From debbugs-submit-bounces@debbugs.gnu.org Wed Jul 15 17:16:31 2020 Received: (at submit) by debbugs.gnu.org; 15 Jul 2020 21:16:32 +0000 Received: from localhost ([127.0.0.1]:53766 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jvolI-0004MI-Ta for submit@debbugs.gnu.org; Wed, 15 Jul 2020 17:16:31 -0400 Received: from lists.gnu.org ([209.51.188.17]:35540) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jvolE-0004M8-8X for submit@debbugs.gnu.org; Wed, 15 Jul 2020 17:16:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56368) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvolE-0005N5-2q for guix-patches@gnu.org; Wed, 15 Jul 2020 17:16:16 -0400 Received: from mx1.riseup.net ([198.252.153.129]:44422) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvol7-0007K9-Sy for guix-patches@gnu.org; Wed, 15 Jul 2020 17:16:15 -0400 Received: from capuchin.riseup.net (capuchin-pn.riseup.net [10.0.1.176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4B6VYM1ztKzFdxM for ; Wed, 15 Jul 2020 14:16:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1594847767; bh=SVlWcFrq/mhJe4ruNJLi/VsrCx9CxMLmIyB5MaQth2U=; h=Date:From:To:Subject:From; b=Xc0ks9PPkX03eqt8X8m7jkV+fWNlvtIWugTpgQOP82aAkL/Xq86ygNFjK3sevY0ev 3koO+hBZxEj+GO7ctDVl8xcfJNZJUg0sbs03LvbhSYCjbGx6bxKGunoQZbXKqN6CBp YbzILPve5XNA+U5THSfPZX1pk3XSV7gvwstmhDC0= X-Riseup-User-ID: 8CB70C45CD92722A3A815FDFEAC3B41DFF70BFD506D1B2428183B4D40B040602 Received: from [127.0.0.1] (localhost [127.0.0.1]) by capuchin.riseup.net (Postfix) with ESMTPSA id 4B6VYJ3R9Gz8sjr for ; Wed, 15 Jul 2020 14:16:03 -0700 (PDT) Date: Wed, 15 Jul 2020 18:15:47 -0300 From: =?iso-8859-1?Q?Andr=E9?= Batista To: guix-patches@gnu.org Subject: [WIP] gnu: Add torbrowser-unbundle. Message-ID: <20200715211547.GA17146@andel> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Pd0ReVV5GZGQvF3a" Content-Disposition: inline Received-SPF: pass client-ip=198.252.153.129; envelope-from=nandre@riseup.net; helo=mx1.riseup.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/15 17:16:07 X-ACL-Warn: Detected OS = Linux 3.11 and newer X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-Spam-Score: -1.4 (-) X-Debbugs-Envelope-To: submit X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -0.1 (/) --Pd0ReVV5GZGQvF3a Content-Type: multipart/mixed; boundary="6c2NcOVqGQ03X4Wi" Content-Disposition: inline --6c2NcOVqGQ03X4Wi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Hello Guix! The patch bellow adds a torbrowser-unbundle variable, but it needs a bit of working before merging into master. I've inserted many comments on the code regarding issues which need attention and questions that remained. I've decided to send this early notice so I can ask some questions and get criticism before I go too deep on the wrong direction. As the name implies it does not bundle tor and to use it, you need to have a properly configured system instance. You also need to configure a ControlPort and a HashedControlPassword if you want to be able to get new identities while browsing and if you don't want to keep seeing a warning on startup page. It will create/change permissions on ${HOME}/Data and use the native Downloads dir. It does not have bundled fonts, so you will be fingerprintable on levels bellow safest. It does not have support for obfs4 bridges yet. There is no startup script for now, you are advised to invoke it with '--class "Tor Browser"'. Now for the questions: - Should it keep unbundled? If so, should we try to unbundle the https-everywhere and noscript extensions? - Is it acceptable to use to use the noscript .xpi, instead of building? Upstream just grabs it from addons.mozilla. There does not appear to be blobs and the GPL full text