anonym wrote (18 Oct 2012 11:19:41 GMT) :
> I suppose our (realistic) options boil down to:
> 1. Ship an old Iceweasel esr with good Torbutton.
> 2. Ship a new Iceweasel esr with bad Torbutton.
> How do we value "susceptibility to general browser exploits" vs.
> "susceptibility to Tor-specific anonymity attacks"? I think I'm more
> in favour of option 1, but I feel far from confident with
> this choice.
With enough known security issues at hand (10.0.8esr fixed 19 CVEs),
I guess an attacker could work around or disable some of Torbutton's
protections, so it might rather be "susceptibility to general browser
exploits + some Tor-specific anonymity attacks" vs. "susceptibility to
even more Tor-specific anonymity attacks".
=> I think I'm slightly in favour of option 2 (ship latest ESR),
but I don't feel very confident with this either :(
... and anyway, I'd rather go with option 3 (iceweasel + torbrowser
patches in temporary APT repository) or maybe even option 4 (tbb's
torbrowser).
> How realistic is the following option?
> 3. Ship new Iceweasel esr + relevant TorBrowser patches that we build
> ourselves and host on some temporary APT repo so Torbutton becomes
> good?
I don't remember exactly where bertagaz left his experiments in this
field, but at least the package building part looked mostly done, no?
If it is so, on the infrastructure side, setting up a temporary APT
repository is easy. I guess I could get something ready (binary
packages + repository + branch merged into experimental) for the end
of next week -- help would be more than welcome on the package
building and testing side, though. (To what degree the result would be
hackish and temporary, I don't know -- depends on the time I manage to
gather for this task, and the help I get.)
Also, IIRC, Ague vetoed this solution last time we faced a similar
issue, but I admit I don't remember why. Ague?