[tor-talk] TBB 2.2.32 & Automatic Updates

cgp3cg cgp3cg at gmail.com
Tue Sep 6 03:18:13 UTC 2011


> This is a change in Firefox 6.0.2 where they list them so they can explicitly
> distrust them. If you click on Aurora->Preferences (or Options, I think, in
> Windows)->View Certificates->then click on any of the DigiNotar things present,
> it will say at the top "Explicitly Distrust [...]".

Ah, nice, I hadn't noticed this!

> You can see some more of that here: 
> https://hg.mozilla.org/releases/mozilla-release/rev/55b5cd1ce8fe
> 
> This basically superseded our (and their) patches, and I think the reason there
> are so many more listed is because they got all of them, including
> intermediaries. To be honest, while Mozilla has been very helpful and
> responsive to us, we don't have complete insight into their decision-making
> processes so we are trusting them to do the right thing here, at least right
> this minute with the given time-constraints. When things have settled down a
> bit more we will probably revisit how TBB handles certs overall. In essence,
> there has been a lot of turbulence with this release (which happened 2 weeks
> early because of this mess, and then went through a bunch of rapid changes
> immediately after) so everything is a bit wobbly.

Yes, this SSL kerfuffle is causing big headaches ...

> We're going to be making some more radical changes and the build/QA team is
> basically just me, for all platforms, except when other devs & volunteers pitch
> in. Would you be interested in helping us out with better testing?

Yep, ping me off list each time you've got a new release ready. (Debian
5 (haven't got around to upgrading yet ...))

May take me a few days to test, but I certainly will! (Will also force
me to upgrade and keep current ...)

-C

