Test Vidalia & Tor Browser Bundles with libevent2
Hello or-talk, I've made a few test bundles with libevent2 and I'd like people to test them -- run them for a few days and make sure nothing too wacky happens as a result. These are not officially supported, and until the changes are incorporated with official packages, they will only be updated if I have time. How to report bugs on these packages When in doubt, use our bug tracker: https://trac.torproject.org The libevent bug tracker is here: http://sourceforge.net/tracker/?group_id=50884&atid=461322 For build problems I've requested help with, private email is fine. Windows --- The Vidalia bundle is using libevent 2.0.10-stable, OpenSSL 1.0.0c, and Tor 0.2.2.22-alpha: http://archive.torproject.org/tor-package-archive/technology-preview/vidalia-bundle-0.2.2.22-alpha-0.2.10-libevent2-test.exe http://archive.torproject.org/tor-package-archive/technology-preview/vidalia-bundle-0.2.2.22-alpha-0.2.10-libevent2-test.exe.asc The Tor Browser Bundle is a little more exciting, since it has the same changes as above, which means there's now a Windows Tor Browser Bundle with a Tor alpha in it whereas previously there was only a stable version: http://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-1.4.0-libevent2-dev_en-US.exe http://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-1.4.0-libevent2-dev_en-US.exe.asc Mac OS X Vidalia bundle with libevent 2.0.10-stable, OpenSSL 1.0.0c, and Tor 0.2.2.22-alpha. This *will not* work with 10.4. If anyone knows how to make OpenSSL 1.0.0c work with a 10.4 SDK, please contact me. http://archive.torproject.org/tor-package-archive/technology-preview/vidalia-bundle-0.2.2.22-alpha-0.2.10-libevent2-i386.dmg http://archive.torproject.org/tor-package-archive/technology-preview/vidalia-bundle-0.2.2.22-alpha-0.2.10-libevent2-i386.dmg.asc Tor Browser Bundle for OS X with the same changes as above, as well as the removal of Polipo: http://archive.torproject.org/tor-package-archive/technology-preview/TorBrowser-1.2.0-libevent2-dev-osx-i386-en-US.zip http://archive.torproject.org/tor-package-archive/technology-preview/TorBrowser-1.2.0-libevent2-dev-osx-i386-en-US.zip.asc Linux Tor Browser Bundle x86_64 only! I've updated libevent to libevent-2.0.10-stable, OpenSSL to 1.0.0c, and rebuilt OpenSSL with -Wa,--noexecstack which should prevent SELinux on the latest Fedora(s) from refusing to let it run. I built all of the libraries and binaries against a newer glibc (2.11.2-7) so if you're running an old one, it won't work. (This is not the support policy for official bundles, but Qt won't build against an OpenSSL built with -Wa,--noexecstack on Debian Lenny with glibc 2.7 for reasons I've yet to figure out. Anyone who might have insight into this is encouraged to email me.) http://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-gnu-linux-x86_64-1.2.0-libevent2-dev-en-US.tar.gz http://archive.torproject.org/tor-package-archive/technology-preview/tor-browser-gnu-linux-x86_64-1.2.0-libevent2-dev-en-US.tar.gz.asc Thanks, Erinn pgpWJlQD7szak.pgp Description: PGP signature
Re: Polipo bug reporting
* Andrew Lewman [2011:01:31 08:56 -0500]: > On Mon, 31 Jan 2011 12:20:10 + > "Geoff Down" wrote: > > Thank you Juliusz, I appreciate your efforts. > > Clearly Tor needs to ship with a working Polipo, so if this is a real > > fault would the bundle developers please revert to the version which > > was in the Vidalia 0.2.9 bundle, which is still working. > > The difference is that the PPC bundle with vidalia 0.2.9 was built on a > 10.3.9 ppc mac. However, the 10.3.9 machine died a smelly, melty > death during a build a few months ago. The current bundles are built on > a 10.5 ppc mac with backwards compatibility for 10.3.9 (at least > according to xcode/gcc). > > Clearly Apple's backwards compatibility options don't work. They're built with backwards compatibility for 10.4. 10.3 is not supported at this point, unless someone sends me a patch. pgp7posSna6m0.pgp Description: PGP signature
Re: Polipo bug Re: Tor 0.2.2.21-alpha is out (security patches)
* Geoff Down [2011:01:20 12:56 +]: > The Polipo in > https://www.torproject.org/dist/vidalia-bundles/vidalia-bundle-0.2.2.21-alpha-0.2.10-ppc-1.dmg > is broken: > > dyld: /Applications/Vidalia.app.new/Contents/MacOS/polipo Undefined > symbols: > /Applications/Vidalia.app.new/Contents/MacOS/polipo undefined reference > to ___stderrp expected to be defined in /usr/lib/libSystem.B.dylib > /Applications/Vidalia.app.new/Contents/MacOS/polipo undefined reference > to ___stdoutp expected to be defined in /usr/lib/libSystem.B.dylib > Trace/BPT trap Hi Geoff, Which version of OS X are you using? pgpkt9CBu6wTb.pgp Description: PGP signature
Re: Tor Distros Repository Problems (serious!)
