From patchwork Wed Jul 15 21:15:47 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: =?utf-8?q?Andr=C3=A9_Batista?= X-Patchwork-Id: 23238 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id 0190B27BBE3; Wed, 15 Jul 2020 22:17:19 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,T_DKIM_INVALID, URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTP id 8D11E27BBE1 for ; Wed, 15 Jul 2020 22:17:17 +0100 (BST) Received: from localhost ([::1]:48570 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1jvomD-0005cS-3n for patchwork@mira.cbaines.net; Wed, 15 Jul 2020 17:17:17 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56646) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvoly-0005c1-Qc for guix-patches@gnu.org; Wed, 15 Jul 2020 17:17:02 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:42220) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1jvoly-0007gN-H4 for guix-patches@gnu.org; Wed, 15 Jul 2020 17:17:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1jvoly-0004NG-AI for guix-patches@gnu.org; Wed, 15 Jul 2020 17:17:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#42380] [WIP] gnu: Add torbrowser-unbundle. Resent-From: =?utf-8?b?QW5kcsOp?= Batista Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 15 Jul 2020 21:17:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 42380 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: To: 42380@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.159484779216773 (code B ref -1); Wed, 15 Jul 2020 21:17:02 +0000 Received: (at submit) by debbugs.gnu.org; 15 Jul 2020 21:16:32 +0000 Received: from localhost ([127.0.0.1]:53766 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jvolI-0004MI-Ta for submit@debbugs.gnu.org; Wed, 15 Jul 2020 17:16:31 -0400 Received: from lists.gnu.org ([209.51.188.17]:35540) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1jvolE-0004M8-8X for submit@debbugs.gnu.org; Wed, 15 Jul 2020 17:16:20 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:56368) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvolE-0005N5-2q for guix-patches@gnu.org; Wed, 15 Jul 2020 17:16:16 -0400 Received: from mx1.riseup.net ([198.252.153.129]:44422) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jvol7-0007K9-Sy for guix-patches@gnu.org; Wed, 15 Jul 2020 17:16:15 -0400 Received: from capuchin.riseup.net (capuchin-pn.riseup.net [10.0.1.176]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "*.riseup.net", Issuer "Sectigo RSA Domain Validation Secure Server CA" (not verified)) by mx1.riseup.net (Postfix) with ESMTPS id 4B6VYM1ztKzFdxM for ; Wed, 15 Jul 2020 14:16:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1594847767; bh=SVlWcFrq/mhJe4ruNJLi/VsrCx9CxMLmIyB5MaQth2U=; h=Date:From:To:Subject:From; b=Xc0ks9PPkX03eqt8X8m7jkV+fWNlvtIWugTpgQOP82aAkL/Xq86ygNFjK3sevY0ev 3koO+hBZxEj+GO7ctDVl8xcfJNZJUg0sbs03LvbhSYCjbGx6bxKGunoQZbXKqN6CBp YbzILPve5XNA+U5THSfPZX1pk3XSV7gvwstmhDC0= X-Riseup-User-ID: 8CB70C45CD92722A3A815FDFEAC3B41DFF70BFD506D1B2428183B4D40B040602 Received: from [127.0.0.1] (localhost [127.0.0.1]) by capuchin.riseup.net (Postfix) with ESMTPSA id 4B6VYJ3R9Gz8sjr for ; Wed, 15 Jul 2020 14:16:03 -0700 (PDT) Date: Wed, 15 Jul 2020 18:15:47 -0300 From: =?utf-8?b?QW5kcsOp?