Opened 4 years ago

Last modified 9 months ago

#18326 new defect

Creating incremental MAR files should not include Tor Browser version in meta data

Reported by: gk Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-rbm, tbb-update
Cc: boklm, mcs, brade Actual Points:
Parent ID: #18325 Points:
Reviewer: Sponsor:

Description

While trying to build the incrementals for 5.5.2 on a machine that had older mar-tools I ended up with them not matching incrementals built on other machines. Upon investigation it turned out that the browser versions gets embedded in the MAR files' metadata. There is no need for doing that actually.

Child Tickets

Change History (8)

comment:1 Changed 4 years ago by gk

Component: - Select a componentTor Browser
Keywords: tbb-gitian added
Owner: set to tbb-team
Parent ID: #18325

Not sure if that is actually a child ticket of #18325 but it might be so.

comment:2 Changed 4 years ago by mcs

I think we do need this but I am not 100% sure. Mozilla embedded the version number in the MAR file to ensure that a MAR won't be applied that downgrades the browser to an older version.

comment:3 Changed 4 years ago by mcs

Also, there may be a way to set a different version using the MAR tools (I will have to look to be sure). If that is possible we could avoid a dependency on the exact tools that are built with the browser.

comment:4 in reply to:  2 Changed 4 years ago by gk

Replying to mcs:

I think we do need this but I am not 100% sure. Mozilla embedded the version number in the MAR file to ensure that a MAR won't be applied that downgrades the browser to an older version.

Hmm, if this is actually a security feature then this is fine to me and I think we might have to live with it. I don't remember that one in particular to be honest. But it's been a while that I looked closer at the updater related code...

comment:5 Changed 4 years ago by mcs

The mar program does have an option to update the product info block:

  Refresh the product information block of a MAR file:
    mar [-H MARChannelID] [-V ProductVersion] [-C workingDir] -i unsigned_archive_to_refresh.mar

That means it should work to run a command like this before signing:

  mar -H release -V 5.5.2 -i unsigned.mar

I think I have successfully used a command like that before when Kathy and I were doing some testing but I did not try it today.

comment:6 Changed 2 years ago by gk

Keywords: tbb-rbm added; tbb-gitian removed

Moving over to rbm

comment:7 Changed 9 months ago by gk

Keywords: tbb-updater added

comment:8 Changed 9 months ago by gk

Keywords: tbb-update added; tbb-updater removed

Renaming keyword to make it a bit broader

Note: See TracTickets for help on using tickets.