[PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

Tomas Kuchta tomas.kuchta.lists at gmail.com
Tue Oct 2 21:03:40 PDT 2018


FWIW, I have seen no Firefox issues whatsoever on both openSUSE and 16/18
LTS Ubuntu branches.

Release notes would most likely mention settings location change and how to
proceed with the upgrade. I'd guess.

-T


On Tue, Oct 2, 2018, 1:37 PM Russell Senior <russell at personaltelco.net>
wrote:

> In my brief investigation, it might result from the location of profiles
> moving from one version to another.  I can say that I, on firefox 62.0 from
> Ubuntu, have not seen this behavior.  Since distributions often tweak
> builds, it's not beyond the realm of possibility that your distribution's
> packagers are at fault here.
>
> On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom <keithl at kl-ic.com> wrote:
>
> > > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > > Sometime in the last two days, automatic updates on my
> > > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > > backups, and I can restore a previous version of Firefox
> > > > and my old .mozilla configuration files, then turn off
> > > > updates, but perhaps there is a way to make this
> > > > "upgrade" work.
> > >
> > > I'm running an old 32 bit distro on the laptops, which
> > > will get upgraded to a recent 64 bit distro Real Soon Now.
> > > Then I will upgrade myself to Chromium as John suggested.
> >
> > On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > > Did you report the bug?
> >
> > Not yet - I need to ponder my use-case a bit, and think
> > about how it differs from their (minimal) likely testing.
> >
> > My WAG is that this happened because we had browser windows
> > open when updates are scheduled, and their user-neglecting
> > code treats unlocked login/password files as "unencrypted".
> >
> > However, the fact that they would even conceive of deleting
> > /any/ user-generated file without warning or permission
> > suggests that their design goals are sociopathic and
> > arrogant.  I'll send them a bug report when I develop an
> > easy-to-reproduce use case, but I expect it to be rejected.
> > It won't be the first time they've done that to my reports.
> >
> > I hope the Chromium development team is more humane.  If
> > there is less code, there are fewer insecure interactions.
> > Code evaluated by two different groups (Google developers
> > and outsider repackagers) may be better tested.  Many eyes
> > make all bugs shallow; two sets of eyes make bugs ever so
> > slightly less deep.
> >
> > -----
> >
> > As an aside, my original reason for becoming involved with
> > "open-source" (long before Chris Peterson named it) was
> > that even a non-programmer like me could understand it and
> > find bugs.  I found the Y2K error in BSD, and my suggested
> > improvement was coded by Real Programmer(tm).  When most of
> > us become mere "code consumers", we eat whatever the "cooks
> > in the fast food code kitchen" churn out.  Some is great,
> > some is absolutely awful, but the quantity of code is huge,
> > and the combinatorial number of possible interactions is
> > literally astronomical, more than the baryon count for the
> > universe.  That makes secure, high-reliability software
> > impossible, even with "perfect" programmers and methods.
> >
> > Web browsers are vulnerable to their innate flaws, but
> > also to the flaws and exploits in every scrap of active
> > web content on the internet.  Perhaps we need a two-stage
> > process; our personal computers use plain-vanilla html
> > browsers and external proxies that process all the varied
> > crap out there into maximally simple html, with very few
> > local extensions.  That simplifies code on our machines,
> > though admittedly it helps big brother snoop the external
> > proxies.  I'd rather not have video codecs on the same
> > machine accessing the same memory as my password files.
> >
> > ----
> >
> > I wonder how many of you read down this far?  In the
> > twitter age, most can't read a page of plain English,
> > much less software code.
> >
> > Keith
> >
> > --
> > Keith Lofstrom          keithl at keithl.com
> >
> _______________________________________________
> PLUG mailing list
> PLUG at pdxlinux.org
> http://lists.pdxlinux.org/mailman/listinfo/plug
>