= Batista Message-ID: <20200715211547.GA17146@andel> MIME-Version: 1.0 Content-Disposition: inline Received-SPF: pass client-ip=198.252.153.129; envelope-from=nandre@riseup.net; helo=mx1.riseup.net X-detected-operating-system: by eggs.gnu.org: First seen = 2020/07/15 17:16:07 X-ACL-Warn: Detected OS = Linux 3.11 and newer X-Spam_score_int: -27 X-Spam_score: -2.8 X-Spam_bar: -- X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches Hello Guix! The patch bellow adds a torbrowser-unbundle variable, but it needs a bit of working before merging into master. I've inserted many comments on the code regarding issues which need attention and questions that remained. I've decided to send this early notice so I can ask some questions and get criticism before I go too deep on the wrong direction. As the name implies it does not bundle tor and to use it, you need to have a properly configured system instance. You also need to configure a ControlPort and a HashedControlPassword if you want to be able to get new identities while browsing and if you don't want to keep seeing a warning on startup page. It will create/change permissions on ${HOME}/Data and use the native Downloads dir. It does not have bundled fonts, so you will be fingerprintable on levels bellow safest. It does not have support for obfs4 bridges yet. There is no startup script for now, you are advised to invoke it with '--class "Tor Browser"'. Now for the questions: - Should it keep unbundled? If so, should we try to unbundle the https-everywhere and noscript extensions? - Is it acceptable to use to use the noscript .xpi, instead of building? Upstream just grabs it from addons.mozilla. There does not appear to be blobs and the GPL full text is inside it. - Should we try change the app name at build time or is it enough to adapt the name of the startup script (which is not the for now, but is certainly needed)? - Any other things that I've been blind to? If you don't have time to review the code, but has processing power available, build it with rounds=2 or try to cross compile for i686 and comment back. Thanks, From 2a9d31c9422de3d7486da6c2ef3e15c3496c7e69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Batista?= Date: Wed, 15 Jul 2020 17:24:04 -0300 Subject: [PATCH] gnu: Add torbrowser-unbundle. To: guix-patches@gnu.org * gnu/packages/tor.scm (torbrowser-unbundle): New variable. --- gnu/packages/tor.scm | 634 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 633 insertions(+), 1 deletion(-) diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm index c852c54a5b..528a528403 100644 --- a/gnu/packages/tor.scm +++ b/gnu/packages/tor.scm @@ -49,7 +49,49 @@ #:use-module (gnu packages qt) #:use-module (gnu packages autotools) #:use-module (gnu packages tls) - #:use-module (gnu packages w3m)) + #:use-module (gnu packages w3m) + ;; New flags start here. Verify if they are all needed. + #:use-module ((srfi srfi-1) #:hide (zip)) + #:use-module (ice-9 match) + #:use-module ((guix licenses) #:prefix license:) + #:use-module (guix gexp) + #:use-module (guix store) + #:use-module (guix monads) + #:use-module (guix build-system cargo) + #:use-module (guix build-system trivial) + #:use-module (gnu packages admin) + #:use-module (gnu packages audio) + #:use-module (gnu packages autotools) + #:use-module (gnu packages bash) + #:use-module (gnu packages databases) + #:use-module (gnu packages glib) + #:use-module (gnu packages gtk) + #:use-module (gnu packages gnome) + #:use-module (gnu packages libcanberra) + #:use-module (gnu packages cups) + #:use-module (gnu packages kerberos) + #:use-module (gnu packages perl) + #:use-module (gnu packages compression) + #:use-module (gnu packages fontutils) + #:use-module (gnu packages libreoffice) ;for hunspell + #:use-module (gnu packages image) + #:use-module (gnu packages libffi) + #:use-module (gnu packages pulseaudio) + #:use-module (gnu packages node) + #:use-module (gnu packages xorg) + #:use-module (gnu packages gl) + #:use-module (gnu packages assembly) + #:use-module (gnu packages rust) + #:use-module (gnu packages rust-apps) + #:use-module (gnu packages llvm) + #:use-module (gnu packages