[Pkg-privacy-maintainers] Bug#926042: Bug#926042: torbrowser-launcher should not be included in Buster

Antoine Beaupré anarcat at debian.org
Fri May 3 16:44:00 BST 2019


On 2019-05-03 17:15:59, intrigeri wrote:
> Hi,
>
> (slightly reordering quoted text)
>
> Antoine Beaupre:
>> So what will be the way forward for Debian users in buster?
>
>> TL;DR: TBL in backports or install by hand from TPO, AFAIK.
>
> Agreed.
>
>> What does Tails do with this?
>
> Tails only uses the torbrowser-launcher source package as a way to get
> its AppArmor profiles… that we then patch heavily to make them
> suitable for the weird way we install Tor Browser in Tails images.
>
>> So I see a few long-term solutions to the "how to install TBB in Debian"
>> problem in Buster:
>
>>  1. maintain through backports (seems to have been the option taken for
>>     stretch)
>
> That might be viable if the AppArmor profiles are disabled by default.

Why would we disable apparmor profiles?

>>  2. drop TBL and rewrite it as a one-shot installer, like we had for
>>     Flash, mstt-corefonts and still have (I suspect?) for other packages
>
> I'm curious: how would that installer differ from TBL in practice?
>
> It seems to me that current TBL is essentially a one-shot installer +
> a .desktop file + some AppArmor profiles.

I think TBL checks for updates at every start. Such a one-shot installer
would deploy TBB and get out of the way after.

>>  4. drop TBL and ship TBB directly in Debian
>
>> Option 4, therefore, would require more ambitious packaging work. Maybe
>> we could talk with upstream to see if that would be possible? There are
>> Debian packages for Firefox, after all - how hard could it possibly be
>> to do the same for TBB? ;)
>
> This has been discussed numerous times in the past. I don't recall the
> details but what I remember is: it requires lots of hard work.
> Personally, I don't think it's worth the effort. There's a ticket on
> Tor's Trac about it, that might even have the relevant info.

"There's a ticket on Tor's Trac about it" is one of those statements
that sounds like "I have heard there is a green mouse crawling the
sewers of a small town in rural Kazakhstan with the encryption key to
the Russian nuclear arsenal".

In other words, do you have a ticket number because I have, like many
others, lost all hope of finding anything in Trac that I don't already
know where it is. ;)

>> Anyways, I would be glad to hear what the options are here and if this
>> inventory is complete!
>
> Here's one more option:
>
> 5. Ensure Tor Browser can be installed in GNOME Software
>    as a Flatpak or Snap
>
>    This would cover the initial installation via usual means for
>    non-technical users (GNOME Software). It provides sandboxing at
>    least as good as AppArmor's, without the UX cost.

That would be something I'd be happy to try, but it doesn't seem that
either is available now:

https://snapcraft.io/search?q=tor
https://flathub.org/apps/search/tor

(Observe, while you're there, how there are three possible "tor"
packages listed there, none of which are tor browser, and it's unclear
which one would be officially anything at all.)

Is there a ticket for "package TBB for flatpak or snap" on Trac as well?
;)

Thanks for your reply!

A.

-- 
I would defend the liberty of consenting adult creationists to practice
whatever intellectual perversions they like in the privacy of their own
homes; but it is also necessary to protect the young and innocent.
                        - Arthur C. Clarke


