
Re: Debian security / porting support and embedded codebases



Neil Williams:
> On Tue, 26 Feb 2013 11:53:31 +0000
> adrelanos <adrelanos@riseup.net> wrote:
> 
>> Neil Williams:
>>> On Mon, 25 Feb 2013 21:09:19 +0000
>>> adrelanos <adrelanos@riseup.net> wrote:
>>>
>>>> 1) Tor Browser
>>>>
>>>> It can't make its way into Debian due to "no code duplication policy".
>>>
>>> i.e. security support and porting ability.
>>>
>>> Every time a codebase gets duplicated amongst a variety of packages,
>>> there are inevitable problems:
>>>
>>> 0: bugs in one version take forever to get fixed in all versions
>>>
>>> 1: security fixes in the embedded code need to be applied across many
>>> packages instead of one. As security support this may need to be done
>>> quickly and is therefore best done in a single package not dozens.
>>>
>>> 2: porting packages embedding that code becomes more difficult
>>> because, again, changes need to be pushed through all copies, each of
>>> which have their own build systems / patch systems / compatibility
>>> issues. You cannot generally just copy the one patch into each package,
>>> each one has to fit into the rest of the packaging and be tested.
>>>
>>> Embedding code within packages *makes more work for everyone*. It is a
>>> *bad* thing to do.
> 
>> My point is, in this case, what you propose is only more secure in
>> theory, but not for the users who are actually using Tor Browser on Debian.
> 
> Not Debian's problem. There are other browsers.

No browsers for anonymous browsing. And no, pointing any random browser
to a system Tor isn't anonymous.

>> In conclusion, from an outsider perspective, Debian users who are using
>> Tor Browser are in reality currently less secure, because they have to
>> download it from the torproject.org website manually and could be more
>> secure, if they could download and update it through the Debian mechanism.
> 
> Correct. That involves removing the embedded code. No ifs, no buts, no
> exclusions. Do it properly and work willingly with the security team
> and the porters or just don't bother.

I recognize we have different priorities. I am just giving feedback and
stating my opinion about things.

>> As for porting, they currently have Linux 686, Linux x86_64, Win 32, osx
>> i386 and osx x86_64 builds.
> 
> So no armel, armhf, arm64, mips, mipsel, sparc, powerpc let alone the
> BSD and Hurd ports.

I never understood what most of these platforms are important for.
Especially the Hurd one.

I often saw requests like "can you make your Windows app work with
Linux please?" or "can you make your Linux app work with Windows
please?" or for x64, Android, Windows Mobile or iPhone builds. Never for
most of these other platforms.

Tails developers:
How frequent are requests for armel, armhf, arm64, mips, mipsel, sparc,
powerpc, Hurd ports?

> Fix the codebase

Not sure if it's possible at all. Code review at Mozilla takes ages,
they are not interested in general, and what in the meantime?

> make it fully portable or there
> is no point considering inclusion in Debian.

The point is: people are interested in anonymous browsers - there are
none in Debian.

