[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Jacob Appelbaum jacob at appelbaum.net
Mon Aug 5 17:19:11 PDT 2013


Griffin Boyce:
> Al,
> 
> We may have to disagree as to the way forward. I hate to be
> contentious, but it seems unlikely that Tor applied a patch without
> reading firefox's changelog. Two days ago I presented a talk which
> emphasized how useful Tor is -- and I stand by that. Tor is still the
> best option for maintaining one's anonymity.
> 

Hi Griffin,

Do you plan to release security advisories for all updates to the Linux
kernel, GNU user space utilities and other dependencies in the commotion
router firmware?

I suppose not, but perhaps I'm mistaken? Has anyone done so with new
commotion releases? I don't see[0][1] such notes, am I missing something?

It seems impractical to note every change from downstream projects.

Clearly you seem to disagree but I do wonder where you draw the line?

Do your projects have some example where we might see the line in
action, so to speak?

As far as I can tell, we issued a security advisory within twenty-four
hours. We spent more than a full day of multiple people's time working
non-stop to understand the scope, the impact and the outcomes of this
issue. We were already working on this task when you and another decided
to jump up and down to let us know that we were failures by any other
name. I'd say thanks but that isn't the word that comes to mind...

The Tor Project does not triage every single Mozilla Firefox bug. We do
try to understand which bugs are security critical. We do aim to track
and put our energy into ensuring our browser uses the latest ESR
releases. This generally includes lots of code fixes, security as well
as other kinds of fixes, though we may not always fully understand every
issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
of effort to forward port our privacy preserving patches as they are not
in the mainline Mozilla repositories. We did this as we always do with
TBB releases and we released patched versions of the software before we
ever even learned of the exploit discovered this weekend that targets
old, unpatched users:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

By a general count, it was around a month ago that we released patched
versions. We normally just note that we've bumped the included projects
to their latest stable versions - though in the case of our latest
alpha, we specifically said[2]:

"In addition to providing important security updates to Firefox and Tor,
these release binaries should now be exactly reproducible from the
source code by anyone."

Do you think that we should include that text with every single release?
i.e.: "This update provides important security updates to Firefox and Tor"
or something along those lines? Shall we just put that in every single
release note? Is that really helpful?

If you have a suggestion for how we might improve, I'm open to hearing
it - though as far as I am able to tell - there isn't much to be done
except to say "security update" next to "firefox update" in our normal
release notes. That isn't very helpful as nearly every Firefox update in
ESR is a security or stability related release.

Please do feel free to suggest something constructive - if we have room
for improvement, we're happy to make it!

All the best,
Jacob

[0] https://commotionwireless.net/download/openwrt
[1] https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
[2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
