This patch restructures the expression and wrapper to minimize Nix store
references captured by the user's state directory.
The previous version would write lots of references to the Nix store into
the user's state directory, resulting in synchronization issues between
the Store and the local state directory. At best, this would cause TBB to
stop working when the version used to instantiate the local state was
garbage collected; at worst, a user would continue to use the old version
even after an upgrade.
To solve the issue, hard-code as much as possible at the Store side and
minimize the amount of stuff being copied into the local state dir.
Currently, only a few files generated at firefox startup and fontconfig
cache files end up capturing store paths; these files are simply removed
upon every startup. Otherwise, no capture should occur and the user
should always be using the TBB associated with the tor-browser wrapper
script.
To check for stale Store paths, do
`grep -Ero '/nix/store/[^/]+' ~/.local/share/tor-browser`
This command should *never* return any other store path than the one
associated with the current tor-browser wrapper script, even after an
update (assuming you've run tor-browser at least once after updating).
Deviations from this general rule are considered bugs from now on.
Note that no attempt has been made to support pluggable transports; they
are still broken with this patch (to be fixed in a follow-up patch).
User visible changes:
- Wrapper retains only environment variables required for TBB to work
- pulseaudioSupport can be toggled independently of mediaSupport (the
latter weakly implies the former).
- Store local state under $TBB_HOME. Defaults to $XDG_DATA_HOME/tor-browser
- Stop obnoxious first-run stuff (NoScript redirect, in particular)
- Set desktop item GenericName to Web Browser
Some minor enhancements:
- Disable Hydra builds
- Specify system -> source mapping to make it easier to
extend supported platforms.
Saves about 5.2 MiB.
To use geoip, add something like
```
GeoIPFile ${tor.geoip}/share/tor/geoip
GeoIPv6File ${tor.geoip}/share/tor/geoip6
```
to torrc
The 0.2.9 series is now a long-term support release, which will
receive backported security fixes until at least 2020.
tor should now build against libressl, as in
```nix
tor.override { openssl = libressl; }
```
Also re-enable the test-suite; works fine on my end.
Fixes https://github.com/NixOS/nixpkgs/issues/20840
Some notes for future reference:
- Firefox only supports legacy gstreamer (0.10)
- gmp and ffmpeg are appearantly used by gst-ffmpeg so must be in the
library search path
- Setting GST_DEBUG="*:3" or so was useful in figuring out what to add
- Remove redundant preConfigure
torsocks installs into $libdir/torsocks, so setting libdir=$out/lib
doesn't really help. To put the shared objects into $out/lib we'd have
to manually move them into $out and patch various files (the script
itself expects $libdir/torsocks).
- Use nativeBuildInputs
Per upstream, this contains primarily stability & performance fixes.
Notably, the relase fixes a bug that would sometimes make clients
unusable after leaving standby mode, as well as plugging a memory leak.
Also:
- Turn patchPhase into postPatch
- Add systemd and libcap on linux (and also pkgconfig for detection);
we should be able to change the service unit to Type=notify
- Disable checks for now, the test-suite is failing in sandbox due to
lack of network
This patch fixes an issue introduced by b897f825942b63ab790cad9ed66c8a79cbb3fc2d
where the bundled tor fails to run.
The error message claims that it cannot communicate with tor, but what actually
happens is that tor never runs at all, because it is invoked with a non-existent
rc file. Specifying an absolute path to the torrc-defaults file fixes the
problem. For good measure, we specify an absolute path to the tor executable
itself as well; we want as little autodetection logic as possible.
Note that users of torbrowser *must* remove the existing `~/.torbrowser4` folder
for this to take effect, otherwise torbrowser will continue to use extension
data from the previous release (this is why some existing users were able to
successfully use the new torbrowser version, see
https://github.com/NixOS/nixpkgs/pull/15854).
- Fix install of man page
- Remove redundant for loop
- Access python interpreter via pythonPackages
- Remove redundant build inputs (captured via replacement anyway)
- Fix install location of sample rc file. For whatever reason, the
install script ends up thinking it needs to use tor-arm, so override
it
- Clarify meta.description
This brings the wrapper closer to the upstream wrapper.
Briefly,
- exec to prevent the shell from hanging around
- do not connect to session manager
- set WM_CLASS to "Tor Browser"
- use fonts.conf from the torbrowser bundle
The most complex problems were from dealing with switches reverted in
the meantime (gcc5, gmp6, ncurses6).
It's likely that darwin is (still) broken nontrivially.
This seems to have been confusing people, using both xlibs and xorg, etc.
- Avoided renaming local (and different) xlibs binding in gcc*.
- Fixed cases where both xorg and xlibs were used.
Hopefully everything still works as before.
