[tbb-dev] Proposal: extensions.update.enabled=false [tbb-fingerprinting]

Yawning Angel yawning at schwanenlied.me
Fri Apr 21 14:49:09 UTC 2017

On Fri, 21 Apr 2017 09:51:00 +0000
Georg Koppen <gk at torproject.org> wrote:
> We won't disable extension updates by flipping some preference in Tor
> Browser. Users who install extensions which we don't ship (even though
> this is strongly discouraged) should get updates. However, it is
> planned at least since the AMO pinning fiasco we witnessed last year
> (see #20146) that we essentially prevent all extensions *we* ship from
> auto-updating. We'll start with doing so for HTTPS-Everywhere (#10394)
> which is currently blocked on HTTPS-Everywhere getting the ruleset
> updates disentangled from the extension updates. Once we are done with
> HTTPS-Everywhere and got some experience what this means for our
> releases we'll do the same with NoScript.

The sandbox has a different threat model than Tor Browser does, and I
don't particularly see a need for behavior to be consistent.

In the future, after none of the built in addons are auto-updated, I may
consider re-enabling the addon updater depending on how the user
configures the extension directory (if it's read-only, there's no point
in doing checks, obviously).


Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20170421/fd77c478/attachment.sig>

More information about the tbb-dev mailing list