is inside it. - Should we try change the app name at build time or is it enough to adapt the name of the startup script (which is not the for now, but is certainly needed)? - Any other things that I've been blind to? If you don't have time to review the code, but has processing power available, build it with rounds=2 or try to cross compile for i686 and comment back. Thanks, --6c2NcOVqGQ03X4Wi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline; filename="0001-gnu-Add-torbrowser-unbundle.patch" Content-Transfer-Encoding: quoted-printable =46rom 2a9d31c9422de3d7486da6c2ef3e15c3496c7e69 Mon Sep 17 00:00:00 2001 =46rom: =3D?UTF-8?q?Andr=3DC3=3DA9=3D20Batista?=3D Date: Wed, 15 Jul 2020 17:24:04 -0300 Subject: [PATCH] gnu: Add torbrowser-unbundle. To: guix-patches@gnu.org * gnu/packages/tor.scm (torbrowser-unbundle): New variable. --- gnu/packages/tor.scm | 634 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 633 insertions(+), 1 deletion(-) diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm index c852c54a5b..528a528403 100644 --- a/gnu/packages/tor.scm +++ b/gnu/packages/tor.scm @@ -49,7 +49,49 @@ #:use-module (gnu packages qt) #:use-module (gnu packages autotools) #:use-module (gnu packages tls) - #:use-module (gnu packages w3m)) + #:use-module (gnu packages w3m) + ;; New flags start here. Verify if they are all needed. + #:use-module ((srfi srfi-1) #:hide (zip)) + #:use-module (ice-9 match) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix gexp) + #:use-module (guix store) + #:use-module (guix monads) + #:use-module (guix build-system cargo) + #:use-module (guix build-system trivial) + #:use-module (gnu packages admin) + #:use-module (gnu packages audio) + #:use-module (gnu packages autotools) + #:use-module (gnu packages bash) + #:use-module (gnu packages databases) + #:use-module (gnu packages glib) + #:use-module (gnu packages gtk) + #:use-module (gnu packages gnome) + #:use-module (gnu packages libcanberra) + #:use-module (gnu packages cups) + #:use-module (gnu packages kerberos) + #:use-module (gnu packages perl) + #:use-module (gnu packages compression) + #:use-module (gnu packages fontutils) + #:use-module (gnu packages libreoffice) ;for hunspell + #:use-module (gnu packages image) + #:use-module (gnu packages libffi) + #:use-module (gnu packages pulseaudio) + #:use-module (gnu packages node) + #:use-module (gnu packages xorg) + #:use-module (gnu packages gl) + #:use-module (gnu packages assembly) + #:use-module (gnu packages rust) + #:use-module (gnu packages rust-apps) + #:use-module (gnu packages llvm) + #:use-module (gnu packages nss) + #:use-module (gnu packages icu4c) + #:use-module (gnu packages video) + #:use-module (gnu packages xiph) + #:use-module (gnu packages xdisorg) + #:use-module (gnu packages readline) + #:use-module (gnu packages vim) ; for xxd + #:use-module (gnu packages sqlite)) =20 (define-public tor (package @@ -324,3 +366,593 @@ statistics and status reports on: =20 Potential client and exit connections are scrubbed of sensitive informatio= n.") (license license:gpl3+))) + +;; Imported from gnuzilla.scm, make it public there? +(define* (computed-origin-method gexp-promise hash-algo hash + #:optional (name "source") + #:key (system (%current-system)) + (guile (default-guile))) + "Return a derivation that executes the G-expression that results +from forcing GEXP-PROMISE." + (mlet %store-monad ((guile (package->derivation guile system))) + (gexp->derivation (or name "computed-origin") + (force gexp-promise) + #:graft? #f ;nothing to graft + #:system system + #:guile-for-build guile))) + +(define %torbrowser-version "68.10.0esr-9.5-1") +(define %torbrowser-build-id "20200709000000") ;must be of