Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Tor in bundles #487

Open
special opened this issue Dec 2, 2016 · 12 comments
Open

Update Tor in bundles #487

special opened this issue Dec 2, 2016 · 12 comments
Labels
packaging
Milestone
Ready

Comments

@special
Copy link
Member

special commented Dec 2, 2016
edited by rburchell
Loading

This bug is about upgrading the bundled Tor to something more recent. Originally, this was about 0.2.8.10, but some other releases have come out subsequently, so I'm hijacking this to serve as a catch-all "we need to update Tor" bug.

Tor 0.2.8.10 is out, with some bugfixes that are relevant to ricochet:

 o Major bugfixes (client reliability, backport from 0.2.9.5-alpha):
   - When Tor leaves standby because of a new application request, open
     circuits as needed to serve that request. Previously, we would
     potentially wait a very long time. Fixes part of bug 19969; bugfix
     on 0.2.8.1-alpha.

 o Major bugfixes (client performance, backport from 0.2.9.5-alpha):
   - Clients now respond to new application stream requests immediately
     when they arrive, rather than waiting up to one second before
     starting to handle them. Fixes part of bug 19969; bugfix
     on 0.2.8.1-alpha.

 o Minor bugfixes (portability, backport from 0.2.9.6-rc):
   - Work around a bug in the OSX 10.12 SDK that would prevent us from
     successfully targeting earlier versions of OSX. Resolves
     ticket 20235.

This probably isn't worth a release on its own, but we should make a release relatively soon to include these fixes.
@special special changed the title Update Tor to 0.2.8.10 in bundles Update Tor to 0.2.8.12 in bundles Dec 19, 2016
@special
Copy link
Member Author

special commented Dec 19, 2016

Now up to 0.2.8.12. It should be possible to remove the macOS build patch (carefully, making sure to test pre-sierra).

0.2.8.12 fixes a medium-severity hidden services issue, but it will not crash Ricochet's builds, is not exploitable, and doesn't demand any particular urgency.

@ghost
Copy link

ghost commented Dec 20, 2016

Why not let user to choose other tor(or tor.exe)? Also, please consider moving tor to "tor" folder.

ricochet/tor/ <-- removable folder. If removed, Ricochet will ask user to specify tor's location.

Tor not found. Please choose tor.exe and click OK.
[ C:/Secured/Tor/Tor.exe ][ ... ]

@ghost
Copy link

ghost commented Dec 20, 2016

^
With this option above,

  1. You don't have to bundle with Tor anymore(and if you do, no need to worry about imidiate tor repack).
  2. User can use latest Tor with Ricochet; e.g., Use TBB's tor with Ricochet.

@rburchell
Copy link
Contributor

Not really on-topic for the issue, but:

Why not let user to choose other tor(or tor.exe)? Also, please consider moving tor to "tor" folder.

This is already possible, see https://github.com/ricochet-im/ricochet/blob/master/src/tor/TorManager.cpp#L274.

@ghost
Copy link

ghost commented Dec 21, 2016

@rburchell
In source-code level, yes. But where I can specify tor path(e.g., TBB(other folder)'s tor binary) in Ricochet GUI? Nothing at this moment, right?

@migueldemoura
Copy link

migueldemoura commented Jan 7, 2017
edited
Loading

You don't have to bundle with Tor anymore(and if you do, no need to worry about imidiate tor repack).

As much as I agree with you and welcome that option, you should notice that having tor bundled with ricochet is more user-friendly and ensures that the user only has to care about having the latest ricochet release. As one of ricochet's goals is being "easy for non-technical users" (see README.md), this could be approached in one of two ways:

  • Bundle tor with ricochet but allow a setting to override the tor exec;
  • Provide two download options for ricochet: one with tor, one without.

If you use ricochet from a distro's repos this is already mitigated by having tor as a dependency.
You can use ln in the meantime to achieve what you want.
This conversation should be moved into a separate issue.

@special special modified the milestone: Ready Jan 16, 2017
@ghost
Copy link

ghost commented Jan 28, 2017

Being "easy for non-technical users" is a good thing, of course.
However, adding a new option does not hurt anyone, right?

I suggest

Bundle tor with ricochet but allow a setting to override the tor exec;
this.

I'm using TBB, and I use my own tor instance(didn't use TBB's tor).
It'll be easy for me if you just allow people to use their own tor software for connection.

You can use ln in the meantime to achieve what you want.
Not everyone use Linux in daily computing you know...

