Trac issues
https://gitlab.torproject.org/legacy/trac/-/issues
2020-06-16T01:03:48Z

https://gitlab.torproject.org/legacy/trac/-/issues/30497
Add Donate link in about:tor
2020-06-16T01:03:48Z
Antonela (antonela@torproject.org)

The Fundraising Team suggested to include a Donate link in `about:tor`.
This ticket aims to track also its implementation.

https://gitlab.torproject.org/legacy/trac/-/issues/29045
ask tor to leave dormant mode
2020-06-16T01:03:07Z
Mark Smith

In #28624, tor was changed to remember dormant state across restarts. Since Tor Browser in nearly every case is started by a real person who expects to access one or more websites after starting the browser, it makes sense to ask tor to come out of dormant mode every time we start tor.
This can be done by issuing a `SIGNAL ACTIVE` control port command, although we could also ask the network team to add a `torrc` option to get this behavior.
For more background, see the following tor-dev message thread:
https://lists.torproject.org/pipermail/tor-dev/2018-December/013588.html
Kathleen Brade

https://gitlab.torproject.org/legacy/trac/-/issues/30372
Backport Letterboxing
2020-06-16T01:03:04Z
Tom Ritter (tom@ritter.vg)

Here's the set of patches, in order, for the esr60 backport:
https://hg.mozilla.org/try/rev/744a475c948ee8c987d43a6348deca5e9a4a5a61
https://hg.mozilla.org/try/rev/feeb219584667f53e2c6cd2ddcfcaa89fb6ee243
https://hg.mozilla.org/try/rev/a550c321f24c823efcb2e8033e6c802f9cd6e44b
https://hg.mozilla.org/try/rev/a5d945dd5b7070c810b93eddd0232d646b73fc2d
https://hg.mozilla.org/try/rev/b58bfc0bdc2451715ec895fbd06f40061fa301f9
https://hg.mozilla.org/try/rev/1b23145ed904be055bf0efe1000e03ec50c02cb3
https://hg.mozilla.org/try/rev/0b1eef9eeb06668fc06b3b4d877daaf957c3c1da

https://gitlab.torproject.org/legacy/trac/-/issues/30136
Decide whether to use "Tor Browser" or "Tor Browser for Android" for mobile stable
2020-06-16T01:02:30Z
Georg Koppen

In #28622 the question came up whether we should use "Tor Browser" or "Tor Browser for Android" for mobile. I think the former as Android is yet another platform besides Windows, macOS, and Linux. We only have one browser that serves all the platforms.

https://gitlab.torproject.org/legacy/trac/-/issues/30371
Don't change the content provider name
2022-07-06T22:10:18Z
Matthew Finkel

As an immediate fix for the bug mentioned in ticket:29757#comment:2, we should delete the `tor-android-service` patch. This allows installing multiple versions of the app side-by-side.

https://gitlab.torproject.org/legacy/trac/-/issues/29969
Drag-and-drop search causes NoScript XSS warning
2020-06-16T01:02:00Z
cypherpunks

Select some text and drag it onto the current tab or new tab to create a search.
Example warning:
NoScript detected a potential Cross-Site Scripting attack
from https://trac.torproject.org to https://duckduckgo.com.
Suspicious data:
(POST)

https://gitlab.torproject.org/legacy/trac/-/issues/30319
Drop FTE related bits in Tor Browser
2020-06-16T01:02:55Z
Georg Koppen

FTE is unmaintained and hardly used by Tor Browser users. Moreover, it is not available on all platforms/architectures due to a bunch of reasons (see #24195 for 64bit Windows and #18495 for macOS). Windows is going away entirely as well shortly with the transition to Debian Stretch (see: #29319 and #29307 for the rationale). We should drop the remaining bits in Tor Browser while we are moving to Tor Browser 9 and close #28521 as well.
I had some hope for getting Marionette included into Tor Browser 9 which is why I wrote a patch for getting it tested in our nightly builds (see: #29623). However, it's not clear yet whether that happens or whether that would be a smart idea given its state, alas.

https://gitlab.torproject.org/legacy/trac/-/issues/30448
gtk2/libmozgtk.so is not stripped
2020-06-16T01:03:35Z
boklm

In `projects/firefox/build` we use this loop to strip and generate debuginfo for the firefox *.so files we include in the bundle:
```
for LIB in Browser/*.so Browser/firefox.real Browser/plugin-container Browser/updater
```
I think we should add `gtk2/*.so` to this loop.
In the same place we also remove the RUNPATH in case selfrando is used.

https://gitlab.torproject.org/legacy/trac/-/issues/28044
Integrate Tor Launcher into tor-browser
2020-06-13T17:44:15Z
Georg Koppen

