Opened 6 years ago

Last modified 2 weeks ago

#10498 new defect

Get only the NoScript we want to our users

Reported by: cypherpunks
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords: tbb-security, noscript
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

NoScript is a Firefox extension, a security tool known for years and the simplest way to stop stuff. The author of NoScript never used a public repository for demonstrating development progress; all known code was available as a standalone archive or file from AMO. However, the author used to sign components of the archive before version 2.6.6.9. All we can do now is try to guess that the files weren't modified on the way, and there is still a chance to recreate the development history by hand or with a 3rd-party repository of version differences.

TBB takes NoScript from the AMO servers during building and run-time add-on updates. Do we trust them so much?

Child Tickets

Change History (7)

comment:1 Changed 6 years ago by cypherpunks

Resolution: not a bug
Status: new → closed

comment:2 Changed 2 years ago by cypherpunks

Component: Applications/Tor bundles/installation → Applications/Tor Browser
Keywords: tbb-security added
Resolution: not a bug
Severity: Major
Status: closed → reopened
Type: task → defect

The fact: NoScript is an integral part of Tor Browser.
That means its development process should be integrated with the Tor Project.
The main goal is to start doing code review.
To simplify this its repo could be added to git.tpo, and also see https://forums.informaction.com/viewtopic.php?p=10981#p9221

comment:3 Changed 2 years ago by cypherpunks

Maone actions seem to be malicious.

comment:4 in reply to:  3 Changed 2 years ago by cypherpunks

Replying to cypherpunks:

Maone actions seem to be malicious.

Proof? Otherwise that's just FUD.

comment:5 Changed 18 months ago by traumschule

Keywords: noscript added

comment:6 Changed 2 weeks ago by gk

Owner: changed from erinn to tbb-team
Status: reopened → assigned
Summary: Noscript. Path of trust. → Get only the NoScript we want to our users

NoScript development is visible on GitHub: https://github.com/hackademix/noscript. But, yes, we should have a) a process of code review and ideally we'd b) update NoScript versions in Tor Browser only after having inspected them. (Both tasks/processes could be handled in child tickets)
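
Added example, not part of the ticket and not Tor Project or NoScript code: one way to enforce "update only after having inspected" at build time is to compare each file inside the fetched XPI against the hashes recorded for the reviewed copy. The file names, contents and function names below are constructed for illustration.

```python
import hashlib
import io
import zipfile


def xpi_manifest(xpi_bytes):
    """Map each file inside an XPI (a zip archive) to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:
        return {i.filename: hashlib.sha256(xpi.read(i)).hexdigest()
                for i in xpi.infolist() if not i.is_dir()}


def diff_against_reviewed(reviewed, candidate):
    """Return the files a reviewer must look at before a candidate ships."""
    return {
        "added": sorted(set(candidate) - set(reviewed)),
        "removed": sorted(set(reviewed) - set(candidate)),
        "modified": sorted(
            name for name in set(reviewed) & set(candidate)
            if reviewed[name] != candidate[name]
        ),
    }


def may_ship(reviewed, candidate):
    """Gate: bundle the candidate only if every file matches the reviewed copy."""
    return not any(diff_against_reviewed(reviewed, candidate).values())


def build_xpi(files):
    """Build a constructed sample XPI in memory (stand-in for a download)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as xpi:
        for name, data in files.items():
            xpi.writestr(name, data)
    return buf.getvalue()


# Constructed sample data: file names and contents are made up.
REVIEWED_XPI = build_xpi({"manifest.json": b'{"version": "1.0"}',
                          "bg/main.js": b"// reviewed\n"})
FETCHED_XPI = build_xpi({"manifest.json": b'{"version": "1.0"}',
                         "bg/main.js": b"// changed after review\n",
                         "bg/extra.js": b"// not in reviewed copy\n"})

if __name__ == "__main__":
    reviewed = xpi_manifest(REVIEWED_XPI)
    print(diff_against_reviewed(reviewed, xpi_manifest(FETCHED_XPI)))
    print("ship:", may_ship(reviewed, xpi_manifest(FETCHED_XPI)))
```

Hashing file contents rather than the whole archive keeps repackaging (timestamps, compression level) from raising false alarms and tells the reviewer exactly which files differ from the inspected version.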

comment:7 Changed 2 weeks ago by gk

Status: assigned → new