Have you ever wondered was makes the Tor Browser the Tor Browser? That is, what patch you would have to apply to Firefox in order to end up with a Tor Browser.
The answer is not really easy to get. I expected to do something like git clone tor-browser ; git diff firefox-upstream or so. But for an odd reason, the Tor Browser people do not import the pristine Firefox version to their repository. As a side note, the build instructions are a bit arcane. I was hoping for such an important tool to be built easily. But it requires root access and a wild container technology. Weird. In fact, this is preventing me from flatpaking the Tor Browser right now. But I’m working on it.
Long story story, to get the diff, do something like:
wget releases.mozilla.org/pub/firefox/releases/60.2.1esr/source/firefox-60.2.1esr.source.tar.xz git clone https://git.torproject.org/tor-browser.git cd tor-browser git checkout --orphan firefox tar --extract --strip-components=1 --file ../firefox-60.2.1esr.source.tar.xz git add . git commit -m 'firefox upstream import' git diff firefox...tor-browser-60.2.1esr-8.5-1-build1
Of course, you need to adjust the Firefox and the Tor Browser version in the future. I have imported the upstream firefox code into this repository so that you can make diffs as you like. Unfortunately, the Github Web interface does not show diffs of unrelated branches.
Thanks for looking at this! Sorry the instructions are not very helpful with this. They need some love. Please try the following commands. In particular, Mozilla use Mercurial as their primary version control system, but Tor use Git. Thankfully, Mozilla have a git mirror on Github where the Firefox repo may be tracked.
Specifically, the two branches (Firefox and Tor Browser) currently diverge at commit a392dafd47b65ea291e6d2f4b09894cf19b8eead. This is where Mozilla bookmarked their 60.3.0esr Build1 – https://hg.mozilla.org/releases/mozilla-esr60/log/FIREFOX_60_3_0esr_RELEASE
Tor Browser is currently using the tor-browser-60.3.0esr-8.0-1 branch for the stable Tor Browser. The alpha branch is tor-browser-60.3.0esr-8.5-1.
$ torsocks $ git clone https://git.torproject.org/tor-browser.git
$ cd tor-browser
$ git checkout tor-browser-60.3.0esr-8.0-1
$ git remote add gecko-dev https://github.com/mozilla/gecko-dev
$ torsocks git fetch gecko-dev
$ git diff gecko-dev/esr60
$git diff a392dafd47b65ea291e6d2f4b09894cf19b8eead
I hope this helps.
Tor team has a folder of patches that they apply to the source, but we (Firefox Security & Privacy)are including more and more if them into Firefox proper but behind compile time or runtime preferences. This will allow experimenting with privacy improvements for all of our users and also supports the Tor developers.
As a simple example you can make Firefox double – key all cookies, caches and other storage by the first party (i.e. Domain that’s in the address bar) with this addon https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/
There’s also https://addons.mozilla.org/en-US/firefox/addon/resist-fingerprinting/ but it breaks a few more websites.
There’s a whole lot more I could write, but this probably belongs into a blog post of its own.
Oh and BTW the most notable diffs are probably in the build system since Tor uses a special docker container and mingw (Firefox uses clang) for reproducible builds.