We need to move away from our XPCOM extensions, Tor Launcher being one of them. As for Tor Browser it might be hard/impossible, if we tried to reimplement everything Tor Launcher does with the WebExtensions API. Instead we plan to integrate it tighter into the browser itself making use of its capabilities.
This ticket is the parent ticket for this plan.
We need probably a proposal making sure we have the plan right before going to implement it.
Kathleen Brade

https://gitlab.torproject.org/legacy/trac/-/issues/29627
Moat: add support for obfsproxy's meek_lite
2022-06-17T17:52:52Z
Mark Smith

We should improve the Moat client support in Tor Launcher so it will work with obfsproxy's meek_lite implementation (as well as with dcf's meek implementation). The main reason it does not currently work is because the code inside Tor Launcher that interacts with the PT program relies on command line parameters instead of SOCKS args to pass info to the PT.
For more background, see ticket:29430#comment:5 and other related comments within #29430.
Kathleen Brade

https://gitlab.torproject.org/legacy/trac/-/issues/30491
Move our macOS builds to Debian Stretch
2020-06-16T01:03:47Z
Georg Koppen

In #29307 we switched the host of our Windows builds from Debian Jessie to Stretch. We should do the same for macOS builds. We should have this done for Tor Browser 9, I think.

https://gitlab.torproject.org/legacy/trac/-/issues/30560
Onboarding toolbar graphic doesn't match actual toolbar after upgrade
2020-06-16T01:04:06Z
Matthew Finkel

One of my installations just updated to 8.5, but the Onboarding screen doesn't match the actual toolbar.

https://gitlab.torproject.org/legacy/trac/-/issues/30571
Point to https://tb-manual.torproject.org/security-settings/ for slider details
2020-06-16T01:04:10Z
Georg Koppen

We are currently pointing to https://tb-manual.torproject.org/security-settings.html for more details about the security slider.
However, that should have been https://tb-manual.torproject.org/security-settings/.

https://gitlab.torproject.org/legacy/trac/-/issues/30480
rbm should check that a signed tag object contains the expected tag name
2020-06-13T17:39:32Z
boklm

When we use the `tag_gpg_id` option, rbm will check that a tag is gpg signed. However it does not check that the tag object contains the expected tag name, and git does not check that either. As discussed in #30479, this can allow rollback attacks.
boklm

https://gitlab.torproject.org/legacy/trac/-/issues/29319
Remove FTE support in Windows bundles
2020-06-16T01:02:55Z
Georg Koppen

We have FTE support in our 32bit bundles but lack it for 64bit Windows ones (#24195). Given that FTE support is going away soon and that we want to fix #29307 for our mingw-w64/clang toolchain we rip out FTE from 32bit bundles as well.

https://gitlab.torproject.org/legacy/trac/-/issues/30404
Remove Orbot Project
2020-06-16T01:03:17Z
Shane Isbell

Orbot project is no longer needed.
The UI has moved to firefox project, while the service has moved to tor-android-service.

https://gitlab.torproject.org/legacy/trac/-/issues/30377
Remove Selfrando from our build system
2020-06-16T01:03:06Z
Georg Koppen

We don't plan to move forward with Selfrando deployment as it is not much more work for a browser attacker to bypass it, it's not available on all platforms, and it has some issues (like delayed load in e10s mode, see: #26579). Additionally, it's work to fix build breakage (in `elfutils`) to make what we build with compatible with newer GCCs. And I expect another round of Firefox compilation issues when switching to ESR 68.
All in all I think the gains for our alphas are not worth the effort.

https://gitlab.torproject.org/legacy/trac/-/issues/30457
Retire six default bridges that are now offline
2020-06-16T01:03:36Z
Philipp Winter (phw@torproject.org)

We currently have six default bridges that are no longer operated. See [our list](https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/DefaultBridges) for details:
* Two obfs3 bridges, originally run by Paul Pearce
* Three FTE bridges, originally run by Kevin Dyer
* One obfs4 bridge, originally run by Henry de Valence
There's also an obfs4 bridge operated by Tom van der Woerdt, which will disappear at the end of August, but we can take care of that in a separate ticket.
In a minute, I'll push a patch that will remove these six bridges.

https://gitlab.torproject.org/legacy/trac/-/issues/30069
Security slider and about:tor strings are untranslated in Tor Browser for Android
2020-06-16T01:02:16Z
Georg Koppen

Even though we ship a multi-locale .apk the security slider and `about:tor` strings are always en-US only even though other extensions and the browser interface are properly translated.

https://gitlab.torproject.org/legacy/trac/-/issues/30451
snowflake-client has executable stack
2020-06-13T18:20:02Z
boklm

Running this command shows that the `snowflake-client` binary has an executable stack:
```
$ readelf -W -l TorBrowser/Tor/PluggableTransports/snowflake-client | grep GNU_STACK
GNU_STACK 0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
```
(RWE should be RW when the stack is not executable)
Cecylia Bocovich