October 2017 - tbb-dev - lists.torproject.org

Re: [tbb-dev] [tor-dev] RFC: porting torbrowser (was: Re: GNU Guix and Tor Browser Packaging)
by ng0 09 Mar '18

09 Mar '18

Hi, It seems as if tbb-dev(a)lists.torproject.org is the list which would be more appropriate. If the 7 days without a reaction are simply due to the holidays in some countries, it's my mistake. If you need internal discussion about this to respond appropriately, let me know that you are reviewing this message at all. I have no expectation for "neoliberal optimized" reply times. Thanks. ng0 transcribed 7.9K bytes: > Hi folks, > > as your trademarks team / person suggested to me I get in touch with the > dev team of torproject. While I'm more involved in GNUnet, I work at the > intersection of projects. Currently this means I'm involved in system > integration. At Guix we are interested in working closer with projects > like tor, TAILS, Whonix and the like. Porting torbrowser is not only in > the interest of the Guix community but also in the interest of Wonix who > recently expressed interest in selectively using Guix for their work. > For me as maintainer of the system (in development) pragmaOS it also > means that we can decide between icecat OR torless torbrowser for > proxied GNUnet connections. > > I'm interested in your response to the actions listed below and wether > you think this will still qualify as torbrowser or what other option you > propose for us at Guix to use. "Option" here means that I am not sure > what other graphical theme you have for versions of the browser which do > not use the trademark when they can (logically) also not use the firefox > trademarks. > I would reflect in the description of the package that it is not > torbrowser but a reconstruction of the way torbrowser is build, tracking > upstream as closely as possible while removing (list of features which > were removed goes here). > This can be compared to what the inoffical Gentoo maintainer does in the > .ebuild file here: > https://data.gpo.zugaina.org/torbrowser/www-client/torbrowser/ > > My request here is just in the position as a contributor to Guix, not > for pragmatique (the project which works on pragmaOS etc), Whonix, > GNUnet or any other project I mentioned before. > > Thanks in advance. Now the content I've been talking about: > > It looks like the changes I need to make to torbrowser are not so > grave at all. Someone pointed me to the gnu-linux-libre(a)nongnu.org list > to reach out to other FSDG systems. > The thread can be reviewed here: > https://lists.nongnu.org/archive/html/gnu-linux-libre/2017-03/msg00002.html > > Basically: > > I will need to discourage Mozilla leftovers: > - the mozilla addon service will be overwritten, in other words: > Where you would find https://addons.mozilla.org/ at "Preferences > AddOns" > it will be replaced by the thing Icecat points to. Longterm plan is > to offer firefox extensions native through "guix package -i > youraddonnamehere". > > Privacy / Tracking reasons: > - Firefox "Sync" will be disabled. > - Google will be removed from the search plugins if I understood the > procedure correctly (at least it is not in Icecat) > > A question directly for torbrowser team: > - about:license does not list licenses the torbrowser project uses, only > firefox. Why? > > DRM > - Luke from parabola mentioned that drm has been enabled in recent > versions of torbrowser. This needs to be removed aswell. > https://git.parabola.nu/abslibre.git/tree/libre/iceweasel/vendor.js#n23 > https://git.parabola.nu/abslibre.git/tree/libre/iceweasel/mozconfig#n39 > https://gitweb.torproject.org/tor-browser.git/tree/browser/app/profile/fire… > > ng0 transcribed 3.4K bytes: > > bancfc(a)openmailbox.org transcribed 1.9K bytes: > > > There is a serious Tor Browser packaging effort [3][4] being done by ng0 > > > (GNUnet dev) for the GNU Guix [0] package manager. GNU Guix supports > > > > Eh, now that the cat is out of the bag (cat's don't belong into bags > > anyway), I think I have to do this now and not on my own conditions. > > > > Hi! > > > > As I told bancfc somewhere else, I've had a short contact with the > > trademarks team of torproject. I will get back to you when someone was > > able to identify issues in torbrowser which might lead to modifications > > of torbrowser (for more details I just hope trademarks(a)tp.o can > > communicate it to you) because all packaged software which is included > > in upstream of Guix (master) must follow the GNU Free System > > Distribution Guidelines. > > I hope that I have to make as little modifications as possible as I > > I am aware that the fingerprint of the browser could change depending on > > the kind of changes. > > > > I hope to get back to this task in about 3 weeks, right now I'm busy > > with getting more documentation done for another project. > > > > > transactional upgrades and roll-backs, unprivileged package management, > > > per-user profiles and most importantly reproducible builds. I have checked > > > with Guix's upstream and they are working on making a binary mirror > > > available over a Tor Hidden Service. [2] Also planned is resilience [2] to > > > the attack outlined in the TUF threat model. [1] > > > > > > Back to the topic of Tor Browser packaging. While there are good reasons for > > > Debian's pakaging policies they make packaging of fast evolving software > > > (and especially with TBB's reliance on a opaque binary VM for builds) > > > impractial. Both we and Micah have been doing a good effort to automate > > > downloading and validating TBB but I still believe its a maintenance burden > > > and Guix may be a way out of that for Linux distros in general. > > > > > > What are your thoughts on this? > > > > > > > > > > > > > > > > > > *** > > > > > > [0] https://www.gnu.org/software/guix/ > > > [1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md > > > [2] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00192.html > > > [3] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00189.html > > > [4] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00149.html > > > _______________________________________________ > > > tor-dev mailing list > > > tor-dev(a)lists.torproject.org > > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > > _______________________________________________ > > tor-dev mailing list > > tor-dev(a)lists.torproject.org > > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > > -- > PGP and more: https://people.pragmatique.xyz/ng0/ > _______________________________________________ > tor-dev mailing list > tor-dev(a)lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev -- PGP and more: https://people.pragmatique.xyz/ng0/

4 8

[tag] sandboxed-tor-browser-0.0.15
by Yawning Angel 30 Oct '17

30 Oct '17

Hello, I just tagged sandboxed-tor-browser 0.0.15. Changes in version 0.0.15 - 2017-10-30: * Bug 23915: 7.0.7 and later fails to work without `SECCOMP_FILTER_FLAG_TSYNC`. * Bug 23166: Add Felix's obfs4 bridges to the built-in bridges. * Bug 23943: obfs4proxy crashes on certain systems. * Disable the 2017 donation campaign banner. It should work out of the box on Debian oldstable along with other systems that use comparatively old kernels (< 3.17), and bridges should work on systems running comparatively recent things (I suspect glibc, but didn't bother isolating it fully). The donation banner is disabled by default because I use the non-volatile profile directory feature, and I don't want to be stuck seeing it till the expiration date passes. Regards, -- Yawning Angel

1 0

Richard updates
by Richard Pospesel 23 Oct '17

23 Oct '17

Hey all, Might not make it to dev meeting as I'm in the tor-office flattening my laptop install so I can get rbm build working on it (rbm requires particular mount options, ubuntu's ecryptfs encrypted home directory setup apparently doesn't use fstab to specify said mount options, learn from my mistaaaakes). updates from this past week: - print to file is broken in latest due to our sandboxing changes; gk found some similar issues in the firefox bug-tracker so presumably there's a path forward to fixing that particular issue (involves enabling print.print_via_parent and bringing over some font serialization patches). - investigation continues into the original issue posted by interigri, able to reproduce a *different* print-to-file issue with their debian setup, but not the one bugged - will start sniping tbb-fingerprinting and tbb-linkabililty issues this week best, -Richard

1 0

The impossible fights on anti-fingerprinting
by Tom Ritter 23 Oct '17

23 Oct '17

<mozilla hat> As we add more and more coverage to privacy.resistFingerprinting in FF Nightly and Beta, we're getting more and more breakage reports. This is great. And it's showing us a few places we should think about more deeply. We have a list we're collecting here: https://wiki.mozilla.org/Security/Fingerprinting#Fingerprinting_Breakage 1) User Agent We round the user agent of the browser to the previous ESR version. So FF 57 appears as FF 52. This breaks Add-On installation: https://bugzilla.mozilla.org/show_bug.cgi?id=1394448 Addons.Mozilla uses the User-Agent header to detect if the user is able to install a given addon and will or will not enable the install button based on that. However, does spoofing the major version of the browser actually work? I would argue: no. A website that wants to learn what version of Firefox you're using can use feature detection. Every major release we're adding CSS stuff, creating or enabling DOM apis by default, and probably changing some subtelties of error messages. Spoofing the minor version is still valuable; but we're considering reporting the correct major version. What do you think? 2) OS We report the OS as Windows on Mac and Linux. This breaks google apps on mac: keyboard shortcuts are not recognized because Windows is looking for a key modifier that isn't there. https://bugzilla.mozilla.org/show_bug.cgi?id=1405810 It also gives desktop pages on mobile: https://bugzilla.mozilla.org/show_bug.cgi?id=1404608 But is spoofing the OS even possible? You guys don't reward for it in the bug bounty. I found your list of OS-fingerprinting bugs: https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… Of those, I'm guessing the Math routines are probably the hardest. Also, this doesn't affect Tor Browser, but it does affect Firefox: you can passively (or actively) fingerprint the OS by TCP/IP characteristics: https://bugzilla.mozilla.org/show_bug.cgi?id=1409269 So I'm wondering, are there other OS-level fingerprinting vectors that seem unsolvable that don't have tickets for them? What do you think of reporting the correct OS (in FF at least), since it seems like we wouldn't be able to hide it anyway? For both of these Tor Browser will be able to do whatever it wants, since this data is all controlled by prefs; but we'd value your thoughts on these things for the FF use case. -tom

