torbrowser-launcher - downloads code outside the control of PureOS
Closed, Resolved (Public)

Description

The very purpose of torbrowser-launcher is to bypass regular package maintenance of PureOS and install precompiled code from an external source.

This harms freedoms, in that we then cannot ensure that the external code complies with our constraints - e.g. GNU FSDG.

I suspect the Debian-but-released-only-in-contrib package was done that way due to the slow release cycle of Debian and the need for potentially quick updates of the code. If that is the case, then a solution (other than simply giving up and kicking out torbrowser-bundle from PureOS) would be to replace it with a new package torbrowser - which could be maintained in Debian but there flagged as unreleasable, similar to how other fast-moving code like Bitcoin is handled.

d3vid added a subscriber: d3vid. Mar 1 2018, 11:54 AM

I think you mean "torbrowser-launcher" above?

I think an everyday user will be happy as long as they can type "Tor" and get something that leads them to (a trusted copy of) the "Tor Browser Bundle".

d3vid added a comment. Mar 1 2018, 11:55 AM

Or can we get some kind of assurance from the Tor Project about the continued freedom of the Browser Bundle?

jonas.smedegaard changed the title from "torbrowser-bundle - downloads code outside the control of PureOS" to "torbrowser-launcher - downloads code outside the control of PureOS". Mar 1 2018, 12:54 PM
jonas.smedegaard edited the task description.

Indeed I confused the terms. Thanks for spotting - corrected now.

We might get assurance from Tor Project. That does not, however, change the fact that we rely on a third-party for governing our rules, which I find problematic.

d3vid added a comment. Mar 5 2018, 11:29 AM

Ok, I see what you mean!

jonas.smedegaard reassigned this task from jonas.smedegaard to mak. Edited Apr 10 2018, 3:11 PM

Please drop our fork of torbrowser-launcher: It violates GNU FSDG in that we lack control over what code ends up on our users' systems.

@jonas.smedegaard We deliberately added TorBrowser this way when creating PureOS back in the day. I never liked this at all, so personally I would like to remove the package, but I am not sure if we should do that, because the decision to have it that way was done on purpose.
@zlatan.todoric should the Tor Browser package be dropped from PureOS?

mak added a comment. Aug 8 2018, 5:49 PM

Since this was just mentioned again, I need feedback here... Go, or no go?
/me is for dropping it (at least temporarily).

mak closed this task as "Resolved". Aug 9 2018, 4:05 PM
Will remove the following packages from landing:

torbrowser-launcher | 0.2.8-4pureos1 | source, amd64

Maintainer: Purism developers <dev (!-at-!) puri.sm>

Checking reverse dependencies...
No dependency problem found.

Going to remove the packages now.
