[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

konfkukor at riseup.net konfkukor at riseup.net
Tue Aug 6 04:24:19 PDT 2013


> Jacob Appelbaum:
> I like this idea - though I wonder how users would feel about it? Will
> they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
> data?

I don't like the idea. You need to worry about the upgrading behavior of
casual users of TBB, who aren't going to bother to read advisories.
Republishing advisories takes a lot of your valuable time. Added to that,
every fucking tiny crash-bug in Firefox may grow to a full-blown exploit
like we've seen.

The people who do read the advisories can find them at the Firefox ESR
advisory page
(https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html).
I do think you might want to bother to link to that list of
vulnerabilities when releasing a new version of TBB with a
security-updated Firefox. I also like the approach of the TAILS project.
They just start every single release announcement with 'Numerous security
bugs found in TAILS X.XX', which makes it crystal clear for the average
user they need to upgrade. Every time.

Also: please make separate blog posts for regular and alpha releases. It's
been confusing before. Make sure the regular release sits on top of the
blog listing.

Let me propose the announcement of June 26th as I would've
(retrospectively) liked to see it:

Subject: Security release. New Tor Browser Bundles.

Body: All of the Tor Browser Bundles have been updated with the new
Firefox 17.0.7esr. This includes fixes to <a
href="https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html">8
vulnerabilities</a>, of which 4 have critical impact, and 4 have high
impact. We <b>strongly</b> urge you to update to the latest version of the
Tor Browser Bundle (2.3.25-10) as soon as possible.

[continue with download-easy link and list of updates]

> Nadim Kobeissi:
> How am I only interested in slinging mud?! How are you even allowed to
> adopt a tone like this while doing your job as an advocate for Tor? I'm
> simply trying to advocate for Tor not waiting five weeks before releasing
> an advisory next time! Comments like this are really just not acceptable,
> Jake.

Nadim, you need to calm the fuck down. Take a deep breath, re-read your
own emails, and consider whether you need to apologize for your
unproductive stampede.