[tor-dev] Reproducibility of Pluggable Transports python.msi

David Fifield david at bamsoftware.com
Mon Sep 7 00:29:27 UTC 2015


On Sun, Sep 06, 2015 at 11:26:16PM +0000, Jeremy Rand wrote:
> I was looking at the Gitian descriptor for the pluggable transports at
> https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/windows/gitian-pluggable-transports.yml
> , and I noticed that it has an input file called "python.msi".
> Furthermore, I noticed the following line in
> https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/versions
> :
> 
> PYTHON_MSI_URL=https://www.python.org/ftp/python/${PYTHON_VER}/${PYTHON_MSI_PACKAGE}
> 
> From this, I conclude that Python is not being built in Gitian, and
> the download from www.python.org is assumed to be safe / not
> backdoored.  Is this correct?
> 
> If I'm correct, is there a reason that Python is not being built in
> Gitian?  Was it attempted and found that Python cannot easily be built
> for Windows in Gitian?  Or was it not attempted and just still on the
> to-do list?  I don't see any relevant ticket on Trac.

Way way back when pluggable transports were first integrated into Tor
Browser, we tried compiling Python and it was too problematic to be
worth it. Here is the comment you want to read:

https://trac.torproject.org/projects/tor/ticket/9444#comment:18
https://trac.torproject.org/projects/tor/ticket/9444#comment:20

Those comments are two years old now. Maybe things have changed and it's
easier to cross-compile for Windows now. If it's something you have
expertise with, it'd be great if you tried it!

