[tor-bugs] #33939 [Applications/Tor Browser]: Decide which components of Fenix to rip out, disable, or use

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Jun 12 03:37:58 UTC 2020


#33939: Decide which components of Fenix to rip out, disable, or use
----------------------------------------------+----------------------------
 Reporter:  gk                                |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam202006  |  Actual Points:
Parent ID:  #33661                            |         Points:
 Reviewer:                                    |        Sponsor:
                                              |  Sponsor58-must
----------------------------------------------+----------------------------

Comment (by sysrqb):

 Replying to [comment:14 gk]:
 > Replying to [comment:13 sysrqb]:
 > > Replying to [comment:3 sysrqb]:
 > > > The follow list partitions the dependencies into "include",
 "exclude", "disable", and "must-audit" sets
 > > >
 > > > "Must Audit" includes dependencies that we could allow depending on
 their implementation
 > > >
 > > > "Disable" includes dependencies that we probably do not want and we
 should always use "Dummy" implementations
 > > >
 > > > "Disable" and "Exclude" may merge into a single set.
 > > >
 > > > === Include ===
 > > > {{{
 > > > > # GeckoView
 > > > > mozilla_browser_engine_gecko_nightly -> org.mozilla.components
 :browser-engine-gecko-nightly
 > > > > mozilla_browser_engine_gecko_beta -> org.mozilla.components
 :browser-engine-gecko-beta
 > >
 > > #34177
 >
 > One thing I've been thinking about the requirement for having multiple
 engines included at the same time when building is how to make sure we
 avoid that when actually building releases/alphas. I am not sure yet how
 to do that in the best way. I started playing with ripping things our in
 `android-components` so that we e.g. don't require some `gecko_nightly`
 code anymore. But it feels a bit awkward so far.
 >
 > The reason for doing that is tha I don't want to land in a situation
 that due to a bug not-proxy-safe and not audited nightly code is suddenly
 used in our builds. That's not a problem with geckoview per se as there is
 a branch per series (`mozilla-central` -> `gecko_nightly`, `mozilla-beta`
 -> `gecko_beta` etc.) but that's not the case anymore for those
 dependencies in `android-components` and `fenix`.

 Do you suggest we only keep `beta` and `production`? Should we simply
 carry a patch that deletes/comments-out the geckoNightly variant, so it
 can never be built accidentally?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:16>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online


More information about the tor-bugs mailing list