[tbb-bugs] #26401 [Applications/Tor Browser]: Rebase Orfox patches onto Tor Browser 8.0 for TBA

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 18 08:38:02 UTC 2018

#26401: Rebase Orfox patches onto Tor Browser 8.0 for TBA
 Reporter:  sysrqb                             |          Owner:  tbb-team
     Type:  task                               |         Status:
                                               |  needs_review
 Priority:  Very High                          |      Milestone:
Component:  Applications/Tor Browser           |        Version:
 Severity:  Normal                             |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam201807R  |  Actual Points:
Parent ID:  #26531                             |         Points:
 Reviewer:                                     |        Sponsor:

Comment (by gk):

 Replying to [comment:20 sysrqb]:
 > Replying to [comment:17 gk]:


 > > I guess the comments before the *strip options are essentially
 enabling stripping? if so, we should be explicit about it an use
 `--enable-strip` like on other platforms as well
 > >
 > The defaults are effectively `--disable-strip` and `--enable-install-
 strip` but we should test these options and understand what improves and
 what fails when we enable/disable them. I'm still not sure.

 Well, that makes it so that we build with symbols but then strip them
 during the packaging step (that can be confusing alone in case you want to
 get debug symbols after packaging up everything). It seems to be cleaner
 to me to indicate upfront in the .mozconfig file that we don't have
 symbols available by specifying `--enable-strip`.


 > > commit 69bdd94ecb8e97e4d590dc75c04963b6659bdae0 -- probably okay (why
 do we need the duplicated entries we already have in confvars.sh?)
 > I added those in torbrowser.configure because they look like configure
 flags but they are environment variables. They are still in
 torbrowser.configure only for documentation purposes. I can delete them if
 it's confusing or you think they aren't helpful.

 I don't feel that strongly about it. Let's keep the commit as-is if you


 > >
 > > Why is "#ifdef TOR_BROWSER_VERSION" commented out? It seems to me we
 don't want to point our users to the aus5 URL. Maybe I am missing
 something here.
 > Hm! Those `//` were only supposed to be visual and not affect the
 inclusion. I thought the preprocessor preserves and enforces the ifdef
 when it scans the file - but I see this did not happen.
 `app.update.url.android` is still set. I'll look into this more.

 I don't think that's the case for the .js file. At any rate, I would
 follow the style Mozilla has in this file which is plain `#ifdef`'s.


 > >
 > > commit 4b3c94077749e620f8d9055412ab01bf4286b435 -- probably okay (What
 is the threat here?)
 > I think this provides a safe default. When this is enabled, the user is
 provided an icon in the awesome bar for scanning a QRCode that
 (presumably) contains a URL the user wants to visit. When the icon is
 pressed, another app is opened (if it is installed) where a picture is
 taken and it is scanned for a QRCode and then decoded. I believe the
 scanning/decoding is performed on a remote server. Disabling this by
 default protects against accidentally revealing their location to third
 parties. The user could tap the icon by mistake and launch the third party
 app, and we don't have any control over what that app does or what
 information that app sends.

 Good point. I was not aware that the QRCode treatment is actually done
 remotely, so, yes, let's keep the commit.


Ticket URL: <https://trac.torproject.org/projects/tor/ticket/26401#comment:23>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list