Hi, and welcome back! 
They could be independent - while avoiding code duplication - by moving shared code to helper-scripts?
1 Like
I took a quick look at the changes. I think ultimately what we probably would want is the introduction of a new library (not sure what to call it, tor_manage or similar?), which would contain the shared code from both tools that each of them could call as needed. That could go into helper-scripts. In theory that would allow further frontends to be created in the future if need arose. I donât think itâs a good idea to copy code from anon-connection-wizard to tor-control-panel to separate them though, I think that will only create additional work.
(On an unrelated note, clicking the âNew identityâ button in tor-control-panel in Whonix-Gateway seems to do nothing, at least not anything visible. Tor Browser in the workstation remains open, no lines are printed to stdout, nothing changes as far as onion circuits, etc.)
1 Like
Both packages share share some code. The big difference being the way to generate torrc. In my dreamerâs view, the main reason to make TCP independent from ACW would be to have Tor Control Panel usable in plain Debian. For this, do you believe that any reference to Whonix home made external libraries would be accepted ? I might be wrong. @Patrick: Is there a chance for helper-scripts being accepted in Debian?
Do you mean additional work after they are separated? In that case, the only duplicate work I can foresee would be a change to tor bootstrap phases, and the maintenance of of bridges-default which, by the way, are outdated.
It would be great to have any / most / all package(s) by Kicksecure / Whonix in packages.debian.org.
I guess the same chances of getting ACW or TCP into Debian. Itâs very common for Debian to package libraries.
Should be specifically simple in case of ACW, TCP and helper-scripts as these are already have a /debian packaging folder for years.
The difficult part is finding an authorized uploader, Debian Developer, mentor or sponsor or becoming one oneself⊠References:
Yes. Code duplication creates additional work.
Good solutions are that donât duplicate code are:
- A) deprecate ACW, update TCP; all code in TCP; or
- B) deprecate TCP, update ACW; all code in ACW; or
- C) shared code in helper-scripts, keep ACW and TCP maintained
Personally I share @troubadourâs concern that helper-scripts probably wonât be accepted into Debian proper. A lot of its code is specific to Kicksecure/Whonix (such as sysmaint considerations in autologinchange, use of leaprun in some code, etc.). Whether by design or not, itâs become a âmore than one package needs this code? Great, letâs throw it hereâ multi-tool. Making it upstreamable would be nice, but we would likely need a ks-misc package or similar to receive all of the Kicksecure-specific bits.
Many Python applications in Debian depend on other libraries. Maybe the shared functionality of ACW and TCP can be placed into a new library, python3-torconfig or similar? Then both packages can depend on that library, That would avoid the problems with placing everything in helper-scripts. @Patrick would that work?
(With the topic of upstreaming, the current state of both ACW and TCP means that there is some Kicksecure-specific bits in there, like leaprun⊠perhaps it would be useful to have some code to check whether leaprun is available and only use it if so, otherwise fall back to pkexec like it used to use.)
1 Like
Is it realistic to clean up helper-scripts and make it suitable for inclusion into Debian?
The derivative specific parts would indeed be great if these were moved elsewhere.
Yet another option: Merge ACW and TCP into 1 package? Then we wouldnât need a shared package.
1 Like
We have a big dilemma here. Deprecating either package would be a pity. Solution C does not seem to be an option, according to the following posts.
As you mentioned, we would be left with privleap dependency. There is some work to revert to pkexec, if this is the solution.
Anyway, this an option to be weighted with
Do you mean merging a wizard and a controller? Considering the amount of shared code, It might be achievable , but there would have a choice for the user, to run either ACW or TCP, with a dialog box for example.
Any idea for the name of the new package?
1 Like
One package can ship multiple applications, so I think the start menu can be used to allow the user to choose which to launch, like we have now. Weâd just put the files of both packages into one package.
tor-config-progs? tor-config-utils? tor-control-apps? Not sure if any of those are good namesâŠ
1 Like
Alright, so letâs keep both.
We cannot use pkexec because we now have user-sysmaint-split on Whonix-Gateway.
But there could be if/else code. If there is user-sysmaint-split, use leaprun (privleap). Otherwise, use pkexec.
The Depends: privleap in debian/control can be removed. A Whonix-Gateway with user-sysmaint-split will come with privleap installed by default anyhow. So I am no worried about a missing dependency.
