Opened 5 years ago

Closed 4 years ago

#8341 closed defect (fixed)

torbirdy seems to set thunderbird to automantically check for updates

Reported by: cypherpunks Owned by: sukhbir
Priority: Medium Milestone:
Component: Applications/TorBirdy Version:
Severity: Keywords: automatic updates torbirdy
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I am using the recent torbirdy 0.1.0. with Thunderbird 17.0 on GNU Linux.

It seems torbirdy is changing my preference setting for "Automatically check for updates for...Thunderbird" and it also sets to "automatically download the updates."

Even if I change the setting back to do not check, and shutdown thunderbird, the setting returns to automatic updates when I restart.

The problem only occurs when torbirdy addon is enabled.

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by sukhbir

Owner: changed from ioerror to sukhbir
Status: newassigned

Yes, this is the expected behavior and TorBirdy enforces this setting. To know more about this, read Before using TorBirdy

If we disable updates, then the chances of Thunderbird being exploitable increase from the date when you install TorBirdy.

Is there any reason why you want to disable the updates? Note that during updates, your connection is still being routed through Tor, so you should not be worried (if this is the reason).

comment:2 Changed 4 years ago by mikeperry

I don't think Torbirdy should force this pref either to on or to off. While I agree that it should be enabled, the auto-updater is problematic to force because there are good reasons not to trust it fully right now, primarily among them is the incomplete pinning support for the Mozilla update server cert. Last I checked they pin only the CA, and not the actual leaf key (though this will be improving soon).

Perhaps what you can do instead of forcing prefs like this is have a part of the setup wizard or some other popup dialog that tells the user about potentially insecure prefs, with a checkbox for "Never ask again" and a button that says "Set all of these prefs to the recommended settings".

See nsIPromptService.confirmEx() for a ready-made prompting API that could be used for this:
https://developer.mozilla.org/en-US/docs/XPCOM_Interface_Reference/nsIPromptService#confirmEx%28%29

comment:3 Changed 4 years ago by sukhbir

Resolution: fixed
Status: assignedclosed

We are no longer forcing updates; it is up to to the users to decide if they want it enabled/disabled. Mike's suggestion is good but since we don't have any sort of a setup wizard yet, we are going with the above solution for now.

Marking this as fixed.

Note: See TracTickets for help on using tickets.