[tbb-bugs] #21862 [Applications/Tor Browser]: Make rust code in ESR 52 proxy safe

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Jun 1 23:27:12 UTC 2017

#21862: Make rust code in ESR 52 proxy safe
 Reporter:  gk                                   |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_review
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  ff52-esr, tbb-7.0-must,              |  Actual Points:
  TorBrowserTeam201706R                          |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor4

Comment (by arthuredelstein):

 I don't know rust either, but I was curious what happens if these
 functions are ripped out. Is any code calling them?

 I tried building with `ac_add_options --enable-rust` in the mozconfig file
 and I got the follow error message:

  2:45.75 error: the listed checksum of `/home/arthur/tor-
 browser/third_party/rust/url/src/lib.rs` has changed:
  2:45.75 expected:
  2:45.75 actual:
  2:45.75 directory sources are not intended to be edited, if modifications
 are required then it is recommended that [replace] is used with a forked
 copy of the source
  2:45.76 /home/arthur/tor-browser/config/rules.mk:939: recipe for target
 'force-cargo-build' failed
  2:45.76 make[5]: *** [force-cargo-build] Error 101
  2:45.76 /home/arthur/tor-browser/config/recurse.mk:71: recipe for target
 'toolkit/library/rust/target' failed
  2:45.76 make[4]: *** [toolkit/library/rust/target] Error 2
  2:45.76 make[4]: *** Waiting for unfinished jobs....

 The "expected" hash (c3542aab...) is located in `third_party/rust/url
 /.cargo-checksum.json`. The README in the same directory says this code is
 URL library for Rust, based on the [URL

 So it looks to me like this is patching a "third-party library", whereas
 we should probably be ripping out something considered to be "first-party"
 gecko code.

 Another option might be just to remove the whole third-party directory or
 even all rust files from the source code.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21862#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list