3 2

No Meeting on Monday, Oct 16
by Georg Koppen 15 Oct '17

15 Oct '17

Hi! Some of you might be wondering whether there will be a Tor Browser meeting tomorrow, Oct 16. We will skip that one as we had plenty of meeting time this week. See you the week thereafter, Georg

1 0

No meeting on Monday, Oct 9
by Georg Koppen 06 Oct '17

06 Oct '17

Hi all, I forgot to mention it at the last meeting but I think we'll skip the meeting on Monday as we'll have plenty of time next week to talk about status updates and to discuss important things in person. See you in Montreal, Georg

1 0

Roadmaps and funding moving forward.
by isabela 06 Oct '17

06 Oct '17

Hello Tor Browser team, as we approach Montreal's meeting and teams will be creating their roadmap for the months between meetings (till winter 2018 meeting). I would like to present you a new way of relationship we are building between teams work and our funding. Tor is trying to get out of the 'deliverable' funding model, which is mostly used with the current gov grants we have. We are working to shift to funding opportunities that follows a different model, more focus on the execution of the vision of our mission than on specific deliverables. It will take some time till we have a significant part of our fund to come from this type. But we have already started to seek for these opportunities and some teams will start to shift to this model. Another thing related to this model are reports. We will still keep our work organized and have tickets associated with every item on the roadmap so we can easily tell what happened with each task. Since it is a model focus more on the execution of the vision of our mission, our accomplishments from our roadmap is what we are reporting as they are driving us towards our mission. With this said, the Tor Browser 'desktop' team is one that is starting on this model. So for the roadmap exercise in Montreal you will have some freedom when creating it. I am saying 'some' because there are tasks you can't really ignore like keeping up with ESR releases from Mozilla. I am listing here some areas of work that the team can consider tasks for the roadmap, please add more if you have any. This is just a way to start our brainstorming process for Montreal: * keep up with ESR releases * acquisition ux work - download process and get connected to the network (tor launcher) * user onboarding ux work - about:tor page * fingerprinting * selfrando * sandboxing * release infra We can use this pad to document ideas for the roadmap: https://storm.torproject.org/shared/FJWrnBf1SXemGKhOK_Wxwl57BVlj0Ynjn8lXcjF… Cheers, Isabela

2 4

Should we delay Tails 3.2? [Was: Tor Browser release is postponed by two days]
by anonym 06 Oct '17

06 Oct '17

Georg Koppen: > Hi, > > Just to inform you about things we learned a couple of minutes ago: the > Firefox release is due on Thursday. It got postponed by two days mainly > to give 57 beta more publicity. > > We'll follow and release Tor Browser on Thursday as well. Got it! It makes sense for you Tor Browser folks, since the Firefox security issues fixed in ESR 52.3 are not publicly known yet (at least in theory, but the code changes have been out for a week so they can have been reverse-engineered). But what about Tails? Tails 3.2, which is ready to be published right now, would fix several publicly known security issues for our users, including some potential RCEs (Thunderbird, libsoup, ...). Of course, some of these issues have been out for weeks already, so what's two more days of delay? Still, it makes me want to remember/re-evaluate *why* we always wait on Mozilla. What are your feelings around this? What are the arguments for/against releasing early? TBH this has always seemed odd to me. I remember argument for this being about us behaving like good Free Software community members by coordinating releases. I wonder if they really care, especially given our users' position. So, let's ask them! Tor Browser folks, would you care if we released Tails 3.2 right now, so we in effect release Tor Browser 7.0.6 way before you? What do you feel about this in general? As for asking Mozilla, I'm not even sure who/where to ask. Does any one have a clue? Cheers!

4 8

Tor Browser meetings are moving to #tor-meeting from now on
by Georg Koppen 02 Oct '17

02 Oct '17

Hi all! Just a gentle reminder that we are moving our meetings to #tor-meeting from now on. Time and date remain the same (18:00UTC on Monday). For background see: https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… Georg

1 0