Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump netlayer to use tor binaries from verified tor-browser v9.5.4 #4601

Closed
wants to merge 1 commit into from
Closed

Bump netlayer to use tor binaries from verified tor-browser v9.5.4 #4601

wants to merge 1 commit into from

Conversation

cd2357
Copy link
Contributor

@cd2357 cd2357 commented Oct 6, 2020

Use a netlayer version that includes tor binaries extracted from the latest tor browser v9.5.4.

For simplicity:

  • use netlayer version cdbe476 (based on commit cdbe476 from this branch)
    • the referenced branch = previously used netlayer v0.6.8 + a change to use following tor-binary
  • above netlayer bumps tor-binary dependency to f3bc31f (based on commit f3bc31f from this branch)
    • the referenced branch = previously used tor-binary dependency + change A + change B
      • change A: extract tor binaries from tor-browser v9.5.4 (instead of 9.5.3 used previously)
      • change B: update the extraction and build process to check if the SHA-256 hashes of the tor-browser binaries match the official ones (instead of SHA-512 hashes used previously, which are not published in the official tor repo anymore)
        • this ensures the build only succeeds if the downloaded tor-browser binaries (used to extract the tor binaries) match the official checksums

Note: The tor binaries in tor-browser v9.5.4 are the same version as from v9.5.3 (namely tor v0.4.3.6, as per the tor-browser changelog).

So this PR doesn't bring or change any tor or netlayer functionality. It only ensures that the used tor binaries were extracted from verified tor-browser packages. The tor binaries are delivered as dependencies of netlayer.

Fixes #4593

@cd2357
Bump netlayer to use tor binary from tor browser v9.5.4
02f5225 
Upgrade netlayer to a version that uses tor binaries extracted from the latest tor-browser v9.5.4.

The tor binaries in tor-browser v9.5.4 are the same version as from tor-browser 9.5.3 (namely tor v0.4.3.6). However, they were extracted from tor-browser binaries with matching SHA-256 hashes to the official browser binaries in https://dist.torproject.org/torbrowser/9.5.4/sha256sums-signed-build.txt
chimp1984
chimp1984 approved these changes Oct 6, 2020
View reviewed changes
Copy link
Contributor

@chimp1984 chimp1984 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK

@cd2357 cd2357 mentioned this pull request Oct 6, 2020
Merged
@cd2357
Copy link
Contributor Author

cd2357 commented Oct 7, 2020

Closing this, since the alternative #4604 was merged.

@cd2357 cd2357 closed this Oct 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chimp1984 chimp1984 chimp1984 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Extend build script with ability to verify tor binaries delivered with netlayer
2 participants
@cd2357 @chimp1984