With https://bugzilla.mozilla.org/show_bug.cgi?id=1437942 Mozilla removed search engines from language packs which means one reason less for us to modify them which means in turn that it seems we can enable signature verification at least on Linux and Windows.
We should double-check whether we still need to have the bookmarks problem (legacy/trac#21879 (moved)) for macOS which would remain the only reason to not enable the signature check there.
intrigeri: Would that work for Tails if we enabled the signature check verification?
Trac: Summary: Re-enabled language pack signature checks for Linux and Windows and double-check macOS to Re-enable language pack signature checks for Linux and Windows and double-check macOS
intrigeri: Would that work for Tails if we enabled the signature check verification?
Thanks for caring! I've just checked and AFAICT, we use the langpacks, that we extract from your tarballs, as-is. So I don't see what can possibly go wrong (famous last words) by enabling signature verification for them. Still, I'd be more comfortable if this change was applied in a Tor Browser 9.0 alpha/beta/RC, before 9.0 final, so we have a chance to test it while it's still time to fix stuff :)
intrigeri: Would that work for Tails if we enabled the signature check verification?
Thanks for caring! I've just checked and AFAICT, we use the langpacks, that we extract from your tarballs, as-is. So I don't see what can possibly go wrong (famous last words) by enabling signature verification for them. Still, I'd be more comfortable if this change was applied in a Tor Browser 9.0 alpha/beta/RC, before 9.0 final, so we have a chance to test it while it's still time to fix stuff :)
Fair enough and sounds good. We'll plan to start building another alpha (the last one before 9.0) at the end of next week. I'll try to get the fix for this bug into it.
Okay, here is what I did: I double-checked that we are using the unmodified language packs on Windows and Linux (we do) and that enabling the signature check does not cause any issues on those platforms (it does not).
Moreover, I looked at the macOS bundles and it seems that we still need our bookmark issue workaround done in legacy/trac#21879 (moved), which is unfortunate. I wonder whether the reason for that is that macOS is the platform where we use the profile not in the bundle itself but I have not looked closer.
intrigeri: Would that work for Tails if we enabled the signature check verification?
Thanks for caring! I've just checked and AFAICT, we use the langpacks, that we extract from your tarballs, as-is. So I don't see what can possibly go wrong (famous last words) by enabling signature verification for them. Still, I'd be more comfortable if this change was applied in a Tor Browser 9.0 alpha/beta/RC, before 9.0 final, so we have a chance to test it while it's still time to fix stuff :)
Fair enough and sounds good. We'll plan to start building another alpha (the last one before 9.0) at the end of next week. I'll try to get the fix for this bug into it.
I confirm that with Tor Browser 9.0a8 in Tails, the langpacks still work :)