[tor-dev] reproducible builds for Android tor daemon

Georg Koppen gk at torproject.org
Fri Sep 13 09:20:00 UTC 2019


Hans-Christoph Steiner:
> Georg Koppen:
>> Hans-Christoph Steiner:
>>>
>>> Hey all,
>>>
>>> I'm currently working on tor for Android as part of a Guardian Project
>>> project.  One key goal is making a shareable, reproducible build process
>>> for the tor daemon for Android.  Then this would be published to
>>> MavenCentral as an Android AAR package to be used in all the apps that
>>> include tor (Tor Browser, Orbot, Briar, Thali, etc).  I have cleaned up
>>> the existing build process a lot, so now I'm down to troubleshooting
>>> reproducible issues.
>>>
>>> First off, can anyone see any objections to switching Tor Browser,
>>> Orbot, Briar, etc. to use GPG-signed reproducible binaries via
>>> MavenCentral for the tor daemon?
>>
>> We want to include building tor and all its dependencies in
>> tor-browser-build/rbm to have the latest tor for Android in our nightly
>> builds and respective alpha and stable versions in our alpha and stable
>> browsers. We have a ticket for that for a while now in our bug tracker
>> but did not get to it so far.[1] The plan is to pick that work up in
>> November after Tor Browser 9 is out.
>>
>> As to whether other projects would be interested in that, dunno. But I
>> guess some at least would?
>>
>> Georg
>>
>> [1] The parent ticket for that work is:
>> https://trac.torproject.org/projects/tor/ticket/28704.
> 
> If building tor+libevent+openssl+libz+liblzma for Android was done
> reproducibly and shipped via MavenCentral, would you consider using it?
> Seems like we'd want this tor binary to be synced to the Tor Browser
> version requirements anyway, since that's the "standard configuration".

What about our nightly build requirement? Oh, and to complicate that: we
build tor nightlies with Rust enabled to be able to test Rust code. And
would do so for Android, too. And to further complicate matters: we plan
to switch to NSS to test that part of tor in a Tor Browser context as
well. (It's been long on the agenda but I finally want to get to that
after Tor Browser 9 is out.)

And then there have been times where we actually needed to ship tor
patches ourselves because they were not merged/released yet (although,
luckily, that's been a while ago). There might be a need for such an option
in the future, too.

So, all in all I am skeptical that Tor Browser fits into your plans.

Georg
