The very purpose of torbrowser-launcher is to bypass regular package maintenance of PureOS and install precompiled code from an external source.
This harms freedoms, in that we then cannot ensure that the external code comply with our constraints - e.g. GNU FSDG.
| Status | Assigned | Task | ||
|---|---|---|---|---|
| Wontfix | jeremiah.foster | T519 PureOS isn't as secure as it says it is | ||
| Open | jeremiah.foster | T347 Make it easy to start Tor Browser Bundle | ||
| Resolved | mak | T348 torbrowser-launcher - downloads code outside the control of PureOS |
I suspect the Debian-but-released-only-in-contrib package was done that way due to the slow release cycle of Debian and the need for potentially quick update of the code. If that is the case, then a solution (other than simply giving up and kicking out torbrowser-bundle from PureOS) would be to replace with new package torbrowser - which could be maintained in Debian but there flagged as unreleasable similar to how other fast-moving code like Bitcoin is handled.
I think you mean "torbrowser-launcher" above?
I think an everyday user will be happy as long as they can type "Tor" and get something that leads them to (a trusted copy of) the "Tor Browser Bundle".
Or can we get some kind of assurance from the Tor Project about the continued freedom of the Browser Bundle?
We might get assurance from Tor Project. That does not, however, change the fact that we rely on a third-party for governing our rules, which I find problematic.
Please drop our fork of torbrowser-launcher: It violates GNU FSDG in that we lack control over what code ends on our users' systems.
@jonas.smedegaard We deliberately added TorBrowser this way when creating PureOS back in the day. I never liked this at all, so personally I would like to remove the package, but I am not sure if we should do that, because the decision to have it that way was done on purpose.
@zlatan.todoric should the Tor Browser package be dropped from PureOS?
Since this was just mentioned again, I need feedback here... Go, or no go?
/me is for dropping it (at least temporarily).
Will remove the following packages from landing: torbrowser-launcher | 0.2.8-4pureos1 | source, amd64 Maintainer: Purism developers <dev (!-at-!) puri.sm> Checking reverse dependencies... No dependency problem found. Going to remove the packages now.