I wonder if it would make sense to install anon-shared-build-apt-sources-tpo by default, and to have Whonix Gateway depend on the exact tor version that’s currently bundled in the latest stable Tor Browser release?
Whenever the Whonix Gateway tor version is out of sync with the mainline Tor Browser tor version, it’s a potential fingerprinting hazard.
That would come with some disadvantages documented under Tor integration in Whonix ™ Development Notes starting from:
2. Use latest stable in TPO repository […]
I am not saying it shouldn’t be done. Only linking to previous thoughts to consider before making such a big change.
What versions are provided by deb.torproject.org is not being kept fully synchronous. It’s contributed, maintained by Peter Palfrader (also a Debian developer) last time I checked. Great year long service btw! However, The Tor Project does not orchestrate TBB and deb.torproject.org releases always having the same/compatible versions.
By hard coding a version dependency it would break the build process as soon as deb.torproject.org changes. When deb.torproject.org is changed is unpredictable from my point of view.
Indeed. A price to pay for Tor / Tor Browser isolation. But I don’t think it can be resolved without having Tor Browser + Debian tor package being properly maintained in packages.debian.org (which is unfortunately highly unlikely for Tor Browser, not happening for a decade or so) while deb.torproject.org can have different versions (mostly Tor Browser using a newer version than available in deb.torproject.org but it could also happen vice versa) because it’s all different development teams and release cycles, deb.torproject.org, Tor core, TBB.
handy for reference:
Above link still lists:
In other words, not yet available from deb.torproject.org.
Version 0.4.7 will be stable soon enough.
Is now in the testers repository.
Now in stable repository.
0.4.7.8 not yet available from deb.torproject.org - refer to Tor integration in Whonix - #19 by Patrick on how to check that has changed. Once available, I upload to
0.4.7.8 is now in all repositories.
Prerequisite knowledge: Reading above linked announcements. Therefore skipping 0.4.7.9 (introduced new urgency bug) and waiting for
(Tor integration in Whonix - #19 by Patrick)
0.4.7.10 is now in the testers repository.
This is in all repositories for a while now. (Since Whonix 188.8.131.52 - for VirtualBox - Point Release!)
[tor-announce] Tor stable release 0.4.7.11
This is in the testers repository since a few days.
This is now in the stable repository.
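
The build-breakage concern raised earlier in the thread (an exact tor version dependency stops being satisfiable once deb.torproject.org moves on) can be checked before a build. The following is an added example, not part of the original thread and not the method from the linked post #19. It assumes the APT `Packages` index has already been downloaded and verified by APT; the function names are hypothetical and the sample index is constructed.

```python
# Constructed sample of an APT "Packages" index (stanzas separated by blank
# lines). The version strings are illustrative, not taken from the repository.
SAMPLE_INDEX = """\
Package: tor
Version: 0.4.7.8-1~d11.bullseye+1
Architecture: amd64
Depends: libc6 (>= 2.29),
 libevent-2.1-7 (>= 2.1.8-stable)

Package: tor-geoipdb
Version: 0.4.7.8-1~d11.bullseye+1
Architecture: all

Package: tor
Version: 0.4.6.10-1~d11.bullseye+1
Architecture: amd64
"""

def parse_stanzas(index_text):
    """Yield one dict per stanza; continuation lines are folded into the field."""
    for block in index_text.strip().split("\n\n"):
        fields, last = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and last:
                fields[last] += "\n" + line.strip()
            elif ":" in line:
                last, value = line.split(":", 1)
                fields[last] = value.strip()
        yield fields

def upstream_version(deb_version):
    """Strip the epoch ("1:") and the Debian revision ("-1~d11...")."""
    no_epoch = deb_version.split(":", 1)[-1]
    return no_epoch.rsplit("-", 1)[0] if "-" in no_epoch else no_epoch

def available_versions(index_text, package="tor"):
    """Return the set of full Debian versions the index offers for package."""
    return {s["Version"] for s in parse_stanzas(index_text)
            if s.get("Package") == package and "Version" in s}

def check_pin(index_text, pinned_upstream, package="tor"):
    """Return (satisfiable, offered_upstream_versions) for an exact pin."""
    offered = {upstream_version(v) for v in available_versions(index_text, package)}
    return pinned_upstream in offered, sorted(offered)

if __name__ == "__main__":
    for pin in ("0.4.7.8", "0.4.7.10"):  # second pin is absent from the sample
        print(pin, check_pin(SAMPLE_INDEX, pin))
```

A pin that returns `False` here is the situation described above: the build would fail until the repository catches up or the pin is changed.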