Whonix Build Script needs an update

Hello, I wasn’t sure if I should report this on Github or here, so I’ll make it brief.

Repo
https://github.com/Whonix/derivative-maker

Build commands

git clone --depth=1 --branch 17.0.4.5-developers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Whonix/derivative-maker.git
git fetch
git checkout --recurse-submodules 17.0.4.5-developers-only
./derivative-maker --flavor whonix-workstation-xfce --target qcow2 --repo true | tee ~/build.log

Error

+ /usr/libexec/helper-scripts/curl-prgrs --fail --fail --tlsv1.3 --proto =https --cert-status --retry-connrefused --retry 3 --retry-delay 3 --max-time 180 --location --output /var/cache/tb-binary/.cache/tb/files/tor-browser-linux64-12.5.3_ALL.tar.xz.asc https://www.torproject.org/dist/torbrowser/12.5.3/tor-browser-linux64-12.5.3_ALL.tar.xz.asc
+ curl_exit_code=22
+ curl_status_message='[22] - [HTTP page not retrieved. The requested url was not found or returned another error with the HTTP error code being 400 or above. This return code only appears if -f, --fail is used.]
+ DOWNLOAD_FAIL_HELP='<p>Possible reasons:</p>
<p>
<br></br>- Internet connectivity issue.
<br></br>- The download server is down.
<br></br>- File size exceeded (endless data attack triggered).
<br></br>- Tor Browser Downloader (by Whonix developers) has been broken due to upstream changes.

Cause

Global variables use Tor Browser version 12.5.3, but https://dist.torproject.org/torbrowser only offers versions 13.0.1, 13.0.2 and 13.0a6.

tbb_version_folder=12.5.3
+ TBB_SIG_FILENAME=tor-browser-linux64-12.5.3_ALL.tar.xz.asc
+ TBB_PACKAGE_FILENAME=tor-browser-linux64-12.5.3_ALL.tar.xz
+ TBB_SIG_LINK=https://www.torproject.org/dist/torbrowser/12.5.3/tor-browser-linux64-12.5.3_ALL.tar.xz.asc
+ TBB_PACKAGE_LINK=https://www.torproject.org/dist/torbrowser/12.5.3/tor-browser-linux64-12.5.3_ALL.tar.xz

Edit:

I just noticed that in the master branch packages/kicksecure/tb-updater/usr/share/tb-updater/tbb_hardcoded_version correctly says “13.0.1”.
But for some reason the script still uses 12.5.3 in the tb-updater stage:

#####################################################################
## INFO: BEGIN: tb-updater postinst configure' '
#####################################################################
'
+ true 'INFO: debhelper beginning here.'
+ '[' configure = configure ']'
+ deb-systemd-helper unmask tb-updater-dispvm.service
+ deb-systemd-helper --quiet was-enabled tb-updater-dispvm.service
+ deb-systemd-helper enable tb-updater-dispvm.service
Created symlink /etc/systemd/system/multi-user.target.wants/tb-updater-dispvm.service → /lib/systemd/system/tb-updater-dispvm.service.
+ '[' configure = configure ']'
+ deb-systemd-helper unmask tb-updater-first-boot.service
+ deb-systemd-helper --quiet was-enabled tb-updater-first-boot.service
+ deb-systemd-helper enable tb-updater-first-boot.service
Created symlink /etc/systemd/system/multi-user.target.wants/tb-updater-first-boot.service → /lib/systemd/system/tb-updater-first-boot.service.
+ '[' configure = configure ']'
+ '[' -d /run/systemd/system ']'
+ true 'INFO: Done with debhelper.'
+ true 'anon_shared_inst_tb: '
+ true 'tb_onion: '
+ true 'tb_disable_anon_ws_dnf_conf: false'
+ download
+ mkdir --parents /var/cache/tb-binary
+ ischroot --default-false
+ chroot_maybe=--is-chroot
+ tool=update-torbrowser
+ update-torbrowser --is-chroot --postinst
+ set -o pipefail
+ set -o errtrace
+ '[' -n '' ']'
++ basename /usr/bin/update-torbrowser
+ SCRIPTNAME=update-torbrowser
+ '[' -n '' ']'
+ ICON=/usr/share/icons/icon-pack-dist/tbupdate.ico
+ trap tb_error_handler ERR
+ trap tb_signal_sigterm SIGTERM
+ trap tb_signal_sigint SIGINT
+ trap trap_sigusr2 SIGUSR2
+ export -f output
+ export -f outputfunc
+ tb_run_function main_function --is-chroot --postinst
+ case $tb_skip_functions in
+ true 'INFO: Running '\''main_function' --is-chroot '--postinst'\'', because tb_skip_functions does not include it.'
+ main_function --is-chroot --postinst
+ tb_run_function root_check --is-chroot --postinst
+ case $tb_skip_functions in
+ true 'INFO: Running '\''root_check' --is-chroot '--postinst'\'', because tb_skip_functions does not include it.'
+ root_check --is-chroot --postinst
+ '[' -e /run/qubes/this-is-templatevm ']'
+ grep -q '\-\-postinst'
+ echo --is-chroot --postinst
+ return 0
+ tb_run_function tb_sanity_tests
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_sanity_tests'\'', because tb_skip_functions does not include it.'
+ tb_sanity_tests
+ command -v id
+ command -v basename
+ command -v touch
+ command -v uname
+ command -v mkdir
+ command -v pidof
+ command -v chmod
+ command -v cp
+ command -v mv
+ command -v killall
+ command -v rm
+ command -v head
+ command -v tar
+ command -v date
+ command -v /usr/libexec/msgcollector/msgcollector
+ command -v /usr/libexec/msgcollector/pv_wrapper
+ command -v /usr/libexec/msgcollector/striphtml
+ command -v grep
+ command -v sed
+ command -v sort
+ command -v pv
+ command -v mkfifo
+ command -v jq
+ tb_run_function tb_config_folder_parser
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_config_folder_parser'\'', because tb_skip_functions does not include it.'
+ tb_config_folder_parser
+ true 'tb_settings_folder: '
+ '[' -n '' ']'
+ tb_settings_folder=torbrowser.d
+ shopt -s nullglob
+ local i
+ for i in /etc/${tb_settings_folder}/*.conf /usr/local/etc/${tb_settings_folder}/*.conf
+ bash -n /etc/torbrowser.d/30_default.conf
+ source /etc/torbrowser.d/30_default.conf
+ tb_run_function tb_parse_cmd_options --is-chroot --postinst
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_parse_cmd_options' --is-chroot '--postinst'\'', because tb_skip_functions does not include it.'
+ tb_parse_cmd_options --is-chroot --postinst
+ :
+ case $1 in
+ is_chroot=true
+ shift
+ :
+ case $1 in
+ tb_postinst=true
+ shift
+ :
+ case $1 in
+ break
+ true '/usr/bin/update-torbrowser $@: '
+ tb_run_function tb_preparation
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_preparation'\'', because tb_skip_functions does not include it.'
+ tb_preparation
+ '[' -n '' ']'
+ tb_wiki=Tor_Browser
+ '[' -n '' ']'
+ tb_title='Tor Browser'
+ '[' '!' true = true ']'
+ command -v qubesdb-read
+ '[' -n '' ']'
+ is_qubes=false
+ test -f /run/qubes/this-is-templatevm
+ '[' true = true ']'
+ echo 'INFO: chroot: is_chroot=true'
INFO: chroot: is_chroot=true
+ tb_settings_chroot_common
+ '[' '!' '' = false ']'
+ '[' -n '' ']'
+ tb_updater_run=true
+ '[' -n '' ']'
+ anon_shared_inst_tb=closed
+ '[' -n '' ']'
+ TB_NO_TOR_CON_CHECK=1
+ '[' -n '' ']'
+ CURL_PROXY=--fail
+ '[' -n false ']'
+ test -f /run/qubes/this-is-templatevm
+ '[' true = true ']'
+ tb_settings_postinst_common
+ '[' -n '' ']'
+ tb_confirm_update_skip=true
+ '[' -n '' ']'
+ tb_confirm_installation_skip=true
+ '[' -n '' ']'
+ NOKILLTB=1
+ '[' -n '' ']'
+ noaskstart=true
+ '[' -n '' ']'
+ TB_INPUT=none
+ '[' -n '' ']'
+ export TB_USE_MSGCOLLECTOR=false
+ TB_USE_MSGCOLLECTOR=false
+ '[' -n '' ']'
+ tbb_use_hardcoded_version=true
+ '[' -n closed ']'
+ test -f /run/qubes/this-is-templatevm
+ '[' '' = true ']'
+ '[' '' = '' ']'
+ tb_user_home=/root
+ '[' /root = /root ']'
+ tb_user_home=/var/cache/tb-binary
+ tb_auto_set_user_home_msg='Automatically setting download folder to /var/cache/tb-binary, because running as root.'
+ '[' -n '' ']'
+ IDENTIFIER=torbrowser-downloader
+ '[' -n '' ']'
+ tb_install_folder=tb
+ '[' -n '' ']'
+ tb_install_folder_dot=.tb
+ '[' -n '' ']'
+ tb_browser_name=tor-browser
+ '[' -n '' ']'
+ tb_bin=torbrowser
+ '[' -n '' ']'
+ tb_home_folder=/var/cache/tb-binary/.tb
+ '[' -n '' ']'
+ tb_browser_folder=/var/cache/tb-binary/.tb/tor-browser
+ '[' -n '' ']'
+ tb_cache_folder=/var/cache/tb-binary/.cache/tb
+ '[' -n '' ']'
+ tb_temp_folder=/var/cache/tb-binary/.cache/tb/temp
+ '[' -n '' ']'
+ tb_downloaded_files_folder=/var/cache/tb-binary/.cache/tb/files
+ '[' -n '' ']'
+ tb_gpg_tmp_dir=/var/cache/tb-binary/.cache/tb/gpgtmpdir
+ '[' -n '' ']'
+ tb_extract_temp_folder=/var/cache/tb-binary/.cache/tb/tor-browser
+ '[' -n '' ']'
+ tb_local_version_file=/var/cache/tb-binary/.tb/tor-browser/Browser/tbb_version.json
+ '[' -n '' ']'
+ tbb_download_alpha_version=false
+ '[' -n '' ']'
+ TB_KEEP_OLD_VERSIONS_COUNT=0
+ '[' '!' true = true ']'
+ '[' true = true ']'
+ '[' /var/cache/tb-binary/.cache/tb/files = /var/cache/tb-binary/.cache/tb/files ']'
+ echo 'rm -r -f '\''/var/cache/tb-binary/.cache/tb/files'\'''
rm -r -f '/var/cache/tb-binary/.cache/tb/files'
+ rm -r -f /var/cache/tb-binary/.cache/tb/files
+ TEMP_DIR=/var/cache/tb-binary/.cache/tb/temp
+ export TEMP_DIR
+ rm --recursive --force /var/cache/tb-binary/.cache/tb/temp
+ mkdir --parents /var/cache/tb-binary/.cache/tb/temp
+ '[' '' = '' ']'
+ echo 'INFO: Auto detecting ARCH...'
INFO: Auto detecting ARCH...
++ uname --machine
+ ARCH=x86_64
+ echo 'INFO: ARCH '\''x86_64'\'' detected.'
INFO: ARCH 'x86_64' detected.
+ '[' '' = '' ']'
+ echo 'INFO: Auto detecting ARCH_DOWNLOAD...'
INFO: Auto detecting ARCH_DOWNLOAD...
+ '[' x86_64 = i386 ']'
+ grep --quiet aarch64
+ echo x86_64
+ '[' false = true ']'
+ '[' x86_64 = x86_64 ']'
+ '[' -n '' ']'
+ ARCH_DOWNLOAD=linux64
+ echo 'INFO: ARCH_DOWNLOAD '\''linux64'\'' detected.'
INFO: ARCH_DOWNLOAD 'linux64' detected.
+ source /usr/libexec/tb-updater/version-parser
+ '[' '' = '' ']'
+ '[' :0 = '' ']'
+ display=:0
+ '[' '' = '' ']'
+ local my_tty_exit_code
+ my_tty_exit_code=0
++ tty
+ my_tty=/dev/pts/0
+ '[' '!' 0 = 0 ']'
+ '[' /dev/pts/0 = '' ']'
++ whoami
+ who_ami=root
+ TITLE='Tor Browser Downloader (by Whonix developers)'
+ output_tool=/usr/libexec/msgcollector/msgcollector
+ output=output
+ output --icon /usr/share/icons/icon-pack-dist/tbupdate.ico
+ outputfunc --icon /usr/share/icons/icon-pack-dist/tbupdate.ico
+ true 'outputfunc: args: --icon' /usr/share/icons/icon-pack-dist/tbupdate.ico
+ '[' /usr/libexec/msgcollector/msgcollector = '' ']'
+ '[' false = false ']'
+ true
+ case $1 in
+ break
++ /usr/libexec/msgcollector/striphtml ''
+ MSG=
+ '[' '!' '' = '' ']'
+ true
+ output --parenttty /dev/pts/0
+ outputfunc --parenttty /dev/pts/0
+ true 'outputfunc: args: --parenttty' /dev/pts/0
+ '[' /usr/libexec/msgcollector/msgcollector = '' ']'
+ '[' false = false ']'
+ true
+ case $1 in
+ break
++ /usr/libexec/msgcollector/striphtml ''
+ MSG=
+ '[' '!' '' = '' ']'
+ true
+ output --whoami root
+ outputfunc --whoami root
+ true 'outputfunc: args: --whoami' root
+ '[' /usr/libexec/msgcollector/msgcollector = '' ']'
+ '[' false = false ']'
+ true
+ case $1 in
+ break
++ /usr/libexec/msgcollector/striphtml ''
+ MSG=
+ '[' '!' '' = '' ']'
+ true
+ output --titlex 'Tor Browser Downloader (by Whonix developers)'
+ outputfunc --titlex 'Tor Browser Downloader (by Whonix developers)'
+ true 'outputfunc: args: --titlex' 'Tor Browser Downloader (by Whonix developers)'
+ '[' /usr/libexec/msgcollector/msgcollector = '' ']'
+ '[' false = false ']'
+ true
+ case $1 in
+ break
++ /usr/libexec/msgcollector/striphtml ''
+ MSG=
+ '[' '!' '' = '' ']'
+ true
+ output --titlecli 'Tor Browser Downloader (by Whonix developers)'
+ outputfunc --titlecli 'Tor Browser Downloader (by Whonix developers)'
+ true 'outputfunc: args: --titlecli' 'Tor Browser Downloader (by Whonix developers)'
+ '[' /usr/libexec/msgcollector/msgcollector = '' ']'
+ '[' false = false ']'
+ true
+ case $1 in
+ break
++ /usr/libexec/msgcollector/striphtml ''
+ MSG=
+ '[' '!' '' = '' ']'
+ true
+ export output_tool
+ export output
+ export IDENTIFIER
+ export who_ami
+ ret=0
+ command -v curl.anondist-orig
+ '[' 0 = 0 ']'
+ CURL=curl.anondist-orig
+ '[' '' = '' ']'
+ '[' '' = true ']'
+ '[' -x /usr/libexec/helper-scripts/curl-prgrs ']'
+ CURL_PRGRS=/usr/libexec/helper-scripts/curl-prgrs
+ export CURL
+ mkdir --parents /var/cache/tb-binary/.tb
+ mkdir --parents /var/cache/tb-binary/.cache/tb
+ mkdir --parents /var/cache/tb-binary/.cache/tb/files
+ '[' false = true ']'
+ '[' -n '' ']'
+ TBB_RELEASE_CHANNEL=release
+ '[' linux64 = linux-arm64 ']'
+ '[' -n '' ']'
+ TBB_DOWNLOAD_APPENDIX=
+ '[' '' = true ']'
+ '[' linux64 = linux-arm64 ']'
+ '[' -n '' ']'
+ tbb_download_base_url=https://www.torproject.org
+ '[' -n '' ']'
+ TBB_REMOTE_FOLDER=https://www.torproject.org/dist/torbrowser
+ '[' -n '' ']'
+ CURL_FORCE_SSL='--tlsv1.3 --proto =https --cert-status'
+ '[' -n '' ']'
+ TBB_VERSIONS_FILE_LINK=https://aus1.torproject.org/torbrowser/update_3/release/downloads.json
+ '[' '' = 1 ']'
+ test -f /run/qubes/this-is-templatevm
+ '[' -f /usr/share/whonix/marker ']'
++ /usr/libexec/helper-scripts/settings_echo
+ eval 'GATEWAY_IP="10.152.152.10"' 'gateway_control_port="9051"'
++ GATEWAY_IP=10.152.152.10
++ gateway_control_port=9051
+ '[' -n '' ']'
+ SOCKS_PORT_TBB_DOWNLOAD=9115
+ '[' '' = '' ']'
+ local uuid_temp
++ cat /proc/sys/kernel/random/uuid
+ uuid_temp=43956e99-2022-4877-9f15-a85e3c9f033f
+ socks_user_name=tb-updater
+ socks_user_name=tb-updater_43956e99-2022-4877-9f15-a85e3c9f033f
+ '[' -n --fail ']'
+ echo 'INFO: CURL_PROXY: --fail'
INFO: CURL_PROXY: --fail
+ '[' -n '' ']'
+ RecommendedTBBVersions=/var/cache/tb-binary/.cache/tb/RecommendedTBBVersions
+ '[' -n '' ']'
+ tbb_version_last_downloaded_save_file=/var/cache/tb-binary/.cache/tb/tbb_version_last_downloaded_save_file
+ '[' -f /var/cache/tb-binary/.cache/tb/tbb_version_last_downloaded_save_file ']'
+ '[' -n '' ']'
+ tbb_version_previous_downloaded_version=none
+ test -f /usr/share/whonix/marker
+ '[' '!' 'Automatically setting download folder to /var/cache/tb-binary, because running as root.' = '' ']'
+ echo 'INFO: Automatically setting download folder to /var/cache/tb-binary, because running as root.'
INFO: Automatically setting download folder to /var/cache/tb-binary, because running as root.
+ tb_run_function tb_stdin
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_stdin'\'', because tb_skip_functions does not include it.'
+ tb_stdin
+ '[' '!' none = '' ']'
+ true 'INFO: TB_INPUT is already set to '\''none'\'', skipping auto detection, ok.'
+ return 0
+ tb_run_function tb_qubes_dvm_template
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_qubes_dvm_template'\'', because tb_skip_functions does not include it.'
+ tb_qubes_dvm_template
+ grep -q --invert-match '\-dvm'
+ echo ''
+ echo 'INFO: Not running inside Qubes Disposable Template, ok.'
INFO: Not running inside Qubes Disposable Template, ok.
+ return 0
+ tb_run_function tb_anon_ws_dns_conf
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_anon_ws_dns_conf'\'', because tb_skip_functions does not include it.'
+ tb_anon_ws_dns_conf
+ true 'tb_disable_anon_ws_dnf_conf: false'
+ '[' false = true ']'
+ tb_run_function tb_local_version_detection
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_local_version_detection'\'', because tb_skip_functions does not include it.'
+ tb_local_version_detection
+ true 'INFO: tbb_download_alpha_version: false'
+ '[' false = true ']'
+ source /usr/share/tb-updater/tbb_hardcoded_version
++ tbb_hardcoded_version=12.5.3
+ echo 'INFO: Using stable version. For alpha version, see: https://www.whonix.org/wiki/Tor_Browser#Alpha'
INFO: Using stable version. For alpha version, see: https://www.whonix.org/wiki/Tor_Browser#Alpha
+ '[' true = true ']'
+ '[' -n '' ']'
+ tbb_version=12.5.3
+ echo 'INFO: tbb_hardcoded_version: 12.5.3'
INFO: tbb_hardcoded_version: 12.5.3
+ '[' -n '' ']'
+ tbb_folder=/var/cache/tb-binary/.tb/tor-browser
+ tb_run_function tbbversion_installed
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tbbversion_installed'\'', because tb_skip_functions does not include it.'
+ tbbversion_installed
+ tbb_locally_installed_version='UNKNOWN. Please report this Whonix Bug!'
+ tbb_locally_installed_version_detect_success=0
+ '[' '!' -d /var/cache/tb-binary/.tb/tor-browser ']'
+ tbb_locally_installed_version='None installed. (Folder <code>/var/cache/tb-binary/.tb/tor-browser</code> does not exist.)'
+ return 0
+ '[' -d /var/cache/tb-binary/.tb/tor-browser ']'
+ installed_or_not_result=false
+ installed_or_not_text='Tor Browser is currently not installed.
(Folder /var/cache/tb-binary/.tb/tor-browser does not exist.)'
+ '[' '' == true ']'
+ tb_run_function tb_skip_if_higher_or_equal_version_already_downloaded
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_skip_if_higher_or_equal_version_already_downloaded'\'', because tb_skip_functions does not include it.'
+ tb_skip_if_higher_or_equal_version_already_downloaded
+ '[' '!' true = true ']'
+ '[' none = none ']'
+ return 0
+ tb_run_function tb_connectivity_checks_tor
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_connectivity_checks_tor'\'', because tb_skip_functions does not include it.'
+ tb_connectivity_checks_tor
+ '[' '' = 1 ']'
+ '[' 1 = 1 ']'
+ return 0
+ tb_run_function tb_connectivity_checks_curl
+ case $tb_skip_functions in
+ true 'INFO: Running '\''tb_connectivity_checks_curl'\'', because tb_skip_functions does not include it.'
+ tb_connectivity_checks_curl
+ '[' '' = 1 ']'
+ '[' x86_64 = arm64 ']'
+ tb_notify_details='Checking connectivity... Will take a moment...'
+ echo 'INFO: Running connectivity check...  Downloading...: https://www.torproject.org'
INFO: Running connectivity check...  Downloading...: https://www.torproject.org
+ '[' -n '' ']'
+ timeout_connectivity_checks_curl=180
+ export CURL_PRGRS_MAX_FILE_SIZE_BYTES=2097152
+ CURL_PRGRS_MAX_FILE_SIZE_BYTES=2097152
+ export CURL_OUT_FILE=/var/cache/tb-binary/.cache/tb/temp/tbb_remote_folder
+ CURL_OUT_FILE=/var/cache/tb-binary/.cache/tb/temp/tbb_remote_folder
+ rm --force /var/cache/tb-binary/.cache/tb/temp/tbb_remote_folder
+ curl_download_max_time=180
+ curl_download_target_url=https://www.torproject.org
+ tb_download_common_exit_on_fail=false
+ tb_download_common
+ '[' '' = 1 ']'
++ cat /proc/sys/kernel/random/uuid
+ progressbaridx=a061b4be-d63c-4b63-a94a-1bc16ed22f33
+ tb_notify_msg='Download
----------------------------------------------------------------------
Checking connectivity... Will take a moment...'

Edit2: The git command seems to be the problem.
The command below, which I believe is recommended in the wiki, pulls an older version of tb-updater which has tbb_hardcoded_version 12.5.3. I will experiment to find the correct git command.

git clone --depth=1 --branch 17.0.4.5-developers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Whonix/derivative-maker.git

Edit3:
I think the correct git command should be:

git clone --depth=1 --branch master --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Whonix/derivative-maker.git

  • I can confirm that this git command from the wiki breaks building with --flavor whonix-workstation-xfce (and any tag)
    git clone --depth=1 --branch 17.0.4.5-developers-only --jobs=4 --recurse-submodules --shallow-submodules https://github.com/Whonix/derivative-maker.git

  • This is because an older version of the tbb_hardcoded_version is pulled with version 12.5.3 instead of current 13.0.1
    packages/kicksecure/tb-updater/usr/share/tb-updater/tbb_hardcoded_version

  • When the script attempts to download torbrowser it fails because https://dist.torproject.org/torbrowser does not contain version 12.5.3 (or any version older than 13.0.1)

  • The master branch of derivative-maker has the correct tbb_hardcoded_version 13.0.1, but any and all tags I checked, meaning 17.0.5.9-developers-only all the way to 16.1.1.5-stable always contain an outdated version.

  • The only workaround I can find is to modify tbb_hardcoded_version and build with the following command:
    ./derivative-maker --flavor whonix-workstation-xfce --target qcow2 --repo true --allow-untagged true --allow-uncommitted true

Is there another way to fix this with a git command that updates these types of files from the master branch? Both git clone --recurse-submodules --shallow-submodules and git clone --recursive always pull outdated versions of tbb_hardcoded_version, regardless of which tag is used (developers-only, testers-only or stable).

Prepend tbb_version to overrule.

tbb_version="13.0.1" ~/derivative-maker/derivative-maker

More answers later.


Hey man, I don’t just want to sit around and let you do all the work so I dug some more.

I think the real problem is in:
packages/kicksecure/tb-updater/usr/bin/update-torbrowser

The referrals are dead, it seems.

 [ -n "$TBB_VERSIONS_FILE_LINK" ] || TBB_VERSIONS_FILE_LINK="http://ot3ivcdxmalbsbponeeq5222hftpf3pqil24q3s5ejwo5t52l65qusid.onion/torbrowser/update_3/${TBB_RELEASE_CHANNEL}/downloads.json"

[ -n "$TBB_VERSIONS_FILE_LINK" ] || TBB_VERSIONS_FILE_LINK="https://aus1.torproject.org/torbrowser/update_3/${TBB_RELEASE_CHANNEL}/downloads.json"

So when tb_update_check() tries to find the version via $TBB_VERSIONS_FILE_LINK it fails, and hardcoded is the fallback.

tb_update_check() {
   if [ ! "$tbb_version" = "" ]; then
      true "INFO: tbb_version already set to '$tbb_version'. Skipping $FUNCNAME, ok."
      return 0
   fi

   ## do not re-download Tor Browser if a previous build already did
   if [ "$DEV_BUILD_PASSTHROUGH" = "1" ]; then
      if [ -d "$tb_browser_folder" ]; then
         echo "$SCRIPTNAME: Not downloading $tb_title again, because folder $tb_browser_folder already exists."
         tb_exit_function 0
      fi
   fi

   tb_notify_details="Checking $tb_title version... Will take a moment..."
   echo "INFO: Find out latest version... Downloading...: $TBB_VERSIONS_FILE_LINK"

   [ -n "$timeout_version_file_download" ] || timeout_version_file_download=180
   ## 1 MB = 1048576 bytes
   ## 2 MB = 2097152 bytes
   ## Export CURL_PRGRS_MAX_FILE_SIZE_BYTES, so $CURL_PRGRS can read it.
   export CURL_PRGRS_MAX_FILE_SIZE_BYTES="2097152"
   ## Export CURL_OUT_FILE, so $CURL_PRGRS can read it.
   export CURL_OUT_FILE="$RecommendedTBBVersions"
   rm --force "$CURL_OUT_FILE"
   curl_download_max_time="$timeout_version_file_download"
   curl_download_target_url="$TBB_VERSIONS_FILE_LINK"
   tb_download_common_exit_on_fail="8"
   tb_download_common

   test -f "$RecommendedTBBVersions"
}

If the link format changed, and it did indeed change, then tbb_version won’t work.

Should I make a commit? I think I fixed the check but I feel self-conscious offering my bum code to the likes of you guys lol.

Commit what? It’s already fixed in git and in all repositories as per linked forum thread.

Any other fixes such as…

…ability to set these environment variables at the derivative-maker level in case that would be helpful for future builds would be appreciated.

I suggest to start with small changes to see how this is going.

Yes, that’s what I meant, the tbb_version being set correctly at the derivative-maker level, including all those environment variables.

I assume that people who don’t know to set tbb_version prior to running the script, will simply all get build errors because curl fails to load the correct version.

As far as I can see, all the aforementioned ev variables are set after the update function

One thing I don’t understand is why the latest version isn’t simply pulled inside tbb_version directly after the curl, if it is empty, instead of checking whether it is not empty via ! "$tbb_version" = "", when it never gets assigned at that point.

Assuming that TBB_VERSIONS_FILE_LINK="https://aus1.torproject.org/torbrowser/update_3/${TBB_RELEASE_CHANNEL}/downloads.json"

Before:

   if [ ! "$tbb_version" = "" ]; then
      true "INFO: tbb_version already set to '$tbb_version'. Skipping $FUNCNAME, ok."
      return 0
   fi

After:

[ -z "$tbb_version" ] && { tbb_version=$(curl -s "$TBB_VERSIONS_FILE_LINK" | jq -r ".version"); \
echo "INFO: tbb_version set to latest $tbb_version. ok."; return 0; }

Obviously the original curl command is superior with error code handling etc. but that could still be used of course.

Or just a simple || that enables hardcoded if it fails.
Like tbb_version=$(curl -s "$TBB_VERSIONS_FILE_LINK" | jq -r ".version") || tbb_use_hardcoded_version="true"

Edit:

I see now that tbb_version is actually not empty at tb_update_check() level. Ok then I would check if the current value matches the latest version, and if it doesn’t then overwrite with latest:

#Discount curl error handling
tbb_latest_version=$(curl -s "$TBB_VERSIONS_FILE_LINK" | jq -r ".version")

# "=" compares strings; "-eq" only accepts integers and errors out on a value like 13.0.1
[ "$tbb_latest_version" = "$tbb_version" ] || tbb_version="$tbb_latest_version"

  • version downgrade protection
  • reproducible builds
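
The trade-off raised in the replies above (following the latest published version versus downgrade protection and reproducible builds), as an added example that is not part of the thread or of tb-updater. The function names and the mode argument are hypothetical, and the remote value stands in for whatever the downloads.json lookup returns.

```shell
#!/bin/sh
# Added example (not tb-updater code): choose which Tor Browser version to
# download without letting a failed or tampered lookup move the pin backwards.
# Function names and the "mode" argument are hypothetical.

# Accept only dotted-numeric release versions such as 13.0.1. This rejects an
# empty string (curl failed), "null" (jq found no .version key) and anything
# that could smuggle path or URL characters into the download link.
is_release_version() {
  case "$1" in
    ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
  esac
  return 0
}

# version_ge A B: succeed when A >= B, comparing component by component as
# integers. A plain string or "-eq" test cannot order 13.0.10 against 13.0.9.
version_ge() {
  a=$1
  b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}
    y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}
    y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# select_tbb_version MODE PINNED REMOTE
#   build  : always use the pinned version, so a tag rebuilds identically
#            (and fails loudly if upstream no longer hosts that version).
#   update : use REMOTE only if it is well formed and not older than PINNED.
# Prints the chosen version; returns 1 if even the pin is unusable.
select_tbb_version() {
  mode=$1
  pinned=$2
  remote=$3
  is_release_version "$pinned" || return 1
  if [ "$mode" = "update" ] && is_release_version "$remote" \
     && version_ge "$remote" "$pinned"; then
    printf '%s\n' "$remote"
  else
    printf '%s\n' "$pinned"
  fi
}

# Constructed inputs: values a lookup might hand back, against a 13.0.1 pin.
for remote in 13.0.2 12.5.3 null '' '13.0.1/../x'; do
  printf 'remote=%-14s -> %s\n' "'$remote'" \
    "$(select_tbb_version update 13.0.1 "$remote")"
done
```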

Two options:

  • A) in the future, mirroring Index of /torbrowser on kicksecure.com (hopefully TPO supports rsync, then we could rsync it but without deleting files). This would help prevent version upgrades and link format changes from breaking stable releases.
  • B) maintaining a new stable point release after link format changes. It will come at some point but I don’t have an ETA.