On Fri, 1 Aug 2014 12:45:23 +0000 (UTC) Lisa Minogue <[email protected]> wrote:
> Tails' developers are nice people, trying to help people take back
> their individual privacy rights.
>
> However, I feel that when there are bugs found in the latest version
> of Tails 1.1 by third parties or otherwise, the least the Tails'
> developers could do is to send out a warning or advisory to everyone
> on the mailing list.

There's a warning that is displayed whenever Tails is booted, though I suppose there could have been a notice sent to the mailing list(s). That said, I think users are much more likely to see the notice which is displayed when Tails is started.

> Moreover Tails' developers should remove Tails 1.1 from the website
> instead of providing a workaround. In this case the fix is to
> remove/uninstall i2p package.

I'd argue that removing the i2p package is overkill, per se, because the vulnerability requires

- I2P to be running (users are explicitly advised to NOT start I2P in Tails 1.1, so people should heed this warning)
- visiting a malicious I2P site

This bug is bad, but not nearly as serious as a bug in Linux, Firefox or Tor since those bugs will undoubtedly affect everyone that uses Tails.

Thus far, there have been no reports of anyone getting bitten by this bug in the wild. Since I2P is not started by default, (IMHO) the risk to users is approaching 0.

I don't think an "emergency release" for the I2P bug is needed, and neither do the actual Tails devs. Those that would mostly benefit from an "emergency Tails release" would be those that use I2P on Tails--a small subset of Tails users.

> About two years ago one of Tails' developers specifically cautioned
> people against adding and/or removing packages from the Tails' ISO as
> it would lead to anonymity being compromised.

Apples and oranges. The Tails developers (obviously) know that removing the I2P package won't create any problems. That advice that you're referring to was advising *general users* to avoid doing it *in case* it could lead to anonymity being breached. With the removal of this *one* package in particular, anonymity cannot possibly be compromised.

> Hence I am dismayed to learn that Tails' developers do not heed their
> own advice.

If users go removing things on their own, they *could* harm their anonymity; that doesn't mean that they *will* always harm their anonymity by removing software. With this specific example, there is absolutely _NO WAY_ that anonymity can be breached if users follow the instructions noted in the security advisory.

$0.02
_______________________________________________
tails-support mailing list
[email protected]
https://mailman.boum.org/listinfo/tails-support
To unsubscribe from this list, send an empty email to [email protected].
