Privacy threat due to 2 out-of-the-box bugs in ubuntu 13.10 Unity Tor Browser

[QIII]

I asked you that in this thread purposely so the answer would be here and not in a link somewhere else. You will have to forgive me, because it was a deliberately leading question. You installed it from a third-party source over which Canonical has no control. Is it reasonable to assume that if a third-party package does not work, then the fault is with Ubuntu? That the Ubuntu developers have some fault?

If you buy an aftermarket product at an auto parts store and find that it does not fit your Ford, is there a problem with your Ford?

The fact is that installing the TBB on Ubuntu does cause a problem. It is not the case that the problem is Ubuntu's nor is it the case that the Ubuntu developers are responsible to address that problem. That it does not work on Ubuntu and "only" Ubuntu is not particularly surprising, since Unity is only used on Ubuntu as installed by default.

The correct place to report this is torproject.org -- which is exactly what is stated at the bottom of the bug report. The Ubuntu developers are under no obligation to design Ubuntu in order to be sure that the TBB, or any other particular piece of software, works with it.

Whether or not blatantly not making sure it works with some particular piece of software is wise is a different matter entirely.

On the other hand, should torproject.org have to do a lot of extra work to make sure the TBB works with a DE like unity that is unique to one distro? Probably not, and I wouldn't blame them for not expending the effort.

[deadflowr]

You should go back to your bug report and fill in what package was affected.
You only named Ubuntu.
hence the invalid.
Click the arrow on the bugs line (the line with Ubuntu > invalid > blah, blah)
then add the package name affected to the package line.

[QIII]

The problem is that the package involved is a third-party package over which Canonical has no control. There is no Canonical repo package to report the bug against.

[deadflowr]

tor's in universe repo.
same with vidalia.

If another version is installed that's another matter.

[QIII]

This is the Tor Browser Bundle from torproject.org, not the tor and vidalia packages from the Canonical repo.

Which is why the last comment before the bug report was closed as invalid said that it should be reported to torproject.org. If there were a MOTU packaging the Tor Browser Bundle for the Universe repo, that would be different.

But it is clear that there is definitely a big problem that affects Ubuntu users here.

[deadflowr]

This is the Tor Browser Bundle from torproject.org, not the tor and vidalia packages from the repo.

In that case, the OP should follow the advice in post #3 in the invalid bug report.
Upstream is always better anyway.

[Damico]

The only comment in the Ubuntu bug report said to file it to Tor, so, as always dutifully following instructions, I ran a search, and didn't find the bug reported, so, I then filed the bug report with that organization, as referenced below:
URL = https://trac.torproject.org/projects/tor/ticket/10730
Title = Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser Bundle (including Vidalia issues)

[QIII]

Which is exactly where the report needed to go.

My point is not that this isn't a problem. It most certainly is. Ubuntu users should be alerted to it.

But this is a condition that arises as a result of the installation of a third-party package that Canonical can't fix. It's not a bug with Ubuntu/Unity.

The fact that this is the third thread I've been in that started out almost exactly the same with such similar verbiage leads me to suspect that there is some misinformation or misunderstanding circulating out there in the ether which has been incorrectly laid at the feet of the wrong party.

A warning is certainly appropriate. Calling it a bug with Unity/Ubuntu is not. Everyone would be better served if this were dealt with appropriately.

[Damico]

I asked you that in this thread purposely so the answer would be here and not in a link somewhere else. You will have to forgive me, because it was a deliberately leading question. You installed it from a third-party source over which Canonical has no control. Is it reasonable to assume that if a third-party package does not work, then the fault is with Ubuntu? That the Ubuntu developers have some fault?

Thanks for explaining, because, for a second there, I had thought that Canonical might have a tested repo for the Tor Browser Bundle (which would have been welcomed with open arms).

Yes. I shall be very clear with a few things:
1. The Tor Browser Bundle is a very specific combination of things, with settings and other customizations, such that it's not the same as just installing Tor + Privoxy + Vidalia + Firefox (although if you were really competent, you could probably make it very similar by installing those separate packages, and customizing them the same way - but nobody does that because the TBB does it for you).
2. My Tor Browser Bundle tarball was obtained from the standard Tor web site (and not from Canonical).
3. The moment I unpacked and ran it, I could see that things were not right (I've been using the TBB for years on a variety of platforms - so I know how it's supposed to work).
4. I googled first as always, and I read everything I could find on this, which seemed to indicate the problem was in Ubuntu (but who am I to say, as I'm really just the victim, and the messenger, at the same time).
5. Let's be up front that I am not really the guy to report these things. I care. I see the problem. Everyone on Ubuntu 13.10 sees the same problem. But still, I'm not technical enough to be the guy reporting this to anyone. But, if it's me, it's me. (I'm ok with that; I just want to be honest that I've never filed a Canonical or Tor bug report in my life before this week!).
6. Let's also be just as clear that I said, from the beginning, that I have no firm idea WHERE the bug lies. I just know it exists on Ubuntu 13.10, and it does not exist on my RHEL6, CentOS6, and Windows installations.
7. So, I said, from the beginning, that I "assume" (knowing full well what that word indicates and what it can do to you and me) the bug is in Canonical's code.

At the moment, there is a bug opened (and I think immediately invalidated) to Canonical; and another one to Tor that I just opened a few minutes ago.
UBUNTU: https://bugs.launchpad.net/ubuntu/+bug/1272025
TITLE: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser Bundle (including Vidalia)

TOR: https://trac.torproject.org/projects/tor/ticket/10730
TITLE: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser Bundle (including Vidalia issues)

I really don't know what more I can do to get this bug addressed by whomever it belongs to.

[Damico]

My point is not that this isn't a problem. It most certainly is. Ubuntu users should be alerted to it.
But this is a condition that arises as a result of the installation of a third-party package that Canonical can't fix. It's not a bug with Ubuntu/Unity.

I apologize that I just saw this, so, it's good that we agree that this "issue" can easily compromise a Ubuntu user's identity (and it's a usability issue even without that as a repercussion).
So, at the moment, we'll just have to see what the tor project folks say about the bug I filed a little while ago to them.

It may be worth noting there is one other Tor-related bug that I filed to Canonical today, which appears to actually have roots in Debian code - but again - I'm just the messenger and not the guy to flesh this out any further than I already have:

Here is that Canonical bug report:
Title: Tor Browser Bundle on Ubuntu 13.10 is useless until/unless one manually kills the ibus process
Url: https://bugs.launchpad.net/ubuntu/+bug/1272032

And here is the corollary report at the Tor Project:
Title: Keyboard does not work in 64-bit TBB 2.3.25-10 and 3.0 when ibus is running
Url: https://trac.torproject.org/projects/tor/ticket/9353

In both these bugs, it "appears" to me, the problem is in the operating system, but, that's an assumption on my part which I am NOT technically astute enough to accurately make.
So, I will just have to let the bug reports speak for themselves, over time - as I'm really just the victim here - and I'm simply being a messenger - but one who isn't qualified to flesh these out further.