From: Jessica Frazelle
Newsgroups: gmane.network.tor.devel,gmane.linux.lib.musl.general
Subject: Re: [Proposal] A simple way to make Tor-Browser-Bundle more portable and secure
Date: Sat, 29 Oct 2016 06:54:57 -0700

There must already be a version of Tor working with musl since there are
Alpine Linux packages for Tor. I'm sure they dynamically link but it seems
like patching that would be the way to go.

https://pkgs.alpinelinux.org/package/edge/community/x86_64/tor

On Oct 29, 2016 06:51, "Daniel Simon" wrote:
> Anyone got further into this?
> It would be a joint-project between musl and tor organizations.
> Maybe for GSoC 2017 if nobody works on it until then?
>
>
> On Mon, May 9, 2016 at 11:15 AM, Daniel Simon wrote:
> > Hello.
> >
> > How it's currently done - The Tor Browser Bundle is dynamically linked
> > against glibc.
> >
> > Security problem - The Tor Browser Bundle has the risk of information
> > about the host system's library ecosystem leaking out onto the
> > network.
> >
> > Portability problem - The Tor Browser Bundle can't be run on systems
> > that don't use glibc, making it unusable due to different syscalls.
> >
> > Solution proposed - Static link the Tor Browser Bundle with musl
> > libc.[1] It is a simple and fast libc implementation that was
> > especially crafted for static linking. This would solve both security
> > and portability issues.
> >
> > What is Tor developers' opinion about this? I personally don't see any
> > drawbacks and would be interested in discussing this further.
> >
> > Sincerely,
> > Daniel
> >
> > [1] https://www.musl-libc.org/
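
An added example, not part of the original messages or of Tor's or musl's code: whether a given executable is statically linked, or dynamically linked against glibc or musl, can be read from its ELF `PT_INTERP` program header, which names the dynamic loader the kernel is asked to start. The sample images are constructed inline, and classifying a loader by the file-name prefixes `ld-musl-` and `ld-linux` is an assumption based on the usual musl and glibc loader names.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 file header, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # ELF64 program header
PT_LOAD, PT_INTERP = 1, 3

def interpreter(elf: bytes):
    """Return the PT_INTERP path of an ELF64 LE executable, or None."""
    if len(elf) < EHDR.size or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(elf)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(elf):
            raise ValueError("truncated program header table")
        p_type, _, p_off, _, _, p_filesz, _, _ = PHDR.unpack_from(elf, off)
        if p_type == PT_INTERP:
            if p_off + p_filesz > len(elf):
                raise ValueError("PT_INTERP points outside the file")
            return elf[p_off:p_off + p_filesz].split(b"\0")[0].decode()
    return None  # no loader requested: static or static-PIE executable

def classify(elf: bytes) -> str:
    """Assumption: loaders are identified by their usual file names."""
    path = interpreter(elf)
    if path is None:
        return "static"
    name = path.rsplit("/", 1)[-1]
    if name.startswith("ld-musl-"):
        return "dynamic, musl loader"
    if name.startswith("ld-linux"):
        return "dynamic, glibc loader"
    return "dynamic, other loader"

def sample_elf(interp=None) -> bytes:
    """Constructed test image: ELF header, program headers, loader path."""
    phnum = 2 if interp else 1
    data_off = EHDR.size + phnum * PHDR.size
    blob = interp.encode() + b"\0" if interp else b""
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9
    image = EHDR.pack(ident, 2, 62, 1, 0, EHDR.size, 0, 0,
                      EHDR.size, PHDR.size, phnum, 0, 0, 0)
    image += PHDR.pack(PT_LOAD, 5, 0, 0, 0, data_off, data_off, 0x1000)
    if interp:
        image += PHDR.pack(PT_INTERP, 4, data_off, 0, 0, len(blob), len(blob), 1)
    return image + blob
```

To inspect a real binary, pass its bytes to `classify()`; shared objects normally carry no `PT_INTERP` either, so the "static" result is meaningful only for executables.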