Make it easy to start Tor Browser Bundle
Open · Normal · Public

Description

User story: I am an everyday user. When I browse the web, I want to use the Tor Browser Bundle so that my activity is private. I want an easy way to install TBB.

Suggested solution: Make torbrowser-launcher a default application. This way, when a user searches for "Tor" they will find the launcher (already packaged in PureOS) ready to use. The launcher will download and install TBB over the Tor router. TBB will thereafter update itself.

Suggested solution 2: (based on further discussion) Just package TBB for PureOS (and Debian?)

Notes:

  • The initial download and subsequent updates come directly from the Tor Project
  • torbrowser-launcher is not developed by the Tor Project, so there are occasionally compatibility issues; this means that updates to the launcher need to be released quickly (I currently use the "official" PPA for this reason)
  • This is the Debian-recommended way to install Tor Browser Bundle: https://wiki.debian.org/TorBrowser
d3vid created this task. Mar 1 2018, 11:23 AM
d3vid edited the task description. Mar 1 2018, 11:51 AM
jonas.smedegaard triaged this task as "Normal" priority. Mar 1 2018, 2:30 PM
d3vid changed the title from "Add torbrowser-launcher to default applications" to "Make it easy to start Tor Browser Bundle". Mar 5 2018, 11:28 AM
d3vid edited the task description.

FYI for all subscribers - the Tor Browser downloaded from PureOS repos hasn't worked for anyone over the past 6-7 months. To use the Tor Browser, we all have to download the package directly from their website. It would be great if this could be fixed in the PureOS repos so everyone could easily download and install the Tor Browser Bundle using "Software" in PureOS. See the following threads for more on this:

https://forums.puri.sm/t/tor-browser-does-not-start-anymore/2308
https://forums.puri.sm/t/cant-open-tor-once-installed-from-software/2414
https://forums.puri.sm/t/is-the-tor-browser-package-in-pureos-repos-broken/3001

What do we need to do to move this forward? We really need to have Tor Browser available in some form. @jonas.smedegaard I know we've had some discussions about software outside of PureOS repo in general. What's your suggested solution for shipping TBB (or do you suggest not shipping it)?

Also, this seems to be the only item keeping T519 open, and it's a good idea to put that to bed.

In my opinion, this issue should be solved by packaging Tor Browser for Debian main.

My guess(!) as to the reason that others chose to instead package a sidechannel _installer_ distributed in Debian contrib is that Tor Browser is by nature fast-changing, so not possible to reach stable Debian. PureOS (in its current form as a rolling release based on Debian testing) can make use of such a package that is properly free but just changing too frequently to be suitable for Debian stable.

If PureOS later creates a stable (supergreen?) branch, then in my opinion fast moving packages like Tor Browser should be omitted from that branch.

On a related note (should be filed as a separate issue if/when we want to discuss that further): In my opinion, PureOS should only expose its users to code that is security-tracked. Here that means if PureOS supergreen needs to include Tor Browser, then PureOS must somehow get a security team that can track it - because the Debian security team does *not* track treating testing packages as stable.

> In my opinion, this issue should be solved by packaging Tor Browser for Debian main.

This isn't done anymore, likely for the reason you suggest.

> My guess(!) as to the reason that others chose to instead package a sidechannel _installer_ distributed in Debian contrib is that Tor Browser is by nature fast-changing, so not possible to reach stable Debian. PureOS (in its current form as a rolling release based on Debian testing) can make use of such a package that is properly free but just changing too frequently to be suitable for Debian stable.

> If PureOS later creates a stable (supergreen?) branch, then in my opinion fast moving packages like Tor Browser should be omitted from that branch.

Right, that is usually the stated reason. In my opinion, it's a very wise one given that Tor is targeted by powerful and sophisticated actors. TBB also has an in-browser update mechanism / verification / warning system, so it would likely clash with a package manager at this point without modifications that I don't think anyone wants to be in charge of.

But I don't see why we would want to take the package from Debian contrib, when we can pull what we want from upstream TP repo. Seems like the same amount of work with less payoff.

> On a related note (should be filed as a separate issue if/when we want to discuss that further): In my opinion, PureOS should only expose its users to code that is security-tracked. Here that means if PureOS supergreen needs to include Tor Browser, then PureOS must somehow get a security team that can track it - because the Debian security team does *not* track treating testing packages as stable.

Bad idea to have TBB in a stable repo, for the reasons you state.

