All checksums have been double-checked against existing RMD160 and
SHA512 hashes
Unfetchable distfiles (fetched conditionally?):
./security/cyrus-sasl/distinfo cyrus-sasl-dedad73e5e7a75d01a5f3d5a6702ab8ccd2ff40d.patch.v2
This version updates Firefox to 78.13.0esr. This version includes
important security updates to Firefox.
Warning:
Tor Browser will stop supporting version 2 onion services very
soon. Please see the previously published deprecation timeline.
Migrate your services and update your bookmarks to version 3 onion
services as soon as possible.
The full changelog since Tor Browser 10.5.2:
Windows + OS X + Linux
Update Firefox to 78.13.0esr
Update NoScript to 11.2.11
Bug 40041: Remove V2 Deprecation banner on about:tor for desktop
Bug 40506: Saved Logins not available in 10.5
Bug 40524: Update DuckDuckGo onion site URL in search preferences and onboarding
10.5.2
Windows + OS X + Linux
Update Firefox to 78.12.0esr
Bug 40497: Cannot set multiple pages as home pages in 10.5a17
Bug 40507: Full update is not downloaded after applying partial update fails
Bug 40510: open tabs get redirected to about:torconnect on restart
10.5.1
Android-only
10.5
All Platforms
Update NoScript to 11.2.9
Update Tor Launcher to 0.2.30
Translations update
Bug 25483: Provide Snowflake based on Pion for Windows, macOS, and Linux
Bug 33761: Remove unnecessary snowflake dependencies
Bug 40064: Bump libevent to 2.1.12
Bug 40137: Migrate https-everywhere storage to idb
Bug 40261: Bump versions of snowflake and webrtc
Bug 40263: Update domain front for Snowflake
Bug 40302: Update version of snowflake
Bug 40030: DuckDuckGo redirect to html doesn't work
Windows + OS X + Linux
Bug 27476: Implement about:torconnect captive portal within Tor Browser [tor-browser]
Bug 32228: Bookmark TPO support domains in Tor Browser
Bug 33803: Add a secondary nightly MAR signing key [tor-browser]
Bug 33954: Consider different approach for Bug 2176
Bug 34345: "Don't Bootstrap" Startup Mode
Bug 40011: Rename tor-browser-brand.ftl to brand.ftl
Bug 40012: Fix about:tor not loading some images in 82
Bug 40138: Move our primary nightly MAR signing key to tor-browser
Bug 40209: Implement Basic Crypto Safety
Bug 40428: Correct minor Cryptocurrency warning string typo
Bug 40429: Update Onboarding for 10.5
Bug 40455: Block or recover background requests after bootstrap
Bug 40456: Update the SecureDrop HTTPS-Everywhere update channel
Bug 40475: Include clearing CORS preflight cache
Bug 40478: Onion alias url rewrite is broken
Bug 40484: Bootstrapping page show Quickstart text
Bug 40490: BridgeDB bridge captcha selection is broken in alpha
Bug 40495: Onion pattern is focusable by click on about:torconnect
Bug 40499: Onion Alias doesn't work with TOR_SKIP_LAUNCH
Linux
Bug 40089: Remove CentOS 6 support for Tor Browser 10.5
Build System
All Platforms
Update Go to 1.15.13
Bug 23631: Use rootless containers [tor-browser-build]
Bug 33693: Change snowflake and meek dummy address [tor-browser]
Bug 40016: getfpaths is not setting origin_project
Bug 40169: Update apt package cache after calling pre_pkginst, too
Bug 40194: Remove osname part in cbindgen filename
Windows + OS X + Linux
Bug 40081: Build Mozilla code with --enable-rust-simd
Bug 40104: Use our TMPDIR when creating our .mar files
Bug 40133: Bump Rust version for ESR 78 to 1.43.0
Bug 40166: Update apt cache before calling pre_pkginst in container-image config
Linux
Bug 26238: Move to Debian Jessie for our Linux builds
Bug 31729: Support Wayland
Bug 40041: Remove CentOS 6 support for 10.5 series
Bug 40103: Add i386 pkg-config path for linux-i686
Bug 40112: Strip libstdc++ we ship
Bug 40118: Add missing libdrm dev package to firefox container
Bug 40235: Bump apt for Jessie containers
This version updates Tor to 0.4.5.9, including important security
fixes.
Warning:
Tor Browser will stop supporting version 2 onion services later
this year. Please see the previously published deprecation timeline.
Migrate your services and update your bookmarks to version 3 onion
services as soon as possible.
This version updates Firefox to 78.11esr. This version includes
important security updates to Firefox for Desktop.
Warning:
Tor Browser will stop supporting version 2 onion services later
this year. Please see the previously published deprecation timeline.
Migrate your services and update your bookmarks to version 3 onion
services as soon as possible.
10.0.12:
Update Firefox to 78.8.0esr
Bug 40026: Create survey banner on about:tor for desktop
Bug 40287: Switch DDG search from POST to GET
10.0.11:
Windows-only.
Changes:
10.0.10:
Not found.
10.0.9:
The full changelog since Desktop and Android Tor Browser 10.0.8 is:
All Platforms
Update NoScript to 11.1.9
Windows + OS X + Linux
Update Firefox to 78.7.0esr
Bug 40249: Remove EOY 2020 Campaign
Build System
All Platforms
Update Go to 1.14.14
10.0.8:
The full changelog since Desktop and Android Tor Browser 10.0.7 is:
All Platforms
Update NoScript to 11.1.7
Windows + OS X + Linux
Update Firefox to 78.6.1esr
This release updates Firefox for desktops to 78.6.0esr and Firefox
for Android to 84.1.0. This release includes important security
updates to Firefox for Desktop, and similar important security
updates to Firefox for Android.
The full changelog since Desktop and Android Tor Browser 10.0.6 is:
All Platforms
Update HTTPS Everywhere to 2020.11.17
Bug 40166: Disable security.certerrors.mitm.auto_enable_enterprise_roots
Bug 40176: Update openssl to 1.1.1i
Windows + OS X + Linux
Update Firefox to 78.6.0esr
Android
Update Firefox to 84.1.0
Update NoScript to 11.1.6
Linux
Bug 40226: Crash on Fedora Workstation Rawhide GNOME
Build System
All Platforms
Bug 40139: Pick up rbm commit for bug 40008
Bug 40161: Update Go compiler to 1.14.13
Android
Bug 40128: Allow updating Fenix allowed_addons.json
Bug 40140: Create own Gradle project
Bug 40155: Update toolchain for Fenix 84
Bug 40156: Update Fenix and dependencies to 84.0.0-beta2
Bug 40163: Avoid checking hash of .pom files
Bug 40171: Include all uniffi-rs artifacts into application-services
Bug 40184: Update Fenix and deps to 84.1.0
10.0.6
All Platforms
Bug 40175: Update obfs4proxy's TLS certificate public key pinning
This release updates Firefox to 78.5.0esr and updates Tor to 0.4.4.6.
This release includes important security updates to Firefox.
The full changelog since Tor Browser 10.0.4 (Desktop) is:
Windows + OS X + Linux
Update Firefox to 78.5.0esr
Update Tor to 0.4.4.6
Bug 40212: Add new default obfs4 bridge
This release updates NoScript to 11.1.5 and includes an important security update to Firefox.
The full changelog since Tor Browser 10.0.2 (Desktop) is:
Windows + OS X + Linux
Update NoScript to 11.1.5
Bug 40021: Keep page shown after Tor Browser update purple
Bug 40022: EOY November Update - Matching
Bug 40219: Backport Mozilla Bug 1675905
Translations update
Build System
Windows + OS X + Linux
Update Go to 1.14.11
Bug 40141: Include "desktop" in signed tag
This release updates Firefox to 78.4.0esr and NoScript to 11.1.3.
This release includes important security updates to Firefox.
Note: Now Javascript on the Safest security level is governed by
NoScript again. It was set as false when on Safest in 9.5a9. The
javascript.enabled preference was reset to true for everyone using
Safest beginning in Tor Browser 10.0 and you must re-set it as
false if that is your preference.
