Secure automatic updates for Tor Messenger

added component::archived/tor messenger priority::medium resolution::fixed severity::blocker status::closed type::task labels

Trac:
Cc: sukhbir, proper to sukhbir, proper, arlolra

Consider using the existing Tor consensus, Tor Control Port mechanism, using getinfo consensus/packages. Reference: #10395 (moved)

That seems like the right approach to notifying the client that an update is required. We still need the other half, of that how that update should take place.

I'd expect this to be updated the same way as Tor Browser. From Instantbird's POV it's just the standard update mechanism (although pointing to our server instead of Mozilla).

Trac:
Username: clokep

Trac:
Cc: sukhbir, proper, arlolra to sukhbir, proper, arlolra, boklm
Sponsor: N/A to N/A

In addition to the accounts and OTR keys, perhaps we should also backup the cert_override.txt file if users have added exceptions otherwise they will have to verify the fingerprints again after an update. (Reported by Karsten N.)

Trac:
Severity: N/A to Blocker

I think we want to use the Tor Browser updater patches to do that. Currently the patches are based on firefox 38 ESR, and it is planned to rebase them on ESR 45.

Currently Tor Messenger is based on Firefox 42. I think we should first move Tor Messenger to ESR 45 to make it easier to use the Tor Browser patches.

I opened ticket #18400 (closed) for the move to ESR 45.

I opened ticket #18449 (closed) for Debian packaging.

In comment 11 on ticket #15197 (moved) we can find ESR45 patches for the updater.

Trac:
Reviewer: N/A to N/A

Trac:
Cc: sukhbir, proper, arlolra, boklm to sukhbir, proper, arlolra, boklm, mcs, brade

Trac:
Summary: figure out how to keep Tor Messenger updated to Secure automatic updates for Tor Messenger

Trac:
Resolution: N/A to fixed
Status: new to closed

<+sukhe> hello. yes, I think it's fine to close the tickets. thanks for doing what we should done earlier :)

sad but true: https://blog.torproject.org/sunsetting-tor-messenger

luckily there are alternatives: https://blog.torproject.org/tor-heart-onion-messaging

.. and maybe someday

• https://cwtch.im (#27364)
• https://github.com/warner/magic-wormhole/issues/8

closed

mentioned in issue #18449 (closed)

mentioned in issue #19809 (closed)

mentioned in issue #19817 (closed)