Hans-Christoph Steiner: > Georg Koppen: >> Hans-Christoph Steiner: >>> >>> Hey all, >>> >>> I'm currently working on tor for Android as part of a Guardian Project >>> project. One key goal is making a shareable, reproducible build process >>> for the tor daemon for Android. Then this would be published to >>> MavenCentral as an Android AAR package to be used in all the apps that >>> include tor (Tor Browser, Orbot, Briar, Thali, etc). I have cleaned up >>> the existing build process a lot, so now I'm down to troubleshooting >>> reproducible issues. >>> >>> First off, can anyone see any objections to switching Tor Browser, >>> Orbot, Briar, etc. to use GPG-signed reproducible binaries via >>> MavenCentral for the tor dameon? >> >> We want to include building tor and all its dependencies in >> tor-browser-build/rbm to have the latest tor for Android in our nightly >> builds and respective alpha and stable versions in our alpha and stable >> browsers. We have a ticket for that for a while now in our bug tracker >> but did not get to it so far.[1] The plan is to pick that work up in >> November after Tor Browser 9 is out. >> >> As to whether other projects would be interested in that, dunno. But I >> guess some at least would? >> >> Georg >> >> [1] The parent ticket for that work is: >> https://trac.torproject.org/projects/tor/ticket/28704. > > If building tor+libevent+openssl+libz+liblzma for Android was done > reproducibly and shipped via MavenCentral, would you consider using it? > Seems like we'd want this tor binary to be synced to the Tor Browser > version requirements anyway, since that's the "standard configuration".
What about our nightly build requirement? Oh, and to complicate that: we build tor nightlies with Rust enabled to be able to test Rust code. And would do so for Android, too. And to further complicate matters: we plan to switch to NSS to test that part of tor in a Tor Browser context as well. (It's been long on the agenda but I finally want to get to that after Tor Browser 9 is out) And then there has been times where we actually needed to ship tor patches ourselves because they were not merged/released yet (although, luckily that's been a while ago). There might be need for such an option in the future, too. So, all in all I am skeptical that Tor Browser fits into your plans. Georg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ tor-dev mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