* wirelesssnow...@safe-mail.net [2011:01:17 22:46 -0500]: > *BOTH* files are *EXACTLY* the *SAME*! They are the public key from > the would be signer, but the .asc files are NOT the correctly signed > files from the signer's public key. The .asc files are WORTHLESS and > gpg issues an error if you try and verify the .asc files: > > #gpg: verify signatures failed: Unexpected error > > Why? Because it's not a valid signature at all, it's a duplicate copy of the > public key which is also found in RPM-GPG-KEY-torproject.org ! What happens when you verify it with 'rpm -K file.rpm'? The signatures made for the rpms are made with rpm, not gpg, though it is a gpg key in the backend. Please read this page to understand how rpms are signed: http://www.vitki.net/ru/book/page/how-create-yum-repository And see the commands listed here in the rpm {--addsign} part: http://www.tin.org/bin/man.cgi?section=8&topic=rpmsign pgp1KYsJ7pRSO.pgp Description: PGP signature
Re: Question about torbrowser for mac
* Erinn Clark [2010:10:27 10:16 +]: > I'll see if it will actually work in another location so it'll show up, > because > it should. It just didn't originally. Fixed in master: https://gitweb.torproject.org/torbrowser.git/commitdiff/0bb1302a23d4e41b262d03185a33099fdc2a5964 The fix will be out with the next release, which will probably happen in the next week or two. *** To unsubscribe, send an e-mail to majord...@torproject.org with unsubscribe or-talkin the body. http://archives.seul.org/or/talk/
Re: Question about torbrowser for mac
* Justin Aplin [2010:10:27 01:46 -0400]: > >Thats why i was confirning whether the torbutton was intentionally > >left our of the package and covered by noscript > > I don't see Torbutton installed either (latest browser bundle on OSX > 10.5), but I was under the assumption that the functionality of > Torbutton was built into the custom version of the browser itself, so > having it installed as a separate extension would be unnecessary. > Since the package is designed as a "portable secure browser", there > should be no reason to disable that functionality. What exactly are > you trying to do? This is actually a weird Firefox thing -- depending on where you install the extensions, they either show up in the add-on list or they don't. The Torbutton extension is installed somewhere different from the other extensions, because that was how I got it to work originally. So it's installed, and it works, it's just some accidental ninja obfuscation happening. (Incidentally, it *does* show for me on 10.5, so it took me a while to figure out what was happening.) BTW, does the Torbutton toggle button show in the bottom right of the browser for either of you? I'll see if it will actually work in another location so it'll show up, because it should. It just didn't originally. signature.asc Description: Digital signature
Re: New Bundle Version 1.3.10
* M [2010:10:16 18:48 +]: > Why the switch to noscript? and link on the issue? Hey there, I am working on writing this up -- I sat down with Mike Perry, the Torbutton developer, and we went over what each of the Firefox extensions added. It's not in any kind of proper document yet, but here are my notes about the new extensions so you aren't left hanging for too much longer: HTTPS-Everywhere - pre-emptively converts http URLs into https URLs for many popular sites that support https NoScript - majority of options are disabled - allows users to globally toggle javascript - provide click-to-play placeholders in the event that users want to set torbutton to enable plugins BetterPrivacy - exists only to delete flash cookies in the event that users allow plugins and run certain flash apps. it cleans up any data that flash might write outside of our control. (backup mechanism.) I'll let you know when I have a fuller analysis available. Thanks, Erinn signature.asc Description: Digital signature
Tor Browser Bundle for Mac OS X released
