[tor-talk] Firefox vs. Tor Browser Bundle release cycles

Al Billings albill at openbuddha.com
Thu Dec 12 01:43:19 UTC 2013


I’ll also add that a two- or three-day delta on releases (which is most of those listed) is pretty damned good.

The bugs in those releases aren’t public. Diffing changes and trying to construct zero days is actually quite hard as well. If you were talking about a month-long difference in dates, I’d be more concerned.

Also, all bugs aren’t created equal. As you can see looking at the Firefox Known Vulnerabilities page at http://www.mozilla.org/security/known-vulnerabilities/firefox.html, most of the fixes are not sec-critical rated bugs. Sec-critical and (some) sec-high rated issues are the ones that give a real possibility for drive by zero days. Even then, many of these have no known weaponized exploit and are simply dangerous in theory. One of the things Mozilla does before a sec-critical or sec-high bug goes in is look at how easy it is to weaponize as well as where in the ship cycle the release is in order to avoid long windows of exposure after checkin. Two or three days on top of that is not the primary danger.

If you want to focus on greater and lesser degrees of danger, I’d say focus on why ESR rather than mainline Firefox releases are used as TBB’s basis (and the fact that the current TBB is from a now out-of-support ESR17 branch).

Otherwise, this conversation isn’t terribly useful, as much as you may find it interesting. :-)

Al

