On 02/18/2013 12:29 PM, Jacob Appelbaum wrote:
I was assuming that making the launcher depend on a system Tor would be troublesome. However now that I'm looking at https://www.torproject.org/docs/debian again, it seems like it could totally work. What about for Ubuntu users?
For normal Debian GNU/Linux users, I believe it will work. For recent versions of Ubuntu, I also believe it will work. I would also say that the launcher could prompt them to actually *add* the Tor repositories that fix the problems Ubuntu users may or may not face in the future.
True. I'll start with just a normal Tor dependency, and if only add the deb.torproject.org repo if it becomes necessary.
My workaround plan was to download TBB not over Tor the first time. After extracting it, copy a Firefox extension into the TBB profile, and then run it. From that point on, the extension would be in charge of checking for updates, downloading new updates, and telling the user when they should restart their browser.
I'm not sure I follow? You want to extend TBB to check for updates itself? In the long term, I think that is a fine plan - though in the short term, I think a simple script can be safer, easier and generally better. Imagine for a moment that there was a system wide cache of TBB downloads? One TBB to rule them all, or something. Such a thing wouldn't be easy inside of Firefox.
My plan was to make the Firefox extension, and then after extracting the TBB tarball copying the extension into ~/.torbrowser/tbb/x86_64/tor-browser_en-US/Data/profile/extensions and doing whatever you need to do to enable it that profile. However, since I'm going to make Tor a dependency, it's moot.
What do you think the report button should do? What information should it send back to us, and how should it send it? If there is a real attack and the user can't successfully download TBB, how can we make sure they can successfully report the attack? You can post comments on the bug.
I'll add comments to the bug.
Thanks!
Do you pin SSL certs? Or fetch from known mirrors? Or...? :)
No. I assumed that if someone successfully did a MITM attack on the https connection to torproject.org, they wouldn't get their malicious software installed because of the signature verification. Also, I didn't realize urllib2 doesn't check certs automatically. It's a good idea to implement anyway. Thanks for opening the bug about it.
Sure - I find it hard to believe that Python's development community actually settled on that as the default behavior. It bites nearly everyone.
Python's development community also doesn't verifying anything downloaded by pip: http://www.reddit.com/r/Python/comments/17rfh7/warning_dont_use_pip_in_an_un...
Hopefully it will get better soon.
I'd thought about this, but I wasn't sure if this is a reliable way to know which version to download. For example, when I go to https://www.torproject.org/dist/torbrowser/linux/?C=M;O=D now, the first file is:
tor-browser-gnu-linux-x86_64-2.4.10-alpha-1-dev-en-US.tar.gz.asc
But when I go to the TBB download page, the version I'm presented with is 2.3.25-2, not 2.4.10-alpha-1. Maybe TBB's built-in version check will shed some light onto the best way to know what the latest stable version is.
Well, which should your users be using? From my perspective, I think you should give them the alpha and help them report bugs! :-)
Interesting idea. Anyone else have opinions on this? I think I'd be fine giving people the alpha, but I also don't want to annoy people with too many bugs.
Right now it would be easiest to just make it get the alpha.
Or, alternatively, I could download https://www.torproject.org/download/download.html.en and parse it for the current version. However, this will break as soon as torproject.org updates it's web design.
I pushed a code audit first pass to the git repo, did you see the branches that I added?
Yup. I merged in your doc-formatting, gpg-keys, and image-fixups branches into my develop branch.
https://github.com/micahflee/torbrowser-launcher/tree/develop
And I opened issues for most of things you brought up in the code review branch: https://github.com/micahflee/torbrowser-launcher/issues
For the things I didn't open issues on, here are my thoughts:
https://github.com/ioerror/torbrowser-launcher/commit/bfe97f49e53c1de5a69721...
I think it's safe to overwrite whatever is in the version file here, since TBB isn't installed yet. Unless someone messed with their ~/.torbrowser/ folder, it shouldn't exist yet. The version file is supposed to represent the currently installed version, but I think I might refactor this stuff anyway since I'm going to make it check for updates rather than hard-coding the latest version.
https://github.com/ioerror/torbrowser-launcher/commit/bfe97f49e53c1de5a69721...
I'm not sure if arch is portable. I could easily switch it to uname -m, if that's more portable.
https://github.com/ioerror/torbrowser-launcher/commit/bfe97f49e53c1de5a69721...
If HOME isn't set, what should happen? Should tbb_data be set to /tmp/tbb-USER or something?
https://github.com/ioerror/torbrowser-launcher/commit/bfe97f49e53c1de5a69721...
Yeah, we should depend on tar I think.
Originally I wasn't thinking of releasing this for OS X, since I was thinking it would know about updated versions of TBB when torbrowser-launcher gets updated from the deb repositories. But now it seems plausible to make this cross-platform. However, Windows TBB releases are .exe, which wouldn't work with this.
Maybe this should be GNU/Linux only at first, and future releases could be for OS X and Windows.