[tbb-bugs] #27539 [Applications/Tor Browser]: Create plan for releasing on F-Droid

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Feb 12 13:56:32 UTC 2019

#27539: Create plan for releasing on F-Droid
 Reporter:  sysrqb                               |          Owner:  tbb-
                                                 |  team
     Type:  enhancement                          |         Status:  new
 Priority:  Medium                               |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam201902,    |  Actual Points:
  TBA-8.5                                        |
Parent ID:  #26318                               |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor8

Comment (by eighthave):

 The ideal setup is to have both a Tor Project repo and TBA building in
 f-droid.org.  F-Droid handles getting the same app from multiple sources

 Since TBA will be released only with Tor Project's signature (and not an
 f-droid.org signature), Tor Project can publish to its own repo on its own
 schedule.  Then the f-droid.org builders will trigger builds based on git
 tags (or other means), and can fetch the APK from the Tor Project's own
 repo.  It will then use the signatures from those APKs as the test of a
 successful build.

 If you want more control of when the f-droid.org builders make their
 builds, you can manually submit merge/pull requests for each release, and
 include just the APK signature there (that can be extracted using `fdroid
 signatures tor-browser.apk`).

 Having a Tor Project repo means TBA updates can be shipped regardless of
 timing/status of f-droid.org.  Having f-droid.org also build and ship the
 TBA APKs provides an extra level of reproducibility and distribution
 resilience, since the f-droid.org repo is mirrored on many standard free
 software mirror servers (ftp.fau.de, cyberbits.eu, osuosl, etc).  It is
 also easy to add mirrors to the Tor Project repo, they can be any
 webserver via ssh/rsync, GitHub Pages, GitLab Pages, and AmazonS3 or any
 service compatible with `s3cmd`.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27539#comment:10>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list