GitLab

Torbutton as pure Firefox extension is now deprecated. The project now advocates to use TorBrowserBundle instead.

For users of Debian (and its derivative, Tails being one of them), it would probably be good to offer a more streamlined experience and ship TorBrowser as a Debian package.

In order to preserve the anonymity set, this browser should work as close as possible to the one shipped in the TorBrowserBundle.

The Debian policy states that a package should not contain any embedded code copy. So simply shipping the result of TorBrowserBundle build is not an option.

Mike Hommey (maintainer of Iceweasel) and Moritz Muehlenhoff (from the security team) are both ok to create a iceweasel-src package that would contain the source files needed to build a patched Firefox. A Debian package could apply specific Tor patches on top of that to build something close to core TorBrowser.

The rest of the features are provided through Firefox extensions. TBB is currently shipped HTTPS-Everywhere, NoScript and Torbutton. All of these extensions are already in Debian.

Having TorBrowser installed system-wide do open a new class of problems, though:

• Profiles should probably be saved in a different directory in user $HOME than Iceweasel or official Firefox.
• The ideal way to deal with system-wide extensions would probably be that: a new profile would start with all system extensions disabled except for the one shipped in TBB. By going through the Add-ons panel, user could re-enable more of them (even those that could lead to anonymity breaches).

Once a tor-browser binary package is in Debian, we can also have it depend on Vidalia and have a TorBrowser icon start the later, like TBB does.

I hope I have not overlooked anything on the various issues involved…