They can stay two different applications. Similar as theyâre looking right now.
The only simple thing I would do is:
Move all files from anon-connection-wizard to tor-control-panel. Done.
That would not change much. But then you could refactor / improve the code.
Possible but maybe not needed. (As per above.)
Yes. Either anon-connection-wizard or tor-control-panel.
No new name. No new package.
Just 1 thing gets merged into the other. Done. Simple.
Exactly.
Yes.
Iâd prefer not inventing any new package. Instead. the 2 packages ACW + TCP can be merged into a single one such as TCP only.
OK. For the moment, we use privleap and can decide later on the options.
To do firstly,
That was my original option. It might be not as simple as you word it, but we go for it and choose the name of the package tor-conrol-panel.
2 Likes
The merging of TCP and ACW is done.
There should be no change for the user, sdwdate-gui or whonix-gateway first installation.
There is still much redundant code, We are left with some refactoring in anon-connection-wizard, and some cleaning.
A couple of remarks:
Purging ACW (mandatory because of a leaprun conflict when building the new TCP) removes the Whonix meta packages. Trying to reinstall (say qubes-whonix-gateway) would reinstall TCP and ACW. I didnât look at he mechanics behind that, but I remember an similar old problem. @Patrick Is there any issue working without meta packages, since we can disable the check ?
sdwdate-gui imports tor_status from ACW. I didnât know the state of the refactoring/rewriting of sdwdate-gui in kicksecure. I forked it and installed it in the gateway to make the changes. No luck, there were tons of gui messages about socket not found or so in sys-whonix. Solution: purged and reinstalled with apt. I made the changes locally to get sdwdate-gui running.
1 Like
The packaging / meta packages are expected to cause zero issues. tor-control-panel debian/control file will be amended with Replaces: anon-connection-wizard.
Meanwhile if itâs an issue during development, use dummy-dependency. Example:
sudo dummy-dependency --yes --purge anon-connection-wizard
Weâll review and merge this after the initial release of Whonix 18.
Iâm looking at the changes now. Iâm a bit shocked to see just how much anon_connection_wizard.py changed when it was moved, and it seems like some parts I would have somewhat expected to still be there (like command_use_custom_bridge) are no longer used? Iâm only just getting started, so maybe it will all be made clear in time, but would like confirmation that this is indeed the intended âend resultâ code.
Edit: Looks like it is getting clearer as I read down further. I guess there was a lot of duplicate stuff to be merged together. Thank you for this!
1 Like
Unfortunately, I donât think this is ready to merge yet. There are multiple spots in the code that look broken, one of which will probably break custom bridges. This needs more testing and polish before review, IMO.
In case itâs useful, this is the diff of changes I made while reviewing. Itâs mostly addition of notes to parts that looked like they might not work, and some minor reformatting / refactoring. If itâs not useful, no problem, but just in case, here it is.
diff --git a/usr/lib/python3/dist-packages/tor_control_panel/anon_connection_wizard.py b/usr/lib/python3/dist-packages/tor_control_panel/anon_connection_wizard.py
index b57d137..ae0404f 100644
--- a/usr/lib/python3/dist-packages/tor_control_panel/anon_connection_wizard.py
+++ b/usr/lib/python3/dist-packages/tor_control_panel/anon_connection_wizard.py
@@ -28,7 +28,6 @@ class Common:
torrc_file_path = torrc_gen.torrc_path()
torrc_user_file_path = torrc_gen.user_path()
acw_comm_file_path = '/run/anon-connection-wizard/tor.conf'
- # torrc_file_path = ''
bridges_default_path = '/usr/share/anon-connection-wizard/bridges_default'
control_cookie_path = '/run/tor/control.authcookie'
@@ -46,15 +45,16 @@ class Common:
proxy_username = ''
proxy_password = ''
+ ## TODO: This never gets set to anything but an empty string.
