Opened 7 years ago

Closed 7 years ago

Last modified 21 months ago

#5801 closed defect (fixed)

TBB 2.3.12-alpha-2-* is unsafe, but still recommended

Reported by: rransom
Owned by: erinn
Priority: Immediate
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity: Normal
Keywords:
Cc: Sebastian
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Once again, the ‘current’ alpha TBB isn't current enough.

Attachments (1)

0001-Unrecommend-the-2.3.12-alpha-versions.patch (730 bytes) - added by nickm 7 years ago.

Change History (13)

comment:1 Changed 7 years ago by Sebastian

I think that's somewhat expected. Probably, we should turn off the version check in alpha tbb and instead just say "this is alpha, possibly outdated, more buggy, bla" so we stop running into this trouble.

comment:2 Changed 7 years ago by arma

How close are we to being able to trigger TBB alpha builds when we trigger new builds? In theory it should just be more computing time and more bytes to transfer afterwards, yes?

If our TBB-with-Tor-alpha builds are going to commonly ship with known-insecure Firefoxes, that seems like a poor plan.

(Insert plug for TBB nightlies here.)

comment:3 in reply to:  2 Changed 7 years ago by Sebastian

Replying to arma:

> How close are we to being able to trigger TBB alpha builds when we trigger new builds? In theory it should just be more computing time and more bytes to transfer afterwards, yes?

Yes. Except we still have disk space issues on the VMs, and there was some fuckup where the build improvements for TBB only got applied to the stable branch. This is being reworked atm so that it'll be easier, and when we then have the disk space we should be able to build new TBBs more rapidly. Still, it is conceivable that it takes a while to adapt Torbutton to the new Firefox release, and that Mike will prioritize something else before getting a new alpha out, etc.

> If our TBB-with-Tor-alpha builds are going to commonly ship with known-insecure Firefoxes, that seems like a poor plan.
>
> (Insert plug for TBB nightlies here.)

Yup. Nightlies will come, but that wants even more disk space, and it also won't auto-upgrade to the latest Firefox, because Firefox nightlies break every day and we won't keep up with them. For the other components, that'll be included.

comment:4 Changed 7 years ago by rransom

Priority: major → blocker

This package has been known to be remotely exploitable for over a month. Unrecommend it.

comment:5 Changed 7 years ago by runa

We should have put up a blog post and/or written an email to tor-talk about this a long time ago. Until today, I didn't know that TBB 2.3.12-alpha-2-* was unsafe.

comment:6 Changed 7 years ago by nickm

What's the holdup about changing the recommended version in the git repo? We really should not let those users stay on an unsafe version.

Unless we can get the next TBB out *last week*, we should just remove the 2.3.x versions from the recommended list.

comment:7 Changed 7 years ago by nickm

See attached patch; is there any reason we can't just apply that?

comment:8 Changed 7 years ago by arma

I think it would be smart to apply it.

Hopefully in a few days we'll learn from Erinn what we can do to help her (or somebody else) make 0.2.3 packages in a more consistent way.

comment:9 Changed 7 years ago by slacka

I NEED to use the 2.3 branch because I'm located in China. 2.2 is blocked here. tor-browser-2.3.19-alpha-1_en-US was a disaster. tor-browser-2.3.20 is also causing me lots of problems. Can you please release a 2.3 that is based off of more stable code for us stuck here in China?

comment:10 in reply to:  9 Changed 7 years ago by arma

Replying to slacka:

> I NEED to use the 2.3 branch because I'm located in China. 2.2 is blocked here. tor-browser-2.3.19-alpha-1_en-US was a disaster. tor-browser-2.3.20 is also causing me lots of problems. Can you please release a 2.3 that is based off of more stable code for us stuck here in China?

This is probably the wrong ticket. Also, the 2.3.20 bundle is supposed to be pretty good. If it has specific bugs, please open tickets for them.

comment:11 Changed 7 years ago by erinn

Resolution: fixed
Status: new → closed

I'm closing this since the alpha bundles are now being regularly updated.

comment:12 Changed 21 months ago by teor

Severity: Normal

Set all tickets without a severity to "Normal"