[tor-talk] TBB 2.2.32 & Automatic Updates

cgp3cg cgp3cg at gmail.com
Mon Sep 5 21:52:56 UTC 2011


On 05/09/11 21:09, Erinn Clark wrote:
> * cgp3cg <cgp3cg at gmail.com> [2011:09:05 16:19 +1000]: 
>> Hi,
>>
>> Just downloaded TBB 2.2.32 for Linux
>> (tor-browser-gnu-linux-i686-2.2.32-3-dev-en-US.tar.gz) and was surprised
>> to find FF set to automatically check for and download updates. This
>> seems like a significant change, and I can't find a record in my
>> archives, nor in a quick scan through the changelog.
>>
>> Was this deliberate and did I miss something?
> 
> No, this is not deliberate and must be a bug. The prefs.js we ship has:
> 
> user_pref("app.update.auto", false);
> user_pref("app.update.enabled", false);
> 
> https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/build-scripts/config/no-polipo-4.0.js
> 
> We enabled addon updates because we believe it is safer, but that is a
> different setting. I see in my own TBB that app.update.auto has been set to
> true, but I certainly didn't make it that way either as a user or developer.
> 
> Thanks for noticing, I'm going to add fixing this to our next update (September
> 10th).

Thanks Erinn,

I've also discovered that with this version FF defaults to saving
passwords, and that there are 4 CA certificates present for DigiNotar and
2 for DigiNotar B.V.

The first isn't a huge issue, but according to the changelog for 2.2.32-2:

* Update Firefox to 6.0.1, with an additional patch to exclude
  DigiNotar completely

I've also had a quick poke at a few older versions (the only ones I have
handy):
- 2.2.25 (FF 4.0.1)
- 1.1.3 (FF 3.6.13)

and both only show 1 CA cert for DigiNotar. Stock standard FF 6.0 also
only had one, and it's now gone completely from 6.0.1 ... so why the
presence of four in TBB?

Thanks
-C
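
An added example, not part of the original message and not Tor Project code: a small check that parses a profile's prefs.js and reports prefs that are absent or differ from the values discussed in this thread. The `signon.rememberSignons` pref name (Firefox's password-saving switch) and the sample input are assumptions supplied for illustration.

```python
import json
import re

# Expected values. The two update prefs are quoted in the thread above;
# signon.rememberSignons is an assumption added for the password-saving issue.
EXPECTED = {
    "app.update.auto": False,
    "app.update.enabled": False,
    "signon.rememberSignons": False,
}

# Matches one line such as: user_pref("app.update.auto", false);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample input, not taken from a real bundle.
SAMPLE = '''# Mozilla User Preferences
user_pref("app.update.auto", true);
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
'''

def parse_prefs(text):
    """Return {name: value} from prefs.js text; later lines override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref call
        name, raw = m.group(1), m.group(2)
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            prefs[name] = raw  # keep the raw text so it is reported as a mismatch
    return prefs

def audit(text, expected=EXPECTED):
    """Return (name, status, actual) for each expected pref that is absent or differs."""
    prefs = parse_prefs(text)
    findings = []
    for name, want in sorted(expected.items()):
        if name not in prefs:
            # Absent from the profile: the browser's built-in default applies.
            findings.append((name, "missing", None))
        elif type(prefs[name]) is not type(want) or prefs[name] != want:
            findings.append((name, "mismatch", prefs[name]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "missing" result matters as much as a "mismatch": a pref that is not pinned in the profile falls back to whatever default the browser build carries.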

