Re: [Tails-dev] Security implications: moving code from Ver…

Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Security implications: moving code from Verification Extension to our website
u:
> Hi all,
>
> In summary of this discussion, I would conclude that we agree that we
> can and should abandon the Verification Extension and move the code to
> our website.
>
> Thank you all for your insightful ideas & comments.


Full ack.

Regarding JS caching:

- I agree with intrigeri that the caching might become a bit more
sensitive than the current situation. For example, since we rolled out
the current page, we haven't done any security update to the JS on the
page and only functionality updates, while we did push security updates
to the code of the extension (mostly Forge updates).

- But I agree with Ulrike that we shouldn't block on solving #16091 as
we can rely on the URL parameter trick (e.g. 4e30a3e59b) to force
reloading resources after security updates.

We should include a check about this in the release process for updating
this code. We won't be releasing extensions anymore but we should keep
at least the test suite in a checklist whenever we update this code or
new ESRs come out, etc.

--
sajolida
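
One way to script the release-process check mentioned above, as an added example that is not part of the original message or of the Tails code base: it flags every local `<script>` reference whose URL parameter would not force browsers to reload a changed file. The parameter name `v`, the use of a content hash as its value, and the file paths are assumptions made for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

PARAM = "v"  # hypothetical parameter name; the message does not say which one is used


class ScriptRefs(HTMLParser):
    """Collect the src attribute of every <script> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src)


def content_token(data: bytes) -> str:
    """Short token derived from file content: any change to the file changes the URL."""
    return hashlib.sha256(data).hexdigest()[:10]


def stale_script_refs(html: str, files: dict) -> list:
    """Return (src, reason) for each local script whose URL would not force a reload."""
    parser = ScriptRefs()
    parser.feed(html)
    problems = []
    for src in parser.srcs:
        url = urlsplit(src)
        if url.netloc:  # other origin: out of scope for this check
            continue
        data = files.get(url.path)
        if data is None:
            problems.append((src, "file missing"))
            continue
        token = parse_qs(url.query).get(PARAM, [None])[0]
        if token is None:
            problems.append((src, "no cache-busting parameter"))
        elif token != content_token(data):
            problems.append((src, "parameter not updated after file change"))
    return problems


# Constructed sample: forge.js was patched but its reference still carries the old token.
OLD, NEW = b"old forge build", b"patched forge build"
FILES = {"/js/forge.js": NEW, "/js/verify.js": b"verify()", "/js/ui.js": b"ui()"}
PAGE = (f'<script src="/js/forge.js?v={content_token(OLD)}"></script>'
        f'<script src="/js/verify.js?v={content_token(b"verify()")}"></script>'
        '<script src="/js/ui.js"></script>')
```

Run against the built page and the files about to be deployed, a non-empty result from `stale_script_refs` is a reason to stop the release until the references are updated.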