Once upon a time, the Tor Browser Bundle was an actual bundle. It included Firefox, the Tor daemon, and Torbutton, the extension to turn on and off the Tor mode in the browser.

This toggle model was not great and extremely confusing to some users. This and other problems led to the creation of Tor Browser: this article contains more details about this story.

From a technical point of view, Torbutton did not really go away. The visible button disappeared, but much of the related code remained.

Part of the state isolation code was not necessary anymore because Tor Browser always runs in private browsing mode or was dropped over the years thanks to Firefox improvements and the Tor Uplift initiative. However, the circuit display, the first-party domain circuit isolation, and other parts of the existing code were still needed. As a result, Torbutton continued to live for many years as a Tor Browser-only built-in extension on its separate repository and included in the browser with git submodules (even though the browser was non-functional without it). New patches and functionalities were written in the Firefox code that constitutes Tor Browser, and the Torbutton code was changed only to fix existing bugs or to keep it working in new versions of Firefox. … [Leggi il resto]

Ten days ago, Mullvad released Mullvad Browser. I was involved in its development, being part of the applications team at the Tor Project.

So, I would like to use this occasion to describe how we maintain Tor Browser and the similarities with Mullvad Browser.

Firefox ESR

Tor Browser is a fork of Firefox. However, we are a small team, and we cannot stay on pass with the rapid release channel of Mozilla.

Instead, our starting point is the extended support release, the version geared towards enterprises.

It is not an old Firefox, but a channel Mozilla actively supports for about one year. Like the rapid release, it receives monthly updates, typically only with security patches. It rarely receives new features.

This is an enormous advantage because we can quickly update Tor Browser without auditing the changes. Moreover, these few changes are unlikely to create conflicts to be manually merged and reviewed carefully. … [Leggi il resto]