nss) + #:use-module (gnu packages icu4c) + #:use-module (gnu packages video) + #:use-module (gnu packages xiph) + #:use-module (gnu packages xdisorg) + #:use-module (gnu packages readline) + #:use-module (gnu packages vim) ; for xxd + #:use-module (gnu packages sqlite)) (define-public tor (package @@ -324,3 +366,593 @@ statistics and status reports on: Potential client and exit connections are scrubbed of sensitive information.") (license license:gpl3+))) + +;; Imported from gnuzilla.scm, make it public there? +(define* (computed-origin-method gexp-promise hash-algo hash + #:optional (name "source") + #:key (system (%current-system)) + (guile (default-guile))) + "Return a derivation that executes the G-expression that results +from forcing GEXP-PROMISE." + (mlet %store-monad ((guile (package->derivation guile system))) + (gexp->derivation (or name "computed-origin") + (force gexp-promise) + #:graft? #f ;nothing to graft + #:system system + #:guile-for-build guile))) + +(define %torbrowser-version "68.10.0esr-9.5-1") +(define %torbrowser-build-id "20200709000000") ;must be of the form YYYYMMDDhhmmss + +;; (Un)fortunatly TorBrowser has it's own reproducible build system - RBM - which +;; automates the build process for them and compiles TorBrowser from a range of +;; repositories and produces a range of tarballs for different architectures and +;; locales. So we need to nit-pick what is needed for guix and produce our own +;; tarball. See https://gitweb.torproject.org/builders/tor-browser-build.git/projects/\ +;; {tor-browser,firefox}/{build,config} for the rationale applied here. When built from its +;; unpatched repo, the 'mozconfig' is different and it errors out on missing +;; torbutton source code. If we patch 'toolkit/moz.build', it compiles successfuly +;; but the browser does not run and even if it ran, it would be missing most of +;; its funcionality. See also the Hacking on TorBrowser document for a high level +;; introduction (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking). +;; +;; WARNING: For now it still lacks the bundled fonts, obfs4 bridge and locales. +;; If used on level below safest, the browser accessible fonts are fingerprintable. +;; On safest, it doesn't seem to be distinguishable from upstream bundle according +;; to https://panopticlick.eff.org. To access some features, users need to +;; configure the ControlPort and HashedControlPassword in system torrc and set +;; TOR_CONTROL_PASSWD accordingly before launching the Browser (ControlPort defaults to +;; 9051). Without this, the browser will work (try https://check.torproject.org) but +;; user is presented with a startup page that tells something is wrong. +(define torbrowser-source + (let* ((torbrowser-commit "75c2bb720d4ceb76231e8ecc3455754bf05ba19b") + (torbrowser-version %torbrowser-version) + (upstream-torbrowser-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/tor-browser.git") + (commit torbrowser-commit))) + (file-name (git-file-name "tor-browser" torbrowser-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "19sk46k2bqa72il46pdl534nk2g3fi6l7m7kbglddccxv19ck0k4")))) + + ;; Not used yet, mainly useful for references and for a patched start-tor-browser + ;; script in the near future. + (torbrowser-build-commit "e94ba3a7677f7051a14b2304427ec8393a450fdc") + (torbrowser-build-version "9.5") + (upstream-torbrowser-build-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/builders/tor-browser-build.git") + (commit torbrowser-build-commit))) + (file-name (git-file-name "tor-browser-build" torbrowser-build-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "1jgkrsckcjgr1lgcwahzdrcasmpghs2ppz6w80fya89pa5d6r0gv")))) + + (torbutton-commit "ebe2bedab44e38f18c7968bd327d99eef7660f34") + (torbutton-version "9.5") + (upstream-torbutton-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/torbutton.git") + (commit torbutton-commit))) + (file-name (git-file-name "torbutton" torbutton-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "03xdyszab1a8j98xv6440v4lq58jkfqgmhxc2a62qz8q085d2x83")))) + + (tor-launcher-commit "b4838d339a84c5ebebd91a0ba6b22d44ecda97b1") + (tor-launcher-version "0.2.21") + (upstream-tor-launcher-source + (origin + (method git-fetch) + (uri (git-reference + (url "https://git.torproject.org/tor-launcher.git") + (commit tor-launcher-commit))) + (file-name (git-file-name "tor-launcher" tor-launcher-version)) + ;; Substitute for hash syntax. + (sha256 + (base32 + "0xxwyw1j6dkm2a24kg1564k701p5ikfzs1f9n0gflvlzz9427haf")))) + + ;; TorBrowser uses its own git repo but it appears to be unpatched from upstream + ;; and it does no provide a tarball, so let's try upstream for now. + (https-everywhere-version "2020.5.20") + (upstream-https-everywhere-source + (origin + (method url-fetch) + (uri (string-append "https://github.com/EFForg/https-everywhere/archive/" + https-everywhere-version ".tar.gz")) + ;; Substitute for hash syntax. + (sha256 + (base32 + "027lga3z0a4d7s95id861das7g0k29p7pqh9xd77jm87f7w4l763")))) + + ;; TorBrowser 9.5.1 actualy uses v11.0.32, but let's get latest release. + ;; TorProject uses the .xpi instead of compiling the source code. + (noscript-xpi-version "11.0.34") + (upstream-noscript-xpi + (origin + (method url-fetch) + (uri (string-append "https://secure.informaction.com/download/releases/noscript-" + noscript-xpi-version ".xpi")) + (sha256 + (base32 + "0y45925ms2bk9d42zbgwcdb2sif8kqlbaflkz15q08gi7vgki6km")))) + + ;; Not used for now. It uses curl to update TLDs at build time which will make + ;; the build unreproducible. Also it uses LWM::Simple module which is not available + ;; on guix. Moreover, it complains about perl not having regexp capabilities. Patch + ;; build script, translate it to guile or just use the .xpi as upstream does? + (noscript-version "11.0.34") + (upstream-noscript-source + (origin + (method url-fetch) + (uri (string-append "https://github.com/hackademix/noscript/archive/" + noscript-version ".tar.gz")) + ;; Substitute for hash syntax. + (sha256 + (base32 + "1amhdwc62cnp1i7vx4zyqd7iyj52rcr5ks9a39viczpqgfgk7hfy"))))) + + ;; Now we bundle the grabbed sources. + (origin + (method computed-origin-method) + (file-name (string-append "torbrowser-" %torbrowser-version ".tar.xz")) + (sha256 #f) + (uri + (delay + (with-imported-modules '((guix build utils)) + #~(begin + (use-modules (guix build utils)) + (let ((torbrowser-dir (string-append "torbrowser-" #$torbrowser-version)) + (torbutton-dir "toolkit/torproject/torbutton") + (tor-launcher-dir "browser/extensions/tor-launcher") + (tbb-scripts-dir "tbb-scripts") + (https-everywhere "https-everywhere.tar.gz") + (noscript "noscript.tar.gz") + (noscript-xpi "noscript.xpi")) + + (set-path-environment-variable + "PATH" '("bin") + (list #+(canonical-package bash) + #+(canonical-package xz) + #+(canonical-package tar))) + + (format #t "Copying torbrowser source to writable path ...~%") + (force-output) + (copy-recursively #+upstream-torbrowser-source + torbrowser-dir + #:log (%make-void-port "w")) + + (with-directory-excursion torbrowser-dir + (format #t "Setting torbutton to writable...~%") + (force-output) + (make-file-writable torbutton-dir) + + (format #t "Copying torbutton source to torbrowser...~%") + (force-output) + (copy-recursively #+upstream-torbutton-source + torbutton-dir + #:log (%make-void-port "w")) + + (format #t "Copying tor-launcher source to torbrowser...