the form YYYYMM= DDhhmmss + +;; (Un)fortunatly TorBrowser has it's own reproducible build system - RBM = - which +;; automates the build process for them and compiles TorBrowser from a ran= ge of +;; repositories and produces a range of tarballs for different architectur= es and +;; locales. So we need to nit-pick what is needed for guix and produce our= own +;; tarball. See https://gitweb.torproject.org/builders/tor-browser-build.g= it/projects/\ +;; {tor-browser,firefox}/{build,config} for the rationale applied here. Wh= en built from its +;; unpatched repo, the 'mozconfig' is different and it errors out on missi= ng +;; torbutton source code. If we patch 'toolkit/moz.build', it compiles suc= cessfuly +;; but the browser does not run and even if it ran, it would be missing mo= st of +;; its funcionality. See also the Hacking on TorBrowser document for a hig= h level +;; introduction (https://trac.torproject.org/projects/tor/wiki/doc/TorBrow= ser/Hacking). +;; +;; WARNING: For now it still lacks the bundled fonts, obfs4 bridge and loc= ales. +;; If used on level below safest, the browser accessible fonts are fingerp= rintable. +;; On safest, it doesn't seem to be distinguishable from upstream bundle a= ccording +;; to https://panopticlick.eff.org. To access some features, users need to +;; configure the ControlPort and HashedControlPassword in system torrc and= set +;; TOR_CONTROL_PASSWD accordingly before launching the Browser (ControlPor= t defaults to +;; 9051). Without this, the browser will work (try https://check.torprojec= t.org) but +;; user is presented with a startup page that tells something is wrong. +(define torbrowser-source + (let* ((torbrowser-commit "75c2bb720d4ceb76231e8ecc3455754bf05ba19b") + (torbrowser-version %torbrowser-version) + (upstream-torbrowser-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/tor-browser.git") + (commit torbrowser-commit))) + (file-name (git-file-name "tor-browser" torbrowser-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "19sk46k2bqa72il46pdl534nk2g3fi6l7m7kbglddccxv19ck0k4")))) + + ;; Not used yet, mainly useful for references and for a patched s= tart-tor-browser + ;; script in the near future. + (torbrowser-build-commit "e94ba3a7677f7051a14b2304427ec8393a450fd= c") + (torbrowser-build-version "9.5") + (upstream-torbrowser-build-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/builders/tor-browser-bu= ild.git") + (commit torbrowser-build-commit))) + (file-name (git-file-name "tor-browser-build" torbrowser-build= -version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "1jgkrsckcjgr1lgcwahzdrcasmpghs2ppz6w80fya89pa5d6r0gv")))) + + (torbutton-commit "ebe2bedab44e38f18c7968bd327d99eef7660f34") + (torbutton-version "9.5") + (upstream-torbutton-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/torbutton.git") + (commit torbutton-commit))) + (file-name (git-file-name "torbutton" torbutton-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "03xdyszab1a8j98xv6440v4lq58jkfqgmhxc2a62qz8q085d2x83")))) + + (tor-launcher-commit "b4838d339a84c5ebebd91a0ba6b22d44ecda97b1") + (tor-launcher-version "0.2.21") + (upstream-tor-launcher-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/tor-launcher.git") + (commit tor-launcher-commit))) + (file-name (git-file-name "tor-launcher" tor-launcher-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "0xxwyw1j6dkm2a24kg1564k701p5ikfzs1f9n0gflvlzz9427haf")))) + + ;; TorBrowser uses its own git repo but it appears to be unpatche= d from upstream + ;; and it does no provide a tarball, so let's try upstream for no= w. + (https-everywhere-version "2020.5.20") + (upstream-https-everywhere-source + (origin + (method url-fetch) + (uri (string-append "https://github.com/EFForg/https-everywher= e/archive/" + https-everywhere-version ".tar.gz")) + ;; Substitute for hash syntax. + (sha256 + (base32 + "027lga3z0a4d7s95id861das7g0k29p7pqh9xd77jm87f7w4l763")))) + + ;; TorBrowser 9.5.1 actualy uses v11.0.32, but let's get latest r= elease. + ;; TorProject uses the .xpi instead of compiling the source code. + (noscript-xpi-version "11.0.34") + (upstream-noscript-xpi + (origin + (method url-fetch) + (uri (string-append "https://secure.informaction.com/download/= releases/noscript-" + noscript-xpi-version ".xpi")) + (sha256 + (base32 + "0y45925ms2bk9d42zbgwcdb2sif8kqlbaflkz15q08gi7vgki6km")))) + + ;; Not used for now. It uses curl to update TLDs at build time wh= ich will make + ;; the build unreproducible. Also it uses LWM::Simple module whic= h is not available + ;; on guix. Moreover, it complains about perl not having regexp c= apabilities. Patch + ;; build script, translate it to guile or just use the .xpi as up= stream does? + (noscript-version "11.0.34") + (upstream-noscript-source + (origin + (method url-fetch) + (uri (string-append "https://github.com/hackademix/noscript/ar= chive/" + noscript-version ".tar.gz")) + ;; Substitute for hash syntax. + (sha256 + (base32 + "1amhdwc62cnp1i7vx4zyqd7iyj52rcr5ks9a39viczpqgfgk7hfy"))))) + + ;; Now we bundle the grabbed sources. + (origin + (method computed-origin-method) + (file-name (string-append "torbrowser-" %torbrowser-version ".tar.xz= ")) + (sha256 #f) + (uri + (delay + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (let ((torbrowser-dir (string-append "torbrowser-" #$torbrow= ser-version)) + (torbutton-dir "toolkit/torproject/torbutton") + (tor-launcher-dir "browser/extensions/tor-launcher") + (tbb-scripts-dir "tbb-scripts") + (https-everywhere "https-everywhere.tar.gz") + (noscript "noscript.tar.gz") + (noscript-xpi "noscript.xpi")) + + (set-path-environment-variable + "PATH" '("bin") + (list #+(canonical-package bash) + #+(canonical-package xz) + #+(canonical-package tar))) + + (format #t "Copying torbrowser source to writable path ...= ~%") + (force-output) + (copy-recursively #+upstream-torbrowser-source + torbrowser-dir + #:log (%make-void-port "w")) + + (with-directory-excursion torbrowser-dir + (format #t "Setting torbutton to writable...~%") + (force-output) + (make-file-writable torbutton-dir) + + (format #t "Copying torbutton source to torbrowser...~%") + (force-output) + (copy-recursively #+upstream-torbutton-source + torbutton-dir + #:log (%make-void-port "w")) + + (format #t "Copying tor-launcher source to torbrowser...= ~%") + (force-output) + (copy-recursively #+upstream-tor-launcher-source + tor-launcher-dir + #:log (%make-void-port "w")) + + (format #t "Copying tor-browser-build source to torbrows= er...~%") + (force-output) + (mkdir tbb-scripts-dir) + (copy-recursively #+upstream-torbrowser-build-source + tbb-scripts-dir + #:log (%make-void-port "w")) + + (format #t "Copying https-everywhere source to torbrowse= r...~%") + (force-output) + (copy-file #+upstream-https-everywhere-source + https-everywhere) + + (format #t "Copying noscript source to torbrowser...~%") + (force-output) + (copy-file #+upstream-noscript-source + noscript) + + (format #t "Copying noscript xpi to torbrowser...