From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mp1 ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by ms0.migadu.com with LMTPS id CEvAN6JLsGBRaAEAgWs5BA (envelope-from ) for ; Fri, 28 May 2021 03:47:14 +0200 Received: from aspmx1.migadu.com ([2001:41d0:8:6d80::]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)) by mp1 with LMTPS id SOdbM6JLsGBfGgAAbx9fmQ (envelope-from ) for ; Fri, 28 May 2021 01:47:14 +0000 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by aspmx1.migadu.com (Postfix) with ESMTPS id E06C019139 for ; Fri, 28 May 2021 03:47:13 +0200 (CEST) Received: from localhost ([::1]:51666 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lmRai-0000wT-6X for larch@yhetil.org; Thu, 27 May 2021 21:47:12 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:35536) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lmRaY-0000w2-OV for guix-patches@gnu.org; Thu, 27 May 2021 21:47:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:41729) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lmRaY-0003qL-Gi for guix-patches@gnu.org; Thu, 27 May 2021 21:47:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lmRaY-0008Br-El for guix-patches@gnu.org; Thu, 27 May 2021 21:47:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#42380] Wow! Resent-From: =?UTF-8?Q?Andr=C3=A9?= Batista Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 28 May 2021 01:47:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 42380 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: Ludovic =?UTF-8?Q?Court=C3=A8s?= Cc: Raghav Gururajan , Xinglu Chen , 42380@debbugs.gnu.org, Leo Famulari Received: via spool by 42380-submit@debbugs.gnu.org id=B42380.162216637228963 (code B ref 42380); Fri, 28 May 2021 01:47:02 +0000 Received: (at 42380) by debbugs.gnu.org; 28 May 2021 01:46:12 +0000 Received: from localhost ([127.0.0.1]:53275 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmRZj-0007Wi-LA for submit@debbugs.gnu.org; Thu, 27 May 2021 21:46:12 -0400 Received: from mx1.riseup.net ([198.252.153.129]:37682) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lmRZg-0007Ot-G8 for 42380@debbugs.gnu.org; Thu, 27 May 2021 21:46:10 -0400 Received: from fews1.riseup.net (fews1-pn.riseup.net [10.0.1.83]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4FrnZy46nvzDsdc; Thu, 27 May 2021 18:46:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1622166362; bh=vdA0JMa1vVyST99WQLcQthxgSZwE1cQ+b32jyp5kGM4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=aKqfwStCzXTE/p4PIvEaxjrs16H2XK2UuwbDJ3BibQvpB92driMgCsT8nm3zsW+nR 2YosRQ3G+D425UTP19+aNd8ZR3yxZOHuDjvdWtMMidn03TvamjxBTZ27rc3auKBmCe aMaIC4GvkW+gQqIPZcpU1qaaRfeuX+bN+zYN6O6M= X-Riseup-User-ID: BD35962DCF622FB04B2D560F95F0294FEA82EAAB23F592965792A3BE9F6895F1 Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews1.riseup.net (Postfix) with ESMTPSA id 4FrnZw6tzPz5vVf; Thu, 27 May 2021 18:46:00 -0700 (PDT) Date: Thu, 27 May 2021 22:45:51 -0300 From: =?UTF-8?Q?Andr=C3=A9?= Batista Message-ID: References: <20200715211547.GA17146@andel> <20200915152332.GJ13296@andel> <87zgwic0qc.fsf@yoctocell.xyz> <87tumqwlqm.fsf@gnu.org> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <87tumqwlqm.fsf@gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+larch=yhetil.org@gnu.org Sender: "Guix-patches" X-Migadu-Flow: FLOW_IN ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=yhetil.org; s=key1; t=1622166434; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:resent-cc: resent-from:resent-sender:resent-message-id:in-reply-to:in-reply-to: references:references:list-id:list-help:list-unsubscribe: list-subscribe:list-post:dkim-signature; bh=ODGdr3SXDqv14LPBF0gfpSzQ5UUYRiozRwN5ExI6pTs=; b=OxfT0+hLjYdEMzT4o6DkJGtDdkzH1qyqkAjTBsBytimrmGf+jEZ9wY8TI7UEETDxnamdMz jbibHNb/fygYenrHlYqZvwsCma++xTtInKkhQ671HByXILRuiKiO8J3+T4Xoe/GA8S4QJb XIxECSu/c9MjDdL4+96AY7DzRh6MjWEBZqfTFH4XQvFCAOU0k1KgXw5AUzD6tNqupOzkQy NjZAuCaA51+SDugeIAqkIae+jKizkkdQBV+bdT64wpKam38E4n09H5WLnlmGou6zj1vxCC 5pkiYkRoTYDR+3shh2pgsTozWx/PG4BOq4XpNit6gToyGGaCsjW5oShwLLrDtA== ARC-Seal: i=1; s=key1; d=yhetil.org; t=1622166434; a=rsa-sha256; cv=none; b=M/iAQ278zudepNaFSMdDXc/A5zrlEk0a/A0zSPJa9l/aK8FJf+sg1Jt3YST4S6ch7pVk3U