[tbb-dev] Proposal: extensions.update.enabled=false [tbb-fingerprinting]

Rusty Bird rustybird at openmailbox.org
Fri Apr 21 16:31:34 UTC 2017

Georg Koppen:
> We won't disable extension updates by flipping some preference in Tor
> Browser. Users who install extensions which we don't ship (even though
> this is strongly discouraged) should get updates.

Oh right, my bad for not thinking of that. It makes
extensions.update.enabled=false a non-starter, for sure.

> However, it is planned
> at least since the AMO pinning fiasco we witnessed last year (see
> #20146) that we essentially prevent all extensions *we* ship from
> auto-updating.

Even better!

> We'll start with doing so for HTTPS-Everywhere (#10394)
> which is currently blocked on HTTPS-Everywhere getting the ruleset
> updates disentangled from the extension updates. Once we are done with
> HTTPS-Everywhere and got some experience what this means for our
> releases we'll do the same with NoScript.

Thanks for the pointer to #10394.

Separate ruleset updates would be #2161, "Allow subscription to
external rule feeds"? Have you considered punting on that... I'm
obviously biased because my niche use case is a completely stateless
Tor Browser, and ruleset changes between releases would mean I'd have
to write yet another standalone updater (welp) to avoid the
fingerprinting issue. But the ticket also hasn't been modified in 3
