[tbb-bugs] #33939 [Applications/Tor Browser]: Decide which components of Fenix to rip out, disable, or use
Tor Bug Tracker & Wiki
blackhole at torproject.org
Fri Jun 12 06:18:46 UTC 2020
#33939: Decide which components of Fenix to rip out, disable, or use
----------------------------------------------+----------------------------
Reporter: gk | Owner: tbb-team
Type: task | Status: new
Priority: High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-mobile, TorBrowserTeam202006 | Actual Points:
Parent ID: #33661 | Points:
Reviewer: | Sponsor:
| Sponsor58-must
----------------------------------------------+----------------------------
Comment (by gk):
Replying to [comment:16 sysrqb]:
> Replying to [comment:14 gk]:
> > Replying to [comment:13 sysrqb]:
> > > Replying to [comment:3 sysrqb]:
> > > > The follow list partitions the dependencies into "include",
"exclude", "disable", and "must-audit" sets
> > > >
> > > > "Must Audit" includes dependencies that we could allow depending
on their implementation
> > > >
> > > > "Disable" includes dependencies that we probably do not want and
we should always use "Dummy" implementations
> > > >
> > > > "Disable" and "Exclude" may merge into a single set.
> > > >
> > > > === Include ===
> > > > {{{
> > > > > # GeckoView
> > > > > mozilla_browser_engine_gecko_nightly -> org.mozilla.components
:browser-engine-gecko-nightly
> > > > > mozilla_browser_engine_gecko_beta -> org.mozilla.components
:browser-engine-gecko-beta
> > >
> > > #34177
> >
> > One thing I've been thinking about the requirement for having multiple
engines included at the same time when building is how to make sure we
avoid that when actually building releases/alphas. I am not sure yet how
to do that in the best way. I started playing with ripping things our in
`android-components` so that we e.g. don't require some `gecko_nightly`
code anymore. But it feels a bit awkward so far.
> >
> > The reason for doing that is tha I don't want to land in a situation
that due to a bug not-proxy-safe and not audited nightly code is suddenly
used in our builds. That's not a problem with geckoview per se as there is
a branch per series (`mozilla-central` -> `gecko_nightly`, `mozilla-beta`
-> `gecko_beta` etc.) but that's not the case anymore for those
dependencies in `android-components` and `fenix`.
>
> Do you suggest we only keep `beta` and `production`? Should we simply
carry a patch that deletes/comments-out the geckoNightly variant, so it
can never be built accidentally?
I am not sure yet which approach we should take. I've not looked close
enough to decide which of several potential approaches would be best.
However, what I like to see is either geckoFoo not being around when
building geckoBar OR using geckoFoo when building geckoBar failing hard OR
removing the dependencies that rope in geckoFoo when building geckoBar
OR... So, yeah, it should not be possible to use geckoFoo accidentally (be
it due to a bug or some other issues) when building geckoBar (using "Foo"
and "Bar" here because that holds for any of the Nightly, Beta, and
Production variant).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list