init_tor_status = '' # it records the initial status of Tor, serving as a backup
disable_tor = False
- command_useBridges = 'UseBridges 1'
- command_use_custom_bridge = '# Custom Bridge is used:'
- command_obfs4 = 'ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy'
- command_snowflake = 'ClientTransportPlugin snowflake exec /usr/bin/snowflake-client'
- command_meek_lite = 'ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy'
- command_meek_azure_address = 'ajax.aspnetcdn.com\n'
+ #command_useBridges = 'UseBridges 1'
+ #command_use_custom_bridge = '# Custom Bridge is used:'
+ #command_obfs4 = 'ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy'
+ #command_snowflake = 'ClientTransportPlugin snowflake exec /usr/bin/snowflake-client'
+ #command_meek_lite = 'ClientTransportPlugin meek_lite exec /usr/bin/obfs4proxy'
+ #command_meek_azure_address = 'ajax.aspnetcdn.com\n'
font_title = QtGui.QFont()
font_title.setPointSize(13)
@@ -122,7 +122,7 @@ class ConnectionMainPage(QWizardPage):
self.label_1.setWordWrap(True)
self.label_1.setText('''
-<br>Before you connect to the Tor network, you need to provide information about this computer
+<br>Before you connect to the Tor network, you need to provide information about this computer\'s
Internet connection.''')
self.label_1.setFont(font_description_minor)
@@ -288,7 +288,7 @@ class BridgesWizardPage(QWizardPage):
self.custom_bridges_help.setEnabled(True)
self.custom_bridges_help.setText('&How to get Bridges?')
- self.custom_bridges_help.clicked.connect(info.custom_bridges_help)
+ self.custom_bridges_help.clicked.connect(info.show_custom_bridges_help)
self.default_option.setVisible(Common.use_default_bridges)
self.h_line.setVisible(Common.use_default_bridges)
@@ -310,9 +310,9 @@ class BridgesWizardPage(QWizardPage):
self.bridges_label.setVisible(state and self.default_option.isChecked())
self.bridges_combo.setVisible(state and self.default_option.isChecked())
- self.custom_label.setVisible(state and (self.custom_option.isChecked()))
- self.custom_bridges.setVisible(state and (self.custom_option.isChecked()))
- self.custom_bridges_help.setVisible(state and (self.custom_option.isChecked()))
+ self.custom_label.setVisible(state and self.custom_option.isChecked())
+ self.custom_bridges.setVisible(state and self.custom_option.isChecked())
+ self.custom_bridges_help.setVisible(state and self.custom_option.isChecked())
def show_default_bridge(self, default_option_checked):
if default_option_checked:
@@ -426,7 +426,7 @@ class ProxyWizardPage(QWizardPage):
self.ip_edit = QLineEdit()
self.port_label = QLabel()
self.port_edit = QLineEdit()
- self.user_label =QLabel()
+ self.user_label = QLabel()
self.user_edit = QLineEdit()
self.password_labal = QLabel()
self.password_edit = QTextEdit()
@@ -565,11 +565,11 @@ class ProxyWizardPage(QWizardPage):
except (ValueError, TypeError):
return False
- def set_next_button_state(self, state):
- if state:
- self.button(QWizard.NextButton).setEnabled(False)
- else:
- self.button(QWizard.NextButton).setEnabled(True)
+ #def set_next_button_state(self, state):
+ # if state:
+ # self.button(QWizard.NextButton).setEnabled(False)
+ # else:
+ # self.button(QWizard.NextButton).setEnabled(True)
def bridge_option_changed(self, text):
# socks4 does not require username and password
@@ -741,6 +741,8 @@ class AnonConnectionWizard(QWizard):
Common.proxy_port = self.args[3]
Common.proxy_username = self.args[4]
Common.proxy_password = self.args[5]
+ ## TODO: This may get set even if custom bridges are in use! Audit the
+ ## logic surrounding use_default_bridges.
Common.use_default_bridges = self.args[6]
Common.use_proxy = self.args[7]
@@ -804,17 +806,23 @@ class AnonConnectionWizard(QWizard):
self.bootstrap_thread.terminate()
buttonReply = QMessageBox.warning(self, 'Tor Controller Not Constructed', 'Tor controller \
cannot be constructed.')
