Opened 9 years ago

Closed 5 years ago

#2078 closed defect (fixed)

document settings in tor browser bundles

Reported by: phobos
Owned by: erinn
Priority: Medium
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: documentation
Cc: mikeperry
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We really need to ship a document in the TBBs that clearly documents what's included, what's changed, and why each change from the default was made. A number of people are asking why NoScript, BetterPrivacy, and such are now included in the TBBs.

In fact, I think I know why they are included, but I'm not clear on each reason. In the past, we only wanted to include software for which we've read the source code and properly vetted and tested thoroughly.

Change History (7)

comment:1 Changed 9 years ago by cypherpunks

TBB disables NoScript's ABE by setting noscript.ABE.enabled to false. It is not enough.

NoScript tries to protect flawed routers (CSRF). For this purpose, NoScript tries to detect the external IP address and tries to take a fingerprint of a web resource at the detected address if a proxy server is not defined or the proxy host is local. TBB needs to turn off noscript.ABE.wanIpAsLocal too.
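
An added example, not part of the ticket or of the Tor Browser Bundle's own code: a check that the two preferences named in comment:1 are explicitly set to false in a profile's preferences file. It assumes Firefox's `user_pref("name", value);` line format; the function names and sample file contents are constructed for illustration.

```python
import re

# The two NoScript preferences named in comment:1; the ticket wants both off.
REQUIRED_FALSE = ("noscript.ABE.enabled", "noscript.ABE.wanIpAsLocal")

# Matches user_pref("name", value); and pref("name", value); lines.
PREF_LINE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;\s*$'
)

def parse_prefs(text):
    """Return {name: value}; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue  # comments, blank lines, anything unparseable
        raw = m.group("value")
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[m.group("name")] = value
    return prefs

def audit(text):
    """Return {pref: problem} for required prefs not explicitly false."""
    findings = {}
    prefs = parse_prefs(text)
    for name in REQUIRED_FALSE:
        if name not in prefs:
            findings[name] = "not set"
        elif prefs[name] is not False:
            findings[name] = "set to %r" % (prefs[name],)
    return findings

# Constructed sample: only the first preference is disabled.
SAMPLE_PARTIAL = '''// constructed prefs file
user_pref("noscript.ABE.enabled", false);
user_pref("network.proxy.type", 1);
'''

# Constructed sample: both preferences disabled.
SAMPLE_FULL = SAMPLE_PARTIAL + 'user_pref("noscript.ABE.wanIpAsLocal", false);\n'

if __name__ == "__main__":
    for label, sample in (("partial", SAMPLE_PARTIAL), ("full", SAMPLE_FULL)):
        print(label, audit(sample) or "ok")
```

A preference that is absent is reported rather than assumed safe, because the extension's own default then applies.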

comment:2 in reply to:  1 Changed 9 years ago by erinn

Status: new → accepted

Replying to cypherpunks:

> TBB disables NoScript's ABE by setting noscript.ABE.enabled to false. It is not enough.
>
> NoScript tries to protect flawed routers (CSRF). For this purpose, NoScript tries to detect the external IP address and tries to take a fingerprint of a web resource at the detected address if a proxy server is not defined or the proxy host is local. TBB needs to turn off noscript.ABE.wanIpAsLocal too.

I've enabled this in the most recent Tor Browser Bundles (Windows 1.3.11, OSX 1.03, and Linux 1.0.14, respectively)

comment:3 Changed 9 years ago by erinn

I've started documenting this -- can you tell me how fine-grained you want it to be? There can be a formal "decisions about included software" document, or there can be more verbosity in the changelogs themselves, or both, or something in between.

comment:4 Changed 9 years ago by arma

Getting something out there is more important than getting the perfect thing out there.

So do whatever feels natural to you as a first go, and we can iterate from there.

More verbosity in the changelog docs would be useful, and a separate list of "what you should expect to find in TBB and why we put it there" would also be useful.

Imagine some dude from the Tor community whipped this up, and handed it to you, and said "try this blob, it'll be great". Then imagine you want to decide whether the blob is the right blob, and you don't have Windows to unpack it and crawl through it and find out what's there. Instead you want to read a list of what we think is in it, and why we think that's good to have there.

comment:5 Changed 9 years ago by erinn

Status: accepted → needs_review

I've started to document everything to do with TBB here:
https://gitweb.torproject.org/erinn/torbrowser.git/blob/refs/heads/maint-2.2:/docs/HACKING

I haven't added *all* of the patches to version control, but it's a beginning. I'd be happy to have feedback about any of it.

comment:6 Changed 7 years ago by arma

Cc: mikeperry added
Keywords: easy removed

The HACKING file looks useful, but doesn't address the need in this ticket.

What can we do to help move this ticket forward? How much of it is resolved by the tor-browser design doc?

I'm cc'ing Mikeperry, and removing the 'easy' keyword, since explaining why we made each change in e.g. about:config is not trivial.

comment:7 Changed 5 years ago by cypherpunks

Resolution: fixed
Status: needs_review → closed

Was it merged?
Either way, closing as fixed because this ticket is for scripts to build the Tor Browser Bundles (old, pre 3.x).