~%") + (force-output) + (copy-file #+upstream-noscript-xpi + "noscript.xpi")) + + (invoke "tar" "cvfa" #$output + ;; Avoid non-determinism in the archive. For now j= ust copy icecat timestamp. + "--mtime=3D@315619200" ; 1980-01-02 UTC + "--owner=3Droot:0" + "--group=3Droot:0" + "--sort=3Dname" + torbrowser-dir) + #t)))))))) + +(define-public torbrowser-unbundle + (package + (name "torbrowser-unbundle") + (version %torbrowser-version) + (source torbrowser-source) + (build-system gnu-build-system) + (inputs + `(("alsa-lib" ,alsa-lib) + ("bzip2" ,bzip2) + ("cups" ,cups) + ("dbus-glib" ,dbus-glib) + ("gdk-pixbuf" ,gdk-pixbuf) + ("glib" ,glib) + ("gtk+" ,gtk+) + ("gtk+-2" ,gtk+-2) + ("graphite2" ,graphite2) + ("pango" ,pango) + ("freetype" ,freetype) + ("harfbuzz" ,harfbuzz) + ("libcanberra" ,libcanberra) + ("libgnome" ,libgnome) + ("libjpeg-turbo" ,libjpeg-turbo) + ("libogg" ,libogg) + ;; ("libtheora" ,libtheora) ; wants theora-1.2, not yet released + ("libvorbis" ,libvorbis) + ("libxft" ,libxft) + ("libevent" ,libevent) + ("libxinerama" ,libxinerama) + ("libxscrnsaver" ,libxscrnsaver) + ("libxcomposite" ,libxcomposite) + ("libxt" ,libxt) + ("libffi" ,libffi) + ("ffmpeg" ,ffmpeg) + ("libvpx" ,libvpx) + ("icu4c" ,icu4c) + ("pixman" ,pixman) + ("pulseaudio" ,pulseaudio) + ("mesa" ,mesa) + ("mit-krb5" ,mit-krb5) + ;; See + ;; and related comments in the 'remove-bundled-libraries' phase. + ;; UNBUNDLE-ME! ("nspr" ,nspr) + ;; UNBUNDLE-ME! ("nss" ,nss) + ("shared-mime-info" ,shared-mime-info) + ("sqlite" ,sqlite) + ("startup-notification" ,startup-notification) + ("unzip" ,unzip) + ("zip" ,zip) + ("zlib" ,zlib))) + (native-inputs + `(("patch" ,(canonical-package patch)) + ("rust" ,rust) + ("cargo" ,rust "cargo") + ("rust-cbindgen" ,rust-cbindgen) + ("llvm" ,llvm) + ("clang" ,clang) + ("perl" ,perl) + ("node" ,node) + ("openssl" ,openssl) ; Required for building https-everywhere + ("tar" ,tar) ; for untaring extensions + ("util-linux" ,util-linux) ; for getopt on https-everywhere build + ("xxd" ,xxd) ; for https-everywhere build + ("python" ,python) + ("python2" ,python-2.7) + ("python2-pysqlite" ,python2-pysqlite) + ("yasm" ,yasm) + ("nasm" ,nasm) ; XXX FIXME: only needed on x86_64 and i686 + ("pkg-config" ,pkg-config) + ("autoconf" ,autoconf-2.13) + ("which" ,which))) + (arguments + `(#:tests? #f ; Some tests are autodone by mach on build fas= e. + + ;; XXX: There are RUNPATH issues such as + ;; $prefix/lib/icecat-31.6.0/plugin-container NEEDing libmozalloc.s= o, + ;; which is not in its RUNPATH, but they appear to be harmless in + ;; practice somehow. See . + ;; + ;; Is this needed? + #:validate-runpath? #f + + #:imported-modules ,%cargo-utils-modules ;for `generate-all-checksu= ms' + + ;; Verify which modules are actually needed. + #:modules ((ice-9 ftw) + (ice-9 rdelim) + (ice-9 regex) + (ice-9 match) + (srfi srfi-34) + (srfi srfi-35) + (rnrs bytevectors) + (rnrs io ports) + (guix elf) + (guix build gremlin) + (guix build utils) + (sxml simple) + ,@%gnu-build-system-modules) + + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'unpack-extensions + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let ((https-everywhere-archive "https-everywhere.tar.gz") + (https-everywhere-srcdir "https-everywhere-src") + (noscript-archive "noscript.tar.gz") + (noscript-srcdir "noscript-src") + (bash (which "bash"))) + + (setenv "SHELL" bash) + + (mkdir https-everywhere-srcdir) + (mkdir noscript-srcdir) + (invoke "tar" "xf" https-everywhere-archive "--strip-compo= nents=3D1" + "-C" https-everywhere-srcdir) + (invoke "tar" "xf" noscript-archive "--strip-components=3D= 1" + "-C" noscript-srcdir)))) + + ;; Not used yet. For start-tor-browser patch and possibly others. + (add-after 'unpack-extensions 'apply-guix-specific-patches + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let ((patch (string-append (assoc-ref (or native-inputs inpu= ts) + "patch") + "/bin/patch"))) + (for-each (match-lambda + ((label . file) + (when (and (string-prefix? "torbrowser-" label) + (string-suffix? ".patch" label)) + (format #t "applying '~a'...