+ ## TODO: Will we ever get a reply that isn't "QMessageBox.Ok"? If
+ ## so, what is the correct behavior if that happens?
if buttonReply == QMessageBox.Ok:
sys.exit(1)
elif bootstrap_phase == 'cookie_authentication_failed':
self.bootstrap_thread.terminate()
- buttonReply = QMessageBox(QMessageBox.Warning, 'Tor Controller Authentication Failed', '''Tor allows
- for authentication by reading it a cookie file, but we cannot read
+ buttonReply = QMessageBox(QMessageBox.Warning, 'Tor Controller Authentication Failed', '''Tor allows
+ for authentication by reading it a cookie file, but we cannot read
that file (probably due to permissions)''', QMessageBox.Ok)
+ ## TODO: Ditto, see above
if buttonReply == QMessageBox.Ok:
sys.exit(1)
+ ## TODO: Is this function called *after* a page change, or before? That
+ ## might affect what self.currentId() is set to. It looks like it's
+ ## probably called after.
def next_button_clicked(self):
# self.bridge_wizard_page.reformat_custom_bridge_input()
if self.currentId() == self.steps.index('connection_main_page'):
@@ -864,6 +872,10 @@ class AnonConnectionWizard(QWizard):
self.torrc_page.label_5.setText('None Selected')
else:
+ ## TODO: This conditional is broken; the final `else`
+ ## branch will never be called. I think an old
+ ## `use_bridges` and `use_default_bridges` were probably
+ ## merged together incorrectly.
if Common.use_default_bridges:
if Common.bridge_type == 'obfs4':
self.torrc_page.label_5.setText('Provided obfs4')
@@ -881,6 +893,9 @@ class AnonConnectionWizard(QWizard):
else:
self.torrc_page.label_5.setText('Custom vanilla')
+ ## TODO: Why do we say this twice in two labels? Furthermore,
+ ## why do we set label_7 at all when we proceed to overwrite
+ ## it with proxy details later on?
self.torrc_page.label_7.setText('Tor will be enabled.')
torrc_text = open(Common.torrc_file_path).read()
self.torrc_page.torrc.setPlainText(torrc_text)
@@ -935,6 +950,7 @@ class AnonConnectionWizard(QWizard):
self.tor_status_code = str(self.tor_status_result[1])
if self.tor_status == 'tor_enabled' or self.tor_status == 'tor_already_enabled':
+ ## TODO: But we just showed this progress bar above...
self.tor_status_page.bootstrap_progress.show()
self.bootstrap_thread = tor_bootstrap.TorBootstrap(self)
self.bootstrap_thread.signal.connect(self.update_bootstrap)
@@ -996,6 +1012,9 @@ class AnonConnectionWizard(QWizard):
except AttributeError:
pass
+ ## TODO: The logic behind the hiding and showing of FinishButton and
+ ## CancelButton is strange. Make sure it actually does what is
+ ## expected in all situations.
self.bootstrap_done = False
self.button(QWizard.FinishButton).hide()
self.button(QWizard.CancelButton).show()
@@ -1006,6 +1025,10 @@ class AnonConnectionWizard(QWizard):
self.bootstrap_thread.terminate()
## When user cancel Tor bootstrap,
## it is reasonable to assume user wants to disable Tor
+ ## TODO: Is it really? What if they cancelled becaues they
+ ## knew it wasn't going to work due to some easily correctable
+ ## external factor (i.e. someone tripped over a network
+ ## cable)?
tor_status.set_disabled()
# recover Tor to the initial status before the starting of anon_connection_wizard
diff --git a/usr/lib/python3/dist-packages/tor_control_panel/info.py b/usr/lib/python3/dist-packages/tor_control_panel/info.py
index 8a23e49..b5ff7ec 100644
--- a/usr/lib/python3/dist-packages/tor_control_panel/info.py
+++ b/usr/lib/python3/dist-packages/tor_control_panel/info.py
@@ -16,10 +16,10 @@ by using Tor Bridges, which are unlisted relays that are more difficult to block
<p>Tor bridges are the recommended way to circumvent Tor censorship. You should always take them as your first
option to help bypass censorship. However, if you are living in a heavily censored area where all the Tor bridges
-are blocked, you may need to use third-party censorship circumvention tools instead. In such a case, you should
+are blocked, you may need to use third-party censorship circumvention tools instead. In such a case, you should
choose not to use Tor bridges.</p>
-<p>Using a third-party censorship circumvention tool may harm your security and/or anonymity. However,
+<p>Using a third-party censorship circumvention tool may harm your security and/or anonymity. However,
if you do need it, the following is an instruction on how to connect to the Tor network using different
censorship circumvention tools:</p>
@@ -32,7 +32,7 @@ censorship circumvention tools:</p>
3. Configure a proxy.</blockquote>
<blockquote><b>3. Specialized Tool</b><br>
-1. Identify the tool's listening port, including protocol and port number; 2. Choose not to use Tor bridges on
+1. Identify the tool's listening port, including protocol and port number; 2. Choose not to use Tor bridges on
this page; 3. Click the "Next" button to proceed to the Proxy Configuration page; 4. Configure a proxy.</blockquote>
''', QtWidgets.QMessageBox.Ok)
reply.exec_()
@@ -40,9 +40,9 @@ this page; 3. Click the "Next" button to proceed to the Proxy Configuration page
def show_proxy_help():
reply = QtWidgets.QMessageBox(QtWidgets.QMessageBox.NoIcon, 'Proxy Configuration Help',
'''<p><b> Proxy Help</b></p>
- <p>In some situations, you may want to route your traffic through a proxy server
- before connecting to the Tor network. For example, if you are using a third-party
- censorship circumvention tool to bypass Tor censorship, you need to configure Tor
+ <p>In some situations, you may want to route your traffic through a proxy server
+ before connecting to the Tor network. For example, if you are using a third-party
+ censorship circumvention tool to bypass Tor censorship, you need to configure Tor
to connect to the tool's listening port.</p>
<p>The following is a brief explanation of what each field means and how to find the correct value:</p>
@@ -52,7 +52,7 @@ The proxy type is the protocol you use to communicate with the proxy server. Sin
you can try each to see which one works.</blockquote>
<blockquote><b>2. Proxy IP/hostname</b><br>
-You need to know the address you are trying to connect to. If connecting to a local proxy, use 127.0.0.1,
+You need to know the address you are trying to connect to. If connecting to a local proxy, use 127.0.0.1,
which refers to localhost.</blockquote>
<blockquote><b>3. Proxy Port Number</b><br>
@@ -64,25 +64,7 @@ If you do not know these, leave them blank and see if the connection succeeds. I
</blockquote>''', QtWidgets.QMessageBox.Ok)
reply.exec_()
-def custom_bridges_help():
- reply = QtWidgets.QMessageBox(QtWidgets.QMessageBox.NoIcon, 'Custom Bridges Help',
- '''
-<p>As an alternative to using the provided bridges, you can obtain a
-custom set of addresses using one of the following methods:</p>
-
-<p><b>1.</b> Use a web browser to visit:
-<b>https://bridges.torproject.org/options</b></p>
-
-<p><b>2.</b> Send an email to <b>bridges@torproject.org</b> with the line 'get bridges' in the body of the message.
- You must send this request from one of the following email providers
-(listed in order of preference):<br>
-https://www.riseup.net, https://mail.google.com, or https://mail.yahoo.com</p>
-<p>For assistance, visit <b>torproject.org/about/contact.html#support</b></p>
-<p>Paste the bridge list received from the Tor Project:</p>
-''', QtWidgets.QMessageBox.Ok)
- reply.exec_()
-
-def tcp_custom_bridges_help():
+def get_custom_bridges_help_text():
text = '''
<p>As an alternative to using the provided bridges, you can obtain a
custom set of addresses using one of the following methods:</p>
@@ -93,12 +75,16 @@ custom set of addresses using one of the following methods:</p>
<p><b>2.</b> Send an email to <b>bridges@torproject.org</b> with the line 'get bridges' in the body of the message.
