Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-04 Thread Russell Senior
This sounds suspiciously like it might be related:

  https://www.scientificlinux.org/category/sl-errata/slsa-20182834-1/

On Thu, Oct 4, 2018 at 6:20 AM Ben Koenig  wrote:

> Deleting user data without warning is bad. There are a number of decisions
> in firefox that concern me as well, and if there really is a situation in
> which it automagically overwrites user data, then that must be fixed.
>
> The idea that it works "fine for me" but not everyone is not applicable
> here. While a feature may be less popular, that does not excuse the
> unexpected deletion of user data. It doesn't matter if a feature was
> changed or updated. Deleting data on a user's computer WITHOUT WARNING is
> unacceptable and that is all there is to it.
>
> If you can reproduce the behavior then fixing it in the code is the only
> acceptable answer.
> Or maybe those of us on the use-case fringe deserve the discrimination
> being dished out by the Twitter birds.
>
>
> On Tue, Oct 2, 2018 at 9:04 PM Tomas Kuchta 
> wrote:
>
> > FWIW, I have seen no Firefox issues whatsoever on both openSuse and 16/18
> > LTS Ubuntu branches.
> >
> > Release notes would most likely mention settings location change and how to
> > proceed with the upgrade. I'd guess.
> >
> > -T
> >
> >
> > On Tue, Oct 2, 2018, 1:37 PM Russell Senior 
> > wrote:
> >
> > > In my brief investigation, it might result from the location of profiles
> > > moving from one version to another.  I can say that I, on firefox 62.0 from
> > > Ubuntu, have not seen this behavior.  Since distributions often tweak
> > > builds, it's not beyond the realm of possibility that your distribution's
> > > packagers are at fault here.
> > >
> > > On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom wrote:
> > >
> > > > > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > > > > Sometime in the last two days, automatic updates on my
> > > > > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > > > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > > > > backups, and I can restore a previous version of Firefox
> > > > > > and my old .mozilla configuration files, then turn off
> > > > > > updates, but perhaps there is a way to make this
> > > > > > "upgrade" work.
> > > > >
> > > > > I'm running an old 32 bit distro on the laptops, which
> > > > > will get upgraded to a recent 64 bit distro Real Soon Now.
> > > > > Then I will upgrade myself to Chromium as John suggested.
> > > >
> > > > On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > > > > Did you report the bug?
> > > >
> > > > Not yet - I need to ponder my use-case a bit, and think
> > > > about how it differs from their (minimal) likely testing.
> > > >
> > > > My WAG is that this happened because we had browser windows
> > > > open when updates are scheduled, and their user-neglecting
> > > > code treats unlocked login/password files as "unencrypted".
> > > >
> > > > However, the fact that they would even conceive of deleting
> > > > /any/ user-generated file without warning or permission
> > > > suggests that their design goals are sociopathic and
> > > > arrogant.  I'll send them a bug report when I develop an
> > > > easy-to-reproduce use case, but I expect it to be rejected.
> > > > It won't be the first time they've done that to my reports.
> > > >
> > > > I hope the Chromium development team is more humane.  If
> > > > there is less code, there are fewer insecure interactions.
> > > > Code evaluated by two different groups (Google developers
> > > > and outsider repackagers) may be better tested.  Many eyes
> > > > make all bugs shallow; two sets of eyes makes bugs ever so
> > > > slightly less deep.
> > > >
> > > > -
> > > >
> > > > As an aside, my original reason for becoming involved with
> > > > "open-source" (long before Chris Peterson named it) was
> > > > that even a non-programmer like me could understand it and
> > > > find bugs.  I found the Y2K error in BSD, and my suggested
> > > > improvement was coded by Real Programmer(tm).  When most of
> > > > us become mere "code consumers", we eat whatever the "cooks
> > > > in the fast food code kitchen" churn out.  Some is great,
> > > > some is absolutely awful, but the quantity of code is huge,
> > > > and the combinatorial number of possible interactions is
> > > > literally astronomical, more than the baryon count for the
> > > > universe.  That makes secure, high-reliability software
> > > > impossible, even with "perfect" programmers and methods.
> > > >
> > > > Web browsers are vulnerable to their innate flaws, but
> > > > also to the flaws and exploits in every scrap of active
> > > > web content on the internet.  Perhaps we need a two-stage
> > > > process; our personal computers use plain-vanilla html
> > > > browsers and external proxies that process all the varied
> > > > crap out there into maximally simple html, with very few
> > > > local extensions.  That simplifies code on our machines,
> > > 

Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-04 Thread Ben Koenig
Deleting user data without warning is bad. There are a number of decisions
in firefox that concern me as well, and if there really is a situation in
which it automagically overwrites user data, then that must be fixed.