~%" file) + (invoke patch "--force" "--no-backup-if-mism= atch" + "-p1" "--input" file)))) + (or native-inputs inputs))) + #t)) + + ;; On mach build system this is done on configure. + (delete 'bootstrap) + + (add-after 'patch-source-shebangs 'patch-cargo-checksums + (lambda _ + (use-modules (guix build cargo-utils)) + (let ((null-hash "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649= b934ca495991b7852b855")) + (substitute* '("Cargo.lock" "gfx/wr/Cargo.lock") + (("(\"checksum .* =3D )\".*\"" all name) + (string-append name "\"" null-hash "\""))) + (generate-all-checksums "third_party/rust")) + #t)) + + (add-after 'build 'neutralize-store-references + (lambda _ + ;; Mangle the store references to compilers & other build too= ls in + ;; about:buildconfig, reducing TorBrowser's closure significa= nt. + ;; The resulting files are saved in lib/firefox/omni.ja + (substitute* "objdir/dist/bin/chrome/toolkit/content/global/b= uildconfig.html" + (((format #f "(~a/)([0-9a-df-np-sv-z]{32})" + (regexp-quote (%store-directory))) _ s= tore hash) + (string-append store + (string-take hash 8) + "" + (string-drop hash 8)))) + #t)) + + (replace 'configure + (lambda* (#:key inputs outputs configure-flags #:allow-other-ke= ys) + (let* ((out (assoc-ref outputs "out")) + (bash (which "bash")) + ;; Is this needed? + (flags `(,(string-append "--prefix=3D" out) + ,@configure-flags))) + + (setenv "SHELL" bash) + (setenv "AUTOCONF" (string-append + (assoc-ref %build-inputs "autoconf") + "/bin/autoconf")) + (setenv "CONFIG_SHELL" bash) + (setenv "PYTHON" (string-append + (assoc-ref inputs "python2") + "/bin/python")) + (setenv "MOZ_BUILD_DATE" ,%torbrowser-build-id) ; avoid tim= estamp. + (setenv "LDFLAGS" (string-append + "-Wl,-rpath=3D" + (assoc-ref outputs "out") + "/lib/firefox")) + + ;; Maybe remove --disable-strip since tor-builder strips on= another step + ;; See tor-browser-build.git/projects/firefox/build:231. + ;; Add flag for changing app name to torbrowser or use this= name for the start script? + (substitute* ".mozconfig" + ;; Arch independent builddir. + (("(mk_add_options MOZ_OBJDIR=3D@TOPSRCDIR@/ob= j).*" _ m) + (string-append m "dir\n")) + (("ac_add_options --disable-tor-launcher") "") + ;; We won't be building incrementals. + (("ac_add_options --enable-signmar") "") + (("ac_add_options --enable-verify-mar") "") + (("ac_add_options --with-tor-browser-version= =3Ddev-build") + (string-append "ac_add_options --with-tor-bro= wser-version=3Dorg.gnu\n" + "ac_add_options --with-unsigne= d-addon-scopes=3Dapp\n" + "ac_add_options --enable-pulse= audio\n" + "ac_add_options --disable-debu= g-symbols\n" + "ac_add_options --disable-upda= ter\n" + "ac_add_options --disable-gcon= f\n" + ;; Other syslibs that can be u= nbundled? (nss, nspr) + "ac_add_options --enable-syste= m-pixman\n" + "ac_add_options --enable-syste= m-ffi\n" + "ac_add_options --with-system-= bz2\n" + "ac_add_options --with-system-= icu\n" + "ac_add_options --with-system-= jpeg\n" + "ac_add_options --with-system-= libevent\n" + "ac_add_options --with-system-= zlib\n" + ;; Without these clang is not = found. + "ac_add_options --with-clang-p= ath=3D" + (assoc-ref %build-inputs "clan= g") "/bin/clang\n" + "ac_add_options --with-libclan= g-path=3D" + (assoc-ref %build-inputs "clan= g") "/lib\n"))) + + ;; See tor-browser-build.git/projects/tor-browser/RelativeL= ink/start-tor-browser:307 on running + ;; with system tor instance. + (substitute* "browser/app/profile/000-tor-browser.js" + (("(pref\\(\"network.proxy.socks_port\").*" _ = m) + (string-append m ", 9050);\n")) + (("(pref\\(\"extensions.torbutton.loglevel\").= *" _ m) + (string-append m ",2);\n")) + (("(pref\\(\"extensions.torbutton.logmethod\")= =2E*" _ m) + (string-append m ",0);\n")) + (("(pref\\(\"extensions.torbutton.inserted_but= ton\").