Opened 2 months ago

Last modified 2 months ago

#32024 new defect

In tor-android-services, document where the code we imported comes from

Reported by: boklm Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-mobile
Cc: sisbell Actual Points:
Parent ID: #32069 Points:
Reviewer: Sponsor:

Description

In tor-android-service, we have commit 36f9873ff075253f4c1c9e394c91031fd4ba9d4a which is adding a bunch of code:
https://gitweb.torproject.org/tor-android-service.git/commit/?id=36f9873ff075253f4c1c9e394c91031fd4ba9d4a

However it seems that this code has been taken from various other places, but there is no indication of where.

Ideally we would have kept history of the projects we imported code from (for example with git filter-branch), or just used sub-modules if we did not modify them. But since we didn't do that, I think we should at least put somewhere the information about where all the code we include comes from.

For example the jsocksAndroid directory seems to be imported from https://github.com/guardianproject/jsocks or maybe https://github.com/ravn/jsocks, but there is no indication of that, or which commit was used. The directory service/ looks similar to https://github.com/guardianproject/orbot/tree/master/orbotservice, but there is no indication that it was imported from there, or which commit was used.

I am also wondering why we have both jsocksAndroid/ and external/jsocks/.

We also have a LICENSE file containing the Apache License, but it is unclear to what it applies since this is neither the license of Orbot of jsocks.

Child Tickets

Change History (4)

comment:1 Changed 2 months ago by gk

Keywords: tbb-mobile added

comment:2 Changed 2 months ago by sisbell

Parent ID: #32069

comment:3 Changed 2 months ago by sisbell

In regards to jSocks, that will be removed #32075

comment:4 Changed 2 months ago by sisbell

I can tell from the history of changes that I took the commit from Dec 14th, 2018.

2c59c8489bc6302f2417448d8fad519b3c0a423b

In regards to licensing, this is a much bigger issue than just tor-android-service. We should be including a licensing page in the Android version of Tor Browser, which means we will need to track the licenses of all dependencies, including gradle dependencies. There are some plugins which can help pull this in.

Orbot has its file here: https://github.com/guardianproject/orbot/blob/master/LICENSE (although this isn't complete from a binary dependency issue, just the main ones).

The Apache License would just cover the changes I made to Orbot, while those bits that are not changed are covered by a compatible BSD style liscense.(if we have a Tor license I can put that in instead).

Note: See TracTickets for help on using tickets.