> Jacob Appelbaum:
> I like this idea - though I wonder how users would feel about it? Will
> they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
> data?

I don't like the idea. You need to worry about the upgrading behavior of casual users of TBB, who aren't going to bother to read advisories. Republishing advisories takes a lot of your valuable time. Added to that, every fucking tiny crash-bug in Firefox may grow to a full-blown exploit like we've seen.

The people that do read the advisories can find them at the Firefox ESR advisory page (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html). I do think you might want to bother to link to that list of vulnerabilities when releasing a new version of TBB with a security-updated Firefox.

I also like the approach of the TAILS project. They just start every single release announcement with 'Numerous security bugs found in TAILS X.XX', which makes it crystal clear for the average user that they need to upgrade. Every time.

Also: please make separate blog posts for regular and alpha releases. It's been confusing before. Make sure the regular release sits on top of the blog listing.

Let me propose the announcement of June 26th as I would've (retrospectively) liked to see it:

Subject: Security release. New Tor Browser Bundles.

Body:
All of the Tor Browser Bundles have been updated with the new Firefox 17.0.7esr. This includes fixes to <a href="https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html">8 vulnerabilities</a>, of which 4 have critical impact, and 4 have high impact. We <b>strongly</b> urge you to update to the latest version of the Tor Browser Bundle (2.3.25-10) as soon as possible.

[continue with download-easy link and list of updates]

> Nadim Kobeissi:
> How am I only interested in slinging mud?! How are you even allowed to
> adopt a tone like this while doing your job as an advocate for Tor? I'm
> simply trying to advocate for Tor not waiting five weeks before releasing
> an advisory next time! Comments like this are really just not acceptable,
> Jake.

Nadim, you need to calm the fuck down.

Take a deep breath, re-read your own emails, and consider whether you need to apologize for your unproductive stampede.

--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
