LogoSailfishOS Open Build Service > Request 674
Log In

Cancel

Request 674 (accepted)

Tor is a connection-based low-latency anonymous communication system.

Clients choose a source-routed path through a set of relays, and
negotiate a "virtual circuit" through the network, in which each relay
knows its predecessor and successor, but no others. Traffic flowing
down the circuit is decry [+]Tor is a connection-based low-latency anonymous communication system.

Clients choose a source-routed path through a set of relays, and
negotiate a "virtual circuit" through the network, in which each relay
knows its predecessor and successor, but no others. Traffic flowing
down the circuit is decrypted at each relay, which reveals the
downstream relay.

Basically, Tor provides a distributed network of relays. Users bounce
their TCP streams (web traffic, ftp, ssh, etc) around the relays, and
recipients, observers, and even the relays themselves have difficulty
learning which users connected to which destinations.

This package enables only a Tor client by default, but it can also be
configured as a relay and/or a hidden service easily.

Client applications can use the Tor network by connecting to the local
socks proxy interface provided by your Tor instance. If the application
itself does not come with socks support, you can use a socks client
such as torsocks.

Note that Tor does no protocol cleaning on application traffic. There
is a danger that application protocols and associated programs can be
induced to reveal information about the user. Tor depends on Torbutton
and similar protocol cleaners to solve this problem. For best
protection when web surfing, the Tor Project recommends that you use
the Tor Browser Bundle, a standalone tarball that includes static
builds of Tor, Torbutton, and a modified Firefox that is patched to fix
a variety of privacy bugs. [-]

Submit package home:nielnielsen / tor to package sailfishos:chum:1.0.8.19:testing / tor

The diff call for /source/sailfishos:chum:1.0.8.19:testing/tor?cmd=diff&orev=d41d8cd98f00b204e9800998ecf8427e&rev=c04ff6a809b68b5f16b909ab174e16de&view=xml&withissues=1 failed: project 'sailfishos:chum:1.0.8.19:testing' does not exist

Comments for request 674 (6)

Thomas B. tbr wrote over 9 years ago

Thanks for submitting this! I'm sure many users are interested in having TOR on their Sailfish devices.

As it is really important in this case that everything is right and no mistakes happen, I'll be inviting more people to review this. Also as the package contains non-upstream files AND some files seem to be run as root.

JFTR: Basic checkup is OK: Tarball is identical to upstream and GPG signature is fine.

Thomas B. tbr wrote over 9 years ago

After some further basic review I have strong reservations about the current state of packaging and will be forced to reject this SR. Please resubmit after addressing the following items: - It looks like the packaging tries to establish a general root backdoor on the device (suid root 'runasroot'), not acceptable! - The 'runasroot' binary comes without sources and can not be evaluated, not acceptable. (Irrelevant due to above, but still a general point, don't include random binaries.) - Operating as root on the nemo home directory, why?

Thomas B. tbr wrote over 9 years ago

By accident accepted the request, so proceeded to delete the package. At that time I noticed that it doesn't seem to build properly, maybe a missing devel package dependency.

Niel Nielsen nielnielsen wrote over 9 years ago

You need libevent to finish build

Niel Nielsen nielnielsen wrote over 9 years ago

Unfortunately root is needed to allow tor to access network with enough proviledges. This cant be changed easily. A work-around, is the runasroot binary which basically does nothing but allowing to run tor with enough priviledges. This way, tor itself will not need proviledges, but instead will be allowed by being opened from runasroot. Yes, this is not perfect, but as-is it cant be resolved in any other way. At least to my knowledge. So, basically, tor is run similar to a user issuing 'sudo tor".

Another thing. As I want to enable changing the tor icon to show the state of tor (running=green onion / stopped=red onion) I also need escalated proviledges in order to change the desktop icon.

Lastly, sailfishos as-is doesnt implement (socks)proxy that is working in the network settings. Thus, root is needed in order to change to proxy settings for sailfish-browser.

I understand if this cannot be accepted, and thus I will keep it on my opemrepos, as well as my account here.

Cheers

Oh! And You are right, users do enjoy this package. So, lets hope Jolla finds a way to allow nemo to access necessary files/folders without explicitly needing root.

Niel Nielsen nielnielsen wrote over 9 years ago

source for the runasroot is quite simple:

include

There's nothing to be done right now

Request History

Niel Nielsen nielnielsen created request over 9 years ago 
Tor is a connection-based low-latency anonymous  [+]Tor is a connection-based low-latency anonymous communication system.

Clients choose a source-routed path through a set of relays, and
negotiate a "virtual circuit" through the network, in which each relay
knows its predecessor and successor, but no others. Traffic flowing
down the circuit is decrypted at each relay, which reveals the
downstream relay.

Basically, Tor provides a distributed network of relays. Users bounce
their TCP streams (web traffic, ftp, ssh, etc) around the relays, and
recipients, observers, and even the relays themselves have difficulty
learning which users connected to which destinations.

This package enables only a Tor client by default, but it can also be
configured as a relay and/or a hidden service easily.

Client applications can use the Tor network by connecting to the local
socks proxy interface provided by your Tor instance. If the application
itself does not come with socks support, you can use a socks client
such as torsocks.

Note that Tor does no protocol cleaning on application traffic. There
is a danger that application protocols and associated programs can be
induced to reveal information about the user. Tor depends on Torbutton
and similar protocol cleaners to solve this problem. For best
protection when web surfing, the Tor Project recommends that you use
the Tor Browser Bundle, a standalone tarball that includes static
builds of Tor, Torbutton, and a modified Firefox that is patched to fix
a variety of privacy bugs. [-]
Thomas B. tbr Request got accepted over 9 years ago 
Current state of packaging is a severe security  [+]Current state of packaging is a severe security risk as it presumably opens a possibly uncontrolled root backdoor. Please resubmit after addressing this. [-]