Hi everyone, Tor Browser Bundle for Mac OS X is now available for the i386 architecture in 11 languages. Snow Leopard users: please read about the known bugs at the bottom of this email. The Tor Browser Bundle lets you use Tor without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser and is self-contained. You can download it from the Tor Browser page which also has instructions about how to extract and use it. https://www.torproject.org/torbrowser/ The bundle comes with the following software: * Tor 0.2.2.15-alpha * Vidalia 0.2.10 -- cross-platform controller GUI for the Tor software * Polipo 1.0.4.1 -- caching web proxy * Firefox/Namoroka 3.6.9 -- web browser * Torbutton 1.2.5 -- Firefox extension to enable or disable the browser's use of Tor * NoScript 2.0.2.3 -- Firefox extension to only allow scripts from trusted sites * HTTPS-Everywhere 0.2.2 -- Firefox extension to provide encryption to a major number of websites This is a beta version which has primarily been tested on an i386 Leopard machine. Early testers on Snow Leopard report that Firefox does not launch the first time they launch the Tor Browser Bundle app. The workaround for this is currently to stop Tor with Vidalia and then restart it. They also say that the Torbutton status bar on the bottom of the Firefox window does not show up, but Torbutton functions properly. Please give us feedback and file bugs. (Reposted not-quite-verbatim from: https://blog.torproject.org/blog/tor-browser-bundle-mac-os-x) signature.asc Description: Digital signature
Re: The State of the DNS and Tor Union (also: a DNS UDP - >TCP shim)
* Jacob Appelbaum [2010:07:02 18:15 -0700]: > === Installing ttdnsd with dpkg > > If you have our Debian package repository added to your sources.list > file, installing ttdnsd is as easy as: > > apt-get update > apt-get install ttdnsd For those of you trying to get ttnsd packages this way, they won't be up until about 12am PST tonight. signature.asc Description: Digital signature
Re: Firefox quits when attempting to download
Hi, Can you rm tor-browser_en-US/Lib/libz* and try again? I think that'll fix the crash for now and I'll have a real fix in the next bundle. signature.asc Description: Digital signature
Re: Firefox quits when attempting to download
* emigrant [2010:03:29 21:25 +0530]: > On Mon, 2010-03-29 at 16:01 +0530, emigrant wrote: > > i use the new tor bundle for linux. > > whenever i try to download some thing from zshare, rapdishare etc.. > > firefox instantly quits. > > > > any idea? > > thank you very much. > > this is the error iv gotten: > > Qt: Session management error: None of the authentication protocols > specified are supported Hi, 1. Can you re-run it with: ./start-tor-browser --debug and send me the vidalia-debug-log? I think I know what's causing it to crash, but want to be sure. 2. Which distribution/version of Linux are you using? I need to look into this but I think there may be some differences in how session management is handled between versions of Qt which would cause authentication failures. Thanks, Erinn signature.asc Description: Digital signature
Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
* arshad [2010:03:28 11:58 +0530]: > On Sat, 2010-03-27 at 12:00 -0400, Faraaz Damji wrote: > > If that matches, make sure your version of tar is un-gzipping before > > un-tarring (try 'tar -xzvf FILE.tar.gz', or 'gzip -dc FILE.tar.gz | > > tar > > -xv') > > > thanks it extracted. > but when i click on the executable script nothing is happening. even > setting permission to 777 doesn't make any difference. > any idea? Thanks for pointing this out. Clicking on it seems to work on some distributions and not others, but ideally it will work on all systems. I've given myself a feature request bug (#1332) and will fix this in a future version. signature.asc Description: Digital signature
Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
* Brendan Compton [2010:03:28 21:43 -0500]: > Just wanted to point out that maybe the Tor volunteer page should be updated > to reflect the fact that this is a 'completed' project. It's still listed > as a good coding project for Google's 2010 Summer of Code. Maybe at the > very least change it to "working beta has been released" so that any > applicants considering it know what they'd be getting into. I've updated this in svn as well to reflect the current status. I will note here, as well, that if anyone wants to help do security auditing I am all ears. I am specifically interested in finding traces left behind on Linux systems and though I have done some preliminary auditing and not been able to find much, I'm sure there are plenty of people out there who can help. So if you're reading this now, please contact me. :) > Thanks for the Linux Browser Bundle goodness. No problem. Please let me know if you encounter any problems. signature.asc Description: Digital signature