I believe Tor Browser (previously named Tor Browser Bundle, a.k.a. TBB) itself was never packaged for Debian, nor released with PureOS.

torbrowser-launcher is still in Debian: https://packages.debian.org/torbrowser-launcher

torbrowser-launcher was previously custom-added to PureOS (custom because it is in Debian contrib not Debian main) but that custom-inclusion has not been maintained, leading to current(?) situation of PureOS users being offered an old broken torbrowser-launcher.

What I recommend is to package Tor Browser itself(!) for Debian main, even if that package is known to likely never reach stable Debian release - because it is beneficial for rolling releases like PureOS.

I do not recommend that PureOS bypass Debian and pull directly from upstream - either as a PureOS-specific development effort (a package) or by our users (a script like torbrowser-launcher). The amount of work is less, but we lose the security tracking and wider use (more eyeballs) from Debian.

> I do not recommend that PureOS bypass Debian and pull directly from upstream - either as a PureOS-specific development effort (a package) or by our users (a script like torbrowser-launcher). The amount of work is less, but we lose the security tracking and wider use (more eyeballs) from Debian.

I understand this perspective, but what happens when a 0-day drops and then Tor Browser prompts the user to update with big arrows in the browser? I know more eyeballs generally means better/safer software, but in this case I fear there's a high likelihood we won't be able to patch quickly enough and, perhaps worse, users will try updating with the in-browser mechanism which may break things.

I will try to do some digging into history here and see how quickly Debian is able to patch Tor packages when there's a serious vuln. Any insight on that is appreciated.

0-day issues with Tor Browser should be handled exactly same as 0-day issues for all parts of PureOS: By PureOS developers issuing a bugfix.

Allowing upstream to bypass PureOS distribution effectively makes upstream a co-distributor, which opens up a can of worms.

I believe there is no data from Debian specifically on 0-days for Tor Browser, because Tor Browser (I believe) has never been packaged for Debian.

jonas.smedegaard added a comment. Edited Oct 12 2018, 12:01 PM

In-browser mechanisms to bypass APT are severe bugs that should be fixed by patching them away, as is currently done for PureBrowser.

(reminder: Feel free to disagree - I don't state universal facts here, just am inconsistent in adding "in my opinion"...)

Let me rephrase: The Tor Browser launcher/downloader *has* been packaged for Debian. I believe it has lagged behind in updates, even in my past experience, but I would want more concrete information on that.

I hear what you're saying with TB, I really do, but it is such an important piece of software for people in at-risk situations, that I really see the benefit of pulling from upstream, or as close to upstream as possible. In my opinion, Tor Browser having a clash with PureOS at the UI level etc. is a much better bug to have than one that exposes users to surveillance... that could get out of hand if we meet our goals in reaching lots and lots of users with Purism devices.

Agreed, torbrowser-launcher has been and still is in Debian (just not main).
However, since that package bypasses APT, Debian has effectively passed on the maintenance of Tor Browser itself (not the bypassing script, but that is less relevant) to upstream, so how responsive the Debian security team has been regarding torbrowser-launcher is irrelevant to 0-days of Tor Browser itself.

I am not talking about _cosmetic_ bugs in the user interface.
What I am talking about is governance being all PureOS, not upstream - no matter if done in the background by a script or done by presenting users with a big red button (which bypasses APT when activated). If governance is not solely PureOS, then that to me is a severe bug, regardless of how it presents itself.

I agree that a merely cosmetic bug of user interface showing warnings that software is outdated is a less severe bug.

Is it in your opinion more important to fix immediately (i.e. no time to wait for PureOS, we must hand over the keys to the castle to upstream) bugs in Tor Browser, or do you find it equally important that we (as they become available) enable mechanisms for the Linux developers and GNOME developers and any other upstreams to address 0-days in their code?

> Is it in your opinion more important to fix immediately (i.e. no time to wait for PureOS, we must hand over the keys to the castle to upstream) bugs in Tor Browser, or do you find it equally important that we (as they become available) enable mechanisms for the Linux developers and GNOME developers and any other upstreams to address 0-days in their code?

I actually conceive of the problem differently:

It's the Tor Project's position that the most important thing is immediate patching through direct mechanisms in Tor Browser. When you're promising real anonymity and encouraging whistleblowers, activists, and journalists to use it, the risks with exposing people in the field are too great. If we consider Tor Browser an important asset for PureOS (and I think most everyone is on the same page there), it's wise to follow TP's lead.

