Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: 4a739220a298
Choose a base ref
...
head repository: NixOS/nixpkgs
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: 39f9b468687b
Choose a head ref
  • 2 commits
  • 5 files changed
  • 4 contributors

Commits on Jan 10, 2020

  1. firefoxPackages.tor-browser*, tor-browser-bundle: remove 

    These are all based on firefox versions with known vulnerabilities
exploited in the wild.

We seriously shouldn't ship this in nixpkgs, especially not for
sensitive applications as the Tor Browser.

`tor-browser-bundle` is just a wrapper around
`firefoxPackages.tor-browser`, so let's remove it too.

`tor-browser-bundle-bin` is the much safer bet, which is individually
downloaded from `dist.torproject.org` and just `patchelf`-ed locally to
work on NixOS.

Co-Authored-By: Alyssa Ross <hi@alyssa.is>
Co-Authored-By: Andreas Rammhold <andreas@rammhold.de>
Co-Authored-By: Graham Christensen <graham@grahamc.com>
    @flokli @alyssais
    @andir @grahamc
    4 people committed Jan 10, 2020

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    Learn about vigilant mode
    Copy the full SHA
    1efaa03 View commit details

  2. Merge pull request #77452 from flokli/tor-remove-insecure 

    firefoxPackages.tor-browser*, tor-browser-bundle: remove
    @flokli
    flokli authored Jan 10, 2020

    Unverified

    This commit is not signed, but one or more authors requires that any commit attributed to them is signed.
    Learn about vigilant mode
    Copy the full SHA
    39f9b46 View commit details
92 changes: 3 additions & 89 deletions pkgs/applications/networking/browsers/firefox/packages.nix
View file
Original file line number Diff line number Diff line change
@@ -196,94 +196,8 @@ in {
meta.knownVulnerabilities = [ "Support ended in August 2018." ];
};

}) // (let

tbcommon = args: common (args // {
pname = "tor-browser";
isTorBrowserLike = true;

unpackPhase = ''
# fetchFromGitHub produces ro sources, root dir gets a name that
# is too long for shebangs. fixing
cp -a $src tor-browser
chmod -R +w tor-browser
cd tor-browser
# set times for xpi archives
find . -exec touch -d'2010-01-01 00:00' {} \;
'';

meta = (args.meta or {}) // {
description = "A web browser built from TorBrowser source tree";
longDescription = ''
This is a version of TorBrowser with bundle-related patches
reverted.
I.e. it's a variant of Firefox with less fingerprinting and
some isolation features you can't get with any extensions.
Or, alternatively, a variant of TorBrowser that works like any
other UNIX program and doesn't expect you to run it from a
bundle.
It will use your default Firefox profile if you're not careful
even! Be careful!
It will clash with firefox binary if you install both. But it
should not be a problem because you should run browsers in
separate users/VMs anyway.
Create new profile by starting it as
$ firefox -ProfileManager
and then configure it to use your tor instance.
Or just use `tor-browser-bundle` package that packs this
`tor-browser` back into a sanely-built bundle.
'';
homepage = "https://www.torproject.org/projects/torbrowser.html";
platforms = lib.platforms.unix;
license = with lib.licenses; [ mpl20 bsd3 ];
};
});

in rec {

tor-browser-7-5 = (tbcommon {
ffversion = "52.9.0esr";
tbversion = "7.5.6";

# FIXME: fetchFromGitHub is not ideal, unpacked source is >900Mb
src = fetchFromGitHub {
owner = "SLNOS";
repo = "tor-browser";
# branch "tor-browser-52.9.0esr-7.5-2-slnos"
rev = "95bb92d552876a1f4260edf68fda5faa3eb36ad8";
sha256 = "1ykn3yg4s36g2cpzxbz7s995c33ij8kgyvghx38z4i8siaqxdddy";
};
}).override {
gtk3Support = false;
};

tor-browser-8-5 = tbcommon rec {
ffversion = "60.9.0esr";
tbversion = "8.5.6";

# FIXME: fetchFromGitHub is not ideal, unpacked source is >900Mb
src = fetchFromGitHub {
owner = "SLNOS";
repo = "tor-browser";
# branch "tor-browser-60.9.0esr-8.5-2-slnos"
rev = "0489ae3158cd8c0e16c2e78b94083d8cbf0209dc";
sha256 = "0y5s7d8pg8ak990dp8d801j9823igaibfhv9hsa79nib5yllifzs";
};

patches = [
missing-documentation-patch
];
};

tor-browser = tor-browser-8-5;
tor-browser-7-5 = throw "firefoxPackages.tor-browser-7-5 was removed because it was out of date and inadequately maintained. Please use tor-browser-bundle-bin instead. See #77452.";
tor-browser-8-5 = throw "firefoxPackages.tor-browser-8-5 was removed because it was out of date and inadequately maintained. Please use tor-browser-bundle-bin instead. See #77452.";
tor-browser = throw "firefoxPackages.tor-browser was removed because it was out of date and inadequately maintained. Please use tor-browser-bundle-bin instead. See #77452.";

})
13 changes: 9 additions & 4 deletions pkgs/applications/networking/browsers/tor-browser-bundle-bin/default.nix
View file
Original file line number Diff line number Diff line change
@@ -54,9 +54,6 @@

# Extra preferences
, extraPrefs ? ""

# For meta
, tor-browser-bundle
}:

with stdenv.lib;
@@ -394,7 +391,15 @@ stdenv.mkDerivation rec {

meta = with stdenv.lib; {
description = "Tor Browser Bundle built by torproject.org";
longDescription = tor-browser-bundle.meta.longDescription;
longDescription = ''
Tor Browser Bundle is a bundle of the Tor daemon, Tor Browser (heavily patched version of
Firefox), several essential extensions for Tor Browser, and some tools that glue those
together with a convenient UI.
`tor-browser-bundle-bin` package is the official version built by torproject.org patched with
`patchelf` to work under nix and with bundled scripts adapted to the read-only nature of
the `/nix/store`.
'';
homepage = "https://www.torproject.org/";
platforms = attrNames srcs;
maintainers = with maintainers; [ offline matejc doublec thoughtpolice joachifm hax404 cap ];
Loading