[HOME] [DOWNLOAD] [DOCS] [BLOG] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Dealing with TBB native updater


#1

The 4.0.1 browser and upwards I think supports (as of yet) non verified updates through its native updater. I was thinking we should somehow warn people not to update their TBB through that channel.

As for us, an anonymity distro with some dedicated form of TBB upgrades its probably preferable to disable TBB’s native upgrading mechanism altogether and just have people rely on tb-updater/torbrowser-launcher.

Question is if Torbrowser supports such option in first place.


#2

Surprises and shocks me they are going for non-verified updates. Their trac ticket:
https://trac.torproject.org/projects/tor/ticket/13379

Other related Tor Browser updater by The Tor Project trac tickets:
https://trac.torproject.org/projects/tor/query?summary=~updater&col=id&col=summary&col=type&col=status&col=priority&col=milestone&col=component&order=priority

Yes, we should warn about it. TODO:

Disabling could be difficult without forking TBB (which would be too much work, I think). TODO:

  • create a torproject trac ticket, ask if there is a way for distributions to turn off the auto updating feature without recompiling/forking TBB

#3

[quote=“Patrick, post:2, topic:735”]Yes, we should warn about it. TODO:

https://www.whonix.org/blog/tor-browser-updater-warning


#4

[quote=“Patrick, post:2, topic:735”]Disabling could be difficult without forking TBB (which would be too much work, I think). TODO:


#5

Thanks to Rusty Bird (https://lists.torproject.org/pipermail/tor-talk/2014-December/035886.html) I tested, that creating a file

with the content

would disable applying updates using Tor Browser’s internal updater. tb-updater could create that file after extracting Tor Browser. It’s simple to develop.

Now I am wondering if a stable update or adding this at all would be worth it. I think after TPO fixed verification, users would demand another stable update. So this endeavor would cost some time for maintenance. Is it worth it? Any input?


#6
Now I am wondering if a stable update or adding this at all would be worth it. I think after TPO fixed verification, users would demand another stable update. So this endeavor would cost some time for maintenance. Is it worth it? Any input?

I don’t think this is urgent enough to deserve its own maintenance release however it is worth it to have this change.

Having two different update systems could be a headache and cause problems down the line. Better to have just one and stick to it IMO.


#7

Ok. Implemented that. Will all be in Whonix 10. The relevant changelog:

tb-updater: Deactivating Tor Browser’s Internal Updater at least as long it does not support verification. See also:
- https://www.whonix.org/blog/tor-browser-updater-warning
- https://www.whonix.org/forum/index.php/topic,807
tb-updater: make functions skipable through tb_skip_functions environment variable, so users could skip certain patches by using /etc/torbrowser.d configuration folder

Can be disabled in settings:
https://github.com/Whonix/tb-starter/blob/master/etc/torbrowser.d/30_torbrowser_default


#8

Update:
The Tor Project has fixed this in TBB version 4.5a3. (As per blog post.)
https://blog.torproject.org/blog/tor-browser-45a3-released


#9

Follow up task…

consider removal of deactivation of TBB’s internal updater because upstream fixed the issue:
https://phabricator.whonix.org/T105