[tor-talk] TBB 2.2.32 & Automatic Updates

[Mike Perry]

Thus spake sigi (tornode at cpunk.de):

> Sorry, but at this point, I'm really asking myself, how I can trust 
> the concept of the torproject anymore? Some time ago, the users were 
> warned about the use of Torbutton with Firefox >3.6 - now the torproject 
> recommends to use their TorBrowserBundle - but it has automatic updates 
> for the browser included and some DigiNotar certificates? 

You are misunderstanding the situation. See other replies.

Please bear with us. The DigiNotar fiasco forced us to release the
Firefox 6-based TBBs as "stable" at least 2 weeks early (if not a full
month), because we were unable to do source modifications to Firefox
3.6 on Windows to properly deal with the certificate updates and the
initial "Dutch exemption".

We would appreciate it if you tried to help us by diagnosing bugs and
issues rather than calling our integrity into question over bugs that
slipped in during a very high pressure situation.

> I'm confused. And I'd like some clarification here. Possibly I should 
> switch back to my own browser-profile with torbutton? Is it as safe to 
> use the Torbrowserbundle, as it was one year ago to use tor with your 
> own browser with Torbutton? Is there any improvement? 

We hope to better answer these questions in a Tor Browser Bundle
design document. Just one of the many other items that were supposed
to go into a new "stable" release that got pushed aside due to recent
events:
https://trac.torproject.org/projects/tor/ticket/3812



-- 
Mike Perry
Mad Computer Scientist
fscked.org evil labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20110905/4110fa2c/attachment.pgp>