[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-bugs] #32418 [Applications/Tor Browser]: Torbrowser tells on every start, that it can't update although it is newest



#32418: Torbrowser tells on every start, that it can't update although it is newest
--------------------------------------+-----------------------------------
 Reporter:  Yeti                      |          Owner:  tbb-team
     Type:  defect                    |         Status:  needs_information
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-update                |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+-----------------------------------
Changes (by mcs):

 * cc: tbb-team (added)


Comment:

 Replying to [comment:7 Yeti]:
 > Status "needs_information"... which information is needed exactly?

 I believe I changed the status to `needs_information` after I posted
 comment:4. We discussed this ticket during our Tor Browser meeting on
 25-November-2019. The consensus was that we should avoid creating and
 maintaining a patch for this if we can possibly avoid doing so (we know
 Mozilla will not accept such a patch). Some suggestions were made during
 the meeting which we have now investigated:

 Idea 1: Tell users to set `app.update.url` to a value that will not cause
 an update prompt. Unfortunately, end-users cannot do this in a way that
 persists across browser restarts (this is by design; Mozilla does not want
 malware to be able to easily disable updates).

 Idea 2: Learn from what Tails did to address this issue (see
 https://redmine.tails.boum.org/code/projects/tails/repository/revisions/e43247dd2558dd391342855796e18c3186a43807).
 Tails uses a multi-faceted approach:
 1. Permanently point the `app.update.url` preference to a non-existent
 place. Tails accomplishes this by modifying one of the `omni.ja` files
 within the Tor Browser package, which is not a solution we can recommend
 to end-users.
 2. Set `app.update.disabledForTesting` to `true`. Unfortunately, that
 preference has no effect outside of test runs, i.e., it is ignored unless
 the browser is running under Marionette control.
 3. Set `app.update.doorhanger` to `false`. This will suppress most of the
 update-related prompts. However, the  older update UI will be used which
 means that eventually a windowed prompt will be shown to tell users that
 their browser may be out of date. Also, this is not a long term solution
 because Mozilla removed support for this pref from recent versions of
 Firefox. However, it is something that end-users can experiment with in
 Tor Browser 9.x.
 4. Set `app.update.auto` to `false`. This will prevent automatic updates
 but won't suppress prompts or prevent download attempts. Tails sets this
 as a "defense in depth" measure to avoid any chance of an automatic
 update. I don't think this will be helpful for the scenario covered by
 this ticket.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/32418#comment:8>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs