Re: [Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-13 Thread Mark H Weaver
David Hedlund writes:

> I got icecat-45.7.0 too in Trisquel 7.
>
> But it doesn't really matter because the latest Firefox ESR is 52.0.

IceCat 45.8.0 would also be fine for now, if it existed.  Firefox ESR
45.8.0 was released at about the same time as 52.0, and includes fixes
for the same security flaws that were addressed in 52.0.  However, if
the recent pattern holds, 45.8.0 will be the last 45.x release, so we'll
have urgent need of IceCat 52.1 as soon as Firefox ESR 52.1 is released.
Ideally, that work would begin before 52.1 comes out.

IceCat 45.7.0 includes several published security flaws that are
believed to allow remote code execution, and is therefore no longer safe
to use unless you use the version packaged in GNU Guix, which includes
security fixes cherry-picked from upstream Firefox ESR 45.8.0.  The only
fix I left out was a fix to the bundled copy of Cairo, since we don't
use the bundled Cairo in Guix, and our system Cairo already has the fix.

As far as I know, Guix is the only distro that promptly cherry-picks
upstream fixes for IceCat.  However, it's unlikely that I'll be able to
backport all fixes from 52.x to 45.x, so when 52.1 is released, even
Guix users will be in trouble until IceCat 52.x appears.

   Mark

--
http://gnuzilla.gnu.org


Re: [Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-13 Thread Narcis Garcia
Okay, I see now that, using the belenos-updates repository, IceCat
45.7.0 is available.
Perfect now.


On 13/03/17 at 00:00, mdn wrote:
>> The good side of Trisquel is that it publishes binary packages that can be
>> installed on most APT/Dpkg based operating systems. I've been using this
>> for many Ubuntu installations.
> 
>> The bad side is that the last IceCat version (for Trisquel 7 and still for
>> 8) is 31.2.0
> 
> Are you sure about that?
> Because I updated Trisquel and I got the 45.7.0.


Re: [Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-12 Thread mdn
>The good side of Trisquel is that it publishes binary packages that can be
>installed on most APT/Dpkg based operating systems. I've been using this
>for many Ubuntu installations.

>The bad side is that the last IceCat version (for Trisquel 7 and still for
>8) is 31.2.0

Are you sure about that?
Because I updated Trisquel and I got the 45.7.0.





Re: [Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-12 Thread Narcis Garcia
The good side of Trisquel is that it publishes binary packages that can be
installed on most APT/Dpkg based operating systems. I've been using this
for many Ubuntu installations.

The bad side is that the last IceCat version (for Trisquel 7 and still for
8) is 31.2.0


On 12/03/17 at 04:38, David Hedlund wrote:
> IceCat will be part of Trisquel 8.
> 
> On 2017-03-09 15:17, Gary Driggs wrote:
>> On Mar 9, 2017, David Hedlund wrote:
>>
>>> IceCat should release new versions from the upstream release as
>>> _soon_ as it has been released. Users of delayed libre-upstream forks
>>> are exploited by the NSA:
>>
>> how is an updated browser going to help if your OS isn't under your
>> control?
>>


Re: [Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-09 Thread Narcis Garcia
Disagree. It's important to evaluate and fix Mozilla software before
assuming it's at IceCat quality level. I mean that quality in privacy
and security terms by default.


On 09/03/17 at 13:49, David Hedlund wrote:
> [[[ To any NSA and FBI agents reading my email: please consider ]]]
> [[[ whether defending the US Constitution against all enemies, ]]]
> [[[ foreign or domestic, requires you to follow Snowden's example. ]]]
> [[[ Use this signature in your own emails to campaign for it. ]]]
> 
> 
> IceCat should release new versions from the upstream release as _soon_
> as it has been released. Users of delayed libre-upstream forks are
> exploited by the NSA:
> 
> 
> From https://en.wikipedia.org/wiki/Vault_7
> 
> *Vault 7* is a series of documents that WikiLeaks began to release on
> March 7, 2017 that detail activities of the United States Central
> Intelligence Agency to perform electronic surveillance and cyber
> warfare. According to WikiLeaks founder Julian Assange, Vault 7 is the
> most comprehensive release of US spying files ever made public.^[1]
> 
> The files, dated from 2013–2016, include details on software
> capabilities of the agency, such as the ability to compromise smart
> TVs,^[2] smartphones, including Apple's iPhone and phones running
> Google's Android operating system, as well as operating systems such
> as Microsoft Windows, macOS, and Linux.
> 
> It also said that it would postpone releasing the source code for the
> cyber weapons, which is reportedly several hundred million lines long,
> "until a consensus emerges on the technical and political nature of the
> C.I.A.'s program and how such 'weapons' should be analyzed, disarmed and
> published."
> 
> The CIA lost control of the majority of its hacking arsenal including
> malware, weaponized zero day exploits, malware remote control systems
> and associated documentation. This extraordinary collection, which
> amounts to more than several hundred million lines of code, gives its
> possessor the entire hacking capacity of the CIA
> 
> --
> David Hedlund


[Bug-gnuzilla] IceCat distribution delay and the NSA

2017-03-09 Thread David Hedlund

[[[ To any NSA and FBI agents reading my email: please consider ]]]
[[[ whether defending the US Constitution against all enemies, ]]]
[[[ foreign or domestic, requires you to follow Snowden's example. ]]]
[[[ Use this signature in your own emails to campaign for it. ]]]


IceCat should release new versions from the upstream release as _soon_ 
as it has been released. Users of delayed libre-upstream forks are 
exploited by the NSA:



From https://en.wikipedia.org/wiki/Vault_7

*Vault 7* is a series of documents that WikiLeaks began to release on
March 7, 2017 that detail activities of the United States Central
Intelligence Agency to perform electronic surveillance and cyber
warfare. According to WikiLeaks founder Julian Assange, Vault 7 is the
most comprehensive release of US spying files ever made public.^[1]

The files, dated from 2013–2016, include details on software
capabilities of the agency, such as the ability to compromise smart
TVs,^[2] smartphones, including Apple's iPhone and phones running
Google's Android operating system, as well as operating systems such
as Microsoft Windows, macOS, and Linux.


It also said that it would postpone releasing the source code for the 
cyber weapons, which is reportedly several hundred million lines long, 
"until a consensus emerges on the technical and political nature of the 
C.I.A.'s program and how such 'weapons' should be analyzed, disarmed and 
published."


The CIA lost control of the majority of its hacking arsenal including
malware, weaponized zero day exploits, malware remote control systems
and associated documentation. This extraordinary collection, which
amounts to more than several hundred million lines of code, gives its
possessor the entire hacking capacity of the CIA


--
David Hedlund