On Sun, Sep 06, 2015 at 11:26:16PM +0000, Jeremy Rand wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
I was looking at the Gitian descriptor for the pluggable transports at https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia n/descriptors/windows/gitian-pluggable-transports.yml , and I noticed that it has an input file called "python.msi". Furthermore, I noticed the following line in https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitia n/versions :
PYTHON_MSI_URL=https://www.python.org/ftp/python/$%7BPYTHON_VER%7D/$%7BPYTHON_ MSI_PACKAGE}
- From this, I conclude that Python is not being built in Gitian, and
the download from www.python.org is assumed to be safe / not backdoored. Is this correct?
If I'm correct, is there a reason that Python is not being built in Gitian? Was it attempted and found that Python cannot easily be built for Windows in Gitian? Or was it not attempted and just still on the to-do list? I don't see any relevant ticket on Trac.
Way way back when pluggable transports were first integrated into Tor Browser, we tried compiling Python and it was too problematic to be worth it. Here is the comment you want to read:
https://trac.torproject.org/projects/tor/ticket/9444#comment:18 https://trac.torproject.org/projects/tor/ticket/9444#comment:20
Those comments are two years old now. Maybe things have changed and it's easier to cross-compile for Windows now. If it's something you have expertise with, it'd be great if you tried it!