From debbugs-submit-bounces@debbugs.gnu.org Fri Jul 09 23:10:33 2021 Received: (at 42380) by debbugs.gnu.org; 10 Jul 2021 03:10:33 +0000 Received: from localhost ([127.0.0.1]:60077 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1m23Nw-000320-SU for submit@debbugs.gnu.org; Fri, 09 Jul 2021 23:10:33 -0400 Received: from mx1.riseup.net ([198.252.153.129]:55896) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1m23Nt-00031n-T2 for 42380@debbugs.gnu.org; Fri, 09 Jul 2021 23:10:32 -0400 Received: from fews2.riseup.net (fews2-pn.riseup.net [10.0.1.84]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4GMFQS2J15zDr2X; Fri, 9 Jul 2021 20:10:24 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1625886624; bh=eQ+xWSJUpM5Hkye7sBtfb56h8j34QL6oDGrsNH2DlxA=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Ybm6+Ng9+ZI6ASRXTIgEHKBf20Q95qJlc1MmPOqM5HXtYBPUrSonvZMV5XlPux+sO h4T75kp7NSdeEPw7YIPWnLXORSy9nVJ0Dz4U9CB8OH3gYyB5rJF1+rRikrsjpWOAQt shiZiMKXrsQ4Z3pn7OhkGSROVJjvsj5sG9TQ5E70= X-Riseup-User-ID: DAE85AA38352A7E3A8063A33ABBCEAD7E27CB47E01C9968B2BEDA9A6BE98E3CD Received: from [127.0.0.1] (localhost [127.0.0.1]) by fews2.riseup.net (Postfix) with ESMTPSA id 4GMFQQ6d4Pz1xph; Fri, 9 Jul 2021 20:10:22 -0700 (PDT) Date: Sat, 10 Jul 2021 00:10:15 -0300 From: =?iso-8859-1?Q?Andr=E9?= Batista To: Maxime Devos Subject: Re: [bug#42380] [PATCH v5 9/9] gnu: Add torbrowser-unbundle. Message-ID: References: <88c9104dbc255f94f73b0dae2dad41ae23cc3448.1622687706.git.nandre@riseup.net> <347e91d0ce7f96882f70a081b208c388153cd6b8.1622693271.git.nandre@riseup.net> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="UAekGVlxuPaM6vpM" Content-Disposition: inline In-Reply-To: X-Spam-Score: -0.7 (/) X-Debbugs-Envelope-To: 42380 Cc: 42380@debbugs.gnu.org X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.7 (-) --UAekGVlxuPaM6vpM Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi Maxim, I don't know why but I've overlooked your message when it first arrived, I'm sorry and thanks for your help. qui 03 jun 2021 =C3=A0s 23:07:23 (1622772443), maximedevos@telenet.be envio= u: > > + GenericName=3DWeb Browser > > + Comment=3DTor Browser is +1 for privacy and =E2=88=921 for mass surve= illance > > + Categories=3DNetwork;WebBrowser;Security; > > +-Exec=3Dsh -c '"$(dirname "$*")"/Browser/start-tor-browser --detach ||= ([ ! -x "$(dirname "$*")"/Browser/start-tor-browser ] && "$(dirname "$*")"= /start-tor-browser --detach)' dummy %k > > +-X-TorBrowser-ExecShell=3D./Browser/start-tor-browser --detach > > +-Icon=3Dweb-browser > > ++Exec=3Dsh -c start-tor-browser > > ++X-TorBrowser-ExecShell=3Dstart-tor-browser --detach > > ++Icon=3Dtorbrowser >=20 > What's the reason for switching the icon from web-browser to torbrowser? If I'm not mistaken, this was done to get the newer icon set from sources. Without this change it was getting the older icons which were still available. I'll check this again. > Also, the guixy way would be to simply replace "$(dirname "$*")/STUFF" > by /gnu/store/[...]/MORE-STUF/STUFF. > Otherwise, you're assuming "sh" is in the profile. It would also > be possible to replace "sh" with (string-append (assoc-ref inputs "bash")= "/bin/sh") > I guess. You are right, I'm getting warnings on sh or bash when compiling. > > + # First, make sure DISPLAY is set. If it isn't, we're hosed; scream > > +@@ -134,8 +142,8 @@ > > + ;; > > + -l | --log) > > + if [ -z "$2" -o "${2:0:1}" =3D=3D "-" ]; then > > +- printf "Logging Tor Browser debug information to tor-bro= wser.log\n" > > +- logfile=3D"../tor-browser.log" > > ++ printf "Logging Tor Browser debug information to torbrow= ser.log\n" >=20 > Why rename tor-browser.log to torbrowser.log? I think this had no reason other than my personal choice. > > + [...] > > ++# Try to be agnostic to where we're being started from, check if file= s are on its > > ++# default paths and chdir to TBB_HOME > > ++if [ -e "${TORRC}" ]; then > > ++ cd "${TBB_HOME}" > > ++else > > ++ mkdir -p "${TBB_HOME}" > > ++ cp -R "${TBB_STORE_DATA}" "${TBB_HOME}" > > ++ chmod -R 700 "${TBB_HOME}" > > ++ mkdir -p "${TBB_PROFILE}" > > ++ echo "user_pref(\"extensions.torlauncher.torrc-defaults_path\", \"= ${TORRC}\");"\ > > ++ > "${TBB_PROFILE}/user.js" > > ++ echo "ClientTransportPlugin meek_lite,obfs2,obfs3,obfs4,scramblesu= it exec ${TBB_STORE_PATH}/TorBrowser/Tor/PluggableTransports/obfs4proxy"\ > > ++ >> "${TORRC}" > > ++ cd "${TBB_HOME}" > > + fi >=20 > "mkdir" and "cp" are from coreutils, which are not guaranteed to be in > the profile. I'd suggest: >=20 > (1) (preferred) use substitute* in a build phase to replace > 'mkdir' and 'cp' & co with the absolute store path > (2) or add coreutils to propagated-inputs >=20 > Likewise for sed.=20 Noted. I'll write a build phase. > > [...] > >=20 > > + if [ "$register_desktop_app" -eq 1 ]; then > > + mkdir -p "$HOME/.local/share/applications/" > > +- cp ../start-tor-browser.desktop "$HOME/.local/share/applications/" > > ++ cp "${TBB_STORE_PATH}/start-tor-browser.desktop" "$HOME/.local/share= /applications/" > > + update-desktop-database "$HOME/.local/share/applications/" > > + printf "Tor Browser has been registered as a desktop app for this us= er in ~/.local/share/applications/\n" > > + exit 0 >=20 > Is this required on Guix and would it work well on Guix? Copying .desktop= files around > seems counter to =E2=80=98Guix suppots transactional upgrades and roll-ba= cks, [...]. [...] > reproducible operating systems=E2=80=99 and not very functional. Shouldn't > "guix install torbrowser-unbundle" be sufficient? Yes, it should. I think I was trying to change things as little as possible from what the official bundle does/provides, but I agree that it would be better to just remove this part of the script and have it behave as an ordinary application. > noscript seems an useful extension for IceCat as well. > Maybe move it to gnuzilla.scm? Maybe move https-everywhere > there as well? (Separate issue: https-everywhere seems to > be bundled in IceCat ...) I was thinking the better outcome would be to have something as it was done for ungoogled-chromium to provide extensions that would be compatible with both icecat and torbrowser. Unfortunatly, I've been unable to address most of the things I had intended for now at least. I'll also keep a note on this and address it as soon as I can. > Why are you copying the source code to somewhere else? Because I did not know any better. > This doesn't seem to accomplish anything. I would suggest > something like: >=20 > ;; Source code of =E2=80=98HTTPS Everywhere WASM Library=E2=80=99, > ;; licensed as license:lgpl2.1+, used in 'https-everywhere' > ;; as an input. > (define https-everywhere-lib-wasm/source-code > (origin (method git-fetch) [...])) >=20 > Note that you can use 'origin' objects in 'inputs' and 'native-inputs'. Thanks, I did not know this. I'll change accordingly. > > + (license license:gpl2+)))) >=20 > The license file seems to tell something different: LGPL2.1+ instead of G= PL2+: > https://github.com/EFForg/https-everywhere-lib-wasm/blob/master/LICENSE Ouch. You are right. > > [...] > > + (native-inputs > > + `(("https-everywhere" ,https-everywhere) > > + ("noscript" ,noscript) >=20 > noscript and https-everywhere seem more like 'inputs' than > 'native-inputs' to me, but IIUC they are source-code only > and not compiled, so it doesn't really matter here I guess. Noted. > > + (make-file-writable (string-append tbb-scripts-dir > > + "/RelativeLink/start-tor-browser.desktop"))) > > + #t)) >=20 > Returning #t at the end of a phase is not required anymore. > The warning will disappear when core-updates is merged. Noted. > > + (replace 'configure > > + (lambda* (#:key inputs outputs configure-flags #:allow-= other-keys) > > + (let* ((out (assoc-ref outputs "out")) > > + (bash (which "bash")) > > + (flags `(,(string-append "--prefix=3D" out) > > + ,@configure-flags))) > > + (setenv "SHELL" bash) > > + (setenv "AUTOCONF" (string-append > > + (assoc-ref %build-inputs "autoc= onf") > > + "/bin/autoconf")) >=20 > In build phases, use 'inputs' or 'native-inputs' instead of %build-inputs. > It's more explicit, maybe there are other reasons as well. (Here it should > be native-inputs I guess). Noted. > > + (setenv "CONFIG_SHELL" bash) > > + (setenv "PYTHON" (string-append (assoc-ref inputs "= python-2") > > + "/bin/python")) >=20 > This most likely should be (assoc-ref (or native-inputs inputs) "python-2= ") > instead of (assoc-ref inputs "python-2"). >=20 > > + (setenv "CC" "gcc") ; needed when Stylo is enabled > This most likely should be ,(cc-for-target) instead of "gcc". >=20 > (The native-inputs/inputs and "gcc" / (cc-for-target) distinction is impo= rtant > when cross-compiling (though not all dependencies are cross-compilable cu= rrently, > so it's a bit moot for now.)) Noted. This and the previous code snippets came from Thunderbird if I remember correctly and I didn't really give it much tought. I'll try to address them both. > > + (add-after 'install-extensions 'link-binaries > > + (lambda* (#:key inputs native-inputs outputs #:allow-ot= her-keys) > You're not using 'native-inputs' in this build phase so you can remove it > from the arguments list. > > + [...] > > + (add-after 'link-binaries 'copy-bundle-data > > + (lambda* (#:key inputs native-inputs outputs #:allow-ot= her-keys) >=20 > Likewise. Noted. > > + (description > > + "Tor Browser is the Tor Project version of Firefox browser. It= is the only > > +recommended way to anonymously browse the web that is supported by the= project. > > +It modifies Firefox in order to avoid many know application level atta= cks on > > +the privacy of Tor users. > > + > > +WARNING: This is not the official Tor Browser and is currently on test= ing. Use > > +at your own risk and please report back on guix channels if you find a= ny > > +issues.") >=20 > This seems unnecessarily scary. All packages in guix are =E2=80=98at your= own risk=E2=80=99 > and every new package is =E2=80=98in testing=E2=80=99 for a while, whatev= er that means. > What about I wrote this to give some consideration to the fact that TorProject strongly advises people _NOT_ to build their own TorBrowsers and not to use anything other than the one they provide. I've also intended to make it clear that the anonymity set might be reduced and that guix users could be distinguished from other TB users, specially given the nature of guix would imply that at sometime or other guix users would even be using different software versions, which applies to extensions, libs and even the tor software under the hood. I also gathered that it would be sometime before this could be merged into guix and that maybe some users would find this recipe on the mailing lists and install themselves, so I thought it would be a good thing to be over scary rather than give a false impression that it was something one should do without a second thought. Thanks for your valuable input. I've been a little short on time and got stuck for a while, but I do intent to go back to it and when I do I'll contemplate your suggestions. Cheers, --UAekGVlxuPaM6vpM Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQG5BAABCgAjFiEEXo3OJhMk/jL9rLM1Nj97Uq5OMvYFAmDpD5MFgwPCZwAACgkQ Nj97Uq5OMvbDUQv+OtXE8vKwy10OUDXJIy0swIytBqOELyfN57EGE4+RtEZslnzT VUoPgtjZ8CydSSZTG18K9fkPDRarzya7PrDoLG22s4QjQe0Uk8hk8X/GSn0PAgi1 go9tZV3nSrZA8bpmq20JxzQ9lVNw6kpWwhkogz5djJR8qXppB+sY9R3ZxKQI9VTX hakSIWb1dtK4qZoBVD9QRK00/96VxioqQ9ZigHNFMlne9A1efyrUTmNfjpZ7aN4j rpbjZ3NqBXy81ZN+K1rVAvC3kZkW+zY+icpwRFJLRXX8YjagKjTLUbZle1dXmD8X m1hbt60fSAEtakzQbZQTrTT7d52cNDb78W10UfU/+d9UZZcmiU3YSxnZitRZouFG WeBMwKejbfmICtpTAGZ78bPQPO10PnWKxeE5KCo67BefjRefQG39Y+7sp8o0fdmb m5p88Oa/wwy44IvNU5IhC07BcbP20dNOlne5VXXyexV1p9N5N9T47si9uKd95KJ+ Oics4T/Zxs3zRUro =Dg+w -----END PGP SIGNATURE----- --UAekGVlxuPaM6vpM--