
Re: [tor-talk] Firefox vs. Tor Browser Bundle release cycles



I'll also add that a two or three day delta on releases (which is most of those listed) is pretty damned good.

The bugs in those releases aren't public. Diffing changes and trying to contract zero days is actually quite hard as well. If you were talking about a month long difference in dates, I'd be more concerned.

Also, all bugs aren't created equal. As you can see looking at the Firefox Known Vulnerabilities page at http://www.mozilla.org/security/known-vulnerabilities/firefox.html, most of the fixes are not sec-critical rated bugs. Sec-critical and (some) sec-high rated issues are the ones that give a real possibility for drive by zero days. Even then, many of these have no known weaponized exploit and are simply dangerous in theory. One of the things Mozilla does before a sec-critical or sec-high bug goes in is look at how easy it is to weaponize as well as where in the ship cycle the release is in order to avoid long windows of exposure after checkin. Two or three days on top of that is not the primary danger.

If you want to focus on greater and lesser degrees of danger, I'd say focus on why ESR versus mainline Firefox releases for TBB's basis (and the fact that the current TBB is from a now out of support ESR17 branch).

Otherwise, this conversation isn't terribly useful, as much as you may find it interesting. :-)

Al
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk