[Tor-BSD] Porting Tor Browser to the BSDs

[George Rosamond]

attila:
> Libertas <libertas at mykolab.com> writes:
>>
>> Has anyone looked into this? I talked to the maintainer of the OpenBSD
>> Firefox port, but he wasn't very interested and pointed out the
>> difficulty caused by the deterministic build system.
>>
>> I can verify that it doesn't work out of the box, but haven't had time
>> to play with it much more than that. I think that the Tor Browser is an
>> increasingly important tool, and that it's a problem that it isn't
>> available on the BSDs.
>>
>> Thoughts? Suggestions?
> 
> I have been looking into this on and off for a little while.  My focus
> has been an OpenBSD port, but I'm sure a lot of what I've run into is
> true across BSDs.  My thoughts so far:
> 
> tor-browser development seems awfully Linux-centric; no thought is
> given to portability outside of {Linux,OSX,Windows}.  The gitian-based
> build system must be ditched in a BSD context.  Instead the right
> thing to do is a set of ports, the most important of which is the
> tor-browser.  I have started on this by wading through the diffs
> between the tor-browser-31.4.0esr-4.5-1 branch in the tor-browser git
> repo and esr31.4.0, which is thankfully what happens to be in
> OpenBSD-current ports.  There are a lot of diffs, obviously, and the
> end result is going to be a port with a huge honking patches/
> subdir... a maintainability nightmare, at least on the surface.
> 
> There are many diffs that are all about the build system which I will
> ditch; this will probably cause me problems elsewhere.  There is also
> the matter of tor-button, which, for the record, I consider an
> abomination.  I think I understand why the tor-browser ppl insist on
> keeping it around but I am sorely tempted to find another way...
> 
> This last sentiment sort of saturates my thinking on moving forward
> with tor-browser.  There has been a lot of good work done, for
> instance in anti-fingerprinting measures, but then a lot of what's
> going on leaves me with a bad feeling, like this:
>    <https://trac.torproject.org/projects/tor/ticket/9387>
> 
> The amount of heat and steam expended on coming up with a slider that
> says:
> 
>       more usable <--------------> most secure
> 
> truly depresses me.  I do not want to use a browser that has such a
> thing in it.  I don't think this is a good use of time.  I think a
> better use of time would've been doing something about the thousands
> of remaining uses of sprintf, strcat and strcpy... at least there are
> a few hundred uses of strl{cat,cpy}.  My point is: if the idea is that
> tor-browser is not just for tor but is a better, more secure,
> standards-compliant and plugin-averse browser for the masses then
> adding new (ridiculous) features when there are so many papercuts and
> sucking chest-wounds to attend to first rubs me the wrong way.  I
> generally use the term "linux attitude" as a placeholder for this
> approach to development in general, but then I'm typing this on a
> thinkpad running OpenBSD, so...
> 
> Anyway, my status is that I'm still wading through the patches and
> working my way towards a www/tor-browser port that is based on the
> www/firefox-esr port.  I will try to get a git repo up somewhere for
> review and collaboration in the next day or two.  There is still quite
> a ways to go before a working tor-browser and that is only one
> component of the tbb, which presents a whole 'nother kettle of fish
> when it comes to porting...
> 
> More later.  I am on the tor-bsd list, just slow to respond... sorry.

Not sure why this thread died, after someone who's been working on this
for a while replies...

Anyways, I think the main question is what to build and how.

It seems clear that it needs to be completely separated from the current
Linux builds, and start from a more "BSD-ish" basis. Ideally, the result
is something easily portable to the other BSDs, not to mention to other
POSIX-esque systems if there's a need.

Without going into more details, I think that once attila has the git
repo up, we can start playing with it.

There's a lot of questions to deal with as attila notes, working the
patches, dealing with the underlying stuff strcat, strcpy and all, and
then the actual fingerprint of this browser.

g