Hans-Christoph Steiner:
Georg Koppen:
Hans-Christoph Steiner:
Hey all,
I'm currently working on tor for Android as part of a Guardian Project project. One key goal is making a shareable, reproducible build process for the tor daemon for Android. Then this would be published to MavenCentral as an Android AAR package to be used in all the apps that include tor (Tor Browser, Orbot, Briar, Thali, etc). I have cleaned up the existing build process a lot, so now I'm down to troubleshooting reproducible issues.
First off, can anyone see any objections to switching Tor Browser, Orbot, Briar, etc. to use GPG-signed reproducible binaries via MavenCentral for the tor daemon?
We want to include building tor and all its dependencies in tor-browser-build/rbm to have the latest tor for Android in our nightly builds and respective alpha and stable versions in our alpha and stable browsers. We have a ticket for that for a while now in our bug tracker but did not get to it so far.[1] The plan is to pick that work up in November after Tor Browser 9 is out.
As to whether other projects would be interested in that, dunno. But I guess some at least would?
Georg
[1] The parent ticket for that work is: https://trac.torproject.org/projects/tor/ticket/28704.
If building tor+libevent+openssl+libz+liblzma for Android was done reproducibly and shipped via MavenCentral, would you consider using it? Seems like we'd want this tor binary to be synced to the Tor Browser version requirements anyway, since that's the "standard configuration".
What about our nightly build requirement? Oh, and to complicate that: we build tor nightlies with Rust enabled to be able to test Rust code. And would do so for Android, too. And to further complicate matters: we plan to switch to NSS to test that part of tor in a Tor Browser context as well. (It's been long on the agenda but I finally want to get to that after Tor Browser 9 is out.)
And then there have been times where we actually needed to ship tor patches ourselves because they were not merged/released yet (although, luckily that's been a while ago). There might be need for such an option in the future, too.
So, all in all I am skeptical that Tor Browser fits into your plans.
Georg