Opened 8 years ago

Closed 8 years ago

Last modified 2 years ago

#3554 closed defect (fixed)

TBB should not disable addon updates until Thandy works

Reported by: mikeperry Owned by: erinn
Priority: Immediate Milestone: TorBrowserBundle 2.2.x-stable
Component: Applications/Tor bundles/installation Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

It is pretty dangerous to block addon updates if we have no way to update (or even inform) users whose TBBs are out of date. Auto-updating things like Torbutton will at least keep TBB users' fingerprints more in sync, making it less obvious when they run outdated, vulnerable versions..

For other Thandy-stopgaps, see #2285 and the tickets mentioned in the comments there.

Child Tickets

Change History (5)

comment:1 Changed 8 years ago by mikeperry

Priority: majorblocker

Bumping this to blocker because I think it is a serious issue that should be fixed in the next release unless there is some serious reason why it is a bad idea to allow addon updates.

comment:2 Changed 8 years ago by erinn

Status: newaccepted

I have no objection to changing this, from any security/safety perspective. But pardon my ignorance here: if we're no longer adding Torbutton to the official Firefox add-on site, do users still get the benefit of automatic updates for that extension?

comment:3 in reply to:  2 Changed 8 years ago by mikeperry

Replying to erinn:

I have no objection to changing this, from any security/safety perspective. But pardon my ignorance here: if we're no longer adding Torbutton to the official Firefox add-on site, do users still get the benefit of automatic updates for that extension?

Yes. We ship an update url in our install.rdf. Users will ping https://www.torproject.org/torbutton/updates.rdf for updates over tor.

comment:4 Changed 8 years ago by erinn

Resolution: fixed
Status: acceptedclosed

Add-on updates are enabled now, for all versions of TBB. Closing.

comment:5 Changed 2 years ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"

Note: See TracTickets for help on using tickets.