[PLUG] Firefox Quantum 60.2.1.esr lost saved passwords - downgrade

Russell Senior russell at personaltelco.net
Thu Oct 4 15:16:30 UTC 2018


This sounds suspiciously like it might be related:

  https://www.scientificlinux.org/category/sl-errata/slsa-20182834-1/

On Thu, Oct 4, 2018 at 6:20 AM Ben Koenig <techkoenig at gmail.com> wrote:

> Deleting user data without warning is bad. There are a number of decisions
> in firefox that concern me as well, and if there really is a situation in
> which it automagically overwrites user data, then that must be fixed.
>
> The idea that it works "fine for me" but not everyone is not applicable
> here. While a feature may be less popular, that does not excuse the
> unexpected deletion of user data. It doesn't matter if a feature was
> changed or updated. Deleting data on a user's computer WITHOUT WARNING is
> unacceptable and that is all there is to it.
>
> If you can reproduce the behavior then fixing it in the code is the only
> acceptable answer.
> Or maybe those of us on the use-case fringe deserve the discrimination
> being dished out by the Twitter birds.
>
>
> On Tue, Oct 2, 2018 at 9:04 PM Tomas Kuchta <tomas.kuchta.lists at gmail.com>
> wrote:
>
> > FWIW, I have seen no Firefox issues whatsoever on both openSuse and 16/18
> > LTS Ubuntu branches.
> >
> > Release notes would most likely mention settings location change and how to
> > proceed with the upgrade. I'd guess.
> >
> > -T
> >
> >
> > On Tue, Oct 2, 2018, 1:37 PM Russell Senior <russell at personaltelco.net>
> > wrote:
> >
> > > In my brief investigation, it might result from the location of profiles
> > > moving from one version to another.  I can say that I, on firefox 62.0 from
> > > Ubuntu, have not seen this behavior.  Since distributions often tweak
> > > builds, it's not beyond the realm of possibility that your distribution's
> > > packagers are at fault here.
> > >
> > > On Tue, Oct 2, 2018 at 12:37 PM Keith Lofstrom <keithl at kl-ic.com> wrote:
> > >
> > > > > On Sun, Sep 30, 2018 at 06:53:06PM -0700, Keith Lofstrom wrote:
> > > > > > Sometime in the last two days, automatic updates on my
> > > > > > older 32 bit laptops "upgraded" to Firefox Quantum
> > > > > > 60.2.1.esr, and my saved logins stopped working.  I have
> > > > > > backups, and I can restore a previous version of Firefox
> > > > > > and my old .mozilla configuration files, then turn off
> > > > > > updates, but perhaps there is a way to make this
> > > > > > "upgrade" work.
> > > > >
> > > > > I'm running an old 32 bit distro on the laptops, which
> > > > > will get upgraded to a recent 64 bit distro Real Soon Now.
> > > > > Then I will upgrade myself to Chromium as John suggested.
> > > >
> > > > On Mon, Oct 01, 2018 at 10:14:42PM -0700, Russell Senior wrote:
> > > > > Did you report the bug?
> > > >
> > > > Not yet - I need to ponder my use-case a bit, and think
> > > > about how it differs from their (minimal) likely testing.
> > > >
> > > > My WAG is that this happened because we had browser windows
> > > > open when updates are scheduled, and their user-neglecting
> > > > code treats unlocked login/password files as "unencrypted".
> > > >
> > > > However, the fact that they would even conceive of deleting
> > > > /any/ user-generated file without warning or permission
> > > > suggests that their design goals are sociopathic and
> > > > arrogant.  I'll send them a bug report when I develop an
> > > > easy-to-reproduce use case, but I expect it to be rejected.
> > > > It won't be the first time they've done that to my reports.
> > > >
> > > > I hope the Chromium development team is more humane.  If
> > > > there is less code, there are fewer insecure interactions.
> > > > Code evaluated by two different groups (Google developers
> > > > and outsider repackagers) may be better tested.  Many eyes
> > > > make all bugs shallow; two sets of eyes make bugs ever so
> > > > slightly less deep.
> > > >
> > > > -----
> > > >
> > > > As an aside, my original reason for becoming involved with
> > > > "open-source" (long before Chris Peterson named it) was
> > > > that even a non-programmer like me could understand it and
> > > > find bugs.  I found the Y2K error in BSD, and my suggested
> > > > improvement was coded by Real Programmer(tm).  When most of
> > > > us become mere "code consumers", we eat whatever the "cooks
> > > > in the fast food code kitchen" churn out.  Some is great,
> > > > some is absolutely awful, but the quantity of code is huge,
> > > > and the combinatorial number of possible interactions is
> > > > literally astronomical, more than the baryon count for the
> > > > universe.  That makes secure, high-reliability software
> > > > impossible, even with "perfect" programmers and methods.
> > > >
> > > > Web browsers are vulnerable to their innate flaws, but
> > > > also to the flaws and exploits in every scrap of active
> > > > web content on the internet.  Perhaps we need a two-stage
> > > > process; our personal computers use plain-vanilla html
> > > > browsers and external proxies that process all the varied
> > > > crap out there into maximally simple html, with very few
> > > > local extensions.  That simplifies code on our machines,
> > > > though admittedly it helps big brother snoop the external
> > > > proxies.  I'd rather not have video codecs on the same
> > > > machine accessing the same memory as my password files.
> > > >
> > > > ----
> > > >
> > > > I wonder how many of you read down this far?  In the
> > > > twitter age, most can't read a page of plain English,
> > > > much less software code.
> > > >
> > > > Keith
> > > >
> > > > --
> > > > Keith Lofstrom          keithl at keithl.com
> > > >
> > > _______________________________________________
> > > PLUG mailing list
> > > PLUG at pdxlinux.org
> > > http://lists.pdxlinux.org/mailman/listinfo/plug
> > >


