Opened 8 weeks ago

Closed 8 weeks ago

#33761 closed task (fixed)

Remove unnecessary dependencies of Snowflake from Tor Browser

Reported by: cohosh
Owned by:
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: TorBrowserTeam202004R, tbb-9.5a10
Cc: cohosh, phw, arlolra, dcf, sysrqb
Actual Points:
Parent ID:
Points: 1
Reviewer:
Sponsor:

Description

pion/webrtc brings in a lot of dependencies for Tor Browser, and many of these are for unused features. Specifically, we never use pion/quic, and its dependency on quic-go has the potential to cause us a lot of headache in the future (see #33745).

Attachments (1)

0001-Disable-experimental-quic-features-of-ORTC.patch (19.0 KB) - added by cohosh 8 weeks ago.

Change History (11)

comment:1 Changed 8 weeks ago by dcf

Is it necessary to patch the source? Or could we just remove the dependencies from projects/pion-webrtc/config and delete the projects? It seems to me that the quic parts of pion-webrtc are not built by default; all the involved files have a +build quic build constraint. In the upstream CI they have to specifically pass -tags quic to go build.

On the other hand, if in #28325 the Tor Browser team starts using go.mod files directly for dependency tracking (as we are kind of currently doing with the gomodtorbm script), then it makes sense to patch the source and get a new go.mod, as you've done.

What tor-browser-build projects does it allow to be removed? My reckoning from a quick grep is pion-quic, quic-go, genny, ginkgo, gomega, gomock, qtls.
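
The build-constraint point raised in comment:1, as an added example that is not part of the ticket, of tor-browser-build, or of pion/webrtc: a Go program that evaluates `+build` / `go:build` lines to list which imports are reachable with and without the `quic` tag. The sample files and their import paths are constructed, and the function names are hypothetical.

```go
package main

import (
	"fmt"
	"go/build/constraint"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// Constructed sample files (not pion/webrtc source; import paths are made up).
var sampleFiles = map[string]string{
	"datachannel.go":   "package webrtc\n\nimport \"example.org/sctp\"\n",
	"quictransport.go": "// +build quic\n\npackage webrtc\n\nimport \"example.org/quic-go\"\n",
}

// included reports whether src is compiled when only the given tags are set
// (implicit tags such as GOOS/GOARCH are not modelled; that is an assumption).
func included(src string, tags map[string]bool) bool {
	// Constraints only count before the package clause.
	header, _, _ := strings.Cut("\n"+src, "\npackage ")
	for _, line := range strings.Split(header, "\n") {
		// Lines that are not parseable constraints are skipped.
		expr, err := constraint.Parse(strings.TrimSpace(line))
		if err == nil && !expr.Eval(func(t string) bool { return tags[t] }) {
			return false // every constraint line must hold
		}
	}
	return true
}

// reachableImports returns the sorted import paths of the files built under tags.
func reachableImports(files map[string]string, tags map[string]bool) []string {
	seen, out := map[string]bool{}, []string{}
	for name, src := range files {
		if f, err := parser.ParseFile(token.NewFileSet(), name, src, parser.ImportsOnly); err == nil && included(src, tags) {
			for _, imp := range f.Imports {
				if p := strings.Trim(imp.Path.Value, "\"`"); !seen[p] {
					seen[p], out = true, append(out, p)
				}
			}
		}
	}
	sort.Strings(out)
	return out
}

func main() {
	fmt.Println(reachableImports(sampleFiles, nil), reachableImports(sampleFiles, map[string]bool{"quic": true}))
}
```

An import path that appears only in the tagged result is a candidate for removal from a build that never passes that tag; a full Tor Browser build, as done in comment:3, is still the confirmation.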

comment:2 Changed 8 weeks ago by dcf

By the way, thanks for tracking this down.

comment:3 in reply to:  1 Changed 8 weeks ago by cohosh

Replying to dcf:

> Is it necessary to patch the source? Or could we just remove the dependencies from projects/pion-webrtc/config and delete the projects? It seems to me that the quic parts of pion-webrtc are not built by default; all the involved files have a +build quic build constraint. In the upstream CI they have to specifically pass -tags quic to go build.

Thanks for pointing this out. I've started a Tor Browser build to test this.

> On the other hand, if in #28325 the Tor Browser team starts using go.mod files directly for dependency tracking (as we are kind of currently doing with the gomodtorbm script), then it makes sense to patch the source and get a new go.mod, as you've done.

Interestingly, even this didn't remove all the dependencies it could have from go.sum.

> What tor-browser-build projects does it allow to be removed? My reckoning from a quick grep is pion-quic, quic-go, genny, ginkgo, gomega, gomock, qtls.

Looks like 11 projects, at least:
genny, ginkgo, gofsnotify, gomega, gomock, gotail, gotomb, goxtools, pion-quic, quic-go, qtls

Last edited 8 weeks ago by cohosh

comment:4 Changed 8 weeks ago by cohosh

Status: new → needs_review

You were right, we don't even need to patch the source.

Here's a patch that removes 11 unnecessary projects from Tor Browser: https://gitweb.torproject.org/user/cohosh/tor-browser-build.git/commit/?h=ticket/33761&id=515c2eb30db1ee37f39ac8126f948d4b244a11cc

comment:5 Changed 8 weeks ago by dcf

Status: needs_review → merge_ready

It looks good to me. Thanks for undertaking to check with a Tor Browser build.

comment:6 Changed 8 weeks ago by cohosh

Cc: sysrqb added
Component: Circumvention/Snowflake → Applications/Tor Browser

comment:7 Changed 8 weeks ago by cohosh

Status: merge_ready → needs_review

comment:8 Changed 8 weeks ago by gk

Keywords: TorBrowserTeam202004R added

comment:9 Changed 8 weeks ago by sysrqb

Keywords: tbb-9.5a10 added

comment:10 Changed 8 weeks ago by sysrqb

Resolution: fixed
Status: needs_review → closed

Looks okay to me. Cherry-picked as commit 499d7c746833b90621a82a74bb52c2e780e3837e on master.