Title: Tor Browser 13.0a4 (Android, Windows, macOS, Linux)
Author: Richard
Date: 2023-09-17 14:35:15
Content:

New Alpha Release: Tor Browser 13.0a4 (Android, Windows, macOS, Linux)

by richard

Tor Browser 13.0a4 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 115.2.1esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 117.

Major Changes

This is our fourth alpha release in the 13.0 series which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our gitlab or on the Tor Project forum.

We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series which will continue to receive security updates until 13.0 alpha is promoted to stable.

Build Output Naming Updates

As a reminder from the 13.0a3 release post, we have made the naming scheme for all of our build outputs mutually consistent. If you are a downstream packager or in some other way download Tor Browser artifacts in scripts or automation, you will have a bit more work to do beyond bumping the version number once the 13.0 alpha stabilizes. All of our current build outputs can be found in the distribution directory.

UX Refresh of about:tor

The about:tor page you land on after bootstrapping has been rewritten for our Desktop platforms. As part of this process, and as part of the tor integration back-end rewrite, we have removed the automatic tor network connectivity check (https://check.torproject.org) which occurred in the about:tor page.

This check was a hold-over from the tor-launcher days when launching and bootstrapping the tor daemon was handled by an extension which ran before the Firefox browser interface was presented to the user. As a result of the tighter tor integration and in-browser bootstrapping experience in about:connection, the legacy logic behind this check would sometimes fail and present some users with the infamous 'red screen of death', even if their tor connection was fine.

That is to say, all of the reports we have received of users hitting this screen were false-positives when using the default configuration. The conditions for which the check on this page made sense no longer exist and now only serve to confuse users. On top of that, the two main environments where Tor Browser is used in a non-default configuration where the check is arguably useful (Tails and Whonix) do not use the built-in about:tor page for home or new-tab.

Tor Browser users with the default configuration who successfully go through the bootstrapping process essentially cannot get into a situation where they are able to load about:tor while not being connected to the process-owned tor daemon. If they are connected to the tor daemon, then the check will either succeed or time out if the connection to the Tor Network fails after bootstrapping. If the tor daemon has crashed or failed to launch, then the browser's proxy settings prevent web traffic from going anywhere outside the user's system.

In the short term, we will be adding some ux to the about:tor page for users who are not using a default configuration to easily check that their configuration is correct and using tor as expected.

Longer-term (in the 13.5 time-frame) we plan on integrating this tor check directly into the about:connection state-machine so we can avoid false-positives in the default configuration while also providing peace-of-mind that web traffic is being routed correctly. We will also likely iterate on the about:tor ux for users in non-default configurations.

Android

Our Tor Browser Android release should be pretty close to final in terms of changes, apart from bug fixes or tweaks required by our annual ESR code-audit. The rendering+branding errors from 13.0a3 have been resolved. If you are able, please be sure to take the Tor Browser Android alpha for a spin, and especially try using bridges!

Known Issues

Desktop

Build-to-build incremental updates are currently failing for some users if you are starting at a version older than 13.0a3. Users on 13.0a2 and 13.0a1 will first download the small incremental update, fail to apply it after a re-launch, and then download the full large update. This should not result in losing anything of value apart from your precious time.

It is being tracked in tor-browser#42101.

Windows

Build-generated debug headers are not currently reproducible. This only affects debug info and does not affect users. This issue is being tracked here. It will either be fixed before the 13.0 alpha series transitions to stable later this year, or we will disable this developer feature by default to ensure fully matching builds.

Full changelog

We would like to thank volunteer contributor cypherpunks1 for their fixes for tor-browser#41876 and tor-browser#41740.

The full changelog since Tor Browser 13.0a3 is:

