#33939: Decide which components of Fenix to rip out, disable, or use
 Reporter:  gk                                |          Owner:  tbb-team
     Type:  task                              |         Status:  new
 Priority:  High                              |      Milestone:
Component:  Applications/Tor Browser          |        Version:
 Severity:  Normal                            |     Resolution:
 Keywords:  tbb-mobile, TorBrowserTeam202004  |  Actual Points:
Parent ID:  #33184                            |         Points:
 Reviewer:                                    |        Sponsor:
                                              |  Sponsor58-must

Comment (by gk):

 Replying to [comment:6 sysrqb]:
 > Replying to [comment:5 gk]:
 > > Thanks, that's a good start. Two thoughts while skimming the list (I
 did not look carefully yet)
 > >
 > > 1) At least the progressive web apps (PWA) part should probably be in
 the Must Audit section. We even have a ticket for that already: #25845 :)
 > That's probably a smart thing, yes. PWA is only available in non-private
 browsing mode in Fennec, but we should audit it in Fenix. Indeed, PWA is
 available in private browsing mode in Fenix...
 > >
 > > 2) I was wondering how the dependencies those dependencies have would
 influence where we put them category-wise. So, starting with one layer
 seems good to me but I feel we might need to dig deeper to have a final
 assessment. One of the things I am already wary of is getting all the
 application-services parts roped in "for free". Not all components are
 probably needing that (I've not checked) but I bet some would move into
 the Must Audit part alone due to that. And there's probably other stuff
 that is bubbling in this morass, under the quiet surface... :)
 > Ideally, we should audit everything, but I don't think that is
 realistic. We should quickly look at all components in the `Include`
 category and confirm they do not make any network calls or expose
 personal/device information. I placed them in this category purely based
 on my assumption of how these components are implemented.

 Just to be clear: I was _not_ saying we need to audit everything (yes,
 ideally we would), just that it might be worth looking in particular at
 the Mozilla dependencies of those dependencies to figure out whether
 things should be re-categorized so that we have a closer second look on
 components that really need it (even if the dependency check you did or
 the assumptions you had indicated otherwise).

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33939#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
tor-bugs mailing list

Reply via email to