[tor-dev] [Proposal] A simple way to make Tor-Browser-Bundle more portable and secure
Jessica Frazelle
me at jessfraz.com
Sat Oct 29 13:54:57 UTC 2016
There must already be a version of Tor working with musl since there are
Alpine Linux packages for Tor. I'm sure they dynamically link but it's
seems like patching that would be the way to go.
https://pkgs.alpinelinux.org/package/edge/community/x86_64/tor
On Oct 29, 2016 06:51, "Daniel Simon" <ddanielsimonn at gmail.com> wrote:
> Anyone got further into this?
> It would be a joint-project between musl and tor organizations.
> Maybe for GSoC 2017 if nobody works on it until then?
>
>
> On Mon, May 9, 2016 at 11:15 AM, Daniel Simon <ddanielsimonn at gmail.com>
> wrote:
> > Hello.
> >
> > How it's currently done - The Tor Browser Bundle is dynamically linked
> > against glibc.
> >
> > Security problem - The Tor Browser Bundle has the risk of information
> > about the host system's library ecosystem leaking out onto the
> > network.
> >
> > Portability problem - The Tor Browser Bundle can't be run on systems
> > that don't use glibc, making it unusable due to different syscalls.
> >
> > Solution proposed - Static link the Tor Browser Bundle with musl
> > libc.[1] It is a simple and fast libc implementation that was
> > especially crafted for static linking. This would solve both security
> > and portability issues.
> >
> > What is Tor developers' opinion about this? I personally don't see any
> > drawbacks and would be interested in discussing this further.
> >
> > Sincerely,
> > Daniel
> >
> > [1] https://www.musl-libc.org/
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20161029/e65991d2/attachment.html>
More information about the tor-dev
mailing list