konfku...@riseup.net:
>> Jacob Appelbaum:
>> I like this idea - though I wonder how users would feel about it? Will
>> they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
>> data?
>
> I don't like the idea. You need to worry about the upgrading behavior of
> casual users of TBB, who aren't going to bother to read advisories.
> Republishing advisories takes a lot of your valuable time. Added to that,
> every fucking tiny crash-bug in Firefox may grow to a full-blown exploit
> like we've seen.

I tend to agree with this problem - almost any little bug can turn into an
anonymity or security issue. :(

> The people that do read the advisories can find them at the Firefox ESR
> advisory page
> (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html).
> I do think you might want to bother to link to that list of
> vulnerabilities when releasing a new version of TBB with a
> security-updated Firefox. I also like the approach of the TAILS project.
> They just start every single release announcement with 'Numerous security
> bugs found in TAILS X.XX', which makes it crystal clear for the average
> user they need to upgrade. Every time.

I think linking to
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html is a
good idea. I've emailed some people about it - I think it should go into
the ChangeLog.

> Also: please make separate blog posts for regular and alpha releases. It's
> been confusing before. Make sure the regular release sits on top of the
> blog listing.

Good idea.

> Let me propose the announcement of June 26th as I would've
> (retrospectively) liked to see it:
>
> Subject: Security release. New Tor Browser Bundles.
>
> Body: All of the Tor Browser Bundles have been updated with the new
> Firefox 17.0.7esr. This includes fixes to <a
> href="https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html">8
> vulnerabilities</a>, of which 4 have critical impact, and 4 have high
> impact. We <b>strongly</b> urge you to update to the latest version of the
> Tor Browser Bundle (2.3.25-10) as soon as possible.
>
> [continue with download-easy link and list of updates]

Sounds very reasonable.

>> Nadim Kobeissi:
>> How am I only interested in slinging mud?! How are you even allowed to
>> adopt a tone like this while doing your job as an advocate for Tor? I'm
>> simply trying to advocate for Tor not waiting five weeks before releasing
>> an advisory next time! Comments like this are really just not acceptable,
>> Jake.
>
> Nadim, you need to calm the fuck down. Take a deep breath, re-read your
> own emails, and consider whether you need to apologize for your
> unproductive stampede.

Our interactions don't need to be so stressful. Perhaps we'll all be calmer
in the future...

All the best,
Jacob

--
Liberationtech list is public and archives are searchable on Google.