These are all based on firefox versions with known vulnerabilities
exploited in the wild.
We seriously shouldn't ship this in nixpkgs, especially not for
sensitive applications such as the Tor Browser.
`tor-browser-bundle` is just a wrapper around
`firefoxPackages.tor-browser`, so let's remove it too.
`tor-browser-bundle-bin` is the much safer bet, which is individually
downloaded from `dist.torproject.org` and just `patchelf`-ed locally to
work on NixOS.
Co-Authored-By: Alyssa Ross <hi@alyssa.is>
Co-Authored-By: Andreas Rammhold <andreas@rammhold.de>
Co-Authored-By: Graham Christensen <graham@grahamc.com>
The Tor Browser Bundle is free software under various licenses:
> Can I distribute Tor?
>
> Yes.
>
> The Tor software is free software. This means we give you the rights
> to redistribute the Tor software, either modified or unmodified,
> either for a fee or gratis. You don't have to ask us for specific
> permission.
>
> However, if you want to redistribute the Tor software you must follow
> our LICENSE. Essentially this means that you need to include our
> LICENSE file along with whatever part of the Tor software you're
> distributing.
>
> Most people who ask us this question don't want to distribute just the
> Tor software, though. They want to distribute the Tor Browser. This
> includes Firefox Extended Support Release, and the NoScript and
> HTTPS-Everywhere extensions. You will need to follow the license for
> those programs as well. Both of those Firefox extensions are
> distributed under the GNU General Public License, while Firefox ESR is
> released under the Mozilla Public License. The simplest way to obey
> their licenses is to include the source code for these programs
> everywhere you include the bundles themselves.
(https://www.torproject.org/docs/faq.html.en#DistributingTor)
tor-browser-bundle-bin is already marked as licenses.free, so it doesn't
really make sense that this one is marked as unfree.
The original browser bundle expects to run from a bundled directory,
typically under the user's home. This version creates a firefox distribution
with preloaded extensions and settings that functions more like an
ordinary firefox installation.
The approach used here could be generalized to allow specification of
custom firefox distributions. Eventually, the code will be factored so
that the tbb is just an instance of that more general construct (firefox
base + extensions + prefs).
Currently, we use the latest upstream versions of extensions and so on.
Eventually we want to track the upstream bundle more closely and ideally
use the exact same inputs (firefox source, extension sources).
To avoid mixing up profile data, all runtime state is stored under
$XDG_DATA_HOME/tor-browser.
Major TODO items
- Pluggable transports
- Upstream TBB version parity
- Avoid fetchgit
- Build NoScript from source (no upstream source repo, however; must rely
  on third parties)
- Improved notation for packaging extensions
- Feature parity with the binary bundle (apulse and runtime purity, in
particular)