[tor-bugs] #9308 [Firefox Patch Issues]: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and Windows
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Apr 22 18:20:29 UTC 2014
#9308: JavaScript's BrowserFeedWriter() leaks installation paths on OS X and
Windows
-------------------------------------+-------------------------------------
Reporter: cypherpunks | Owner: mikeperry
Type: defect | Status: needs_revision
Priority: critical | Milestone:
Component: Firefox Patch | Version:
Issues | Keywords: tbb-fingerprinting,
Resolution: | tbb-easy, interview
Actual Points: | Parent ID:
Points: |
-------------------------------------+-------------------------------------
Comment (by gk):
Replying to [comment:28 arthuredelstein]:
> Replying to [comment:26 gk]:
> > What about Mike's idea of doing a python stub that is doing the pre-
compilation?
>
> Maybe I'm not understanding this suggestion. I don't see how python can
compile JavaScript, unless we write our own JS compiler ;). I'm not an
expert on this startup cache, but from my googlings, it seems these files
are SpiderMonkey-compatible bytecode.
Yes. Frankly, I am not sure what the xpcshell binary is doing under the
hood. My guess (and maybe Mike's) was that it is "just" calling some other
code that does the hard work (i.e. get the js into bytecode). And maybe
replacing the xpcshell binary with some Python code that is just calling
the other code as well might have worked.
> > And what about compiling those .js files once and ship them as
resources via the gitian versions files?
>
> Yes, I think that absolutely can work, but don't we then need a way to
verify the integrity of those binary files on the build machine? Is there
currently a mechanism for doing that?
Yes, having > 1 people build the code on different machines (as we already
do now) and make sure the sha256sums match.
> Would checking the binaries into tor-browser.git or tor-brower-
bundle.git and relying on git's hashing strategy be acceptable?
Well, I think we would put it on a mirror and download it when fetching
the build prerequisites (there are mirror URLs in the fetch-inputs.sh we
already use). Then we could fiddle with the bundle descriptors and put
them manually into the omni.ja files.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9308#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list