On Tue, Feb 21, 2012 at 05:57:06PM +0100, Jérémy Bobbio wrote:
> Thanks for the bug report. I am fully aware of this issue. Please see
> upstream ticket [1] and also the minutes of the meeting we had during
> last DebConf [2] which discussed how to proceed as well.
>
> What currently needs to be done is to see how a patched version of
> Iceweasel can be integrated in Debian. Mike Homey agreed to add an
> iceweasel-src package to iceweasel binary, but what should go in this
> package is yet to be determined. One other issue is how to eventually
> have two sets of similar shared libraries co-installable. Help welcome,
> there is a lot of work to be done.

Hi Jérémy,

I just wanted to step in and give my point of view, which I think is quite similar to that of the Tor project.

We're not just talking about a few patches which add some functionality. There's been a lot of work involved in security audit of Firefox codebase, and there's ongoing research that will likely result in new changes in the UI models (for example, see the browser tab references in https://gitweb.torproject.org/torspec.git/blob/HEAD:/proposals/171-separate-streams.txt).

Some of the security problems have NOT been resolved in a way that can be integrated in Firefox. The requirements of both projects are incompatible! For example, Tor Browser disables or restricts actual functionality (e.g. HTML5 canvas) which most Firefox users expect to be present.

In addition, future development of Firefox will introduce changes which can't go into Tor Browser until they've been audited for anonymity. Remember that both projects have different goals, and anonymity is not an absolute must in Firefox development.

Is it feasible for the Iceweasel maintainer in Debian to put a release on hold because it hasn't been completely audited for leakages? This is one of the things that would need to be resolved.

I recommend that you give an in-depth read to the Tor Browser design document, it's been an eye-opener for me:

https://www.torproject.org/projects/torbrowser/design/

I think the only solution at this point (and at least for years to come) to provide anonymous browsing in Debian is to use secure browsers. This could be Tor Browser or maybe others (xxxterm looks promising).

In the meantime, I believe that providing torbutton does more harm than good, because it provides the *illusion* of security rather than security itself. Please, I urge you to reconsider.

--
Robert Millan