Re: [Tails-dev] Proposal: Add support for curl (does ALL_PRO…

このメッセージを削除

このメッセージに返信
著者: David A. Wheeler
日付:  
To: The Tails public development discussion list
題目: Re: [Tails-dev] Proposal: Add support for curl (does ALL_PROXY fix it?)


> On Feb 7, 2023, at 4:04 AM, boyska <boyska@???> wrote:
>
> On 2/6/23 19:00, David A. Wheeler wrote:
>>> oh yeah, we all like curl. I wonder what kind of user needs curl, though.
>>> You mentioned that some packages in Debian will "just work" if curl is working. Can you name any of them? I think that would be very valuable info!
>> Sorry, what I meant was, "I expect that some packages in Debian will "just work" if curl is working".
>> I don't have a specific list.
>
> However, we try to add feature to Tails when they are improving something for our personas (see https://tails.boum.org/contribute/personas/ ). In this specific case, I think we don't have an example of how can curl, directly or indirectly, help our personas.
>
> It's really easy to add the configuration you propose to Tails. But it will add to our QA process: if we tell our users that they can expect curl to work fine, we'd better test it regularly!
>
> All in all, the cost is low but not negligible, while the benefit for our personas seems to be zero. So my personal opinion is that it's not worth it *until* there is a clear use case that is helped by supporting curl.


Fair enough. Quick *technical* arguments for curl:
* curl, when configured using ALL_PROXY, can handle IPv6. torsocks can't handle IPv6, and thus wget can't either. The Tor Browser handles IPv6 just fine.
* curl has a lot of capabilities not in wget. E.g., it can work as a pipe, support more protocols, enables uploading, and is easily called as a library. See: https://daniel.haxx.se/docs/curl-vs-wget.html
* I believe many packages depend on curl, though I didn't find a way to quickly do reverse dependency searches on Debian packages to verify this.

Those aren't personas, of course. Also, I *completely* understand the concern about adding to the QA process. Also, segfault made a good point that with torsocks, people can add "--isolate". I can see why that'd be important to some users. The same effect is possible with curl and SOCKS, but that can't be done with the trivial curl configuration file approach I presented (sadly). I've learned that torsocks creates this isolation by creating a special SOCKS "user" for each invocation that uses the process ID and seconds-since-epoch as part of the name. That's doable with curl, by setting the environment variable ALL_PROXY with this dynamic information at runtime. I believe this is how to do this (which even duplicates the torsocks username format even though that's not necessary; if I'm missing something let me know):
ALL_PROXY="socks5://torsocks-$$%3a$(date +%s):0@127.0.0.1:9050" curl-or-some-command-using-curl ...

That said, clearly the Tails project already expects that some users will install additional software. So I suggest modifying the documentation to provide *some* tips to users on how to deal with differences when running on Tails (in particular the network and dot files). The current documentation never mentions torsocks or any other related issues. Then you don't have to do more QA, and if later on someone raises a persona, you're a step ahead.

So I suggest modifying this chapter:
https://tails.boum.org/doc/persistent_storage/additional_software/index.en.html
by adding a new section just after "Installing additional software" called
"Using additional software". Move the text of "Additional configuration" (Some packages...)
into that section, followed by something like the proposed text below.

--- David A. Wheeler


Proposed new text for "Using additional software" (after the "Additional configuration" text):

~~~~
Tails handles network access differently than a typical system.
Application programs that access the network must send their "normal" network communication ("TCP packets")
through something called a SOCKS service. This usually requires extra steps before the application
will successfully communicate over a network.

In many cases, you can get networking applications to work using the "torsocks" command line application. Torsocks enables many programs to work, but note that it does *not* support IPv6. To use torsocks, on the command line, run this followed by the COMMAND you wish to use with network access:

torsocks --isolate COMMAND

The program "curl" includes support for SOCKS. It's been reported to us that you can also run curl, and many programs that use curl, on the command line using this format (the "username" before the "@" symbol implements Tor stream isolation):

ALL_PROXY="socks5://torsocks-$$%3a$(date +%s):0@127.0.0.1:9050" COMMAND

More generally, for other applications that access the network, configure them to use the SOCKS proxy at IP address 127.0.0.1 (aka "home") with port 9050. We would suggest creating a SOCKS username which is different each time the application is used in a new session; this counters correlation between different sessions. The password for the SOCKS username is "0"; this isn't a security problem because we're using the username only for stream isolation, not for access control. Only TCP communications are supported; UDP communications are generally blocked. Tails is configured so that lookups of computer names (aka "DNS lookups") will work as long as the application uses the system configuration. Applications that ignore the system configuration for DNS lookups, and attempt to resolve computer names themselves, will fail to resolve those names.

As always, be cautious when accessing the network this way. In particular, logging in to any server will eliminate anonymity to that server. Also, as noted earlier, additional software is not directly supported by Tails. However, if you have important general tips or recommendations, please let us know.

~~~~