-rw-r--r--gnu/packages/browser-extensions.scm26
-rw-r--r--gnu/packages/gnupg.scm3
-rw-r--r--gnu/packages/tor.scm282
3 files changed, 309 insertions, 2 deletions
diff --git a/gnu/packages/browser-extensions.scm b/gnu/packages/browser-extensions.scm
index 34dfa4b580..28b62ec9e3 100644
--- a/gnu/packages/browser-extensions.scm
+++ b/gnu/packages/browser-extensions.scm
@@ -21,6 +21,7 @@
 (define-module (gnu packages browser-extensions)
   #:use-module (guix gexp)
   #:use-module (guix packages)
+  #:use-module (guix download)
   #:use-module (guix git-download)
   #:use-module (guix build-system copy)
   #:use-module (guix build-system gnu)
@@ -251,3 +252,28 @@ with the @uref{https://keepassxc.org, KeePassXC} password manager.")
 
 (define-public keepassxc-browser/icecat
   (make-icecat-extension keepassxc-browser))
+
+(define noscript
+  (package
+    (name "noscript")
+    (version "11.4.29")
+    (source (origin
+              (method url-fetch/zipbomb)
+              (uri (string-append
+                    "https://noscript.net/download/releases/noscript-" version
+                    ".xpi"))
+              (sha256
+               (base32
+                "1k94zvv2ypmhc29f5d2zrvigwh1xgi5kwm1kqfxarwjyn108if85"))))
+    (build-system copy-build-system)
+    (properties '((addon-id . "{73a6fe31-595d-460b-a920-fcc0f8843232}")))
+    (arguments
+     `(#:install-plan '(("." ,(assq-ref properties 'addon-id)))))
+    (home-page "https://noscript.net")
+    (synopsis "Software providing extra protection for various browsers.")
+    (description "The NoScript Security Suite is a software providing extra
+protection for web browsers.")
+    (license license:gpl3+)))
+
+(define-public noscript/icecat
+  (make-icecat-extension noscript))
diff --git a/gnu/packages/gnupg.scm b/gnu/packages/gnupg.scm
index 2b6a5ec796..73e9c3a78a 100644
--- a/gnu/packages/gnupg.scm
+++ b/gnu/packages/gnupg.scm
@@ -70,7 +70,6 @@
   #:use-module (gnu packages swig)
   #:use-module (gnu packages texinfo)
   #:use-module (gnu packages tls)
-  #:use-module (gnu packages tor)
   #:use-module (gnu packages web)
   #:use-module (gnu packages xorg)
   #:use-module (gnu packages xdisorg)
@@ -1123,7 +1122,7 @@ files, to verify signatures, and to manage the private and public keys.")
            perl-try-tiny
            perl-type-tiny
            perl-types-path-tiny
-           torsocks))
+           (@ (gnu packages tor) torsocks))) ;avoid dependency loop
     (native-inputs
      (list perl-file-which
            perl-gnupg-interface
diff --git a/gnu/packages/tor.scm b/gnu/packages/tor.scm
index 4b356b6cc1..81e7d8ba69 100644
--- a/gnu/packages/tor.scm
+++ b/gnu/packages/tor.scm
@@ -36,11 +36,15 @@
   #:use-module (guix utils)
   #:use-module (guix download)
   #:use-module (guix git-download)
+  #:use-module (guix build-system copy)
   #:use-module (guix build-system gnu)
+  #:use-module (guix build-system mozilla)
   #:use-module (guix build-system python)
   #:use-module (guix build-system pyproject)
   #:use-module (gnu packages)
   #:use-module (gnu packages base)
+  #:use-module (gnu packages bash)
+  #:use-module (gnu packages browser-extensions)
   #:use-module (gnu packages libevent)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages check)
@@ -48,6 +52,7 @@
   #:use-module (gnu packages pcre)
   #:use-module (gnu packages freedesktop)
   #:use-module (gnu packages glib)
+  #:use-module (gnu packages gnuzilla)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages python)
   #:use-module (gnu packages python-check)
@@ -483,3 +488,280 @@ Potential client and exit connections are scrubbed of sensitive information.")
 the onion proxy and sets up proxy in user session, so you don't have to mess
 up with TOR on your system anymore.")
     (license license:gpl3+)))
+
+(define torbrowser-assets
+  ;; This is a prebuilt Torbrowser from which we take the assets we need.
+  (package
+    (name "torbrowser-assets")
+    ;; To find the last version, look at https://www.torproject.org/download/.
+    (version "13.0.8")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append
+         "https://archive.torproject.org/tor-package-archive/torbrowser/"
+         version "/tor-browser-linux-x86_64-" version ".tar.xz"))
+       (sha256
+        (base32
+         "0v67x3pa0mga970andlz58k2wz8b8x7aman8gkkahnd003h9qgvq"))))
+    (arguments
+     (list
+      #:install-plan
+      ''(("Browser" "." #:include-regexp
+          ("^\\./TorBrowser/Data/Tor/torrc-defaults"
+           "^\\./fonts/"
+           "^\\./fontconfig/fonts.conf")))))
+    (build-system copy-build-system)
+    (home-page "https://www.torproject.org")
+    (synopsis "Tor Browser assets")
+    (description "This package contains fonts and configuration files for Tor
+Browser.")
+    (license license:silofl1.1)))
+
+;; Must be of the form YYYYMMDDhhmmss as in `date +%Y%m%d%H%M%S`.
+(define %moz-build-date "20231219173144")
+
+(define-public torbrowser
+  (package
+    (inherit icecat-minimal)
+    (name "torbrowser")
+    ;; To find the last version, browse
+    ;; https://archive.torproject.org/tor-package-archive/torbrowser/<version>
+    ;; (<version> is the version of the `torbrowser-assets` package).  There
+    ;; should be only one archive that starts with "src-firefox-tor-browser-".
+    (version "115.6.0esr-13.0-1-build2")
+    (source
+     (origin
+       (method url-fetch)
+       (uri
+        (string-append
+         "https://archive.torproject.org/tor-package-archive/torbrowser/"
+         (package-version torbrowser-assets)
+         "/src-firefox-tor-browser-" version ".tar.xz"))
+       (sha256
+        (base32
+         "1c0p8aya7sh7nmawngkyzx2r02mvl9nd53hx2bl0jwvsj1vxxhca"))))
+    (build-system mozilla-build-system)
+    (arguments
+     (substitute-keyword-arguments (package-arguments icecat-minimal)
+       ((#:configure-flags flags '())
+        #~(cons*
+           "--without-relative-data-dir" ;store is read-only
+           "--disable-base-browser-update"
+           ;; Default is "default", which is the same as "nightly".
+           "--enable-update-channel=release"
+           "--with-user-appdir=.torbrowser"
+           "--with-branding=browser/branding/tb-release"
+           (string-append "--prefix=" #$output)
+           (string-append "--with-base-browser-version="
+                          #$(package-version
+                             (this-package-input "torbrowser-assets")))
+           #$flags))
+       ((#:phases phases)
+        #~(modify-phases #$phases
+            (add-before 'configure 'setenv
+              (lambda _
+                (setenv "CONFIG_SHELL" (which "bash"))
+                ;; Install location is prefix/lib/$MOZ_APP_NAME.  Also
+                ;; $MOZ_APP_NAME is the executable name.  Default is
+                ;; "firefox".
+                (setenv "MOZ_APP_NAME" "torbrowser")
+                ;; Profile location (relative to "~/.").  Default is
+                ;; lower($MOZ_APP_VENDOR/$MOZ_APP_BASENAME), which is:
+                ;; ~/.tor project/firefox.
+                (setenv "MOZ_APP_PROFILE" "torbrowser/browser")
+                ;; WM_CLASS (default is "$MOZ_APP_NAME-$MOZ_UPDATE_CHANNEL").
+                (setenv "MOZ_APP_REMOTINGNAME" "Tor Browser")
+                ;; Persistent state directory for the build system (default is
+                ;; $HOME/.mozbuild).
+                (setenv "MOZBUILD_STATE_PATH"
+                        (in-vicinity (getcwd) ".mozbuild"))
+                ;; Make build reproducible.
+                (setenv "MOZ_BUILD_DATE" #$%moz-build-date)))
+            (add-before 'configure 'mozconfig
+              (lambda* (#:key configure-flags #:allow-other-keys)
+                (with-output-to-file "mozconfig"
+                  (lambda ()
+                    (format #t ". $topsrcdir/mozconfig-linux-x86_64~%")
+                    (for-each (lambda (flag)
+                                (format #t "ac_add_options ~a~%" flag))
+                              configure-flags)))))
+            (replace 'configure
+              (lambda _
+                (invoke "./mach" "configure")))
+            (add-before 'build 'fix-addons-placeholder
+              (lambda _
+                (substitute*
+                    "toolkit/locales/en-US/toolkit/about/aboutAddons.ftl"
+                  (("addons.mozilla.org") "gnuzilla.gnu.org"))))
+            (add-after 'install 'deploy-assets
+              (lambda _
+                (let ((assets #$(this-package-input "torbrowser-assets"))
+                      (lib (in-vicinity #$output "lib/torbrowser"))
+                      (tor #$(this-package-input "tor-client")))
+                  ;; TorBrowser/Data/Tor/torrc-defaults
+                  (copy-recursively (in-vicinity assets "TorBrowser")
+                                    (in-vicinity lib "TorBrowser"))
+                  ;; The geoip and geoip6 files are in the same directory as
+                  ;; torrc-defaults.  (See TorProcess.sys.mjs.)
+                  (mkdir-p (in-vicinity lib "TorBrowser/Data/Tor"))
+                  (copy-file (in-vicinity tor "share/tor/geoip")
+                             (in-vicinity lib "TorBrowser/Data/Tor/geoip"))
+                  (copy-file (in-vicinity tor "share/tor/geoip6")
+                             (in-vicinity lib "TorBrowser/Data/Tor/geoip6"))
+                  ;; Fonts
+                  (copy-recursively (in-vicinity assets "fontconfig")
+                                    (in-vicinity lib "fontconfig"))
+                  (substitute* (in-vicinity lib "fontconfig/fonts.conf")
+                    (("<dir>fonts</dir>")
+                     (format #f "<dir>~a</dir>" (in-vicinity lib "fonts"))))
+                  (delete-file-recursively (in-vicinity lib "fonts"))
+                  (copy-recursively (in-vicinity assets "fonts")
+                                    (in-vicinity lib "fonts")))))
+            (replace 'build-sandbox-whitelist
+              (lambda* (#:key inputs #:allow-other-keys)
+                (define (runpath-of lib)
+                  (call-with-input-file lib
+                    (compose elf-dynamic-info-runpath
+                             elf-dynamic-info
+                             parse-elf
+                             get-bytevector-all)))
+                (define (runpaths-of-input label)
+                  (let* ((dir (string-append (assoc-ref inputs label) "/lib"))
+                         (libs (find-files dir "\\.so$")))
+                    (append-map runpath-of libs)))
+                ;; Populate the sandbox read-path whitelist as needed by ffmpeg.
+                (let* ((whitelist
+                        (map (cut string-append <> "/")
+                             (delete-duplicates
+                              `(,(string-append (assoc-ref inputs "shared-mime-info")
+                                                "/share/mime")
+                                ,@(append-map runpaths-of-input
+                                              '("mesa" "ffmpeg"))))))
+                       (whitelist-string (string-join whitelist ",")))
+                  (with-output-to-file "whitelist.txt"
+                    (lambda ()
+                      (display whitelist-string))))))
+            (add-after 'install 'autoconfig
+              (lambda* (#:key inputs #:allow-other-keys)
+                (let ((lib (in-vicinity #$output "lib/torbrowser"))
+                      (config-file "tor-browser.cfg"))
+                  (with-output-to-file (in-vicinity
+                                        lib "defaults/pref/autoconfig.js")
+                    (lambda ()
+                      (format #t "// first line must be a comment~%")
+                      (format #t "pref(~s, ~s);~%"
+                              "general.config.filename" config-file)
+                      (format #t "pref(~s, ~a);~%"
+                              "general.config.obscure_value" "0")))
+                  (with-output-to-file (in-vicinity lib config-file)
+                    (lambda ()
+                      (format #t "// first line must be a comment~%")
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.torlauncher.torrc-defaults_path"
+                              (in-vicinity
+                               lib "TorBrowser/Data/Tor/torrc-defaults"))
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.torlauncher.tor_path"
+                              (search-input-file inputs "bin/tor"))
+                      ;; Required for Guix packaged extensions
+                      ;; SCOPE_PROFILE=1, SCOPE_APPLICATION=4, SCOPE_SYSTEM=8
+                      ;; Default is 5.
+                      (format #t "pref(~s, ~a);~%"
+                              "extensions.enabledScopes" "13")
+                      (format #t "pref(~s, ~s);~%"
+                              "security.sandbox.content.read_path_whitelist"
+                              (call-with-input-file "whitelist.txt"
+                                get-string-all))
+                      ;; Add-ons pannel (see settings.js in Icecat source).
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.getAddons.search.browseURL"
+                              "https://gnuzilla.gnu.org/mozzarella")
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.getAddons.get.url"
+                              "https://gnuzilla.gnu.org/mozzarella")
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.getAddons.link.url"
+                              "https://gnuzilla.gnu.org/mozzarella")
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.getAddons.discovery.api_url"
+                              "https://gnuzilla.gnu.org/mozzarella")
+                      (format #t "pref(~s, ~s);~%"
+                              "extensions.getAddons.langpacks.url"
+                              "https://gnuzilla.gnu.org/mozzarella")
+                      (format #t "pref(~s, ~s);~%"
+                              "lightweightThemes.getMoreURL"
+                              "https://gnuzilla.gnu.org/mozzarella"))))))
+            (replace 'wrap-program
+              (lambda* (#:key inputs #:allow-other-keys)
+                (let* ((gtk #$(this-package-input "gtk+"))
+                       (gtk-share (string-append gtk "/share"))
+                       (fonts.conf (in-vicinity
+                                    #$output
+                                    "lib/torbrowser/fontconfig/fonts.conf"))
+                       (ld-libs '#$(cons
+                                    (file-append
+                                     (this-package-input "libcanberra")
+                                     "/lib/gtk-3.0/modules")
+                                    (map
+                                     (lambda (label)
+                                       (file-append
+                                        (this-package-input label) "/lib"))
+                                     '("libpng-apng"
+                                       "libxscrnsaver"
+                                       "mesa"
+                                       "pciutils"
+                                       "mit-krb5"
+                                       "eudev"
+                                       "pulseaudio"
+                                       "libnotify")))))
+                  (wrap-program
+                      (in-vicinity #$output "lib/torbrowser/torbrowser")
+                    `("XDG_DATA_DIRS" prefix (,gtk-share))
+                    `("LD_LIBRARY_PATH" prefix ,ld-libs)
+                    `("FONTCONFIG_FILE" prefix (,fonts.conf))))))
+            (replace 'install-desktop-entry
+              (lambda _
+                (let ((apps (in-vicinity #$output "share/applications")))
+                  (mkdir-p apps)
+                  (make-desktop-entry-file
+                   (in-vicinity apps "torbrowser.desktop")
+                   #:name "Tor Browser"
+                   #:exec
+                   (format #f "~a %u" (in-vicinity #$output "bin/torbrowser"))
+                   #:comment
+                   "Tor Browser is +1 for privacy and -1 for mass surveillance"
+                   #:categories '("Network" "WebBrowser" "Security")
+                   #:startup-w-m-class "Tor Browser"
+                   #:icon "tor-browser"))))
+            (replace 'install-icons
+              (lambda* (#:key inputs #:allow-other-keys)
+                (for-each
+                 (lambda (size)
+                   (let ((oldpath (string-append
+                                   "browser/branding/tb-release/default"
+                                   size ".png"))
+                         (newpath (string-append #$output
+                                                 "/share/icons/hicolor/"
+                                                 size "x" size "/apps")))
+                     (mkdir-p newpath)
+                     (copy-file oldpath
+                                (in-vicinity newpath "tor-browser.png"))))
+                 '("16" "22" "24" "32" "48" "64" "128" "256"))))))))
+    (inputs
+     (modify-inputs (package-inputs icecat-minimal)
+       (append bash-minimal
+               tor-client
+               torbrowser-assets)))
+    (propagated-inputs
+     (list noscript/icecat))
+    (home-page "https://www.torproject.org")
+    (synopsis "Anonymous browser derived from Mozilla Firefox")
+    (description
+     "Tor Browser is the Tor Project version of Firefox browser.  It is the
+only recommended way to anonymously browse the web that is supported by the
+project.  It modifies Firefox in order to avoid many know application level
+attacks on the privacy of Tor users.")
+    (license license:mpl2.0)))       ;And others, see
+                                     ;toolkit/content/license.html
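Review bot: With `--disable-base-browser-update` in the configure flags, security fixes reach users only when this package is bumped, and the hunk pins three values by hand that have to move together: the `torbrowser-assets` version, the `torbrowser` version (whose URL is built from the assets version) and `%moz-build-date`. The existing comments say where to find each version but not that they must change in the same commit, nor why the updater is off. I would add `;; Updates are delivered by Guix (the store is read-only); bump promptly on upstream security releases.` above the flag and `;; Update together with torbrowser-assets and %moz-build-date.` above the `torbrowser` version. Separately, `torbrowser-assets` unpacks a prebuilt bundle whose only authentication visible here is the pinned sha256. The `#:include-regexp` list limits what is taken to torrc-defaults, fonts and fonts.conf, and a comment stating that the list must not be widened to executables would protect that property.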