*" _ m) + (string-append m ",true);\n")) + (("(pref\\(\"extensions.torbutton.launch_warni= ng\").*" _ m) + (string-append m ",false);\n")) + ;; TorBrowser updates are disabled on mozconfi= g, but let's make sure. + (("(pref\\(\"extensions.torbutton.versioncheck= _enabled\").*" _ m) + (string-append m ",false);\n"))) + + (substitute* "browser/extensions/tor-launcher/src/defaults/= preferences/torlauncher-prefs.js" + (("(pref\\(\"extensions.torlauncher.start_tor\= ").*" _ m) + (string-append m ", false);\n")) + (("(pref\\(\"extensions.torlauncher.prompt_at_= startup\").*" _ m) + (string-append m ", false);\n")) + ;; Investigate this one: "extensions.torlaunch= er.only_configure_tor" + ;; on 'tl-util.jsm', would it be a nice additi= on? + (("(pref\\(\"extensions.torlauncher.should_rem= ove_meek_helper_profiles\").*" _ m) + (string-append m ", false);\n")) + (("(pref\\(\"extensions.torlauncher.loglevel\"= ).*" _ m) + (string-append m ", 2);\n")) + (("(pref\\(\"extensions.torlauncher.logmethod\= ").*" _ m) + (string-append m ", 0);\n")) + (("(pref\\(\"extensions.torlauncher.control_po= rt\").*" _ m) + (string-append m ", 9051);\n"))) + + ;; For user data outside the guix store. Dirty hack. Maybe = worth a patch upstream to create a + ;; configure flag for guix. It will create/modify permissio= ns on 'Data' dir on $HOME. It also + ;; means that TorBrowser will share the Downloads dir on ho= me and not keep its own. + ;; Work on start-tor-browser script to set a TorBrowser own= home. + (substitute* "xpcom/io/TorFileUtils.cpp" + (("ANDROID") "GNUGUIX")) + (substitute* "old-configure.in" + (("(AC_SUBST\\(TOR_BROWSER_DISABLE_TOR_LAUNCHE= R\\))" _ m) + (string-append m "\n AC_DEFINE(GNUGUIX)\n"))) + + ;; TODO: change prefs to block autoupdate app and extension= s. + + (newline) + (format #t "Invoking mach configure ...~%") + (force-output) + (invoke "./mach" "configure")))) + + ;; Building noscript from source is failing for now. So its sourc= es remain unused. + (add-after 'configure 'build-extensions + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let* ((bash (which "bash"))) + + (setenv "SHELL" bash) + + ;; Python3.6 is hardcoded on these scripts. Using v3.8 appe= ars to be harmless. + (with-directory-excursion "https-everywhere-src" + (substitute* '("install-dev-depen= dencies.sh" + "make.sh" + "hooks/precommit" + "test/firefox.sh" + "test/manual.sh" + "test/script.py" + "test/validations.= sh" + "utils/create_zip.= py" + "utils/merge-rules= ets.py" + "utils/setversion.= py" + "utils/zipfile_det= erministic.py") + (("python3.6") "pyth= on3")) + + ;; Failing to generate the xpi, b= ut copy-dir appears to be enough. + ;; Failing on missing 'wasm'? + (invoke "./make.sh"))))) + + (replace 'build + (lambda _ (invoke "./mach" "build"))) + + ;; TorBrowser just do a stage-package here and copy files to its = places. + (replace 'install + (lambda* (#:key inputs outputs configure-flags #:allow-other-ke= ys) + (let* ((out (assoc-ref outputs "out")) + (builddir "objdir/dist/firefox") + (libdir (string-append out "/lib/firefox")) + (bindir (string-append out "/bin")) + (noscript-id "{73a6fe31-595d-460b-a920-fcc0f8843232}.x= pi") + (extdir (string-append libdir "/browser/extensions"))) + + ;; (display "string\n") should be enough here, chage this. + (format #t "Staging package ...~%") + (force-output) + (invoke "./mach" "build" "stage-package") + (format #t "Deleting spurious files ...~%") + (force-output) + ;; TorBrowser doesn't use those. See: tor-browser-build.git= /projects/firefox/build:167 + (for-each delete-file `(,(string-append builddir "/firefox-= bin") + ,(string-append builddir "/libfreeb= lpriv3.chk") + ,(string-append builddir "/libnssdb= m3.chk") + ,(string-append builddir "/libsofto= kn3.chk"))) + + (format #t "Creating install dirs ...