Tor Browser 10.0 -- September 22 2020
* Windows + OS X + Linux
* Update Firefox to 78.3.0esr
* Update Tor to 0.4.4.5
* Update Tor Launcher to 0.2.25
* Bug 32174: Replace XUL <textbox> with <html:input>
* Bug 33890: Rename XUL files to XHTML
* Bug 33862: Fix usages of createTransport API
* Bug 33906: Fix Tor-Launcher issues for Firefox 75
* Bug 33998: Use CSS grid instead of XUL grid
* Bug 34164: Tor Launcher deadlocks during startup (Firefox 77)
* Bug 34206: Tor Launcher button labels are missing (Firefox 76)
* Bug 40002: After rebasing to 80.0b2 moat is broken [tor-launcher]
* Translations update
* Update NoScript to 11.0.44
* Bug 40093: Youtube videos on safer produce an error [tor-browser]
* Translations update
* Bug 10394: Let Tor Browser update HTTPS Everywhere
* Bug 11154: Disable TLS 1.0 (and 1.1) by default
* Bug 16931: Sanitize the add-on blocklist update URL
* Bug 17374: Disable 1024-DH Encryption by default
* Bug 21601: Remove unused media.webaudio.enabled pref
* Bug 30682: Disable Intermediate CA Preloading
* Bug 30812: Exempt about: pages from Resist Fingerprinting
* Bug 31918+33533+40024+40037: Rebase Tor Browser esr68 patches for ESR 78 [tor-browser]
* Bug 32612: Update MAR_CHANNEL_ID for the alpha
* Bug 32886: Separate treatment of @media interaction features for desktop and android
* Bug 33534: Review FF release notes from FF69 to latest (FF78)
* Bug 33697: Use old search config based on list.json
* Bug 33721: PDF Viewer is not working in the safest security level
* Bug 33734: Set MOZ_NORMANDY to False
* Bug 33737: Fix aboutDialog.js error for Firefox nightlies
* Bug 33848: Disable Enhanced Tracking Protection
* Bug 33851: Patch out Parental Controls detection and logging
* Bug 33852: Clean up about:logins to not mention Sync
* Bug 33856: Set browser.privatebrowsing.forceMediaMemoryCache to True
* Bug 33862: Fix usages of createTransport API
* Bug 33867: Disable password manager and password generation
* Bug 33890: Rename XUL files to XHTML
* Bug 33892: Add brandProductName to brand.dtd and brand.properties
* Bug 33962: Uplift patch for bug 5741 (dns leak protection)
* Bug 34125: API change in protocolProxyService.registerChannelFilter
* Bug 40001: Generate tor-browser-brand.ftl when importing translations [torbutton]
* Bug 40002: Remove about:pioneer [tor-browser]
* Bug 40002: Fix generateNSGetFactory being moved to ComponentUtils [torbutton]
* Bug 40003: Adapt code for L10nRegistry API changes [torbutton]
* Bug 40005: Initialize the identity UI before setting up the circuit display [torbutton]
* Bug 40006: Fix new identity for 81 [torbutton]
* Bug 40007: Move SecurityPrefs initialization to the StartupObserver component [torbutton]
* Bug 40008: Style fixes for 78 [torbutton]
* Bug 40016: Update Snowflake to discover NAT type [tor-browser-build]
* Bug 40017: Audit Firefox 68-78 diff for proxy issues [tor-browser]
* Bug 40022: Update new icons in Tor Browser branding [tor-browser]
* Bug 40025: Revert add-on permissions due to Mozilla's 1560059 [tor-browser]
* Bug 40036: Remove product version/update channel from #13379 patch [tor-browser]
* Bug 40038: Review RemoteSettings for ESR 78 [tor-browser]
* Bug 40048: Disable various ESR78 features via prefs [tor-browser]
* Bug 40059: Verify our external helper patch is still working [tor-browser]
* Bug 40066: Update existing prefs for ESR 78 [tor-browser]
* Bug 40066: Remove default bridge 37.218.240.34 [tor-browser-build]
* Bug 40073: Disable remote Public Suffix List fetching [tor-browser]
* Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere [tor-browser-build]
* Bug 40078: Backport patches for bug 1651680 for now [tor-browser]
* Bug 40082: Let JavaScript on safest setting handled by NoScript again [tor-browser]
* Bug 40088: Moat "Submit" button does not work
* Bug 40090: Disable v3 add-on blocklist for now [tor-browser]
* Bug 40091: Load HTTPS Everywhere as a builtin addon [tor-browser]
* Bug 40102: Fix UI bugs in Tor Browser 10.0 alpha [tor-browser]
* Bug 40106: Cannot install addons in full screen mode [tor-browser]
* Bug 40109: Playing video breaks after reloading pages [tor-browser]
* Bug 40119: Enable v3 extension blocklisting again [tor-browser]
* Windows
* Bug 33855: Don't use site's icon as window icon in Windows in private mode
* Bug 40061: Omit the Windows default browser agent from the build [tor-browser]
* OS X
* Bug 32252: Tor Browser does not display correctly in VMWare Fusion on macOS (mojave)
* Build System
* Windows + OS X + Linux
* Bump Go to 1.14.7
* Bug 31845: Bump GCC version to 9.3.0
* Bug 34011: Bump clang to 9.0.1
* Bug 34014: Enable sqlite3 support in Python
* Bug 34390: Don't copy DBM libraries anymore
