| 1 | | UNFINISHED DRAFT! |
| 2 | | |
| 3 | | = Current situation in Debian = |
| 4 | | |
| 5 | | * If you install TorBirdy + Thunderbird you will use system-wide tor. |
| 6 | | * If you install torbrowser-launcher you will use TBB's bundled tor, not a system-wide instance even if available. |
| 7 | | * If you install onionshare it depends on torbrowser-launcher and on TBB to be running. |
| 8 | | |
| 9 | | => not very consistent, several tor configurations => confused users. |
| 10 | | |
| 11 | | = Two solutions = |
| 12 | | |
| 13 | | * One system-wide instance |
| 14 | | |
| 15 | | * Spin up one instance per application |
| 16 | | |
| 17 | | See trade-offs: https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMeeting/TorProcessShare |
| 18 | | |
| 19 | | We are leaning towards "One system-wide instance" on Linux, possibly as a first step towards the "Spin up one instance per application" approach. So, from now on, we'll have "One system-wide instance" as a goal on Linux. |
| 20 | | |
| 21 | | = Security = |
| 22 | | |
| 23 | | We don't want each application to have full access to the system-wide tor's control port, so we need to use onion-grater, and ship a profile for each application. |
| 24 | | |
| 25 | | XXX: elaborate why full control port access for all applications is a terrible idea. |
| 26 | | |
| 27 | | = Best practices = |
| 28 | | |
| 29 | | == Linux == |
| 30 | | |
| 31 | | === For packagers === |
| 32 | | |
| 33 | | * Patch or reconfigure the application to use the system-wide Tor. |
| 34 | | * Depends: onion-grater |
| 35 | | * Provide a profile for onion-grater and AppArmor |
| 36 | | |
| 37 | | XXX: elaborate on these dependencies. |
| 38 | | |
| 39 | | XXX: we don't have a solution for when AppArmor is not enabled. |
| 40 | | |
| 41 | | === For application developers === |
| 42 | | |
| 43 | | XXX: set a socks user name for stream isolation (IsolateSOCKSAuth) |
| 44 | | |
| 45 | | If your application is packaged in distros: Include a system-wide (in /etc) configuration toggle for using a system-wide tor instance instead of a potentially bundled tor. |
| 46 | | |
| 47 | | Otherwise: get it packaged in distros if realistic, otherwise fallback to the Windows/TBB approach => start your own tor process. |
| 48 | | |
| 49 | | == Windows == |
| 50 | | |
| 51 | | Start your own tor process. |
| 52 | | |
| 53 | | = What about configuration sharing? = |
| 54 | | |
| 55 | | XXX: specify how this should work. Probably by writing the settings to some file all applications will look at first. |
| 56 | | |
| 57 | | == Linux == |
| 58 | | |
| 59 | | When we allow two cases, i.e. system-wide tor, and bundled tor, we need a way for all applications to still use the same tor configuration to connect to the Tor network (proxy, pluggable transport). |
| 60 | | |
| 61 | | == Windows == |
| 62 | | |
| 63 | | All apps run their own Tor but should share the tor configuration for connecting to the Tor network. |
