Opened 9 months ago

Last modified 4 months ago

#25876 needs_information task

Source release tarballs for Tor Browser

Reported by: attila
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: w3ICKRsTMaxPeO
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Would greatly help with porting efforts if there were official source tarballs.

Change History (10)

comment:1 Changed 9 months ago by gk

Status: new → needs_information

You mean a source tarball just for the browser part or for the whole bundle, including things like pluggable transports, the browser profile, tor, etc.?

comment:2 Changed 9 months ago by boklm

If the need is to create tarballs for the components that are currently at https://bits.torbsd.org/pub/OpenBSD/distfiles/, then I think we could easily add to tor-browser-build some make commands such as make src-tarballs-alpha and make src-tarballs-release that would generate tarballs for those components (firefox, tor-launcher and torbutton). When you need to update the OpenBSD port, you can then run this and upload the tarballs somewhere. Would that be enough?

comment:3 in reply to:  1 Changed 9 months ago by gk

Replying to gk:

You mean a source tarball just for the browser part or for the whole bundle, including things like pluggable transports, the browser profile, tor, etc.?

Okay, answering my own question: looking at the related tickets (#25877 and #25878) it seems only the browser part, torbutton, and tor-launcher are requested.

comment:4 Changed 9 months ago by boklm

Some other idea, maybe for a different ticket: after looking a little at https://github.com/openbsd/ports/tree/master/www/tor-browser, I have been thinking that in addition to having a command to generate source tarballs, if that's helpful it might be possible to add the openbsd www/tor-browser directory somewhere into tor-browser-build. Then we could have some make openbsd-port-release command that would generate an updated www/tor-browser directory with:

  • Makefile files for tor-browser, browser, https-everywhere, noscript, tor-launcher, torbutton with updated version numbers
  • distinfo files for browser, https-everywhere, noscript, tor-launcher, torbutton with updated SHA256SUM and SIZE
  • tor-browser/browser/files/extension-overrides.js file with updated list of bridges and other prefs

Then the openbsd port release process could be something like:

  • checkout the new tor browser version tag in tor-browser-build
  • run make openbsd-port-release
  • upload source tarballs somewhere
  • copy updated www/tor-browser to openbsd ports tree
  • go to the openbsd ports tree, start the build and commit the changes

comment:5 Changed 9 months ago by boklm

I started working on this in branch bug_25876_v2:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v2&id=6013d37fda456b987fe1f5e3262340f2a28d30b0

$ make openbsd-port-alpha
git submodule update --init
./rbm/rbm build openbsd-port --target alpha
Building project tor-browser - src-tarballs-8.0a6-build1-build1-9e0027
Using directory /home/boklm/tor-browser-build/projects/tor-browser/Bundle-Data
Building project torbutton - torbutton-1.9.9.1-c33dea.xpi
Tag 1.9.9.1 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-MswRJ/torbutton-1.9.9.1.tar.gz
Build log: /home/boklm/tor-browser-build/logs/torbutton.log
Finished build of project torbutton - torbutton-1.9.9.1-c33dea.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/torbutton/torbutton-1.9.9.1-c33dea.xpi
Building project tor-launcher - tor-launcher-0.2.15.1-01c01f.xpi
Tag 0.2.15.1 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-KUjp3/tor-launcher-0.2.15.1.tar.gz
Build log: /home/boklm/tor-browser-build/logs/tor-launcher.log
Finished build of project tor-launcher - tor-launcher-0.2.15.1-01c01f.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/tor-launcher/tor-launcher-0.2.15.1-01c01f.xpi
Building project firefox - tor-browser-52.7.3esr-8.0-1-build2.tar.gz
Tag tor-browser-52.7.3esr-8.0-1-build2 is signed with key 35CD74C24A9B15A19E1A81A194373AA94B7C3223
Created /home/boklm/tor-browser-build/tmp/rbm-HPgTn/firefox-90e16dd25b6e.tar.gz
Build log: /home/boklm/tor-browser-build/logs/firefox.log
Finished build of project firefox - tor-browser-52.7.3esr-8.0-1-build2.tar.gz
Using file /home/boklm/tor-browser-build/out/openbsd-port/firefox/tor-browser-52.7.3esr-8.0-1-build2.tar.gz
converted 'https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi' (ANSI_X3.4-1968) -> 'https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi' (UTF-8)
--2018-04-25 16:27:04--  https://secure.informaction.com/download/releases/noscript-5.1.8.5.xpi
Resolving secure.informaction.com (secure.informaction.com)... 69.195.158.197, 69.195.158.196, 69.195.158.195, ...
Connecting to secure.informaction.com (secure.informaction.com)|69.195.158.197|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 789174 (771K) [application/x-xpinstall]
Saving to: '/home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi'

/home/boklm/tor-browser-build/out/openbsd- 100%[=======================================================================================>] 770.68K  1.26MB/s   in 0.6s   

2018-04-25 16:27:05 (1.26 MB/s) - '/home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi' saved [789174/789174]

Using file /home/boklm/tor-browser-build/out/openbsd-port/tor-browser/noscript-5.1.8.5.xpi
Building project https-everywhere - https-everywhere-2018.4.11-6efcd6.xpi
Tag 2018.4.11 is signed with key 1073E74EB38BD6D19476CBF8EA9DBF9FB761A677
Created /home/boklm/tor-browser-build/tmp/rbm-G1sBy/https-everywhere-2018.4.11.tar.gz
Build log: /home/boklm/tor-browser-build/logs/https-everywhere.log
Finished build of project https-everywhere - https-everywhere-2018.4.11-6efcd6.xpi
Using file /home/boklm/tor-browser-build/out/openbsd-port/https-everywhere/https-everywhere-2018.4.11-6efcd6.xpi
Build log: /home/boklm/tor-browser-build/logs/tor-browser.log
Finished build of project tor-browser - src-tarballs-8.0a6-build1-build1-9e0027
Using directory /home/boklm/tor-browser-build/out/openbsd-port/tor-browser/src-tarballs-8.0a6-build1-build1-9e0027
Build log: /home/boklm/tor-browser-build/logs/openbsd-port.log
$ ls -l alpha/openbsd-port/8.0a6-build1/src-tarballs/
total 296952
-rw-r--r-- 1 boklm boklm   1646514 Apr 25 18:27 https-everywhere-2018.4.11-6efcd6.xpi
-rw-r--r-- 1 boklm boklm    789174 Apr 25 18:27 noscript-5.1.8.5.xpi
-rw-r--r-- 1 boklm boklm 299179260 Apr 25 18:27 tor-browser-52.7.3esr-8.0-1-build2.tar.gz
-rw-r--r-- 1 boklm boklm    953652 Apr 25 18:27 tor-browser-bundle-data-8.0a6-build1.tar.gz
-rw-r--r-- 1 boklm boklm    843424 Apr 25 18:27 torbutton-1.9.9.1-c33dea.xpi
-rw-r--r-- 1 boklm boklm    657322 Apr 25 18:27 tor-launcher-0.2.15.1-01c01f.xpi

I don't know if it works when running on OpenBSD, but if not, I think we could try to fix it.

If you think that could be useful, I can also add a copy of www/tor-browser to projects/openbsd-port and make it updated by make openbsd-port-alpha.

comment:6 Changed 9 months ago by attila

I'm sorry to rain on your parade but really *none* of that would help me at all. All I really need are source tarballs. Signed not necessary. Checksums would be good.

That's it. Really.

comment:7 Changed 9 months ago by boklm

If we decide to publish source tarballs, then branch bug_25876_v4 can be used for that:
https://gitweb.torproject.org/user/boklm/tor-browser-build.git/commit/?h=bug_25876_v4&id=e7f96823c16fb9f15302a1d6464af10e573e6198

With an example of the tarballs it creates:
https://people.torproject.org/~boklm/tmp/bug_25876/8.0a6-build1/

I am not sure if we should upload that to dist.torproject.org, or some other place.

How long should we keep each release online? Is it enough if we only keep the last 2 releases?

comment:8 Changed 5 months ago by gk

Cc: w3ICKRsTMaxPeO added

#27242 is a duplicate.

comment:9 Changed 5 months ago by w3ICKRsTMaxPeO

Hi tor devs, I greatly appreciate your work.

The bug so far seems to concern BSD. My use-case is different (porting to Gentoo GNU/Linux), but for that I also need a source tarball.

For Gentoo, the browser part, torbutton, and tor-launcher would also suffice.

There are already at least 3 efforts to port torbrowser to Gentoo:
https://cgit.gentoo.org/proj/mozilla.git/tree/www-client/torbrowser
https://github.com/MeisterP/torbrowser-overlay
https://github.com/4nykey/4nykey/tree/master/www-client/torbrowser

All of them would benefit from official source tarballs with a stable hash, because Gentoo is a source-based distro. That means torbrowser sources need to be fetched and compiled by each user when installing. Hash verification is needed for reasons of security and quality assurance.

dist.torproject.org sounds like a stable, official place to fetch source tarballs from, so please put them there.

Keeping the last 2 releases suffices for Gentoo, which has a mirroring system, which will keep copies for as long as needed. The only requirement is that a given source URL has a constant hash over time.

I believe the 'needs_information' tag is no longer valid. Please remove it so that tor devs don't think the bug waits for user input.
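
The checksum requirement raised in comments 4 and 9, as an added example (not code from this ticket or from tor-browser-build): it writes SHA256 and SIZE entries for a set of tarballs in the line layout of OpenBSD ports distinfo files, then re-checks files against those pinned values so that a tarball re-rolled under the same name is reported. The file name and contents used in demo() are constructed.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path

# distinfo lines as used by OpenBSD ports: base64 SHA256 digest plus byte size
LINE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")

def digest_and_size(path, chunk=1 << 20):
    """Stream in 1 MiB blocks so a large source tarball is never held in memory."""
    h, size = hashlib.sha256(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return base64.b64encode(h.digest()).decode("ascii"), size

def make_distinfo(paths):
    out = []
    for p in sorted(paths):
        b64, size = digest_and_size(p)
        out += [f"SHA256 ({Path(p).name}) = {b64}", f"SIZE ({Path(p).name}) = {size}"]
    return "\n".join(out) + "\n"

def verify(distinfo, directory):  # name -> ok / missing / size mismatch / hash mismatch
    pinned = {}
    for m in filter(None, map(LINE.match, distinfo.splitlines())):
        pinned.setdefault(m[2], {})[m[1]] = m[3]
    result = {}
    for name, want in pinned.items():
        path = Path(directory) / name
        if not path.is_file():
            result[name] = "missing"
            continue
        b64, size = digest_and_size(path)
        if want.get("SIZE") != str(size):
            result[name] = "size mismatch"
        else:  # an entry without a SHA256 line also fails here (fail closed)
            result[name] = "ok" if want.get("SHA256") == b64 else "hash mismatch"
    return result

def demo():  # constructed sample: a tarball re-rolled under the same name and size
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "component-1.0.tar.gz"  # hypothetical file name
        tarball.write_bytes(b"release bytes v1")
        pinned = make_distinfo([tarball])
        before = verify(pinned, d)
        tarball.write_bytes(b"release bytes v2")  # same name, new contents
        return pinned, before, verify(pinned, d)
```

Because the second write keeps the size identical, only the digest comparison catches the change, which is why a size check alone is not enough for the "constant hash over time" requirement.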

comment:10 Changed 4 months ago by w3ICKRsTMaxPeO

@devs, can you please remove the 'needs_information' tag, so devs don't ignore this bug?