You must send this request from one of the following email providers
(listed in order of preference):<br>
-https://www.riseup.net, https://mail.google.com, or https://mail.yahoo.com</p>
+https://www.riseup.net, or https://mail.google.com</p>
<p>For assistance, visit <b>torproject.org/about/contact.html#support</b></p>
<p>Paste the bridge list received from the Tor Project:</p>
'''
return text
+def show_custom_bridges_help():
+ reply = QtWidgets.QMessageBox(QtWidgets.QMessageBox.NoIcon, 'Custom Bridges Help', get_custom_bridges_help_text(), QtWidgets.QMessageBox.Ok)
+ reply.exec_()
+
def tor_stopped():
text = [
'''<b>Tor is running.</b>
diff --git a/usr/lib/python3/dist-packages/tor_control_panel/tor_control_panel.py b/usr/lib/python3/dist-packages/tor_control_panel/tor_control_panel.py
index 2ebb09d..0ca9d31 100644
--- a/usr/lib/python3/dist-packages/tor_control_panel/tor_control_panel.py
+++ b/usr/lib/python3/dist-packages/tor_control_panel/tor_control_panel.py
@@ -389,7 +389,7 @@ class TorControlPanel(QDialog):
self.custom_accept_button.setFlat(True)
self.custom_bridges_help.setWordWrap(True)
self.custom_bridges_help.setTextInteractionFlags(Qt.TextSelectableByMouse)
- self.custom_bridges_help.setText(info.tcp_custom_bridges_help())
+ self.custom_bridges_help.setText(info.get_custom_bridges_help_text())
self.newnym_box.setMaximumHeight(130)
self.newnym_button.setMaximumWidth(120)
diff --git a/usr/lib/python3/dist-packages/tor_control_panel/torrc_gen.py b/usr/lib/python3/dist-packages/tor_control_panel/torrc_gen.py
index 3ae07b7..3cc69d5 100644
--- a/usr/lib/python3/dist-packages/tor_control_panel/torrc_gen.py
+++ b/usr/lib/python3/dist-packages/tor_control_panel/torrc_gen.py
@@ -19,7 +19,8 @@ torrc_user_file_path = '/usr/local/etc/torrc.d/50_user.conf'
bridges_default_path = '/usr/share/anon-connection-wizard/bridges_default'
command_useBridges = 'UseBridges 1\n'
-command_use_custom_bridge = '# Custom Bridge is used:'
+## TODO: This variable doesn't seem to be used anymore, what did we do with it?
+#command_use_custom_bridge = '# Custom Bridge is used:'
bridges_command = [ 'ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy\n',
1 Like
Itâs certainly not ready to be merged yet. The last push is one week old and it has evolved since.
The reason for the multiple pushes is just for backup, in case my workflow breaks down. It happened once.
ACW has changed a lot, mainly because of he rewriting of each wizard page with dynamic widgets instead of setting the geometry for each one, which I believe would look awful to any pyqt GUI developer. And a lot of duplicate or useless code. The final version should be readable.
The custom bridges have been back for a while, among other features.
At the moment, Iâm fighting with minor bugs.
2 Likes
As on screenshot https://www.whonix.org/w/images/e/e4/Tor-control-panel-utilities.png
New Identity
Same functionality as Tor Button âNew Identityâ, except
âŠ
That wording needs improvement. Tor Button is no longer part of Tor Browser. âSame functionalityâ might not mean much to most users. âNew identityâ is kinda a grandiose claim we derived from Tor Browser.
New suggested wording:
Label / Button: Request new Tor circuit
Text below: Use a fresh Tor route for new connections. This asks Tor to build new circuits, so future connections might take a different path (and might use a different Tor exit relay). Technically, this sendssignal NEWNYMto Tor. For more information, see Stream Isolation: Easy.
Agreed that the whole wording is unclear, if not confusing.
I will improve it when the rewriting of TCP and ACW is complete, and at the condition that this utility makes any sense.
2 Likes
A quick update, without much details.
The upgrade to Qubes 4.3 and whonix 18 was a steep hill to climb.
ACW and TCP has been rewritten. Among other features, they retrieve the previous settings, including custom bridges.
NEWNYM is removed for the time being (doing research on tor control socket/port)
TCP âDisable networkâ crash the applictaion. Looking into it.
Last but not least, in my whonix-gateway-dev, a fork of kicksecure/sddwdate-gui was used. I do not know which version is used, but it was crashing on âstrict_config_parserâ. With the version from whonix-gateway-18. one line (143) was changed and it works.
There is still some work left, but could you review the changes, knowing that we are still far from square one, which is to make it plain Debian compatible.
1 Like
Some work was done.âRequest new Tor circuitâ is working. Still trying to fix âDisable networkâ in TCP, which is not working either with the last update.
Back to the update; in my dev gateway, it crashes everything leaprun command on
ERROR; could not connect to privleapd!
I must admit that Iâm a bit lost.
2 Likes