The idea that it works "fine for me" but not everyone is not applicable
here. While a feature may be less popular, that does not excuse the
unexpected deletion of user data. It doesn't matter if a feature was
changed or updated. Deleting data on a user's computer WITHOUT WARNING is
unacceptable and that is all there is to it.

If you can reproduce the behavior then fixing it in the code is the only
acceptable answer.
Or maybe those of us on the use-case fringe deserve the discrimination
being dished out by the Twitter birds.


On Tue, Oct 2, 2018 at 9:04 PM Tomas Kuchta 
wrote:

> FWIW, I have seen no Firefox issues whatsoever on both openSuse and 16/18
> LTS Ubuntu branches.
>
> Release notes would most likely mention settings location change and how to
> proceed with the upgrade. I'd guess.
>
> -T
>
>
> On Tue, Oct 2, 2018, 1:37 PM Russell Senior 
> wrote:
>
> > In my brief investigation, it might result from the location of profiles
> > moving from one version to another.  I can say that I, on firefox 62.0 from
> > Ubuntu, have not seen this behavior.  Since distributions often tweak
> > builds, it's not beyond the realm of possibility that your distribution's
> > packagers are at fault here.
> >
> > On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom  wrote:
> >
> > > > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > > > Sometime in the last two days, automatic updates on my
> > > > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > > > backups, and I can restore a previous version of Firefox
> > > > > and my old .mozilla configuration files, then turn off
> > > > > updates, but perhaps there is a way to make this
> > > > > "upgrade" work.
> > > >
> > > > I'm running an old 32 bit distro on the laptops, which
> > > > will get upgraded to a recent 64 bit distro Real Soon Now.
> > > > Then I will upgrade myself to Chromium as John suggested.
> > >
> > > On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > > > Did you report the bug?
> > >
> > > Not yet - I need to ponder my use-case a bit, and think
> > > about how it differs from their (minimal) likely testing.
> > >
> > > My WAG is that this happened because we had browser windows
> > > open when updates are scheduled, and their user-neglecting
> > > code treats unlocked login/password files as "unencrypted".
> > >
> > > However, the fact that they would even conceive of deleting
> > > /any/ user-generated file without warning or permission
> > > suggests that their design goals are sociopathic and
> > > arrogant.  I'll send them a bug report when I develop an
> > > easy-to-reproduce use case, but I expect it to be rejected.
> > > It won't be the first time they've done that to my reports.
> > >
> > > I hope the Chromium development team is more humane.  If
> > > there is less code, there are fewer insecure interactions.
> > > Code evaluated by two different groups (Google developers
> > > and outsider repackagers) may be better tested.  Many eyes
> > > make all bugs shallow; two sets of eyes makes bugs ever so
> > > slightly less deep.
> > >
> > > -
> > >
> > > As an aside, my original reason for becoming involved with
> > > "open-source" (long before Chris Peterson named it) was
> > > that even a non-programmer like me could understand it and
> > > find bugs.  I found the Y2K error in BSD, and my suggested
> > > improvement was coded by Real Programmer(tm).  When most of
> > > us become mere "code consumers", we eat whatever the "cooks
> > > in the fast food code kitchen" churn out.  Some is great,
> > > some is absolutely awful, but the quantity of code is huge,
> > > and the combinatorial number of possible interactions is
> > > literally astronomical, more than the baryon count for the
> > > universe.  That makes secure, high-reliability software
> > > impossible, even with "perfect" programmers and methods.
> > >
> > > Web browsers are vulnerable to their innate flaws, but
> > > also to the flaws and exploits in every scrap of active
> > > web content on the internet.  Perhaps we need a two-stage
> > > process; our personal computers use plain-vanilla html
> > > browsers and external proxies that process all the varied
> > > crap out there into maximally simple html, with very few
> > > local extensions.  That simplifies code on our machines,
> > > though admittedly it helps big brother snoop the external
> > > proxies.  I'd rather not have video codecs on the same
> > > machine accessing the same memory as my password files.
> > >
> > > 
> > >
> > > I wonder how many of you read down this far?  In the
> > > twitter age, most can't read a page of plain English,
> > > much less software code.
> > >
> > > Keith
> > 

Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-02 Thread Tomas Kuchta
FWIW, I have seen no Firefox issues whatsoever on both openSuse and 16/18
LTS Ubuntu branches.

Release notes would most likely mention settings location change and how to
proceed with the upgrade. I'd guess.