~%") + (force-output) + (copy-recursively #+upstream-tor-launcher-source + tor-launcher-dir + #:log (%make-void-port "w")) + + (format #t "Copying tor-browser-build source to torbrowser...~%") + (force-output) + (mkdir tbb-scripts-dir) + (copy-recursively #+upstream-torbrowser-build-source + tbb-scripts-dir + #:log (%make-void-port "w")) + + (format #t "Copying https-everywhere source to torbrowser...~%") + (force-output) + (copy-file #+upstream-https-everywhere-source + https-everywhere) + + (format #t "Copying noscript source to torbrowser...~%") + (force-output) + (copy-file #+upstream-noscript-source + noscript) + + (format #t "Copying noscript xpi to torbrowser...~%") + (force-output) + (copy-file #+upstream-noscript-xpi + "noscript.xpi")) + + (invoke "tar" "cvfa" #$output + ;; Avoid non-determinism in the archive. For now just copy icecat timestamp. + "--mtime=@315619200" ; 1980-01-02 UTC + "--owner=root:0" + "--group=root:0" + "--sort=name" + torbrowser-dir) + #t)))))))) + +(define-public torbrowser-unbundle + (package + (name "torbrowser-unbundle") + (version %torbrowser-version) + (source torbrowser-source) + (build-system gnu-build-system) + (inputs + `(("alsa-lib" ,alsa-lib) + ("bzip2" ,bzip2) + ("cups" ,cups) + ("dbus-glib" ,dbus-glib) + ("gdk-pixbuf" ,gdk-pixbuf) + ("glib" ,glib) + ("gtk+" ,gtk+) + ("gtk+-2" ,gtk+-2) + ("graphite2" ,graphite2) + ("pango" ,pango) + ("freetype" ,freetype) + ("harfbuzz" ,harfbuzz) + ("libcanberra" ,libcanberra) + ("libgnome" ,libgnome) + ("libjpeg-turbo" ,libjpeg-turbo) + ("libogg" ,libogg) + ;; ("libtheora" ,libtheora) ; wants theora-1.2, not yet released + ("libvorbis" ,libvorbis) + ("libxft" ,libxft) + ("libevent" ,libevent) + ("libxinerama" ,libxinerama) + ("libxscrnsaver" ,libxscrnsaver) + ("libxcomposite" ,libxcomposite) + ("libxt" ,libxt) + ("libffi" ,libffi) + ("ffmpeg" ,ffmpeg) + ("libvpx" ,libvpx) + ("icu4c" ,icu4c) + ("pixman" ,pixman) + ("pulseaudio" ,pulseaudio) + ("mesa" ,mesa) + ("mit-krb5" ,mit-krb5) + ;; See + ;; and related comments in the 'remove-bundled-libraries' phase. + ;; UNBUNDLE-ME! ("nspr" ,nspr) + ;; UNBUNDLE-ME! ("nss" ,nss) + ("shared-mime-info" ,shared-mime-info) + ("sqlite" ,sqlite) + ("startup-notification" ,startup-notification) + ("unzip" ,unzip) + ("zip" ,zip) + ("zlib" ,zlib))) + (native-inputs + `(("patch" ,(canonical-package patch)) + ("rust" ,rust) + ("cargo" ,rust "cargo") + ("rust-cbindgen" ,rust-cbindgen) + ("llvm" ,llvm) + ("clang" ,clang) + ("perl" ,perl) + ("node" ,node) + ("openssl" ,openssl) ; Required for building https-everywhere + ("tar" ,tar) ; for untaring extensions + ("util-linux" ,util-linux) ; for getopt on https-everywhere build + ("xxd" ,xxd) ; for https-everywhere build + ("python" ,python) + ("python2" ,python-2.7) + ("python2-pysqlite" ,python2-pysqlite) + ("yasm" ,yasm) + ("nasm" ,nasm) ; XXX FIXME: only needed on x86_64 and i686 + ("pkg-config" ,pkg-config) + ("autoconf" ,autoconf-2.13) + ("which" ,which))) + (arguments + `(#:tests? #f ; Some tests are autodone by mach on build fase. + + ;; XXX: There are RUNPATH issues such as + ;; $prefix/lib/icecat-31.6.0/plugin-container NEEDing libmozalloc.so, + ;; which is not in its RUNPATH, but they appear to be harmless in + ;; practice somehow. See . + ;; + ;; Is this needed? + #:validate-runpath? #f + + #:imported-modules ,%cargo-utils-modules ;for `generate-all-checksums' + + ;; Verify which modules are actually needed. + #:modules ((ice-9 ftw) + (ice-9 rdelim) + (ice-9 regex) + (ice-9 match) + (srfi srfi-34) + (srfi srfi-35) + (rnrs bytevectors) + (rnrs io ports) + (guix elf) + (guix build gremlin) + (guix build utils) + (sxml simple) + ,@%gnu-build-system-modules) + + #:phases + (modify-phases %standard-phases + (add-after 'unpack 'unpack-extensions + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let ((https-everywhere-archive "https-everywhere.tar.gz") + (https-everywhere-srcdir "https-everywhere-src") + (noscript-archive "noscript.tar.gz") + (noscript-srcdir "noscript-src") + (bash (which "bash"))) + + (setenv "SHELL" bash) + + (mkdir https-everywhere-srcdir) + (mkdir noscript-srcdir) + (invoke "tar" "xf" https-everywhere-archive "--strip-components=1" + "-C" https-everywhere-srcdir) + (invoke "tar" "xf" noscript-archive "--strip-components=1" + "-C" noscript-srcdir)))) + + ;; Not used yet. For start-tor-browser patch and possibly others. + (add-after 'unpack-extensions 'apply-guix-specific-patches + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let ((patch (string-append (assoc-ref (or native-inputs inputs) + "patch") + "/bin/patch"))) + (for-each (match-lambda + ((label . file) + (when (and (string-prefix? "torbrowser-" label) + (string-suffix? ".patch" label)) + (format #t "applying '~a'...~%" file) + (invoke patch "--force" "--no-backup-if-mismatch" + "-p1" "--input" file)))) + (or native-inputs inputs))) + #t)) + + ;; On mach build system this is done on configure. + (delete 'bootstrap) + + (add-after 'patch-source-shebangs 'patch-cargo-checksums + (lambda _ + (use-modules (guix build cargo-utils)) + (let ((null-hash "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")) + (substitute* '("Cargo.lock" "gfx/wr/Cargo.lock") + (("(\"checksum .* = )\".*\"" all name) + (string-append name "\"" null-hash "\""))) + (generate-all-checksums "third_party/rust")) + #t)) + + (add-after 'build 'neutralize-store-references + (lambda _ + ;; Mangle the store references to compilers & other build tools in + ;; about:buildconfig, reducing TorBrowser's closure significant. + ;; The resulting files are saved in lib/firefox/omni.ja + (substitute* "objdir/dist/bin/chrome/toolkit/content/global/buildconfig.html" + (((format #f "(~a/)([0-9a-df-np-sv-z]{32})" + (regexp-quote (%store-directory))) _ store hash) + (string-append store + (string-take hash 8) + "" + (string-drop hash 8)))) + #t)) + + (replace 'configure + (lambda* (#:key inputs outputs configure-flags #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (bash (which "bash")) + ;; Is this needed? + (flags `(,(string-append "--prefix=" out) + ,@configure-flags))) + + (setenv "SHELL" bash) + (setenv "AUTOCONF" (string-append + (assoc-ref %build-inputs "autoconf") + "/bin/autoconf")) + (setenv "CONFIG_SHELL" bash) + (setenv "PYTHON" (string-append + (assoc-ref inputs "python2") + "/bin/python")) + (setenv "MOZ_BUILD_DATE" ,%torbrowser-build-id) ; avoid timestamp. + (setenv "LDFLAGS" (string-append + "-Wl,-rpath=" + (assoc-ref outputs "out") + "/lib/firefox")) + + ;; Maybe remove --disable-strip since tor-builder strips on another step + ;; See tor-browser-build.git/projects/firefox/build:231. + ;; Add flag for changing app name to torbrowser or use this name for the start script? + (substitute* ".mozconfig" + ;; Arch independent builddir. + (("(mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/obj).*" _ m) + (string-append m "dir\n")) + (("ac_add_options --disable-tor-launcher") "") + ;; We won't be building incrementals. + (("ac_add_options --enable-signmar") "") + (("ac_add_options --enable-verify-mar") "") + (("ac_add_options --with-tor-browser-version=dev-build") + (string-append "ac_add_options --with-tor-browser-version=org.gnu\n" + "ac_add_options --with-unsigned-addon-scopes=app\n" + "ac_add_options --enable-pulseaudio\n" + "ac_add_options --disable-debug-symbols\n" + "ac_add_options --disable-updater\n" + "ac_add_options --disable-gconf\n" + ;; Other syslibs that can be unbundled? (nss, nspr) + "ac_add_options --enable-system-pixman\n" + "ac_add_options --enable-system-ffi\n" + "ac_add_options --with-system-bz2\n" + "ac_add_options --with-system-icu\n" + "ac_add_options --with-system-jpeg\n" + "ac_add_options --with-system-libevent\n" + "ac_add_options --with-system-zlib\n" + ;; Without these clang is not found. + "ac_add_options --with-clang-path=" + (assoc-ref %build-inputs "clang") "/bin/clang\n" + "ac_add_options --with-libclang-path=" + (assoc-ref %build-inputs "clang") "/lib\n"))) + + ;; See tor-browser-build.git/projects/tor-browser/RelativeLink/start-tor-browser:307 on running + ;; with system tor instance. + (substitute* "browser/app/profile/000-tor-browser.js" + (("(pref\\(\"network.proxy.socks_port\").*" _ m) + (string-append m ", 9050);\n")) + (("(pref\\(\"extensions.torbutton.loglevel\").*" _ m) + (string-append m ",2);\n")) + (("(pref\\(\"extensions.torbutton.logmethod\").*" _ m) + (string-append m ",0);\n")) + (("(pref\\(\"extensions.torbutton.inserted_button\").*" _ m) + (string-append m ",true);\n")) + (("(pref\\(\"extensions.torbutton.launch_warning\").*" _ m) + (string-append m ",false);\n")) + ;; TorBrowser updates are disabled on mozconfig, but let's make sure. + (("(pref\\(\"extensions.torbutton.versioncheck_enabled\").*" _ m) + (string-append m ",false);\n"))) + + (substitute* "browser/extensions/tor-launcher/src/defaults/preferences/torlauncher-prefs.js" + (("(pref\\(\"extensions.torlauncher.start_tor\").*" _ m) + (string-append m ", false);\n")) + (("(pref\\(\"extensions.torlauncher.prompt_at_startup\").*" _ m) + (string-append m ", false);\n")) + ;; Investigate this one: "extensions.torlauncher.only_configure_tor" + ;; on 'tl-util.jsm', would it be a nice addition? + (("(pref\\(\"extensions.torlauncher.should_remove_meek_helper_profiles\").*" _ m) + (string-append m ", false);\n")) + (("(pref\\(\"extensions.torlauncher.loglevel\").*" _ m) + (string-append m ", 2);\n")) + (("(pref\\(\"extensions.torlauncher.logmethod\").*" _ m) + (string-append m ", 0);\n")) + (("(pref\\(\"extensions.torlauncher.control_port\").*" _ m) + (string-append m ", 9051);\n"))) + + ;; For user data outside the guix store. Dirty hack. Maybe worth a patch upstream to create a + ;; configure flag for guix. It will create/modify permissions on 'Data' dir on $HOME. It also + ;; means that TorBrowser will share the Downloads dir on home and not keep its own. + ;; Work on start-tor-browser script to set a TorBrowser own home. + (substitute* "xpcom/io/TorFileUtils.cpp" + (("ANDROID") "GNUGUIX")) + (substitute* "old-configure.in" + (("(AC_SUBST\\(TOR_BROWSER_DISABLE_TOR_LAUNCHER\\))" _ m) + (string-append m "\n AC_DEFINE(GNUGUIX)\n"))) + + ;; TODO: change prefs to block autoupdate app and extensions. + + (newline) + (format #t "Invoking mach configure ...~%") + (force-output) + (invoke "./mach" "configure")))) + + ;; Building noscript from source is failing for now. So its sources remain unused. + (add-after 'configure 'build-extensions + (lambda* (#:key inputs native-inputs #:allow-other-keys) + (let* ((bash (which "bash"))) + + (setenv "SHELL" bash) + + ;; Python3.6 is hardcoded on these scripts. Using v3.8 appears to be harmless. + (with-directory-excursion "https-everywhere-src" + (substitute* '("install-dev-dependencies.sh" + "make.sh" + "hooks/precommit" + "test/firefox.sh" + "test/manual.sh" + "test/script.py" + "test/validations.sh" + "utils/create_zip.py" + "utils/merge-rulesets.py" + "utils/setversion.py" + "utils/zipfile_deterministic.py") + (("python3.6") "python3")) + + ;; Failing to generate the xpi, but copy-dir appears to be enough. + ;; Failing on missing 'wasm'? + (invoke "./make.sh"))))) + + (replace 'build + (lambda _ (invoke "./mach" "build"))) + + ;; TorBrowser just do a stage-package here and copy files to its places. + (replace 'install + (lambda* (#:key inputs outputs configure-flags #:allow-other-keys) + (let* ((out (assoc-ref outputs "out")) + (builddir "objdir/dist/firefox") + (libdir (string-append out "/lib/firefox")) + (bindir (string-append out "/bin")) + (noscript-id "{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi") + (extdir (string-append libdir "/browser/extensions"))) + + ;; (display "string\n") should be enough here, chage this. + (format #t "Staging package ...~%") + (force-output) + (invoke "./mach" "build" "stage-package") + (format #t "Deleting spurious files ...~%") + (force-output) + ;; TorBrowser doesn't use those. See: tor-browser-build.git/projects/firefox/build:167 + (for-each delete-file `(,(string-append builddir "/firefox-bin") + ,(string-append builddir "/libfreeblpriv3.chk") + ,(string-append builddir "/libnssdbm3.chk") + ,(string-append builddir "/libsoftokn3.chk"))) + + (format #t "Creating install dirs ...~%") + (force-output) + (mkdir-p libdir) + (mkdir bindir) + + (format #t "Copying files to install dirs ...~%") + (force-output) + (copy-recursively builddir (string-append libdir "/") + #:log (%make-void-port "w")) + + (format #t "Linking binary ...~%") + (force-output) + (symlink (string-append libdir "/firefox") + (string-append bindir "/firefox")) + + (format #t "Copying extensions to default path ...~%") + (force-output) + (mkdir-p extdir) + (format #t "Copying noscript ...~%") + (force-output) + (copy-file "noscript.xpi" (string-append extdir "/" noscript-id)) + (format #t "Copying https-everywhere ...~%") + (force-output) + (if (file-exists? "https-everywhere-src/pkg/https-everywhere-2020.5.20~pre-eff.xpi") + (copy-file "https-everywhere-src/pkg/https-everywhere-2020.5.20~pre-eff.xpi" + (string-append extdir "/https-everywhere-eff@eff.org.xpi")) + (copy-recursively "https-everywhere-src/pkg/xpi-eff" + (string-append extdir "/https-everywhere-eff@eff.org"))) + #:log (%make-void-port "w"))))))) + + ;; Thunderbird doesn't provide any .desktop file, but TorBrowser does, however it's staged not installed, let's see. + ;; + ;; Is this needed? Try to play webmedia! + ;;(add-after 'install 'wrap-program + ;; (lambda* (#:key inputs outputs #:allow-other-keys) + ;; (let* ((out (assoc-ref outputs "out")) + ;; (lib (string-append out "/lib")) + ;; (gtk (assoc-ref inputs "gtk+")) + ;; (gtk-share (string-append gtk "/share")) + ;; (pulseaudio (assoc-ref inputs "pulseaudio")) + ;; (pulseaudio-lib (string-append pulseaudio "/lib"))) + ;; (wrap-program (car (find-files lib "^firefox$")) + ;; `("XDG_DATA_DIRS" prefix (,gtk-share)) + ;; `("LD_LIBRARY_PATH" prefix (,pulseaudio-lib))) + ;; #t)))))) + (home-page "https://www.torproject.org") + (synopsis "Anonymous browser derived from Mozilla Firefox") + (description + "TorBrowser is the Tor Project version of the Firefox browser. It is +the only recommended way to anonymously browse the web that is supported by +the project. It modifies firefox in order to avoid many know application level +attacks on the privacy of Tor users. + +WARNING: This is not the official TorBrowser and is currently on testing. +If you have issues using it, do not bother Tor Developers, as it is not the +official bundle provided by the Tor Project. Use at your own risk and please +report back on guix channels. This version does not bundle @code{tor}, you need +to configure it as a system service and set ControlPort and HashedControlPassword +to access some features.") + (license license:mpl2.0))) ;and others, see toolkit/content/license.html