Re: Tor Browser Bundle for GNU/Linux 1.0.0 Released
* Jim [2010:03:28 02:54 -0600]: > The fingerprints for your your signing keys seem to be missing from > the "verifying signatures" page: > > https://www.torproject.org/verifying-signatures Thanks for mentioning this. I've updated this in svn and it will go out in the next website push. signature.asc Description: Digital signature
Tor Browser Bundle for GNU/Linux 1.0.0 Released
https://blog.torproject.org/blog/tor-browser-bundle-gnulinux Tor Browser Bundle for GNU/Linux is now available for x86 and x86_64 architectures in 12 languages. The Tor Browser Bundle lets you use Tor without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser and is self-contained. You can download it from the Tor Browser page which also has instructions about how to extract and use it. http://www.torproject.org/torbrowser/ The bundle comes with the following software: * Tor 0.2.2.10-alpha * Vidalia 0.2.7 * Polipo 1.0.4.1 * Firefox 3.5.8 * Torbutton 1.2.4 * NoScript 1.9.9.57 * BetterPrivacy 1.4.7 This is a beta version, so please test it and file bugs! https://bugs.torproject.org/ signature.asc Description: Digital signature
RPM repo changes
Hi everyone, It is now possible to track either stable or experimental releases of Tor. The RPM repos have been updated for each distro: http://deb.torproject.org/torproject.org/rpm/ In order to use these you'll need to update your repo config file. For example, if you're on FC12 and want to track the experimental branch, you'd use: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/fc12-alpha/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org In addition to that, the signing key is now the same for all repositories. I will leave the old keys up to give people time to transition, but they are going to disappear in two weeks. I highly recommend switching now if you're using anything besides this one: http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org Erinn signature.asc Description: Digital signature
Linux (32-bit) TBB -- seeking testers
Hi everyone, I've been working on making a Linux Tor Browser Bundle and I need some testers with 32-bit Linux systems. This is extremely alpha -- do not expect it to work perfectly and don't depend on it for privacy (unless you happen to be running Debian unstable, like me, where it seems to work flawlessly every time). Pre-requisites: you need to at least be able to run Firefox already and you need to shutdown Tor, Polipo/Privoxy, and Vidalia. Existing Firefoxes/Iceweasels do not need to be shutdown. It can be found here: http://erinn.org/~e/tbb-linux32-030710.tgz http://erinn.org/~e/tbb-linux32-030710.tgz.asc If it doesn't work for you, please do the following: - Tell me your Linux distribution - Send me any relevant shell output - Run ./start-tor-browser --debug and send me the vidalia-debug-log - From within the TBB directory, run: 'strace -f -e open -o ff-opens.log ./App/Firefox/firefox -no-remote -profile ./Data/profile' and send me the output Known issues General - If it doesn't launch Firefox the first time, try closing everything and re-launching. SuSE - It might complain about not being able to find the display if you launch from shell - System xulrunner via /etc/gre.d/*.conf hijacks Firefox - It runs, but torbutton doesn't appear to work (in my VM, 11.2). Preliminary testing indicates that it runs on 11.0 Fedora - It makes SELinux pretty unhappy Libraries - If you get a libxml2 error about gzopen64 in the debug log, please check your system for an old zlib: https://bugs.launchpad.net/ubuntu/+source/libxml2/+bug/151045 signature.asc Description: Digital signature
Re: Tor & Vidalia RPM repositories
Addendum: If you're downloading the rpms by hand, you'll need to fetch the accompanying .asc file so that rpm can import the key into its keyring. You can do this by downloading it and running: rpm --import foo.asc You can check the sigs with: gpg --verify foo.asc rpm -K foo.rpm Also, the previous zypper stanza was incorrect. This is the right one: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/suse/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-suse-torproject.org signature.asc Description: Digital signature
