Source release tarballs for Tor Browser

Would greatly help with porting efforts if there were official source tarballs.

added TorBrowserTeam201903R component::applications/tor browser owner::tbb-team priority::medium resolution::fixed severity::normal status::closed tbb-rbm type::task labels

You mean a source tarball just for the browser part or for the whole bundle, including things like pluggable transports, the browser profile, tor, etc.?

Trac:
Status: new to needs_information

If the need is to create tarballs for the components that are currently at https://bits.torbsd.org/pub/OpenBSD/distfiles/, then I think we could easily add to tor-browser-build some make commands such as make src-tarballs-alpha and make src-tarballs-release that would generate tarballs for those components (firefox, tor-launcher and torbutton). When you need to update the OpenBSD port, you can then run this and upload the tarballs somewhere. Would that be enough?

Replying to gk:

You mean a source tarball just for the browser part or for the whole bundle, including things like pluggable transports, the browser profile, tor, etc.?

Okay, answering my own question: looking at the related tickets (#25877 (moved) and #25878 (moved)) it seems only the browser part, torbutton, and tor-launcher are requested.

Some other idea, maybe for a different ticket: after looking a little at https://github.com/openbsd/ports/tree/master/www/tor-browser, I have been thinking that in addition to having a command to generate source tarballs, if that's helpful it might be possible to add the openbsd www/tor-browser directory somewhere into tor-browser-build. Then we could have some make openbsd-port-release command that would generate an updated www/tor-browser directory with:

• Makefile files for tor-browser, browser, https-everywhere, noscript, tor-launcher, torbutton with updated version numbers
• distinfo files for browser, https-everywhere, noscript, tor-launcher, torbutton with updated SHA256SUM and SIZE
• tor-browser/browser/files/extension-overrides.js file with updated list of bridges and other prefs

Then the openbsd port release process could be something like:

• checkout the new tor browser version tag in tor-browser-build
• run make openbsd-port-release
• upload source tarballs somewhere
• copy updated www/tor-browser to openbsd ports tree
• go to the openbsd ports tree, start the build and commit the changes

I started working on this in branch bug_25876_v2: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v2&id=6013d37fda456b987fe1f5e3262340f2a28d30b0

$ make openbsd-port-alpha
git submodule update --init
./rbm/rbm build openbsd-port --target alpha
Building project tor-browser - src-tarballs-8.0a6-build1-build1-9e0027
Using directory /home/boklm/tor-browser-build/projects/tor-browser/Bundle-Data
Building project torbutton - torbutton-1.9.9.1-c33dea.xpi
Tag 1.9.9.1 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-MswRJ/torbutton-1.9.9.1.tar.gz
Build log: /home/boklm/tor-browser-build/logs/torbutton.log
Finished build of project torbutton - torbutton-1.9.9.1-c33dea.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/torbutton/torbutton-1.9.9.1-c33dea.xpi
Building project tor-launcher - tor-launcher-0.2.15.1-01c01f.xpi
Tag 0.2.15.1 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-KUjp3/tor-launcher-0.2.15.1.tar.gz
Build log: /home/boklm/tor-browser-build/logs/tor-launcher.log
Finished build of project tor-launcher - tor-launcher-0.2.15.1-01c01f.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/tor-launcher/tor-launcher-0.2.15.1-01c01f.xpi
Building project firefox - tor-browser-52.7.3esr-8.0-1-build2.tar.gz
Tag tor-browser-52.7.3esr-8.0-1-build2 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-HPgTn/firefox-90e16dd25b6e.tar.gz
Build log: /home/boklm/tor-browser-build/logs/firefox.log
Finished build of project firefox - tor-browser-52.7.3esr-8.0-1-build2.tar.gz
Using file /home/boklm/tor-browser-build/out/openbsd-port/firefox/tor-browser-52.7.3esr-8.0-1-build2.tar.gz
converted 'https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi' (ANSI_X3.4-1968) -> 'https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi' (UTF-8)
--2018-04-25 16:27:04--  https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi
Resolving secure.informaction.com (secure.informaction.com)... 69.195.158.197, 69.195.158.196, 69.195.158.195, ...
Connecting to secure.informaction.com (secure.informaction.com)|69.195.158.197|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 789174 (771K) [application/x-xpinstall]
Saving to: '/home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi'

/home/boklm/tor-browser-build/out/openbsd- 100%[=======================================================================================>] 770.68K  1.26MB/s   in 0.6s   

2018-04-25 16:27:05 (1.26 MB/s) - '/home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi' saved [789174/789174]

Using file /home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi
Building project https-everywhere - https-everywhere-2018.4.11-6efcd6.xpi
Tag 2018.4.11 is signed with key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677
Created /home/boklm/tor-browser-build/tmp/rbm-G1sBy/https-everywhere-2018.4.11.tar.gz
Build log: /home/boklm/tor-browser-build/logs/https-everywhere.log
Finished build of project https-everywhere - https-everywhere-2018.4.11-6efcd6.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/https-everywhere/https-everywhere-2018.4.11-6efcd6.xpi
Build log: /home/boklm/tor-browser-build/logs/tor-browser.log
Finished build of project tor-browser - src-tarballs-8.0a6-build1-build1-9e0027
Using directory /home/boklm/tor-browser-build/out/openbsd-port/tor-browser/src-tarballs-8.0a6-build1-build1-9e0027
Build log: /home/boklm/tor-browser-build/logs/openbsd-port.log
$ ls -l alpha/openbsd-port/8.0a6-build1/src-tarballs/
total 296952
-rw-r--r-- 1 boklm boklm   1646514 Apr 25 18:27 https-everywhere-2018.4.11-6efcd6.xpi
-rw-r--r-- 1 boklm boklm    789174 Apr 25 18:27 noscript-5.1.8.5.xpi
-rw-r--r-- 1 boklm boklm 299179260 Apr 25 18:27 tor-browser-52.7.3esr-8.0-1-build2.tar.gz
-rw-r--r-- 1 boklm boklm    953652 Apr 25 18:27 tor-browser-bundle-data-8.0a6-build1.tar.gz
-rw-r--r-- 1 boklm boklm    843424 Apr 25 18:27 torbutton-1.9.9.1-c33dea.xpi
-rw-r--r-- 1 boklm boklm    657322 Apr 25 18:27 tor-launcher-0.2.15.1-01c01f.xpi

