New Alpha Release: Tor Browser 14.0a1

Tor Browser 14.0a1 is now available from the Tor Browser download page and also from our distribution directory.

This version includes important security updates to Firefox.

This is a Desktop-only release.

It's that time of the year again!

If you pay attention to the various developer channels you may see a lot of talk happening about the 'ESR transition', the 'major Tor Browser rebase', the 'feature audit', 'bugzilla ticket triage', etc. These phrases (and more I'm sure) are referring to the various pieces of work we do every year around the summer that naturally fallout from Mozilla updating their long-term support version of Firefox to the next major version.

So, what does any of this mean?

Firefox maintains a version of Firefox which only receives security updates for about a year called Firefox ESR (Extended Support Release). This release channel is intended by Mozilla for organisations to deploy to their users to minimise the maintenance burden associated with maintaining a rapidly changing piece of software. This slower update cadence also makes it an attractive base for us to build Tor Browser from!

However, Firefox cannot just keep maintaining some legacy version of Firefox forever. And, as this version of Firefox is not getting feature updates, the rest of the internet would begin to move on before long anyway. So, every year Mozilla bumps the current ESR to the current 'rapid release' version of Firefox, and organisations are expected to upgrade. This means we have to upgrade Tor Browser too, or else we also risk going out of date and becoming insecure.

So, every summer we transition Tor Browser from the previous ESR version to the new ESR version (115 to 128 this year). The work involved can be roughly split up into three categories:

Getting it building

Tor Browser itself is roughly a couple hundred of patches sitting atop the Firefox source-code. We cannot give an exact count, as the number actually fluctuates a lot over time for a number of reasons:

• Patches become upstreamed to Mozilla and become part of Firefox, so we no longer need them
• Backports and workarounds required for the previous version of Firefox are no longer needed or relevant
• Patches become squashed together or split apart to improve organisation
• New features, new patches!

Traditionally, we have updated our patches all at once, from the previous major ESR version to latest major ESR version. This represents typically 11 to 13 major versions of Firefox difference, which can result in a lot of code-churn in the systems which our patches modify. A large change in the underlying Firefox source can result in a large change to our patches for them to apply.

However, this year we tried an iterative approach; rebasing our patches onto each intervening version (e.g.: 115 to 116; 116 to 117 etc) rather than rebasing from the previous ESR to the current one (e.g.: 115 to 128). This seems to have been a good experiment, because many more (but much smaller) rebases were comparatively easy to review and we were able to begin this rebase work earlier this year.

After we have rebased the patches and are able to make local builds, we then need to update our cross-platform build system. This typically involves updating build toolchains, signing scripts, and fixing any new build-reproducibility issues.

Once this work is done, we are able to build and release the first Tor Browser Alpha based on the latest Firefox ESR! But there is still more to do...

Auditing the upstream changes

The next block of work involves reviewing all of the new functionality present in the latest Firefox which was not present in the previous version of Firefox. We triage all of the closed upstream Bugzilla issues associated with each intervening Firefox version, and all of the git patches with an associated upstream issue. Interesting or somehow 'scary' issues are added to a list for further review.

We then review all of these selected issues and evaluate what (if any) work needs to be done before Tor Browser Alpha can be promoted to Tor Browser Stable.

Updating our patches

Finally, we develop new patches required to fix critical bugs and resolve any issues identified in the audit. The scope of this work is difficult to estimate ahead of time, since it depends entirely on the work which has happened upstream in the past year. This is typically the longest phase of the ESR transition, and delay can make things inconvenient.

The entire ESR transition process takes several months to complete. During this time, the previous version of Firefox ESR is reaching end-of-life. Typically, Mozilla only maintains the previous major ESR version for about 3 months after the next major ESR version has been released. This year, Firefox 128 ESR was released in July and the last ESR 115 update is September 3rd. At the end of this window, security exploits present in ESR 115 will not be fixed by Mozilla. This means we have a proverbial ticking clock counting down before the stable version of Tor Browser becomes out of date.

If we are unable to complete the required work before this window ends, then things get a little bit interesting. If it gets to this point, then we will continue releasing ESR 115-based Tor Browser and manually backport security-fixes from ESR 128. This is better than nothing, but as time goes on there is an increased risk that ESR 115-specific vulnerabilities will be discovered by our adversaries and go both undiscovered and unpatched by us. This would not be an ideal situation to be in.

Current Status

So where are we at in this process now?

So far we have rebased the Tor Browser Desktop patches and updated part of the build-system. The Android-specific Tor Browser patches are in the process of being updated, and the Android-specific build-system updates are next on the list. We have started the triage process and have opened many review tickets for upstream changes. We have also started investigating some of these resulting issues and developing patches to resolve them.

Send us your feedback

If you find a bug or have a suggestion for how we could improve this release, please let us know.

Full changelog

The full changelog since Tor Browser 13.5a9 is:

• All Platforms
  • Updated NoScript to 11.4.31
  • Bug tor-browser#41328: Follow firefox ESMify for Bug 1308512
  • Bug tor-browser#42441: Evaluate RR version-by-RR version rebases instead of ESR-to-ESR
  • Bug tor-browser#42683: Create script to generate issue triage csv's from bugzilla query and git scraping
• Windows + macOS + Linux
  • Updated Firefox to 128.0esr
  • Bug tor-browser#42687: Disable Privacy-Preserving Attribution
• Build System
  • All Platforms
    • Updated Go to 1.22.5
    • Bug tor-browser#42470: Add merge request CI for linting
    • Bug tor-browser#42722: clang-format and localization linters are not running
    • Bug tor-browser-build#40964: Create new Tor Browser gpg subkey
    • Bug tor-browser-build#41155: Update toolchains for ESR128
    • Bug tor-browser-build#41156: Split the Rust configuration options
    • Bug tor-browser-build#41166: Use the GitHub repository for firefox-l10n
    • Bug tor-browser-build#41168: deploy_update_responses-$channel.sh should check that it is not reverting an update in an other channel
    • Bug tor-browser-build#41184: Update generate blog post script to use new blog header images
    • Bug tor-browser-build#41189: Add matzfan to list of downstream projects in alpha release-prep template
    • Bug tor-browser-build#41190: Add morgan.gpg to keyrings and list of valid keyrings in firefox+geckoview
    • Bug tor-browser-build#41191: Remove richard.gpg from keyrings and list of valid keyrings in firefox+geckoview
    • Bug tor-browser-build#41195: Update Go to 1.22
    • Bug tor-browser-bundle-testsuite#40078: Update tools/tb-build-06-start-nightly-build after tor-browser-build#40829
  • Windows
    • Bug tor-browser-build#29318: Drop mingw-w64/gcc toolchain
    • Bug tor-browser-build#29320: Use mingw-w64/clang toolchain to build Rust
    • Bug tor-browser-build#41177: Include Windows installer without -portable- in download json files
  • Windows + macOS
    • Bug tor-browser-build#41197: Modify update-responses to prevent upgrades on unsupported Windows and macOS versions