[tor-bugs] #31130 [Applications/Tor Browser]: Use Debian 10 for our Android container images

Thu Nov 28 07:26:58 UTC 2019

#31130: Use Debian 10 for our Android container images
-------------------------------------------+-------------------------------
 Reporter:  gk                             |          Owner:  sisbell
     Type:  defect                         |         Status:
                                           |  needs_revision
 Priority:  Medium                         |      Milestone:
Component:  Applications/Tor Browser       |        Version:
 Severity:  Normal                         |     Resolution:
 Keywords:  tbb-rbm, TorBrowserTeam201911  |  Actual Points:
Parent ID:  #31127                         |         Points:  0.5
 Reviewer:                                 |        Sponsor:
-------------------------------------------+-------------------------------

Comment (by gk):

 Replying to [comment:51 boklm]:
 > Replying to [comment:50 gk]:
 > > Replying to [comment:48 sisbell]:
 > > > Looks like we just need one additional dependency installed for the
 JDK headless installation. I verified a full build.
 > > >
 > > > https://github.com/sisbell/tor-browser-
 build/commit/005b6651ba42737c7e1bd177f01286294355c02f
 > >
 > > Okay, we are close. Looking over the patch again I see you are
 pointing to `https://deb.debian.org/debian/pool/main/o/openjdk-8` for the
 openjdk packages. However, that seems to be brittle to me as it's easily
 conceivable that our version is getting superseded by newer updates in the
 couple of weeks, essentially getting unavailable. Better is using
 `snapshot.debian.org` (e.g.
 https://snapshot.debian.org/archive/debian/20191031T212011Z/pool/main/o/openjdk-8/).
 >
 > As it's an update for a stable distribution, I think previous versions
 of the packages are not removed from mirrors (until the whole suite is
 removed, which I think will not be before 2022 for stretch). So I think
 using `https://deb.debian.org/` is fine (but using snapshot.debian.org is
 fine too).

 I think you are wrong here. Have a look at

 https://snapshot.debian.org/archive/debian/20191001T024204Z/pool/main/o/openjdk-8/
 and
 https://snapshot.debian.org/archive/debian/20191031T212011Z/pool/main/o/openjdk-8/

 in the former you still find `8u232-b04` binaries but not the latter right
 now there are `8u232-b09-1~deb9u1` ones *instead* of the former which the
 stable archive mirrors but it seems that's not guaranteed to hold. That is
 there seems to be no reason to assume that `8u232-b09-1~deb9u1` could not
 get replaced in the future by a successor, which is why I think we should
 go the snapshot route to be on the safe side.

 > > boklm: anything else that should get fixed?
 >
 > I did not try to do a build yet, but the patch looks good to me.
 >
 > I think we should also check that the creation of `wheezy-amd64` and
 `stretch-amd64` images in `debootstrap-image` is still working correctly
 with the updated Ubuntu version.

 Yes, please.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31130#comment:52>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online