oXX+5JpX+j2Z+vVenRBLInn3nZVvJQKtSYpJ3IbWuX2uuHtAJIx3tbVfDRD6BllIE1ARpq sWbK6e0OdpI1dLD0TrQOI3oIHXyBLxyKsycvL8gUoZYDmrOr7su0pKuVW7HoNdlwwR6vr7 TyJT49R3UPTRMLf4IB+ffIikI5vEKjrS5d0be/CrxUDI6Em2YuYNdoUKapKTWkDyMb8oGj ezvyOBt8fdU/XEZpoyxWxuRMYzmkXa525jf8FYMJduW1pIXo/kMmTZBmHE2DLg== ARC-Authentication-Results: i=1; aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=riseup.net header.s=squak header.b=aKqfwStC; spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Spam-Score: 0.67 Authentication-Results: aspmx1.migadu.com; dkim=fail ("headers rsa verify failed") header.d=riseup.net header.s=squak header.b=aKqfwStC; dmarc=fail reason="SPF not aligned (relaxed)" header.from=riseup.net (policy=none); spf=pass (aspmx1.migadu.com: domain of guix-patches-bounces@gnu.org designates 209.51.188.17 as permitted sender) smtp.mailfrom=guix-patches-bounces@gnu.org X-Migadu-Queue-Id: E06C019139 X-Spam-Score: 0.67 X-Migadu-Scanner: scn0.migadu.com X-TUID: 0gNC1pc6ysDz Hi, ter 25 mai 2021 às 23:24:01 (1621995841), ludo@gnu.org enviou: > Leo Famulari skribis: > > > Does this package build the Tor browser from source? Or is it just a > > launcher, like the Debian package? > > It builds from source. Apart from noscript which Tor Browser itself does not build from source and https-everywhere which at the time I thought I'd be able to build from source but I got stuck on rust dependency nightmare and had to delay. Unfortunately, this issue still remains to be solved. > And sorry for dropping the ball, André! If anyone’s willing to give it > a try and report back, or to comment on the patch, that’d be great. No problem, Ludo, it was lacking feedback and I know it's somewhat a big and delicate piece of software to be merging without it. > > My understanding is that the Tor people discourage anyone else from > > distributing builds of the Tor browser. That's also my understanding, however I do think that building from source is: 1. the very core of software freedom, despite the relevance other concerns such as diminishing anonymity set; 2. one of the main strenghts and what Guix strives for. > > If it builds from source, we should probably call it something besides > > "Tor browser", since it will be different from the official Tor browser > > due to the unbundling and other changes. I've initially called the package definition "torbrowser-unbundle" and also inserted a warning that it was _not_ official Tor Browser, but I did not try to patch sources to rename the browser as it appears after installed. I can both agree to another name that makes it clearly appart from the official browser by Tor Project ("nottorbrowser?", "onionbrowser?") and to work on a patching sources to remove the user visible name and logo, if it's deemed necessary. (That may take a while however). > > Also, if it builds from source, it will be easy to identify users of > > this package as being Guix users and since the Guix userbase is > > relatively small, it will be much easier than usual to positively > > identify the person using the package. I've tested it with panopticlick.eff.org and it's user identifying bits remain the same as the official Tor Browser. That said, panopticlick is certainly not a silver bullet and you have grounds to be concerned. If someone were to need/want the very best assurances on anonymity set, I'd advise not to risk it and go with the larger crowd. On the other hand, until not long ago and maybe currently still, guix users were using IceCat with tor and that's a much more telling tale. > Good points. I think we could ask the Tor Browser folks (we met with a > couple of them at Reproducible Builds Summits in the past and I’m > confident we’d understand each other :-)). That would be great :) In the mean time, I'll take this as an invitation to send a new patch version with the latest Tor Browser stable. I've made some minor improvements such as using tarballs from archive.torproject.org instead of {git|dist}.torproject.org. Since they are planning a new stable release in the next few days, I'll take the time to work on a reproducibility issue that have arised with the new zip routine to package extensions inside omni.ja which affected the timestamps, at least the way I did it. Cheers,