In September, the Tor Browser team made four releases: 3.6.5, 3.6.6, 4.0-alpha-2, and 4.0-alpha-3[1,2,3].
3.6.5 and 4.0-alpha-2 were both described in our August status report. The work for those releases was done in August, it just happened that the release date itself fell on September 2nd. 3.6.6 and 4.0-alpha-3 were released to deal with a "chemspill" out-of-cycle Firefox release due to a TLS certificate forging vulnerability in NSS[4]. Several Mozilla engineers ensured that we had as much advanced notice as possible, and despite the last minute rush, we were able to release 3.6.6 on the same day as Mozilla released Firefox 24.8.1, and 4.0-alpha-3 the next day. We also took this opportunity to fix a startup hang[5] and a disk leak issue[6] in 3.6.6. In 4.0-alpha-3, we also identified and fixed several issues with the updater. We noticed that 4.0-alpha-2 would be unable to update to our new Firefox 31-based TBBs due to a versioning issue[7]. We also discovered that non-English users would be updated to the English TBB, due to a conflict with our locale spoofing mechanisms[8]. We also reduced the amount of information sent by TBB clients while updating. The original Firefox updater sent the OS version and GUI library version as URL parameters to the update server. We modified our update server scripts to provide this information inside of the response document without the need for URL parameters, so that TBB clients can merely inspect the document for their OS version, rather than telling the server about them[9]. With these fixes, we had several successful reports of people updating from 4.0-alpha-2 to 4.0-alpha-3. Note again that for safety and stability, these updates are still not fully automatic yet. You must go into "Help->About Tor browser->Check for Updates" to trigger the update mechanism. The rest of September was spent rebasing our patches and reviewing, testing, and updating everything to work with Firefox 31 ESR. This was no small task (the full set of tickets can be seen with the ff31-esr tag[10]), but we're pleased to report that by the end of the month, we produced working "nightly" snapshot binaries for all three platforms[11]. These snapshot binaries were also fully reproducible. Georg and I both independently compiled the entire Firefox 31-based TBB distribution and our binaries exactly matched the nightlies, byte-for-byte. The full list of tickets closed by the Tor Browser team in September can be seen using the TorBrowserTeam201409 tag on our bugtracker[12]. In October, our focus will be on finishing our remaining rebasing work by October 14th for the official end-of-life of Firefox 24. The remaining tickets can be seen by viewing the ff31-esr tag link[13]. Once this work is finished, we will be releasing 4.0-stable, with all of the changes in the 4.0-alpha series. At this point, we'll also update all of our upstream Mozilla tickets with the new versions of our patches[14]. On top of this, we're eager to set up a Mozilla Persona testing server to evaluate it for potential use as an abuse mitigation strategy[14]. We're also excited to debut our "Security Slider" in an alpha by the end of the month[15], and make progress on the underlying plumbing for circuit and exit node status reporting in the browser[16,17,18]. We will also be investigating several pending Mozilla patches for potential backport[19,20]. The full list of tickets that the Tor Browser team plans to work on in October can be seen using the TorBrowserTeam201410 tag on our bugtracker[21]. 1. https://blog.torproject.org/blog/tor-browser-365-and-40-alpha-2-are-released 2. https://blog.torproject.org/blog/tor-browser-366-released 3. https://blog.torproject.org/blog/tor-browser-40-alpha-3-released 4. https://www.mozilla.org/security/announce/2014/mfsa2014-73.html 5. https://trac.torproject.org/projects/tor/ticket/10804 6. https://trac.torproject.org/projects/tor/ticket/12998 7. https://trac.torproject.org/projects/tor/ticket/13049 8. https://trac.torproject.org/projects/tor/ticket/13245 9. https://trac.torproject.org/projects/tor/ticket/13047 10. https://trac.torproject.org/projects/tor/query?status=closed&keywords=~ff31-esr 11. https://lists.torproject.org/pipermail/tor-qa/2014-October/000474.html 12. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201409&status=closed 13. https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~ff31-esr 14. https://bugzilla.mozilla.org/buglist.cgi?quicksearch=ALL%20whiteboard:[tor] 15. https://trac.torproject.org/projects/tor/ticket/12193 16. https://trac.torproject.org/projects/tor/ticket/3455 17. https://trac.torproject.org/projects/tor/ticket/8641 18. https://trac.torproject.org/projects/tor/ticket/5752 19. https://trac.torproject.org/projects/tor/ticket/13033 20. https://trac.torproject.org/projects/tor/ticket/11955 21. https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam201410 -- Mike Perry
signature.asc
Description: Digital signature
_______________________________________________ tor-reports mailing list [email protected] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports
