Jacob Appelbaum:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 11:46 AM, Al Billings <[email protected]> wrote:
>>
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can link to them clearly but if you want to know
>>> about security issues Mozilla fixes in Firefox, you're best served
>>> by reading Mozilla advisories. There's not much point in
>>> duplicating them on a second site. Tor would be better served by
>>> writing advisories for its own, unique, security fixes.
>>
>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>> issue advisories for Tor Browser issues, and not five weeks later
>> when s**t hits the fan. I really don't think one can reasonably
>> disagree with the above statement. Tor Browser is a Firefox fork.
>
> Should we issue a single advisory for each possible security issue that
> Firefox has already noted in their change log? Each confirmed security
> issue? Should we ask for a second CVE to cover each CVE they receive?
>
> Your point is unclear in practice. Please do spell it out and if
> possible, please demonstrate how you do so in your own projects?
Just a couple of friendly concepts. Your message wasn't addressed to me. By the way, it didn't occur to me to blame the Tor Project. I don't know about every average Josephine, Josue, and Tsu, Anu, etc. on the streets of the world, but it is obvious to me from my user standpoint that the TBB is a patched version of Firefox (admittedly, one has to dig a bit to determine which version of the underlying Firefox it is based on, which I wouldn't expect the average user to do or know). The average user of neither software likely sees or reads security advisories, although I think they happily allow the latest versions of Firefox to automatically update themselves. TBB users are at special risk of being targeted for spying (according to recent news reports) and hacking/exploits (as is the case in this instance), and this may be increasingly true in the future.

Oops. I'm a slow typist (just getting up):

From Jacob Appelbaum's next mail to a mail:

> I tend to like the Tails way of doing things - I have advocated for a
> little more linkage to security advisories. Still, I think it is not as
> critical as a secure updater or packaging TBB for various packaging
> systems. We're understaffed, so we tend to pick the few things we might
> accomplish and writing such advisory emails is weird unless there is an
> exceptional event. Firefox bugs and corresponding updates are not
> exceptional events. :(
>
> Also, I'll note even Tails doesn't reference sub-modules of the specific
> projects - they are just linking to DSA and related pages.

The point I was getting to is that several parallel strategies come to mind:

(1) It would not be a bad idea to post applicable Firefox-issued security advisories to one of your lists.

(2) Even have an RSS feed of them available through the TBB, as well as an RSS feed of TBB releases and what security issues are covered, including ones advised by Firefox. This could notify of stable, alpha and beta releases, so everyone knows when security updates are available, possibly at the cost of stability.

(3) When you get an update mechanism going, for stability reasons, you probably want it to automatically only update to stable or beta releases[?]. However, you could have a parallel release schedule to get these upstream patches out ASAP. I realize labor is involved here; but if at all possible, updating your last stable patch to work with the latest Firefox release ASAP and releasing it as a stable/beta while continuing development on a more major/feature-related update that will start as an alpha release when ready (possibly backporting some TBB-only security fixes only to your last patch when it makes sense).

Obviously, this is free software, and you must work within the constraints of your resources. The frequent security updates would have the most tangible benefit for most users, but it would be a decent user service to notify of security issues that apply/could apply to the TBB as well.

Thanks for your invaluable work.

Asa

--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
