[PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

Russell Senior russell at personaltelco.net
Tue Oct 2 13:37:12 PDT 2018


In my brief investigation, it might result from the location of profiles
moving from one version to another.  I can say that I, on firefox 62.0 from
Ubuntu, have not seen this behavior.  Since distributions often tweak
builds, it's not beyond the realm of possibility that your distribution's
packagers are at fault here.

On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom <keithl at kl-ic.com> wrote:

> > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > Sometime in the last two days, automatic updates on my
> > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > backups, and I can restore a previous version of Firefox
> > > and my old .mozilla configuration files, then turn off
> > > updates, but perhaps there is a way to make this
> > > "upgrade" work.
> >
> > I'm running an old 32 bit distro on the laptops, which
> > will get upgraded to a recent 64 bit distro Real Soon Now.
> > Then I will upgrade myself to Chromium as John suggested.
>
> On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > Did you report the bug?
>
> Not yet - I need to ponder my use-case a bit, and think
> about how it differs from their (minimal) likely testing.
>
> My WAG is that this happened because we had browser windows
> open when updates are scheduled, and their user-neglecting
> code treats unlocked login/password files as "unencrypted".
>
> However, the fact that they would even conceive of deleting
> /any/ user-generated file without warning or permission
> suggests that their design goals are sociopathic and
> arrogant.  I'll send them a bug report when I develop an
> easy-to-reproduce use case, but I expect it to be rejected.
> It won't be the first time they've done that to my reports.
>
> I hope the Chromium development team is more humane.  If
> there is less code, there are fewer insecure interactions.
> Code evaluated by two different groups (Google developers
> and outsider repackagers) may be better tested.  Many eyes
> make all bugs shallow; two sets of eyes makes bugs ever so
> slightly less deep.
>
> -----
>
> As an aside, my original reason for becoming involved with
> "open-source" (long before Chris Peterson named it) was
> that even a non-programmer like me could understand it and
> find bugs.  I found the Y2K error in BSD, and my suggested
> improvement was coded by Real Programmer(tm).  When most of
> us become mere "code consumers", we eat whatever the "cooks
> in the fast food code kitchen" churn out.  Some is great,
> some is absolutely awful, but the quantity of code is huge,
> and the combinatorial number of possible interactions is
> literally astronomical, more than the baryon count for the
> universe.  That makes secure, high-reliability software
> impossible, even with "perfect" programmers and methods.
>
> Web browsers are vulnerable to their innate flaws, but
> also to the flaws and exploits in every scrap of active
> web content on the internet.  Perhaps we need a two-stage
> process; our personal computers use plain-vanilla html
> browsers and external proxies that process all the varied
> crap out there into maximally simple html, with very few
> local extensions.  That simplifies code on our machines,
> though admittedly it helps big brother snoop the external
> proxies.  I'd rather not have video codecs on the same
> machine accessing the same memory as my password files.
>
> ----
>
> I wonder how many of you read down this far?  In the
> twitter age, most can't read a page of plain English,
> much less software code.
>
> Keith
>
> --
> Keith Lofstrom          keithl at keithl.com
>


More information about the PLUG mailing list