBB build script, this is the combination of USE<br>
flags to make it as similar as possible to the official release<br>
(minus means the USE flag is disabled): -pgo -debug -bindist<br>
-custom-optimization -crashreporter webm ipc system-sqlite<br>
-wifi. I'm planning to remove the possibility to configure these<br>
USE flags.<br>
Do you agree? For further details you can take a look at the<br>
ebuild [1], which should be understandable. Take a look also at<br>
the current ebuild for TBB [2].<br>
<br>
Is there something else we should pay attention to in the build process<br>
or in general?<br>
<br>
Thanks in advance,<br>
Alessandro Di Federico<br>
<br>
[1] <a href="http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/firefox/firefox-10.0.6.ebuild?view=markup" target="_blank">http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/firefox/firefox-10.0.6.ebuild?view=markup</a><br>
<a href="http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/mozconfig-3.eclass?view=markup" target="_blank">http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/eclass/mozconfig-3.eclass?view=markup</a><br>
[2] <a href="http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/torbrowser/torbrowser-13.0-r1.ebuild?view=markup" target="_blank">http://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/www-client/torbrowser/torbrowser-13.0-r1.ebuild?view=markup</a><br>
<br>
</blockquote></div><div><br></div>Hi Alessandro,<div><br></div><div>After thinking about this for a little bit, here's my 2 cents. =)</div><div><br></div><div>1) The ebuild is specifically for building the Tor browser, not the bundle. The package name of the ebuild states this but the email mentions the bundle.</div>
<div>2) One of the best reasons for using the bundle is that it is self-contained. If you want to use the bundle for anonymity you can easily do this and then discard it with little trace. This becomes much more difficult with a system-level install.</div>
<div>3) On the other hand, I see no reason to restrict a security-conscious user from using a more secure browser, as long as they understand the trade-offs. However, torprofile should not be an optional USE flag. Only adding some patches from upstream does not make it the Torbrowser.</div>
<div>4) Given 3), is there a reason Tor is not at least an optional RDEPEND for torbrowser via a USE flag (or another way)?</div><div>5) If you did/do intend to create an ebuild for the TBB and not just the browser, it should provide the exact same experience as if the user downloaded it from <a href="http://torproject.org">torproject.org</a>. I think this should include Vidalia launching Torbrowser once the network is configured.</div>
<div>6) Make sure the ebuild references Tor and not TOR</div><div><br></div><div>However, I think because of 1) it's difficult to provide a little better feedback. Is your goal to only provide an alternative browser or are you attempting to provide the full bundle?<br>
<br>Thanks,<br clear="all"><div>- Matt</div>
</div>