Debian doesn't package TB, as you said, and instead has basically a downloader script, which may or may not grab the latest version as quickly as our at-risk users need it (and, really, all users need it no matter what their threat model is... they're not using an anonymous Web browser for no reason).

If the downloader in Debian contrib is actually modified swiftly to download the latest TB, then we should use it, and perhaps it's worth opening a conversation with the Debian packagers on that and expressing our concerns (which perhaps are only my concerns).

In the recent past, Linux kernel vulns are patched the same day, even within a few hours with recent vulns, and in all the big distros like Debian, Ubuntu, RHEL at approximately the same time. Everyone scrambles or the bugs are disclosed privately ahead of time to the devs so they're ready-to-go when the vuln is disclosed to the public.

It seems to me that GNOME packages are altered a lot for the Debian system, so grabbing from upstream would be a nightmare. But, also, I do think the extra eyes on that code are extremely valuable.

So, if you're asking if I consider TB a special case, yes I do. I might also say the same for E2EE platforms that are in popular use in the field, but that would take a case-by-case discussion to sort out.

A thought - If the issue is PureOS/Purism governance, then maybe we just take the TB downloader package from Debian contrib and start maintaining it in-house, making sure we have someone tracking changes in upstream TB very closely so we don't lag behind, and building a good relationship with Tor Project where we give them a heads up that we're doing this. We should also build a relationship with the Debian package managers for that downloader script... it's quite possible they're happy for us to be the maintainers for Debian contrib as well. But maybe not.

Do we have this capability with current bandwidth and resources? (Let's *not* discuss that in a public bugtracker; let's take this to another forum if you and the rest of the PureOS dev team agree on this solution.)

I believe I understand your opinion on this. I then disagree, however.

Sure, feel free to discuss it further either here or elsewhere as you see fit - I shall not continue further without you.

sean.obrien added a comment. Edited Oct 12 2018, 4:36 PM

Sure let's discuss more (edit: in another medium). I intend to solve the root problem identified by @thegoat above:

> FYI for all subscribers - the Tor Browser downloaded from PureOS repos hasn't worked for anyone over the past 6-7 months. To use the Tor Browser, we all have to download the package directly from their website.

Whatever solution is chosen, it needs to be tangibly better than someone downloading TB directly, or we've failed.

I want TB to be packaged by PureOS and installed by default on PureOS unless there is some Free Software licensing issue that would prevent this (I don't believe there is).

This thread has already discussed why the fast-moving project may have been abandoned (or at least outdated) in upstream Debian. It doesn't appear this situation is going to change upstream so we need to resolve it ourselves. This means we need to package TB ourselves in PureOS. It is an important enough privacy tool that it is worth the resources it will take to maintain the package within PureOS directly.

I'm going to assign this issue to @chris.lamb to spearhead. Chris please let me know if there are other PureOS tickets in your queue that would interfere with making this your top priority (off list in email is fine) and we can figure out how to prioritize everything.

d3vid assigned this task to chris.lamb. Oct 24 2018, 1:06 PM

@kyle.rankin Thanks for adding me to this ticket and apologies that it took longer than anticipated to get around to replying; I not only had to read the extended discussion here, I also had to do some research in order to work out what the situation is.

As it happens, Debian maintains these packages (and adjacent ones) in the "Privacy Maintainers" team:

https://wiki.debian.org/Teams/PkgPrivacyMaintainers

Quickly in terms of bandwidth, on entirely practical considerations alone (I will not comment on the philosophical issues here as they have been discussed at-length above) packaging TB itself similarly to upstream repos is going to be a bit of a challenge just to get something working at first and this does not count the ongoing maintenance overhead of that, alas.

We could perhaps liaise with the Tails folks on this (?), but otherwise the only real option is to ensure that the torbrowser-launcher continues to work properly. (If it does not, are there bug reports on this?)

thanks @mladen.pejakovic that is helpful. I made some slight wording changes to the warning so we don't scare away users. I'll be working with Jeremiah on this to see if we can come up with a smoother solution, but this wiki entry is much needed in the meantime.

chris.lamb removed chris.lamb as the assignee of this task. Feb 26 2019, 6:38 PM

Going to unassign myself for the time being. :)

In T347#11724, @mladen wrote:

> I have followed these instructions exactly but Tor is not showing up in my applications... what do I do to get Tor to work?