~%") + (force-output) + (mkdir-p libdir) + (mkdir bindir) + + (format #t "Copying files to install dirs ...~%") + (force-output) + (copy-recursively builddir (string-append libdir "/") + #:log (%make-void-port "w")) + + (format #t "Linking binary ...~%") + (force-output) + (symlink (string-append libdir "/firefox") + (string-append bindir "/firefox")) + + (format #t "Copying extensions to default path ...~%") + (force-output) + (mkdir-p extdir) + (format #t "Copying noscript ...~%") + (force-output) + (copy-file "noscript.xpi" (string-append extdir "/" noscrip= t-id)) + (format #t "Copying https-everywhere ...~%") + (force-output) + (if (file-exists? "https-everywhere-src/pkg/https-everywher= e-2020.5.20~pre-eff.xpi") + (copy-file "https-everywhere-src/pkg/https-everywhere-2= 020.5.20~pre-eff.xpi" + (string-append extdir "/https-everywhere-eff= @eff.org.xpi")) + (copy-recursively "https-everywhere-src/pkg/xpi-eff" + (string-append extdir "/https-everywh= ere-eff@eff.org"))) + #:log (%make-void-port "w"))))))) + + ;; Thunderbird doesn't provide any .desktop file, but TorBrowser = does, however it's staged not installed, let's see. + ;; + ;; Is this needed? Try to play webmedia! + ;;(add-after 'install 'wrap-program + ;; (lambda* (#:key inputs outputs #:allow-other-keys) + ;; (let* ((out (assoc-ref outputs "out")) + ;; (lib (string-append out "/lib")) + ;; (gtk (assoc-ref inputs "gtk+")) + ;; (gtk-share (string-append gtk "/share")) + ;; (pulseaudio (assoc-ref inputs "pulseaudio")) + ;; (pulseaudio-lib (string-append pulseaudio "/lib"))) + ;; (wrap-program (car (find-files lib "^firefox$")) + ;; `("XDG_DATA_DIRS" prefix (,gtk-share)) + ;; `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib))) + ;; #t)))))) + (home-page "https://www.torproject.org") + (synopsis "Anonymous browser derived from Mozilla Firefox") + (description + "TorBrowser is the Tor Project version of the Firefox browser. It is +the only recommended way to anonymously browse the web that is supported by +the project. It modifies firefox in order to avoid many know application = level +attacks on the privacy of Tor users. + +WARNING: This is not the official TorBrowser and is currently on testing. +If you have issues using it, do not bother Tor Developers, as it is not the +official bundle provided by the Tor Project. Use at your own risk and ple= ase +report back on guix channels. This version does not bundle @code{tor}, yo= u need +to configure it as a system service and set ControlPort and HashedControlP= assword +to access some features.") + (license license:mpl2.0))) ;and others, see toolkit/content/licens= e.html --=20 2.27.0 --6c2NcOVqGQ03X4Wi-- --Pd0ReVV5GZGQvF3a Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQI5BAABCgAjFiEEIBdLYNLH+F+MBdSrYrJ+WmBEwoIFAl8PcgAFgwPCZwAACgkQ YrJ+WmBEwoKG+Q//WNP/2bs87azCZfyCmRUPB5mgI5jq6QbTaj+MxBpVtb7laL1Y D/7SadHs79qF63ZwQWzOFbOjDdMVX/h+ZVydoFjIcoK5Idiu3erjyTAFklnMInTE eWY3buWfaPp0/isxlHfNBk7Xzum7mYSAUD4B/L+uCrSGrtTvy1PLHvdwB6SwSvao WB9oKhs0WGQo6pgYXjtE9JhU8MB7HoJfYICYE6dFKUC5EoHGxQl1BOmOeZY7Y8oc 0zVdNJ7SeCD7xvvR6wNbiKAfEo3tp4Np+yp2HI6HGnTFhmIcUI9iDoDo4RzNzC8O 7t1noPh9r9s7f1FGdsI01UnBPO5pzEJ1m3RYNmSEhQpQ3ZYCC3b69hxObjNRIatM lQFRpnZ6iH7ixKS6I4RCAtScyekmpVwr7R4K3j36kIFRct9vrUd/CP5/I4tvHTi9 JmZcyfko/MNMEeg0s+4mVrAftfGWrCCpV6p/uZhknZpSLbin7TFcnww6eMOrliQS 056s/yIq4uOSDVjDNVwJvqUKa63XXLijetpL6dSbOc5BLd7g004v55lQBz/NEfnG 6HK+vyZMQ5iaJpw+KbkpZ20ORrOFL/+3PLX1x8O2CV1UBiwmPFteyhvFBpuAHljf fVoNDm20tom+CJpWD7sqkwZqyAPTPSjz0FdhRzdXRhO1sMcuUcIBd3QcpYw= =kzRK -----END PGP SIGNATURE----- --Pd0ReVV5GZGQvF3a--