Re: Tor & Vidalia RPM repositories
* thomas.hluch...@netcologne.de [2010:02:04 16:21 +0100]: > > Please let me know if you have any problems! > > Yes, I have. First I got the vidalia-SuSE Package, but my system doesnt like > it. > # cat /etc/SuSE-release > openSUSE 11.0 (i586) > VERSION = 11.0 > > It refuses to install: [...] > # gpg --verify vidalia-0.2.7-1.suse11_3.i586.rpm.asc > gpg: Keine gültigen OpenPGP-Daten gefunden. > gpg: verify signatures failed: Unerwarteter Fehler > > # rpm -qip vidalia-0.2.7-1.suse11_3.i586.rpm > error: vidalia-0.2.7-1.suse11_3.i586.rpm: Header V4 RSA/SHA1 signature: BAD, > key ID 63fee659 > > I have your PublicKey with SIG 63FEE659, so the RPM seems to be invalid. This is a problem with rpm itself. It doesn't seem to be backwards compatible so packages signed with new versions of rpm are broken on older versions of rpm. I've uploaded newly signed packages to http://deb.torproject.org/torproject.org/rpm/suse/ and someone tested them on 11.1. Do these work for you? I also had the zypper repo stanza wrong in my last email. For OpenSuSe, it is now: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/suse/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-suse-torproject.org > The program "qmake" couldnt be found at my system. I searched alot, but it > seems to be not installed. I searched the SuSE repos, didnt find anything. > Searched a little bit in the web, all sites pretend its very normal to have > qmake ready & run, except my box. qmake is in the libqt4-devel package. Erinn signature.asc Description: Digital signature
Tor & Vidalia RPM repositories
Hi everyone, I've setup an RPM (yum/zypper) repository for Tor and Vidalia. The following distros/releases are available: Fedora: fc10, fc11, fc12 OpenSuSe: 11 CentOS: 4, 5 Vidalia is available for fc11, fc12, and OpenSuse. Tor is available for CentOS 4 and 5, fc10, and OpenSuse. I've tested all except the fc10 repository. There may be key problems with that one, so if anyone is testing for fc10, please let me know if it works. General feedback is also encouraged/welcome. Depending on your distro, add these to your yum and zypper .repo files (or create a tor.repo file): OpenSuSe in /etc/zypp/repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/suse/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/suse/RPM-GPG-KEY-torproject.org fc10 in /etc/yum.repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/fc10/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org fc11 in /etc/yum/repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/fc11/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org fc12 in /etc/yum/repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/fc12/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org CentOS4 in /etc/yum/repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/centos4/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-centos-torproject.org CentOS5 in /etc/yum/repos.d/: [torproject] name=Tor and Vidalia enabled=1 autorefresh=0 baseurl=http://deb.torproject.org/torproject.org/rpm/centos5/ type=rpm-md gpgcheck=1 gpgkey=http://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-centos-torproject.org Please let me know if you have any problems! Thanks, Erinn signature.asc Description: Digital signature
New Vidalia Debian/Ubuntu packages on deb.tp.o
Hi everyone, I've uploaded Vidalia 0.2.6 Debian and Ubuntu packages to http://deb.torproject.org/ . Please test and let me know if you have any problems! To install/upgrade, please follow the instructions found here: https://www.torproject.org/docs/debian.html.en The packages are available for i386 and amd64 in the following releases: Debian: lenny, squeeze, unstable Ubuntu: intrepid, jaunty, karmic From the Vidalia release announcement here: https://blog.torproject.org/blog/vidalia-026-released On November 2, we released Vidalia 0.2.6. Primarily a bugfix release for OS X issues. The changed items are: * Remove the erroneous comma in the default vidalia.conf in the Mac OS X drag-and-drop bundle, since we now dump whatever the user types into a QString rather than parsing it into a QStringList. * Updated the Arabic, Russian and Slovenian translations. Thanks, Erinn signature.asc Description: Digital signature