Opened 7 months ago

Last modified 7 months ago

#32896 new enhancement

Keep track of security updates to parts of Tor Browser

Reported by: gk
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-security
Cc: tom
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Tor Browser is actually a bundle containing a bunch of software pieces like Firefox, Tor, NoScript, OpenSSL. For some of those pieces (like Firefox, Tor, NoScript) there is a way to keep track of security issues and their fixes, be it due to code inspection and notification or, kind of, due to automatic updates as in the NoScript case. But that does not hold for every piece of the bundle.

We should do two things to have at least a better overview of potential security issues we want to fix:

a) We need to come up with all the parts of the bundle we think we should track for security issues.

b) We need to actually track those pieces.

Mozilla had a third-party library alert tjr worked on a while back, which we might be able to look at for help.

Change History (2)

comment:1 Changed 7 months ago by tom

third-party library alert is abandoned with no plans of revival. It was ugly and hacky and required constant maintenance. But... it kinda worked with a lot of hand-feeding?

You could replace it with something as simple as subscribing a tb-security alias to some -announce lists (or, if they don't exist, an rss-to-email script that looks at rss feeds of branches/tags from github...)

comment:2 in reply to:  1 Changed 7 months ago by pili

Replying to tom:

You could replace it with something as simple as subscribing a tb-security alias to some -announce lists (or, if they don't exist, an rss-to-email script that looks at rss feeds of branches/tags from github...)

I would be happy to jump in at b) and receive these alerts (as a member of an email group for example) if there is no easy way to automate...
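
The rss-to-email idea from comment:1, as an added example (not code from this ticket or from the Tor Project): it reads a GitHub tags feed, keeps only entries not seen on the previous run, and builds one alert mail. The feed below is a constructed sample; the `examplelib` repository, both mail addresses and the caller-kept `seen_ids` set are assumptions.

```python
import xml.etree.ElementTree as ET
from email.message import EmailMessage

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample in the shape of a GitHub tags feed
# (https://github.com/<owner>/<repo>/tags.atom); "examplelib" is hypothetical.
SAMPLE_FEED = b"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <entry>
    <id>tag:github.com,2008:Repository/1/v1.2.4</id>
    <title>v1.2.4</title>
    <link rel="alternate" href="https://github.com/example/examplelib/releases/tag/v1.2.4"/>
  </entry>
  <entry>
    <id>tag:github.com,2008:Repository/1/v1.2.3</id>
    <title>v1.2.3</title>
    <link rel="alternate" href="https://github.com/example/examplelib/releases/tag/v1.2.3"/>
  </entry>
</feed>"""

def new_entries(feed_bytes, seen_ids):
    """Return (id, title, link) for each feed entry whose id is not in seen_ids."""
    # The feed is untrusted input and Atom needs no DTD, so refuse one outright.
    if b"<!DOCTYPE" in feed_bytes or b"<!ENTITY" in feed_bytes:
        raise ValueError("feed contains a DTD; refusing to parse")
    found = []
    for entry in ET.fromstring(feed_bytes).iter(ATOM + "entry"):
        entry_id = entry.findtext(ATOM + "id", "").strip()
        # Collapse whitespace so a hostile title cannot inject mail headers.
        title = " ".join(entry.findtext(ATOM + "title", "").split())
        link = entry.find(ATOM + "link")
        href = "".join(link.get("href", "").split()) if link is not None else ""
        if entry_id and entry_id not in seen_ids:
            found.append((entry_id, title, href))
    return found

def build_alert(component, entries, sender, recipient):
    """Build one mail listing the new tags; sending it is left to the caller."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = f"[{component}] new tags: " + ", ".join(t for _, t, _ in entries)
    msg.set_content("\n".join(f"{t}  {h}" for _, t, h in entries) + "\n")
    return msg

if __name__ == "__main__":
    seen = {"tag:github.com,2008:Repository/1/v1.2.3"}  # state from the last run
    fresh = new_entries(SAMPLE_FEED, seen)
    if fresh:
        print(build_alert("examplelib", fresh, "alerts@example.org", "tb-security@example.org"))
```

A new tag only says that something was released; someone on the receiving alias still has to read the changelog to decide whether it is a security fix.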
