[tbb-bugs] #33939 [Applications/Tor Browser]: Decide which components of Fenix to rip out, disable, or use

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu May 28 19:06:00 UTC 2020


#33939: Decide which components of Fenix to rip out, disable, or use
----------------------------------------------+----------------------------
 Reporter:  gk                                |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam202004  |  Actual Points:
Parent ID:  #33184                            |         Points:
 Reviewer:                                    |        Sponsor:
                                              |  Sponsor58-must
----------------------------------------------+----------------------------

Comment (by sysrqb):

 Replying to [comment:5 gk]:
 > Thanks, that's a good start. Two thoughts while skimming the list (I did
 > not look carefully yet)
 >
 > 1) At least the progressive web apps (PWA) part should probably be in
 > the Must Audit section. We even have a ticket for that already: #25845 :)

 That's probably a smart thing, yes. PWA is only available in non-private
 browsing mode in Fennec, but we should audit it in Fenix. Indeed, PWA is
 available in private browsing mode in Fenix...

 >
 > 2) I was wondering how the dependencies those dependencies have would
 > influence where we put them category-wise. So, starting with one layer
 > seems good to me but I feel we might need to dig deeper to have a final
 > assessment. One of the things I am already wary of is getting all the
 > application-services parts roped in "for free". Not all components are
 > probably needing that (I've not checked) but I bet some would move into
 > the Must Audit part alone due to that. And there's probably other stuff
 > that is bubbling in this morass, under the quiet surface... :)

 Ideally, we should audit everything, but I don't think that is realistic.
 We should quickly look at all components in the `Include` category and
 confirm they do not make any network calls or expose personal/device
 information. I placed them in this category purely based on my assumption
 of how these components are implemented.

 I expect we'll spend a large amount of time auditing components within the
 `Must Audit` category because this includes the complex application
 services, and ripping out any of them will be painful.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:6>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

