[tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-17 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal|   Keywords:
Actual Points:|  Parent ID:
   Points:|   Reviewer:
  Sponsor:|
--+-
 Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

 Utilizing sandbox release 0.6, the first startup asks which channel to
 utilize. If selecting alpha, Tor Browser 7.0a3 is downloaded instead of
 the latest 7.0a4. This appears to be because the JSON published URLs are
 not kept up to date. This has been a bug in past too with respect to
 outdated or wrong JSON listings. This should probably be fixed so that
 users are not put in jeopardy of downloading a vulnerable version in the
 future.

 install: Metadata URL:
 https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json

 As you can see, the metadata URL is not updated and therefor the older
 version is downloaded, putting the Tor user potentially at risk due to
 running and outdated or insecure older release.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-17 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by yawning):

 I'm not sure what you expect me to do about this since I have nothing to
 do with uploading the metadata.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-17 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by yawning):

 One thing that would be a permanent fix would be to write a MAR unpacker
 and use the non-incremental MARs instead of the tarball + signature, since
 the XML resources and MARs will always be up to date.

 Patches accepted, I'm not going to do it.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-17 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by yawning):

 This is also basically fixed by https://gitweb.torproject.org/tor-browser
 /sandboxed-tor-
 browser.git/commit/?id=fc3475761427977cd63dfaa0351809174b147eb5

 I was told that the `update_2` stuff will be valid for a while, but
 apparently not.

 I could also just force an update check on first launch after an install
 or something.  Maybe I'll do that anyway because it's easy to do

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-18 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by boklm):

 https://aus1.torproject.org/torbrowser/update_2/alpha/downloads.json
 should now be redirected to
 https://aus1.torproject.org/torbrowser/update_3/alpha/downloads.json.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-18 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  new
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-

Comment (by cypherpunks):

 It's not Tor Browser Sandbox specific. Old alphas upgrade themselves the
 same way. Torbutton could warn users at startup, but it's broken the same
 way: https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs

Re: [tor-bugs] #22291 [Applications/Tor Browser Sandbox]: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first use

2017-05-18 Thread Tor Bug Tracker & Wiki 
#22291: Tor Browser Sandbox 0.6 downloads an old version of Tor alpha on first 
use
--+-
 Reporter:  6h72Q484AddGha8H  |  Owner:  yawning
 Type:  defect| Status:  closed
 Priority:  Medium|  Milestone:
Component:  Applications/Tor Browser Sandbox  |Version:
 Severity:  Normal| Resolution:  fixed
 Keywords:|  Actual Points:
Parent ID:| Points:
 Reviewer:|Sponsor:
--+-
Changes (by yawning):

 * status:  new => closed
 * resolution:   => fixed


Comment:

 Replying to [comment:5 cypherpunks]:
 > It's not Tor Browser Sandbox specific. Old alphas upgrade themselves the
 same way. Torbutton could warn users at startup, but it's broken the same
 way: https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions

 Huh?  `RecommendedTBBVersions` has nothing to do with the sandbox, and
 `downloads.json` has nothing to do with the normal Tor Browser update
 process.

 Anyway this is basically "fixed" now (thanks bolkm).  Both git master (and
 the next sandbox tag, whenever I get around to it) will pull from
 `update_3` in the future, and there isn't much I can do about "the
 location where all the metadata lives changed" now that I think about it.

--
Ticket URL: 
Tor Bug Tracker & Wiki 
The Tor Project: anonymity online
___
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs