Mark Smith:
On 3/24/14, 8:59 AM, Lunar wrote:
Mark Smith:
Radical proposal of the day: Can we use the Firefox major version number in the Tor Browser version? This would mean that TBB versions would be 24.0, 24.1, 24.1.1, etc.
How would you support what is currently out there: Tor Browser 3.5.3 as the stable branch and Tor Browser 3.6-beta-1 as the beta branch? Both are based on 24.4.0esr.
This is a good question.
We do not need to exactly match the Firefox version numbers; I think just using the major revision number in our TBB version numbers would be sufficient for us to avoid the need to patch Firefox's updater code. But we would need to come up with a way to partition the version number space, e.g.,
Stable: 24.0, 24.0.1, 24.0.2, ... Beta: 24.1b1, 24.1b2, 24.1b3, ...
The problem with this is that it will be confusing to have a 24.1b1 Tor Browser that is based on Firefox 24.4.0esr. The only thing people could assume is that the first portion of the Tor Browser number matches the first portion of the Firefox version. But they might tend to assume more of a relationship since our version numbers would so closely resemble Firefox's.
I am not sure how many people look closely at version numbers though. Most people just care that a higher version number implies newer software.
Is there a reason why we need to use their exact version numbers? What if we just formatted and stored existing TBB versions in the same way that Firefox does?
We would need version update patches for each TBB release to get applied to the corresponding tor-browser.git branch/tag we use, but that isn't terribly hard.
As for changes to the updater that Mozilla would want: We do want to do some analysis and work to harden the updater against the attacks enumerated by the TUF/Thandy literature. Mozilla has done some of this work, but we probably will want to make some more changes. Making our Tor Browser specific changes as minimal as possible will make this easier.