* Bug 34391: Remove unused --enable-signmar option
* Bug 40004: Adapt Rust project for Firefox 78 ESR [tor-browser-build]
* Bug 40005: Adapt Node project for Firefox 78 ESR [tor-browser-build]
* Bug 40006: Adapt cbindgen for Firefox 78 ESR [tor-browser-build]
* Bug 40037: Move projects over to clang-source [tor-browser-build]
* Bug 40026: Fix full .mar creation for esr78 [tor-browser-build]
* Bug 40027: Fix incremental .mar creation for esr78 [tor-browser-build]
* Bug 40028: Do not reference unset env variables [tor-browser-build]
* Bug 40031: Add licenses for kcp-go and smux. [tor-browser-build]
* Bug 40045: Fix complete .mar file creation for dmg2mar [tor-browser-build]
* Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1 [tor-browser-build]
* Bug 40087: Deterministically add HTTPS Everywhere into omni.ja [tor-browser-build]
* Windows
* Bug 34230: Update Windows toolchain for Firefox 78 ESR
* Bug 40015: Use only 64bit fxc2 [tor-browser-build]
* Bug 40017: Enable stripping again on Windows [tor-browser-build]
* Bug 40052: Bump NSIS to 3.06.1 [tor-browser-build]
* Bug 40061: Omit the Windows default browser agent from the build [tor-browser]
* Bug 40071: Be explicit about no SEH with mingw-w64 on 32bit systems [tor-browser-build]
* Bug 40077: Don't pass --no-insert-timestamp when building Firefox [tor-browser-build]
* Bug 40090: NSIS 3.06.1 based builds are not reproducible anymore [tor-browser-build]
* OS X
* Bug 34229: Update macOS toolchain for Firefox 78 ESR
* Bug 40003: Update cctools version for Firefox 78 ESR [tor-browser-build]
* Bug 40018: Add libtapi project for cctools [tor-browser-build]
* Bug 40019: Ship our own runtime library for macOS [tor-browser-build]
* Linux
* Bug 34359: Adapt abicheck.cc to deal with newer GCC version
* Bug 34386: Fix up clang compilation on Linux
* Bug 40053: Also create the langpacks tarball for non-release builds [tor-browser-build]
Tor Browser 10.0a7 -- September 14 2020
* Windows + OS X + Linux
* Update Tor Launcher to 0.2.24
* Update NoScript to 11.0.43
* Translations update
* Bug 10394: Let Tor Browser update HTTPS Everywhere
* Bug 32017: Use ExtensionStorageIDB again
* Bug 40006: Fix new identity for 81 [torbutton]
* Bug 40007: Move SecurityPrefs initialization to the StartupObserver component [torbutton]
* Bug 40008: Style fixes for 78 [torbutton]
* Bug 40066: Remove default bridge 37.218.240.34 [tor-browser-build]
* Bug 40073: Repack omni.ja to include builtin HTTPS Everywhere [tor-browser-build]
* Bug 40091: Load HTTPS Everywhere as a builtin addon [tor-browser]
* Bug 40102: Fix UI bugs in Tor Browser 10.0 alpha [tor-browser]
* Bug 40109: Playing video breaks after reloading pages [tor-browser]
* Big 40119: Enable v3 extension blocklisting again [tor-browser]
* Build System
* Windows + OS X + Linux
* Bump Go to 1.14.7
* Bug 40031: Add licenses for kcp-go and smux. [tor-browser-build]
* Bug 40045: Fix complete .mar file creation for dmg2mar [tor-browser-build]
* Bug 40065: Bump debootstrap-image ubuntu_version to 20.04.1 [tor-browser-build]
* Bug 40087: Deterministically add HTTPS Everywhere into omni.ja [tor-browser-build]
* Windows
* Bug 40052: Bump NSIS to 3.06.1 [tor-browser-build]
* Bug 40071: Be explicit about no SEH with mingw-w64 on 32bit systems [tor-browser-build]
* Bug 40077: Don't pass --no-insert-timestamp when building Firefox [tor-browser-build]
* Bug 40090: NSIS 3.06.1 based builds are not reproducible anymore [tor-browser-build]
Tor Browser 10.0a6 -- August 26 2020
* All Platforms
* Update HTTPS Everywhere to 2020.08.13
* Windows + OS X + Linux
* Update Firefox to 78.2.0esr
* Update Tor Launcher to 0.2.23
* Bug 40002: After rebasing to 80.0b2 moat is broken [tor-launcher]
* Translations update
* Update NoScript to 11.0.39
* Bug 21601: Remove unused media.webaudio.enabled pref
* Bug 40002: Remove about:pioneer [tor-browser]
* Bug 40082: Let JavaScript on safest setting handled by NoScript again [tor-browser]
* Bug 40088: Moat "Submit" button does not work
* Bug 40090: Disable v3 add-on blocklist for now [tor-browser]
* OS X
* Bug 40015: Tor Browser broken on MacOS 11 Big Sur
* Android
* Update Firefox to 68.12.0esr
* Update NoScript to 11.0.38
* Update Tor to 0.4.4.4-rc
* Build System
* Windows + OS X + Linux
* Bump Go to 1.13.15
* Linux
* Bug 40053: Also create the langpacks tarball for non-release builds [tor-browser-build]
The webauthn API is disabled by default in the Tor Browser:
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26614
In order to use it, risking the consequences since the Tor Project
has not audited its anonymity properties, you have to explicitly
enable security.webauthn.webauthn=true in about:config.
So if you definitely want to log into a web site using U2F in spite
of that, with location privacy but not anonymity, then these patches
now enable it to work on NetBSD (with the caveat that enabling
security.webauthn.webauthn=true applies also to any web site that
tries to use the webauthn API, not just the ones you want to log
into).
Tor Browser 9.5.3 -- July 28 2020
* All Platforms
* Update Firefox to 68.11.0esr
* Update NoScript to 11.0.34
* Update Tor to 0.4.3.6
Tor Browser 9.5.2 -- July 7 2020
* Android
* Update Firefox to 68.10.1esr
This release updates Firefox to 68.10.0esr and NoScript to 11.0.32.
Also, this release features important security updates to Firefox.
The full changelog since Tor Browser 9.5 is:
All Platforms
Update Firefox to 68.10.0esr
Update NoScript to 11.0.32
Translations update
Bug 40009: Improve tor's client auth stability
Windows + OS X + Linux
Bug 34361: "Prioritize .onion sites when known" appears under General
Bug 34362: Improve Onion Service Authentication prompt
Bug 34369: Fix learn more link in Onion Auth prompt
Bug 34379: Fix learn more for Onion-Location
Bug 34347: The Tor Network part on the onboarding is not new anymore
This release includes important security updates to Firefox.
This new Tor Browser release is focused on helping users understand
onion services.
Tor's onion routing remains the best way to achieve end-to-end
anonymous communication on the Internet. With onion services (.onion
addresses), website administrators can provide their users with
anonymous connections that are metadata-free or that hide metadata
from any third party. Onion services are also one of the few
censorship circumvention technologies that allow users to route
around censorship while simultaneously protecting their privacy
and identity.
For the first time, Tor Browser users on desktop will be able to
opt-in for using onion sites automatically whenever the website
makes them available. For years, some websites have invisibly used
onion services with alternative services (alt-svc), and this
continues to be an excellent choice. Now, there is also an opt-in
mechanism available for websites that want their users to know
about their onion service that invites them to upgrade their
connection via the .onion address.
This release updates Firefox to 68.8.0esr, NoScript to 11.0.25, and OpenSSL to 1.1.1g.
Also, this release features important security updates to Firefox.
The full changelog since Tor Browser 9.0.9 is:
All Platforms
Update Firefox to 68.8.0esr
Bump NoScript to 11.0.25
Windows + OS X + Linux
Bug 34017: Bump openssl version to 1.1.1g
Install and use the fonts distributed with the Linux binary of tor-browser.
Reduces fingerprinting possibilities based on installed fonts.
Idea from Caspar Schutijser, the OpenBSD ports maintainer, and
based on his patch for OpenBSD ports.
Automatically install the noscript extension.
(https-everywhere package is ready, but doesn't work.)
Change the default path in the home directory to ".tor-browser"
to be more similar to other mozilla products.
By default, use the standard tor port. No separate instance
of tor is started for tor-browser from pkgsrc.
All Platforms
Update Firefox to 68.7.0esr
Bump NoScript to 11.0.23
Bug 33630: Remove noisebridge01 default bridge
Windows + OS X + Linux
Bug 33771: Update some existing licenses and add Libevent license
Bug 33723: Bump openssl version to 1.1.1f
Tor Browser 9.0.8 -- April 5 2020
* All Platforms
* Mozilla Bug 1620818 - Release nsDocShell::mContentViewer properly
* Mozilla Bug 1626728 - Normalize shutdown
