Asa Rossoff:
> Jacob Appelbaum:
>> Nadim Kobeissi:
>>>
>>> On 2013-08-06, at 11:46 AM, Al Billings <[email protected]>
>>> wrote:
>>>
>>>> Nadim you seem confused by how this works. Tor doesn't need to
>>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>>> them. Perhaps they can link to them clearly but if you want to know
>>>> about security issues Mozilla fixes in Firefox, you're best served
>>>> by reading Mozilla advisories. There's not much point in
>>>> duplicating them on a second site. Tor would be better served by
>>>> writing advisories for its own, unique, security fixes.
>>>
>>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>>> issue advisories for Tor Browser issues, and not five weeks later
>>> when s**t hits the fan. I really don't think one can reasonably
>>> disagree with the above statement. Tor Browser is a Firefox fork.
>>
>> Should we issue a single advisory for each possible security issue that
>> Firefox has already noted in their change log? Each confirmed security
>> issue? Should we ask for a second CVE to cover each CVE they receive?
>>
>> Your point is unclear in practice. Please do spell it out and if
>> possible, please demonstrate how you do so in your own projects?
>
> Just a couple friendly concepts.
> Your message wasn't addressed to me. By the way, it didn't occur to me to
> blame the Tor Project.

Thanks for your response!

> I don't know about every average Josephine, Josue, and Tsu, Anu, etc. on the
> streets of the world, but it is obvious to me from my user standpoint that
> the TBB is a patched version of Firefox (admittedly, one has to dig a bit to
> determine which version of the underlying Firefox it is based on, which I
> wouldn't expect the average user to do or know.). The average user of
> neither software likely doesn't see or read security advisories, although I
> think they happily allow the latest versions of Firefox to automatically
> update themselves.

Understood.

> TBB users are at special risk of being targeted for spying (according to
> recent news reports), hacking/exploits (as is the case in this instance),
> and this may be increasingly true in the future.

Probably, yes. I think that is a fair assessment - though it applies to anyone who uses privacy, security and anonymity software, I think.

> Oops. I'm a slow typist (just getting up):
>
> From Jacob Appelbaum's next mail to a mail:
>> I tend to like the Tails way of doing things - I have advocated for a
>> little more linkage to security advisories. Still, I think it is not as
>> critical as a secure updater or packaging TBB for various packaging
>> systems. We're understaffed, so we tend to pick the few things we might
>> accomplish and writing such advisory emails is weird unless there is an
>> exceptional event. Firefox bugs and corresponding updates are not
>> exceptional events. :(
>>
>> Also, I'll note even Tails doesn't reference sub-modules of the specific
>> projects - they are just linking to DSA and related pages.
>
> The point I was getting to is that several parallel strategies come to
> mind:
> (1) It would not be a bad idea to post applicable Firefox-issued security
> advisories to one of your lists

Part of the issue - from my perspective - is that 'applicable' is a bit nebulous. Nearly every bug *might* turn into an anonymity destroying bug with some engineering effort.

> (2) Even have an RSS feed of them available through the TBB, as well as RSS
> of TBB releases, and what security issues are covered including one advised
> by Firefox. This could notify of stable, alpha and beta releases, so
> everyone knows when security updates are available, possibly at the cost of
> stability.

I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data?

> (3) When you get an update mechanism going, for stability reasons, you
> probably want it to automatically only update to stable or beta releases[?].

I tend to prefer 'secure' update over 'automatic' update.

> However, you could have a parallel release schedule to get these upstream
> patches out ASAP. I realize labor is involved here; but if at all
> possible, updating your last stable patch to work with the latest Firefox
> release ASAP and releasing it as a stable/beta while continuing development
> on a more major/feature-related update that will start as an alpha release
> when ready. (possibly backporting some TBB-only-security fixes only to your
> last patch when it makes sense).

Sure, that seems reasonable.

> Obviously, this is free software, and you must work within the constraints of
> your resources. The frequent security updates would have the most tangible
> benefit for most users, but it would be a decent user service to notify of
> security issues that apply/could apply to the TBB as well.

I think there is a balance here and I think adding more specific data to release notes is a reasonable improvement. I also think an RSS feed is a really good idea, thanks for that! I'll pass it on to those more involved with TBB releases these days and see what they think.

> Thanks for your invaluable work.

Thanks for your positive feedback!

All the best,
Jacob

--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
