Re: [Tails-dev] What to do with Firefox 17.0.11ESR?

Delete this message

Reply to this message
Author: sajolida
Date:  
To: The Tails public development discussion list
Subject: Re: [Tails-dev] What to do with Firefox 17.0.11ESR?
> 1. Prepare a 2:3.14.5-1 Debian package for Wheezy.
>   2. Test this package on Wheezy.
>   3. Propose this package to Debian's NSS maintainer and security team.
>   4. Upload this package to the feature-torbrowser-17.0.11esr suite in
>      our APT repository.
>   5. Test this package in the context of Tails 0.21.
>   6. Document how to enable this additional APT suite in Tails, and
>      how to upgrade the binary packages built from the NSS source.

>
> I can do #1, #3 and #4.


I can do #2, #5 and #6 :) depending on the deadline though.

>> By the way, it seems that we are currently running an outdated vulnerable
>> libnss version anyway, because it is installed from backports and not
>> updated there. Version 3.14.4 also fixed a security issue [2], and
>> backports has an unpatched [3] version 3.14.3.
>
> Right. feature/ff24 (pending for review) installs 2:3.15.3-1~bpo60+1,
> so Tails 0.22 should be fine.
>
> So, alternatively we could just speed up the 0.22 release, skip the
> RC, get it out at the time we had planned for the RC, and put
> a point-release out a week later for the next ESR24 update. I'm not
> sure how crazy this would be. I can surely make this decision with my
> RM hat on, but I'd like to hear what others think first.


Another possibility would be to do the usual RC, and advertise it as a
better workaround for people concerned about the libnss issue. The ISO
will be the same, it's just the way we advertise it that changes. No?