[tor-dev] GNU Guix and Tor Browser Packaging

bancfc at openmailbox.org bancfc at openmailbox.org
Mon Mar 13 22:31:24 UTC 2017

There is a serious Tor Browser packaging effort [3][4] being done by ng0 
(GNUnet dev) for the GNU Guix [0] package manager. GNU Guix supports 
transactional upgrades and roll-backs, unprivileged package management, 
per-user profiles and most importantly reproducible builds. I have 
checked with Guix's upstream and they are working on making a binary 
mirror available over a Tor Hidden Service. [2] Also planned is 
resilience [2] to the attack outlined in the TUF threat model. [1]

Back to the topic of Tor Browser packaging. While there are good reasons
for Debian's packaging policies, they make packaging of fast-evolving
software (and especially with TBB's reliance on an opaque binary VM for
builds) impractical. Both we and Micah have been making a good effort to
automate downloading and validating TBB but I still believe it's a
maintenance burden and Guix may be a way out of that for Linux distros
in general.

What are your thoughts on this?


[0] https://www.gnu.org/software/guix/
[1] https://github.com/theupdateframework/tuf/blob/develop/SECURITY.md
[2] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00192.html
[3] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00189.html
[4] https://lists.gnu.org/archive/html/guix-devel/2017-03/msg00149.html