@ghost
Copy link

ghost commented Jan 28, 2017

On windows, firewall configuration sample:

Current:
X:/Tor/tor.exe: allow
R:/Ricochet/tor.exe: allow

Expected:
X:/Tor/tor.exe: allow (share one software)

@Rspigler Rspigler mentioned this issue Apr 25, 2017
Closed
@rburchell rburchell changed the title Update Tor to 0.2.8.12 in bundles Update Tor in bundles May 4, 2017
@Rspigler
Copy link

Rspigler commented Jun 2, 2017

I am bumping my bounty on this from $50 (#538) to $100.

Please view (spesmilo/electrum#2405 (comment)) for another bounty that I am currently paying off.

@kradan kradan mentioned this issue Jul 16, 2018
Open
@Bairnsfather
Copy link

I am glad tor comes bundled inside the Ricochet app.

  • It consumes minimal resources.
  • It comes signed on macOS.
  • Makes Ricochet.app self-contained & easy to install.
  • And possibly one more option I’m about to ask about, updating it manually seems fairly easy.

From the perspective of the developers of Ricochet (tor, etc…) what are the problems, or are there major problems, with merely copying tor out of the Tor Browser package? Is tor for Ricochet compiled in any special way that makes it potentially harmful to do the following? Or perhaps there are APIs which Ricochet uses against 0.2 tor that are gone or changed intentionally or unintentionally by the tor 0.3 branch? (For the sake of allowing less technical to follow along too…)

First I quit both Ricochet and Tor Browser.
• Open the /Applications folder.
• Context (right) click on the Ricochet app and choose Show Package Contents. Click a few times to get to the path below or copy it, press cmd-shift-G (or Finder > Go > Go to Folder…), paste it in, and hit return.
/Applications/Ricochet.app/Contents/MacOS/
In there are the Ricochet & tor binaries.
• Trash tor.

Leaving that window open, make a new Finder window to /Applications and (requires https://www.TorProject.org/download/download-easy.html.en installed) right click Tor Browser > Show Pack Contents, etc… until you're here:
/Applications/Tor Browser.app/Contents/MacOS/Tor/
Adjust this new window so you can see the window from the previous operation.

Moving latest tor from Tor Browser to Ricochet ________
• Select everything inside the Tor folder, hold down the option key, and drag them into the /Applications/Ricochet.app/Contents/MacOS/ folder. (Or copy any other way you'd like.)
• Rename 'tor.real' to 'tor' and you're done.
• Close both windows.
(As of Tor Browser 8.0.6 this means you copied libevent-2.1.6.dylib, a folder called PluggableTransports, and tor.real which you just renamed.)

Of course I encourage people to use the Tor Browser, but in terms of updating Ricochet, you're done with Tor Browser and Ricochet can now be launched as you normally do.

Checking it Works ________
I double checked the new tor is (apparently) working by (menubar) Ricochet > Preferences > Tor (tab) and I was glad to see everything reporting normally. Running: Yes. Control connected: Yes. Circuits established: Yes. Hidden service: Online. Version: 0.3.5.7

Ricochet 1.1.4 ships with tor 0.2.8.9, so it was kind of a big update of tor.

Minor Problems ________
The only problem I encountered in my very limited testing, were pending invitations broke. So I had to delete them and make them again.

I could write up better directions with screen shots for novices, and build in support for others who have take misc. stabs at the same, for example https://user-images.githubusercontent.com/42108382/48978307-8e252500-f0a1-11e8-8726-c526e4197578.png

Version 0.2.9.17 (see https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTorReleases) is the latest 0.2 branch with LTS, Long Term Support. Should I have updated my tor core to that one instead of the 0.3 branch I copied from Tor Browswer?

In case anyone is wondering, after performing this surgery, LittleSnitch (https://obdev.at/) on macOS 10.11 did't put up any alerts, neither did the OS.

On macOS 10.12, LittleSnitch put up a detailed dialog stating the previous rule had been for a binary signed by a different entity, then asked me what to do. Updating the rule worked fine.

On macOS 10.14 LittleSnitch also put up a dialog, a bit more strenuous of a warning, but also a more user friendly description.

@Rspigler
Copy link

Rspigler commented Mar 1, 2019

Work is ongoing here:
https://git.openprivacy.ca/openprivacy/libricochet-go

I think a version without Tor bundled could be beneficial for the developers to keep maintenance easier, but also for Qubes users to be able to run the IM in a VM with sys-whonix as the NetVM without a Tor over Tor situation.

@chairoom852
Copy link

chairoom852 commented Mar 2, 2019 via email

@Mikaela Mikaela mentioned this issue Mar 11, 2019
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
packaging
Projects
None yet
Milestone
Ready
Development

No branches or pull requests
6 participants
@special @rburchell @Bairnsfather @migueldemoura @Rspigler @chairoom852