[PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

Keith Lofstrom keithl at kl-ic.com
Tue Oct 2 19:37:03 UTC 2018


> On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > Sometime in the last two days, automatic updates on my
> > older 32 bit laptops "upgraded" to Firefox Quantum
> > 60.2.1.esr, and my saved logins stopped working.  I have
> > backups, and I can restore a previous version of Firefox
> > and my old .mozilla configuration files, then turn off
> > updates, but perhaps there is a way to make this
> > "upgrade" work.
>
> I'm running an old 32 bit distro on the laptops, which
> will get upgraded to a recent 64 bit distro Real Soon Now.
> Then I will upgrade myself to Chromium as John suggested.

On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> Did you report the bug?

Not yet - I need to ponder my use-case a bit, and think
about how it differs from their (minimal) likely testing. 

My WAG is that this happened because we had browser windows
open when updates are scheduled, and their user-neglecting
code treats unlocked login/password files as "unencrypted".

However, the fact that they would even conceive of deleting
/any/ user-generated file without warning or permission
suggests that their design goals are sociopathic and 
arrogant.  I'll send them a bug report when I develop an
easy-to-reproduce use case, but I expect it to be rejected.
It won't be the first time they've done that to my reports.

I hope the Chromium development team is more humane.  If
there is less code, there are fewer insecure interactions.
Code evaluated by two different groups (Google developers
and outsider repackagers) may be better tested.  Many eyes
make all bugs shallow; two sets of eyes make bugs ever so
slightly less deep.

-----

As an aside, my original reason for becoming involved with
"open-source" (long before Chris Peterson named it) was
that even a non-programmer like me could understand it and
find bugs.  I found the Y2K error in BSD, and my suggested
improvement was coded by Real Programmer(tm).  When most of
us become mere "code consumers", we eat whatever the "cooks
in the fast food code kitchen" churn out.  Some is great,
some is absolutely awful, but the quantity of code is huge,
and the combinatorial number of possible interactions is
literally astronomical, more than the baryon count for the
universe.  That makes secure, high-reliability software
impossible, even with "perfect" programmers and methods.

Web browsers are vulnerable to their innate flaws, but
also to the flaws and exploits in every scrap of active
web content on the internet.  Perhaps we need a two-stage
process; our personal computers use plain-vanilla html
browsers and external proxies that process all the varied
crap out there into maximally simple html, with very few
local extensions.  That simplifies code on our machines,
though admittedly it helps big brother snoop the external
proxies.  I'd rather not have video codecs on the same
machine accessing the same memory as my password files.

----

I wonder how many of you read down this far?  In the
twitter age, most can't read a page of plain English,
much less software code.

Keith

-- 
Keith Lofstrom          keithl at keithl.com


