[tbb-dev] Should we delay Tails 3.2? [Was: Tor Browser release is postponed by two days]

Georg Koppen gk at torproject.org
Wed Sep 27 06:19:00 UTC 2017

> Georg Koppen:
>> Hi,
>> Just to inform you about things we learned a couple of minutes ago: the
>> Firefox release is due on Thursday. It got postponed by two days mainly
>> to give 57 beta more publicity.
>> We'll follow and release Tor Browser on Thursday as well.
> Got it! It makes sense for you Tor Browser folks, since the Firefox security issues fixed in ESR 52.3 are not publicly known yet (at least in theory, but the code changes have been out for a week so they can have been reverse-engineered).
> But what about Tails? Tails 3.2, which is ready to be published right now, would fix several publicly known security issues for our users, including some potential RCEs (Thunderbird, libsoup, ...). Of course, some of these issues have been out for weeks already, so what's two more days of delay? Still, it makes me want to remember/re-evaluate *why* we always wait on Mozilla.
> What are your feelings around this? What are the arguments for/against releasing early?

Not sure what you mean with "early", probably not as soon as one
critical security bugfix lands on the esr52 branch (because there are
many :) ). Releasing once candidate build1 is done then? It sometimes
happens that additional changes get pushed and a buildN is done or that
some of the patches need to get backed out due to issues Mozilla found
during their Q&A. I guess you don't want that risk either?

> TBH this has always seemed odd to me. I remember argument for this being about us behaving like good Free Software community members by coordinating releases. I wonder if they really care, especially given our users' position. So, let's ask them!

I don't know whether they care but that argument has some weight for me
at least.

> Tor Browser folks, would you care if we released Tails 3.2 right now, so we in effect release Tor Browser 7.0.6 way before you? What do you feel about this in general?

Fine with me.


> As for asking Mozilla, I'm not even sure who/where to ask. Does any one have a clue?
> Cheers!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tbb-dev/attachments/20170927/5085c56b/attachment.sig>

More information about the tbb-dev mailing list