[tbb-bugs] #23117 [Applications/Tor Browser]: Link Tor Browser Bundle statically against musl libc

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Aug 5 08:57:11 UTC 2017


#23117: Link Tor Browser Bundle statically against musl libc
------------------------------------------+---------------------------
     Reporter:  robotanarchy              |      Owner:  tbb-team
         Type:  enhancement               |     Status:  new
     Priority:  Medium                    |  Milestone:
    Component:  Applications/Tor Browser  |    Version:
     Severity:  Normal                    |   Keywords:  musl,libc,tbb
Actual Points:                            |  Parent ID:
       Points:                            |   Reviewer:
      Sponsor:                            |
------------------------------------------+---------------------------
 Right now it isn't possible to run the pre-compiled Tor Browser Bundle on
 musl libc-based Linux distributions.

 I have found a mail thread from musl users/developers discussing this
 subject, in which Rich Felker came up with the following proposal (to
 always statically compile against musl):
 > > One thing to note: the whole point of Tor Browser Bundle is to avoid
 > > all sorts of side-channel/information-leak risks associated with just
 > > using a normal web browser build on Tor. If anything showing that your
 > > Tor Browser Bundle is built against musl rather than glibc leaks out
 > > to the network, this would compromise much of the benefit of the
 > > package -- there are relatively few musl desktop users, and even fewer
 > > who use Tor Browser, so it becomes much easier to identify you. Of
 > > course it would be ideal if they _always_ used musl, and fully
 > > static-linked, so that there wouldn't even be any risk of glibc
 > > version information (from the system-wide glibc) leaking over the
 > > network.

 However, the thread ends with the following words, so I guess this never
 reached the Tor developers:
 > I just tried to but my message was apparently rejected (not just held
 > for moderation) for not being a subscriber.

 Source:
 http://openwall.com/lists/musl/2016/04/26/1


 So what is your point of view on this subject?
 Thanks!

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23117>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

