Firefox [Tor] Browser 0day: Anti-Privacy Implantation at Mass Scale

grarpamp grarpamp at gmail.com
Fri Sep 16 11:29:53 PDT 2016


On Fri, Sep 16, 2016 at 1:18 PM, Georgi Guninski <guninski at guninski.com> wrote:
> Is Debian _still_ vulnerable to automatic updates, it used to be?:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820698;msg=5
> Debian's Firefox/iceweasel in a VM still give warnings about autoupdates of addons
> when started from terminal (otherwise they are not visible ;) )

Here's FreeBSD's take on the issue...
https://lists.freebsd.org/pipermail/freebsd-announce/2016-August/001739.html

Never mind that they still [1] don't have their release ISOs and everything
else fully reproducible and cryptographically traceable back to
their source repository, in part because their silly choice of repo (svn)
isn't capable of establishing cryptographic provenance over, and distribution
of, the source, so, unlike the signable trees of git or monotone, there's a big gaping
disconnect there. Though they are making good progress on reproducibility.

Oh, and OpenBSD still uses cvs for code authenticity, lol.

Don't mistake this to mean that Linux distroland and model is anything
close to secure either. It's probably much worse.

[1] They claim signed / hashed ISOs and packages, and
server / filesystem / committer / sysadmin security / integrity
are backtraceable and sufficient. And that monotonically increasing
numeric commit revIDs and 'workflow' prevent using something like git.
I claim baloney.
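An added example (not part of this post, and not FreeBSD's or git's own tooling) modelling the point about signable trees: a git commit id is a hash over its tree and its parent id, so a signature over the head commit binds every older object, whereas a monotonically increasing revID binds nothing. The file names and contents are constructed; the tree encoding is simplified to regular files only.

```python
import hashlib
from typing import Optional

def git_object_id(kind: str, payload: bytes) -> str:
    """Hash exactly as git does: sha1("<type> <size>\\0" + payload)."""
    header = f"{kind} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()

def tree_id(files: dict) -> str:
    """Simplified git tree: sorted 'mode name\\0' + raw 20-byte blob id per file."""
    entries = b"".join(
        f"100644 {name}\0".encode() + bytes.fromhex(git_object_id("blob", data))
        for name, data in sorted(files.items()))
    return git_object_id("tree", entries)

def commit_id(tree: str, parent: Optional[str], message: str) -> str:
    """A commit names its tree and parent by hash, so its id covers both."""
    body = f"tree {tree}\n" + (f"parent {parent}\n" if parent else "") + f"\n{message}\n"
    return git_object_id("commit", body.encode())

def head_of(snapshots) -> Optional[str]:
    """snapshots: [(files, message), ...] oldest first. Returns the head commit id,
    the single value a signed tag or signed commit would bind."""
    head = None
    for files, message in snapshots:
        head = commit_id(tree_id(files), head, message)
    return head

# Constructed sample history: two commits. TAMPERED keeps the *latest* snapshot
# identical and changes one byte only in the first (ancestor) commit.
GENUINE = [({"sshd.c": b"int strict = 1;\n"}, "import"),
           ({"sshd.c": b"int strict = 1;\n", "README": b"v1\n"}, "docs")]
TAMPERED = [({"sshd.c": b"int strict = 0;\n"}, "import"), GENUINE[1]]

def svn_style_revision(snapshots) -> int:
    """A monotonically increasing revID only says how many commits exist."""
    return len(snapshots)

def compare() -> dict:
    """Same latest tree, but the parent link carries the ancestor change into the head."""
    return {"latest_trees_equal": tree_id(GENUINE[1][0]) == tree_id(TAMPERED[1][0]),
            "git_heads_differ": head_of(GENUINE) != head_of(TAMPERED),
            "svn_revids_differ": svn_style_revision(GENUINE) != svn_style_revision(TAMPERED)}

if __name__ == "__main__":
    print(compare())
```

`git_object_id("blob", b"hello\n")` reproduces the value `git hash-object` gives for that input, so the model matches real object ids for blobs.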



More information about the cypherpunks mailing list