Tor Browser 13.0a2 is now available from the Tor Browser download page and also from our distribution directory.
This release updates Firefox to 115.1.0esr, including bug fixes, stability improvements and important security updates. We also backported the Android-specific security updates from Firefox 116.
This is our second alpha release in the 13.0 series, which represents a transition from Firefox 102-esr to Firefox 115-esr. This builds on a year's worth of upstream Firefox changes, so alpha-testers should expect to run into issues. If you find any issues, please report them on our GitLab or on the Tor Project forum.
We are in the middle of our annual esr transition audit, where we review Mozilla's year's worth of work with an eye for privacy and security issues that would negatively affect Tor Browser users. This will be completed before we transition the 13.0 alpha series to stable. At-risk users should remain on the 102-esr based 12.5 stable series, which will continue to receive security updates until 13.0 alpha is promoted to stable.
We have been working on some major refactors and rewrites to the tor daemon controller code in Tor Browser for Desktop. We are unifying and modernizing the competing implementations of various control port interface methods formerly found in the legacy torbutton and tor-launcher components into encapsulated JavaScript modules within the Firefox codebase. This work is part of a long-term plan of necessary code cleanup and lays the groundwork for supporting alternate tor backends besides the legacy tor daemon.
However, all this code churn does open up the opportunity for new behaviour, either from fixed bugs or from the introduction of new ones. If you use Tor Browser in a non-standard/non-default configuration (either via Firefox preferences or custom environment variables), please ensure things are working as expected for your configuration with this alpha release!
The areas affected by these changes include:
This is also the first Tor Browser release including a tor daemon with the new onion service proof-of-work DDoS prevention feature. See Proposal 327 for background and the GitLab issue regarding the implementation.
This is our first Android release based on the Firefox 115esr series. Some things are still a bit rough around the edges but, to our knowledge, there are not any known regressions to the browser's core functionality.
To ensure that we are shipping binaries which only contain the functionality we believe they do, we use a reproducible build strategy. The basic idea is that multiple users with build machines running on different networks independently pull down and build the same source code. We then verify that the built binaries we ultimately sign and ship to users are bit-for-bit identical. This gives us reasonable confidence that our releases have not been compromised and contain only the functionality found in our source code.
During the 13.0a2 release cycle, we have enabled generating debug information for our supported Windows platforms to make troubleshooting Windows-specific issues easier. This debug information includes PDB symbols (which map addresses in the binaries to locations in the Firefox source code) and generated C/C++ headers. Unfortunately, the header generation is not deterministic, and so different builders will generate different (though semantically equivalent) outputs.
What this means is that, taken as a whole, our builds are not currently matching. However, the mismatched parts only appear in this debug info which is separate from the actual application that is shipped to end-users (this non-matching debug info needs to be actively sought out and is only useful for developers debugging an issue).
This issue is being tracked here. It will either be fixed before the 13.0 alpha series transitions to stable later this year, or we will disable this developer feature by default to ensure fully matching builds.
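The comparison described above, as an added example that is not the Tor Project's own tooling: it parses sha256sum-style manifests from independent builders and separates artifacts that match bit for bit from mismatches confined to debug info. The artifact names, the debug-name markers and the sample manifests are constructed assumptions.

```python
import hashlib
import re

# Assumption: debug-only artifacts are recognisable by these name fragments.
DEBUG_MARKERS = ("debug", "symbols")
LINE_RE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")  # sha256sum output format

def parse_manifest(text):
    """Parse sha256sum output ('<digest>  <name>') into {name: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.fullmatch(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries

def compare_builders(manifests):
    """manifests: {builder: {name: digest}} -> report of sorted artifact names."""
    report = {"match": [], "debug_mismatch": [], "shipped_mismatch": [], "missing": []}
    all_names = set().union(*(m.keys() for m in manifests.values()))
    for name in sorted(all_names):
        digests = [m.get(name) for m in manifests.values()]
        if None in digests:
            report["missing"].append(name)           # some builder lacks it
        elif len(set(digests)) == 1:
            report["match"].append(name)             # bit-for-bit identical
        elif any(k in name.lower() for k in DEBUG_MARKERS):
            report["debug_mismatch"].append(name)    # differs, debug info only
        else:
            report["shipped_mismatch"].append(name)  # differs in a shipped file
    return report

def shipped_artifacts_match(report):
    """True only if every non-debug artifact is identical on all builders."""
    return not report["shipped_mismatch"] and not report["missing"]

def _manifest(files):
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items())

# Constructed sample: same application bytes, differing debug-symbol archive.
SAMPLE = {
    "builder-a": parse_manifest(_manifest(
        {"browser-installer.exe": b"app", "browser-debug-symbols.zip": b"headers-1"})),
    "builder-b": parse_manifest(_manifest(
        {"browser-installer.exe": b"app", "browser-debug-symbols.zip": b"headers-2"})),
}

if __name__ == "__main__":
    print(compare_builders(SAMPLE))
```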
There are various graphical bugs in the bootstrapping and landing pages in Tor Browser for Android including misaligned text and Firefox branding. The Tor Browser onboarding for first-time users is also missing. These issues (among others) are being tracked here, here and here.
We would like to thank volunteer contributor FlexFoot for their fix for tor-browser-build#40615. The full changelog since Tor Browser 13.0a1 is: