Trac issueshttps://gitlab.torproject.org/legacy/trac/-/issues2020-06-16T01:13:10Zhttps://gitlab.torproject.org/legacy/trac/-/issues/4234Deploy experimental builds using the Firefox update process2020-06-16T01:13:10ZMike PerryDeploy experimental builds using the Firefox update processSure, it's probably not hardened against version downgrade attacks, interruption attacks, no-progress attacks, and maybe not even against CA compromises.
But it's gotta be better than nothing, and maybe it is easily serviceable into so...Sure, it's probably not hardened against version downgrade attacks, interruption attacks, no-progress attacks, and maybe not even against CA compromises.
But it's gotta be better than nothing, and maybe it is easily serviceable into something that will work for us.
Users are having a hard time manually working with our TBB packages if they want to preserve bookmarks, settings, and history, and are getting themselves into trouble by copying pieces of them over each other incorrectly while trying to manually upgrade:
https://lists.torproject.org/pipermail/tor-talk/2011-October/021771.html
I think any form of process that automates this for them is a step above status quo. It's just a matter of finding out if it is significantly less time+effort to deploy than Thandy, and what the security tradeoffs are.TorBrowserBundle 2.3.x-stableMark SmithMark Smithhttps://gitlab.torproject.org/legacy/trac/-/issues/10389Make Firefox updater work with TB 3.x2020-06-15T23:17:23ZTom LowenthalMake Firefox updater work with TB 3.xChronos: phase onehttps://gitlab.torproject.org/legacy/trac/-/issues/10390Update over Tor2020-06-15T23:17:24ZTom LowenthalUpdate over TorThe Torbrowser updater works over Tor rather than over the regular network.The Torbrowser updater works over Tor rather than over the regular network.Chronos: phase twohttps://gitlab.torproject.org/legacy/trac/-/issues/10391Update via a hidden service2020-06-15T23:17:24ZTom LowenthalUpdate via a hidden serviceThe Torbrowser updater obtains updates via a Tor hidden service which can handle this load.The Torbrowser updater obtains updates via a Tor hidden service which can handle this load.Chronos: phase twohttps://gitlab.torproject.org/legacy/trac/-/issues/10392Torbrowser updates are signed and verified by the updater2020-06-15T23:17:24ZTom LowenthalTorbrowser updates are signed and verified by the updaterChronos: phase twohttps://gitlab.torproject.org/legacy/trac/-/issues/10395Tor's consensus lists Torbrowser updates2020-06-13T14:48:21ZTom LowenthalTor's consensus lists Torbrowser updatesTor's consensus lists not only recommended versions of Torbrowser, but also the version numbers, names, and hashes of incremental updates.Tor's consensus lists not only recommended versions of Torbrowser, but also the version numbers, names, and hashes of incremental updates.Tor: 0.2.6.x-finalMike PerryMike Perryhttps://gitlab.torproject.org/legacy/trac/-/issues/10396Reproducible MARs2020-06-15T23:17:27ZTom LowenthalReproducible MARsThe incremental updates used by the Torbrowser updater are reproducibly built.The incremental updates used by the Torbrowser updater are reproducibly built.Chronos: phase two