Nathan Freitas:
On 2/27/19 4:54 AM, Georg Koppen wrote:
Torsten Grote:
On 2/26/19 11:19 AM, Georg Koppen wrote:
I think we should be able to provide that with our Tor Browser builds once we have all the PT pieces sorted out (which is rather soon).
That would be nice!
So, probably the easiest way would then be to just copy the respective binaries we produce over to include them in the Briar software
I assume these binaries are reproducible?
They would be used for Tor Browser which has reproducibility as a hard requirement, so yes.
We are currently not including these binaries directly, but publish them as a library (gradle/maven to jcenter) where Briar and other projects can get them from.
Okay, good to know.
It seems to me that Tor Browser should instead perhaps rely on the Briar build process, at least for Android. I will be switching Orbot and our AndroidPT library over to the Briar dependency in the next release.
I am not sure whether I understand your proposal. You mean we should just switch for the PTs to how Briar is doing things? Or for the whole Tor Browser for Android? (note the .apk is already being built reproducibly using the same framwork we use for desktop builds) The latter would essentially mean maintaining two different build setups which seems not like a thing we should pursue, at first glance at least.
We should also figure out who is doing the source builds, how these are published as public modules, and who is monitoring and verifying the reproducibility. This is for both PT's and the current tor-android binary project that I manage (https://github.com/n8fr8/tor-android). It would be great to have Tor to be the source for trustworthy binary builds, available through direct downloads and gradle/maven/cocoapods, etc. We have talked about this many times in the past.
Yeah, I think that's a good idea. Let's tackle this once we have Tor Browser for Android in stable shape and think about ways to improve both our build and maintenance processes.
Related to this, we are also building and publishing PT's as shared libraries, instead of binaries, which is eventually going to be required on Android for both tor and obfs4proxy. It isn't all quite working yet, but will be soon. At some point, we'll have to talk about that whole transition.
Where can we find out about the main pieces that are missing here?
Our goptlib shared library build project is here: https://gitlab.com/eighthave/goptbundle which is being made available to app developers here: https://github.com/guardianproject/AndroidPluggableTransports
Yes, we plan to use that one I think until there are hard blockers that we are not aware of yet. Shane has made a first attempt to integrate that into our build system in #28803.
Georg