-T


On Tue, Oct 2, 2018, 1:37 PM Russell Senior 
wrote:

> In my brief investigation, it might result from the location of profiles
> moving from one version to another.  I can say that I, on firefox 62.0 from
> Ubuntu, have not seen this behavior.  Since distributions often tweak
> builds, it's not beyond the realm of possibility that your distribution's
> packagers are at fault here.
>
> On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom  wrote:
>
> > > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > > Sometime in the last two days, automatic updates on my
> > > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > > backups, and I can restore a previous version of Firefox
> > > > and my old .mozilla configuration files, then turn off
> > > > updates, but perhaps there is a way to make this
> > > > "upgrade" work.
> > >
> > > I'm running an old 32 bit distro on the laptops, which
> > > will get upgraded to a recent 64 bit distro Real Soon Now.
> > > Then I will upgrade myself to Chromium as John suggested.
> >
> > On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > > Did you report the bug?
> >
> > Not yet - I need to ponder my use-case a bit, and think
> > about how it differs from their (minimal) likely testing.
> >
> > My WAG is that this happened because we had browser windows
> > open when updates are scheduled, and their user-neglecting
> > code treats unlocked login/password files as "unencrypted".
> >
> > However, the fact that they would even conceive of deleting
> > /any/ user-generated file without warning or permission
> > suggests that their design goals are sociopathic and
> > arrogant.  I'll send them a bug report when I develop an
> > easy-to-reproduce use case, but I expect it to be rejected.
> > It won't be the first time they've done that to my reports.
> >
> > I hope the Chromium development team is more humane.  If
> > there is less code, there are fewer insecure interactions.
> > Code evaluated by two different groups (Google developers
> > and outsider repackagers) may be better tested.  Many eyes
> > make all bugs shallow; two sets of eyes makes bugs ever so
> > slightly less deep.
> >
> > -
> >
> > As an aside, my original reason for becoming involved with
> > "open-source" (long before Chris Peterson named it) was
> > that even a non-programmer like me could understand it and
> > find bugs.  I found the Y2K error in BSD, and my suggested
> > improvement was coded by Real Programmer(tm).  When most of
> > us become mere "code consumers", we eat whatever the "cooks
> > in the fast food code kitchen" churn out.  Some is great,
> > some is absolutely awful, but the quantity of code is huge,
> > and the combinatorial number of possible interactions is
> > literally astronomical, more than the baryon count for the
> > universe.  That makes secure, high-reliability software
> > impossible, even with "perfect" programmers and methods.
> >
> > Web browsers are vulnerable to their innate flaws, but
> > also to the flaws and exploits in every scrap of active
> > web content on the internet.  Perhaps we need a two-stage
> > process; our personal computers use plain-vanilla html
> > browsers and external proxies that process all the varied
> > crap out there into maximally simple html, with very few
> > local extensions.  That simplifies code on our machines,
> > though admittedly it helps big brother snoop the external
> > proxies.  I'd rather not have video codecs on the same
> > machine accessing the same memory as my password files.
> >
> > 
> >
> > I wonder how many of you read down this far?  In the
> > twitter age, most can't read a page of plain English,
> > much less software code.
> >
> > Keith
> >
> > --
> > Keith Lofstrom  kei...@keithl.com
> >
> ___
> PLUG mailing list
> PLUG@pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>


Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-02 Thread Russell Senior
In my brief investigation, it might result from the location of profiles
moving from one version to another.  I can say that I, on firefox 62.0 from
Ubuntu, have not seen this behavior.  Since distributions often tweak
builds, it's not beyond the realm of possibility that your distribution's
packagers are at fault here.

On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom  wrote:

> > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > Sometime in the last two days, automatic updates on my
> > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > backups, and I can restore a previous version of Firefox
> > > and my old .mozilla configuration files, then turn off
> > > updates, but perhaps there is a way to make this
> > > "upgrade" work.
> >
> > I'm running an old 32 bit distro on the laptops, which
> > will get upgraded to a recent 64 bit distro Real Soon Now.
> > Then I will upgrade myself to Chromium as John suggested.
>
> On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > Did you report the bug?
>
> Not yet - I need to ponder my use-case a bit, and think
> about how it differs from their (minimal) likely testing.
>
> My WAG is that this happened because we had browser windows
> open when updates are scheduled, and their user-neglecting
> code treats unlocked login/password files as "unencrypted".
>
> However, the fact that they would even conceive of deleting
> /any/ user-generated file without warning or permission
> suggests that their design goals are sociopathic and
> arrogant.  I'll send them a bug report when I develop an
> easy-to-reproduce use case, but I expect it to be rejected.
> It won't be the first time they've done that to my reports.
>
> I hope the Chromium development team is more humane.  If
> there is less code, there are fewer insecure interactions.
> Code evaluated by two different groups (Google developers
> and outsider repackagers) may be better tested.  Many eyes
> make all bugs shallow; two sets of eyes makes bugs ever so
> slightly less deep.
>
> -
>
> As an aside, my original reason for becoming involved with
> "open-source" (long before Chris Peterson named it) was
> that even a non-programmer like me could understand it and
> find bugs.  I found the Y2K error in BSD, and my suggested
> improvement was coded by Real Programmer(tm).  When most of
> us become mere "code consumers", we eat whatever the "cooks
> in the fast food code kitchen" churn out.  Some is great,
> some is absolutely awful, but the quantity of code is huge,
> and the combinatorial number of possible interactions is
> literally astronomical, more than the baryon count for the
> universe.  That makes secure, high-reliability software
> impossible, even with "perfect" programmers and methods.
>
> Web browsers are vulnerable to their innate flaws, but
> also to the flaws and exploits in every scrap of active
> web content on the internet.  Perhaps we need a two-stage
> process; our personal computers use plain-vanilla html
> browsers and external proxies that process all the varied
> crap out there into maximally simple html, with very few
> local extensions.  That simplifies code on our machines,
> though admittedly it helps big brother snoop the external
> proxies.  I'd rather not have video codecs on the same
> machine accessing the same memory as my password files.
>
> 
>
> I wonder how many of you read down this far?  In the
> twitter age, most can't read a page of plain English,
> much less software code.
>
> Keith
>
> --
> Keith Lofstrom  kei...@keithl.com
>


Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-01 Thread Russell Senior
Did you report the bug?

On Mon, Oct 1, 2018 at 10:06 PM Keith Lofstrom  wrote:

> On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > Sometime in the last two days, automatic updates on my
> > older 32 bit laptops "upgraded" to Firefox Quantum
> > 60.2.1.esr, and my saved logins stopped working.  I have
> > backups, and I can restore a previous version of Firefox
> > and my old .mozilla configuration files, then turn off
> > updates, but perhaps there is a way to make this
> > "upgrade" work.
>
> I'm running an old 32 bit distro on the laptops, which
> will get upgraded to a recent 64 bit distro Real Soon Now.
> Then I will upgrade myself to Chromium as John suggested.
>
> Meanwhile, I restored 60.2.0.esr firefox from a September
> 25 backup to a test laptop, and the .mozilla user files.
> It's a bit annoying that I must do both.  DELETING user
> files with an update?  That's barbaric.  Nyet Kulturni.
>
> I added "firefox" to the /etc/sysconfig/yum-autoupdate
> exclusions list.  We'll see how that goes.
>
> I would be hosed without backups.  I thought I needed
> backups for security and for my bonehead mistakes, not for
> protection from mozilla bonehead programmer mistakes.
>
> Ah well.  Linus Torvalds recently promised to be nicer to
> Linux developers in the future.  If that works out, I'll
> try to be nicer as well.  If not, I still have backups.
> Sit here, behind this rear tire ...
>
> Keith
>
> --
> Keith Lofstrom  kei...@keithl.com


Re: [PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

2018-10-01 Thread Keith Lofstrom
On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> Sometime in the last two days, automatic updates on my
> older 32 bit laptops "upgraded" to Firefox Quantum
> 60.2.1.esr, and my saved logins stopped working.  I have
> backups, and I can restore a previous version of Firefox
> and my old .mozilla configuration files, then turn off
> updates, but perhaps there is a way to make this
> "upgrade" work.  

I'm running an old 32 bit distro on the laptops, which
will get upgraded to a recent 64 bit distro Real Soon Now.
Then I will upgrade myself to Chromium as John suggested.

Meanwhile, I restored 60.2.0.esr firefox from a September
25 backup to a test laptop, and the .mozilla user files. 
It's a bit annoying that I must do both.  DELETING user
files with an update?  That's barbaric.  Nyet Kulturni.

I added "firefox" to the /etc/sysconfig/yum-autoupdate
exclusions list.  We'll see how that goes.

I would be hosed without backups.  I thought I needed 
backups for security and for my bonehead mistakes, not for
protection from mozilla bonehead programmer mistakes.

Ah well.  Linus Torvalds recently promised to be nicer to
Linux developers in the future.  If that works out, I'll
try to be nicer as well.  If not, I still have backups.
Sit here, behind this rear tire ...

Keith

-- 
Keith Lofstrom  kei...@keithl.com