> On Feb 7, 2023, at 4:04 AM, boyska <boy...@riseup.net> wrote:
> 
> On 2/6/23 19:00, David A. Wheeler wrote:
>>> oh yeah, we all like curl. I wonder what kind of user needs curl, though.
>>> You mentioned that some packages in Debian will "just work" if curl is 
>>> working. Can you name any of them? I think that would be very valuable info!
>> Sorry, what I meant was, "I expect that some packages in Debian will "just 
>> work" if curl is working".
>> I don't have a specific list.
> 
> However, we try to add features to Tails when they are improving something for 
> our personas (see https://tails.boum.org/contribute/personas/ ). In this 
> specific case, I think we don't have an example of how curl can, directly or 
> indirectly, help our personas.
> 
> It's really easy to add the configuration you propose to Tails. But it will 
> add to our QA process: if we tell our users that they can expect curl to work 
> fine, we'd better test it regularly!
> 
> All in all, the cost is low but not negligible, while the benefit for our 
> personas seems to be zero. So my personal opinion is that it's not worth it 
> *until* there is a clear use case that is helped by supporting curl.

Fair enough. Quick *technical* arguments for curl:
* curl, when configured using ALL_PROXY, can handle IPv6. torsocks can't handle 
IPv6, and thus wget can't either. The Tor Browser handles IPv6 just fine.
* curl has a lot of capabilities not in wget. E.g., it can work as a pipe, 
supports more protocols, enables uploading, and is easily called as a library. 
See: https://daniel.haxx.se/docs/curl-vs-wget.html
* I believe many packages depend on curl, though I didn't find a way to quickly 
do reverse dependency searches on Debian packages to verify this.

Those aren't personas, of course. Also, I *completely* understand the concern 
about adding to the QA process. Also, segfault made a good point that with 
torsocks, people can add "--isolate". I can see why that'd be important to some 
users. The same effect is possible with curl and SOCKS, but that can't be done 
with the trivial curl configuration file approach I presented (sadly). I've 
learned that torsocks creates this isolation by creating a special SOCKS "user" 
for each invocation that uses the process ID and seconds-since-epoch as part of 
the name. That's doable with curl, by setting the environment variable 
ALL_PROXY with this dynamic information at runtime. I believe this is how to do 
this (which even duplicates the torsocks username format even though that's not 
necessary; if I'm missing something let me know):
ALL_PROXY="socks5://torsocks-$$%3a$(date +%s):0@127.0.0.1:9050" curl-or-some-command-using-curl ...

That said, clearly the Tails project already expects that some users will 
install additional software. So I suggest modifying the documentation to 
provide *some* tips to users on how to deal with differences when running on 
Tails (in particular the network and dot files). The current documentation 
never mentions torsocks or any other related issues. Then you don't have to do 
more QA, and if later on someone raises a persona, you're a step ahead.

So I suggest modifying this chapter:
https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html
by adding a new section just after "Installing additional software" called 
"Using additional software". Move the text of "Additional configuration" (Some 
packages...) into that section, followed by something like the proposed text 
below.

--- David A. Wheeler


Proposed new text for "Using additional software" (after the "Additional 
configuration" text):

~~~~
Tails handles network access differently than a typical system. Application 
programs that access the network must send their "normal" network 
communication ("TCP packets") through something called a SOCKS service. This 
usually requires extra steps before the application will successfully 
communicate over a network.

In many cases, you can get networking applications to work using the "torsocks" 
command line application. Torsocks enables many programs to work, but note that 
it does *not* support IPv6. To use torsocks, on the command line, run this 
followed by the COMMAND you wish to use with network access:

torsocks --isolate COMMAND

The program "curl" includes support for SOCKS. It's been reported to us that 
you can also run curl, and many programs that use curl, on the command line 
using this format (the "username" before the "@" symbol implements Tor stream 
isolation):

ALL_PROXY="socks5://torsocks-$$%3a$(date +%s):0@127.0.0.1:9050" COMMAND

More generally, for other applications that access the network, configure them 
to use the SOCKS proxy at IP address 127.0.0.1 (aka "home") with port 9050. We 
would suggest creating a SOCKS username which is different each time the 
application is used in a new session; this counters correlation between 
different sessions. The password for the SOCKS username is "0"; this isn't a 
security problem because we're using the username only for stream isolation, 
not for access control. Only TCP communications are supported; UDP 
communications are generally blocked. Tails is configured so that lookups of 
computer names (aka "DNS lookups") will work as long as the application uses 
the system configuration. Applications that ignore the system configuration for 
DNS lookups, and attempt to resolve computer names themselves, will fail to 
resolve those names.

As always, be cautious when accessing the network this way. In particular, 
logging in to any server will eliminate anonymity to that server. Also, as 
noted earlier, additional software is not directly supported by Tails. However, 
if you have important general tips or recommendations, please let us know.

~~~~
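
An added example (not part of the original message or of Tails): a small POSIX shell wrapper that builds the ALL_PROXY value described above with a fresh SOCKS username for each call. The function names and the random `session-` username are assumptions of this example; the message's own torsocks-style format is kept as `torsocks_style_user`.

```shell
#!/bin/sh
# Added example: per-session SOCKS usernames for programs that honor ALL_PROXY.
# Function names are hypothetical; host, port and password "0" are from the text.

SOCKS_HOST=127.0.0.1
SOCKS_PORT=9050

# Username in the format quoted in the message: torsocks-<pid>:<epoch>.
# The ":" inside the username is written as %3a because a literal ":" would
# end the username and start the password in a proxy URL.
torsocks_style_user() {
    printf 'torsocks-%s%%3a%s' "${1:-$$}" "${2:-$(date +%s)}"
}

# Alternative username from 8 random bytes (hex, so nothing needs encoding).
# Inside one long-running shell, $$ and the current second can repeat between
# two calls; random bytes do not depend on either.
random_user() {
    printf 'session-%s' "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
}

# Assemble the proxy URL; the password is the fixed "0" from the text.
proxy_url() {
    printf 'socks5://%s:0@%s:%s' "$1" "$SOCKS_HOST" "$SOCKS_PORT"
}

# Run a command with ALL_PROXY set for that command only, so the calling
# shell's environment is left unchanged and each call gets a new username.
with_isolation() {
    env ALL_PROXY="$(proxy_url "$(random_user)")" "$@"
}

# Usage (COMMAND is any program that honors ALL_PROXY, such as curl):
#   with_isolation COMMAND ARGS...
```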
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev