[tor-bugs] #27609 [Applications/Tor Browser]: TBA: Evaluate Tor Onion Proxy Library

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 12 09:45:25 UTC 2019


#27609: TBA: Evaluate Tor Onion Proxy Library
-------------------------------------------------+-------------------------
 Reporter:  sysrqb                               |          Owner:  tbb-
                                                 |  team
     Type:  defect                               |         Status:
                                                 |  needs_revision
 Priority:  Very High                            |      Milestone:
Component:  Applications/Tor Browser             |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  tbb-mobile, TBA-a3,                  |  Actual Points:
  TorBrowserTeam201903, tbb-8.5                  |
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
                                                 |  Sponsor8
-------------------------------------------------+-------------------------

Comment (by gk):

 Okay, I looked over all the patches for #29312, #29313, #29574, and
 #29575. Nice work! It feels we are pretty close here. We can use the
 parent ticket to address all comments/review requests in one place. Here
 are my 2cents:

 e38175545f4de75030fcf48b9950b65118228688 (#29312)

 Why are we using 0.3.5.6-rc (which is a release candidate and no stable
 tor)? Are we sure we are better off security- and/or stability- and/or
 performance-wise than with 0.3.4.9? We have been testing the latter for
 quite a while now but not the -rc yet and we plan to have a stable soon
 for Android users...

 d79c8ef41190cc37c16c7b90cfe65f083d6a3b95 (#29313)
 {{{
 ++        ndk {
 ++            abiFilters "armeabi-v7a"
 ++        }
 }}}
 How does that work for x86 builds which we have now as well? Do we need a
 similar entry for them as well? If so, what is supposed to happen if we
 omitted both entries?

 8e3d539f76e3bd45a809dc1b14277d2b1a2fa3c4 (#29574)

 I assume "tor-0.3.4.9" is just part of the filename of the .aar file but
 there is no tor 0.3.4.9 or 0.3.4.9 related code in it? (Especially as you
 are using 0.3.5.6-rc) Otherwise I'd be worried about possible bad
 interactions with code belonging to different tor versions.

 `orbot-uber.patch` is tricky to review, the diff to the older patchset is
 {{{
 diff --git a/app/build.gradle b/app/build.gradle
 index 3051dd5c..4e33472c 100644
 --- a/app/build.gradle
 +++ b/app/build.gradle
 @@ -76,12 +76,16 @@ android {
  dependencies {
  //    implementation 'com.github.delight-im:Android-Languages:v1.0.1'
      implementation 'com.android.support.constraint:constraint-
 layout:1.1.3'
 -    implementation project(':orbotservice')
      // Match Fennec's ANDROID_SUPPORT_LIBRARY_VERSION
      implementation 'com.android.support:design:23.4.0'
      implementation 'pl.bclogic:pulsator4droid:1.0.3'
      // These require higher versions of ANDROID_SUPPORT_LIBRARY_VERSION
      //implementation 'com.github.apl-devs:appintro:v4.2.2'
      //implementation 'com.github.javiersantos:AppUpdater:2.6.4'
 -
 +    implementation fileTree(dir: 'libs', include: ['*.jar', '*.aar'])
 +    implementation 'com.android.support:appcompat-v7:26.1.0'
 +    implementation 'net.freehaven.tor.control:jtorctl:0.2'
 +    implementation 'org.torproject:tor-android-binary:0.3.5.6-rc'
 +    implementation 'org.slf4j:slf4j-api:1.7.25'
 +    implementation 'org.slf4j:slf4j-android:1.7.25'
  }
 diff --git a/build.gradle b/build.gradle
 index edcfc84f..ce06f082 100644
 --- a/build.gradle
 +++ b/build.gradle
 @@ -3,7 +3,6 @@ buildscript {
      repositories {
          jcenter()
          google()
 -        maven { url System.getenv("GRADLE_MAVEN_REPO") }
      }
      dependencies {
          // Match Fennec
 @@ -17,6 +16,5 @@ allprojects {
          maven { url
 "https://raw.githubusercontent.com/guardianproject/gpmaven/master" }
          google()
          maven { url 'https://jitpack.io' }
 -        maven { url System.getenv("GRADLE_MAVEN_REPO") }
      }
  }
 diff --git a/settings.gradle b/settings.gradle
 index 9984a03e..e7b4def4 100644
 --- a/settings.gradle
 +++ b/settings.gradle
 @@ -1,2 +1 @@
 -include ':jsocksAndroid', ':orbotservice'
  include ':app'
 }}}


 We have a
 {{{
 +-    implementation 'com.android.support:appcompat-v7:27.1.1'
 ++    // Match Fennec's version
 ++    implementation 'com.android.support:appcompat-v7:23.4.0'
 }}}
 in the orbot patch. So, we explicitly downgraded appcompat to 23.4.0 with
 the intent to match what Mozilla is using. However in the uber patch above
 you require 26.1.0. Is that necessary?

 Additionally, we have
 {{{
 +     implementation 'com.jrummyapps:android-shell:1.0.1'
 }}}
 there, yet you remove all the `android-shell` bits from the gradle-
 dependencies-file. Thus, we can remove `android-shell` as a dependency in
 the `build.gradle` file as well?

 ca269f08af2e17d07a0ec9d9612252348d6656f8 (#29575)

 Do we still need `android-shell` in the gradle-dependencies list given
 that you removed `orbotservice` from `build.gradle`?

 The `dependencies.patch` should be done in the `tor-browser` repo. I guess
 a fixup to Matt's original patch
 (fbad5b5dabb3c45a9da853a6b784a28e78b9583c) would be fine.

 Leaving this ticket at `needs_revision` to address changes/questions.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27609#comment:35>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list