Re: [tor-bugs] #12620 [Tor Browser]: Rebase TBB patches to Firefox 31 and add unit tests
#12620: Rebase TBB patches to Firefox 31 and add unit tests
-------------------------+-------------------------------------------------
Reporter: gk             | Owner: tbb-team
Type: task               | Status: new
Priority: major          | Milestone:
Component: Tor Browser   | Version:
Resolution:              | Keywords: TorBrowserTeam201408D, ff31-esr,
                         |   tbb-rebase, tbb-firefox-patch
Actual Points:           | Parent ID:
Points:                  |
-------------------------+-------------------------------------------------
Comment (by mikeperry):
Replying to [comment:17 gk]:
> Two other thoughts:
>
> 1) What is the rationale for including the patch for #2874 into ESR 31?
> Reading #2874 it seems to me the issue is resolved in ESR 31 by Mozilla
> itself and comment:16:ticket:2874 does not convince me (yet) as there are
> numerous ways to distinguish ESR 24 and ESR 31 users and we don't aim at
> making them undistinguishable. I'd like to see the patches we need as a
> kind of roadmap of things still in need of getting upstreamed and I wonder
> how the patch in question would fit into that picture (but, admittedly,
> maybe the picture is wrong to begin with)...

Mozilla also sometimes makes interface changes in point releases, and
interfaces can vary between platforms and OS versions. I think we want
this entire Components.* hierarchy gone, not just defanged.

> 2) I wonder whether we should still include the patch for #5741. For
> one, Mozilla fixed that leak
> (https://bugzilla.mozilla.org/show_bug.cgi?id=751465). Then, we added a
> unit test making sure that nothing gets backed out wrt the WebSocket
> protocol which leads to another round of DNS bypassing tor
> (https://bugzilla.mozilla.org/show_bug.cgi?id=971153). Now, we can even
> observe the respective notification in Torbutton to be extra sure that no
> leaks are happening (might be a good QA thing...). The only argument for
> including the patch in ESR 31 I currently can come up with is that ws://
> is the only protocol currently being tested in the unit test. If that is a
> show-stopper, fair enough (I planned to add tests for the remaining
> non-internal protocols + getting them merged into ESR 38).

They fixed the WebSockets leak, but the second part of the #5741 patch was
to ensure against any additional forms of DNS leak. It also saved our
users from being told by StartPage to enter www.startpage.com in the "no
proxies for" line of the proxy settings, since not being able to do that
resolution prevented that from working.

I think for defense in depth, we should keep the DNS service piece of
the patch.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12620#comment:19>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online