I don't know if it works when running on OpenBSD, but if not, I think we could try to fix it.

If you think that could be useful, I can also add a copy of www/tor-browser to projects/openbsd-port and make it updated by make openbsd-port-alpha.

I'm sorry to rain on your parade but really none of that would help me at all. All I really need are source tarballs. Signed not necessary. Checksums would be good.

That's it. Really.

If we decide to publish source tarballs, then branch bug_25876_v4 can be used for that: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v4&id=e7f96823c16fb9f15302a1d6464af10e573e6198

With an example of the tarballs it creates: https://people.torproject.org/~boklm/tmp/bug_25876/8.0a6-build1/

I am not sure if we should upload that to dist.torproject.org, or some other place.

How long should we keep each release online? Is it enough if we only keep the last 2 releases?

#27242 (moved) is a duplicate.

Trac:
Cc: N/A to w3ICKRsTMaxPeO

Hi tor devs, I greatly appreciate your work.

The bug so far seems to concern bsd. My use-case is different (porting to Gentoo GNU/Linux), but for that I also need source tarball.

For Gentoo, the browser part, torbutton, and tor-launcher would also suffice.

There are already at least 3 efforts to port torbrowser to Gentoo: https://cgit.gentoo.org/proj/mozilla.git/tree/www-client/torbrowser https://github.com/MeisterP/torbrowser-overlay https://github.com/4nykey/4nykey/tree/master/www-client/torbrowser

All of them would benefit from official source tarballs with stable hash, because Gentoo is a source-based distro. That means torbrowser sources need to be fetched and compiled by each user when installing. Hash verification is needed for reasons of security and quality assurance.

dist.torproject.org sounds like a stable, official place to fetch source tarballs from, so please put them there.

Keeping the last 2 releases suffices for Gentoo, which has a mirroring system, which will keep copies for as long as needed. The only requirement is that a given source URL has a constant hash over time.

I believe the 'needs_information' tag is no longer valid. Please remove it so that tor devs don't think the bug waits for user input.

Trac:
Username: w3ICKRsTMaxPeO

@devs, can you please remove the 'needs_information' tag, so devs don't ignore this bug?

Trac:
Username: w3ICKRsTMaxPeO

Replying to boklm:

If we decide to publish source tarballs, then branch bug_25876_v4 can be used for that: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v4&id=e7f96823c16fb9f15302a1d6464af10e573e6198

I rebased this patch on master, in branch bug_25876_v5: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v5&id=ee759bad2b293fa1700ee463575f2618ed07111b

With this patch, we can run src-tarballs-{release,alpha}, which create source tarballs in directory {alpha,release}/src-tarballs/$TORBROWSER_VERSION.

However, it might be easier if we just put those files into the normal bundle directory, so that we can sign and publish them like the other bundles. I will make a revision of the patch doing that.

Trac:
Status: needs_information to needs_revision
Keywords: N/A deleted, tbb-rbm, TorBrowserTeam201903 added

attila: Are you good if we only keep the latest two releases? And putting them on dist.torproject.org would work as well for you?

There is a patch for review in branch bug_25876_v9: https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v9&id=1b79a12ecc1b918c379c29b58954d2680672e201

With this patch we generate source tarballs during build, and include them in sha256sums-unsigned-build.txt. Currently it generates the following files:

src-firefox-tor-browser-60.5.1esr-8.5-1-build2.tar.xz
src-tor-launcher-0.2.18.tar.xz
src-torbutton-2.1.4.tar.xz

Trac:
Status: needs_revision to needs_review
Keywords: TorBrowserTeam201903 deleted, TorBrowserTeam201903R added

Looks good. Let's test this in the upcoming alpha. Merged to ´master` with commit f44c5d73cfe8d47a6394939e9c237cfbd45a0c5f.

Trac:
Status: needs_review to closed
Resolution: N/A to fixed

Replying to gk:

attila: Are you good if we only keep the latest two releases? And putting them on dist.torproject.org would work as well for you?

Sorry for the belated reply. Yes, this would work great. I see this is happening for the alpha releases already! Looking forward to dropping my git-wrangling when this hits the stable releases as well... thanks a lot.

closed

mentioned in issue #25877 (moved)

mentioned in issue #25878 (moved)

mentioned in issue #27242 (moved)

mentioned in issue #29661 (moved)

mentioned in issue tpo/applications/tor-launcher#25878 (closed)

moved to tpo/applications/tor-browser#25876 (closed)

mentioned in issue tpo/applications/tor-browser#29661 (closed)

mentioned in issue tpo/applications/torbutton#25877 (closed)