With the plan to implement option 1a, 1b or 1c ? > 5) wait until the planned 2.0.0.15 (current projections have mentioned June) I think users who read blogs are able to open about:config > etc.) > 4) notify users of the existing workaround (via blogs, etc.) > 3) build an XPI that reverts the pref, and try to notify users (via blogs, This is core code, so if you revert the pref, it will affect Firefox, too (and SeaMonkey). > 2) spin a 2.0.0.15 with the pref reverted Introduce some logic that overrides the core pref with a thunderbird pref.
#FALLOUT 4 UPDATE 1.8 CERTIFICATION CODE#
It has the risk that some other applications dependent on 1.8 branch code Into the application code of each application. Mozilla/netwerk/base/public/security-prefs.js )Ĭould be removed from core, and duplicated We don't have such logic yet, and I guess it will be tricky to code it.ġb) Have separate prefs for Firefox and Thunderbird "SSL connections that attempt to load remote content from the web" I see comments 30-32 as two different proposals.ġa) introduce new smart logic that can distinguish between
> 1) spin a 2.0.0.15 with the fix described in comments 30-32 * requires users to use advanced config editorĥ) wait until the planned 2.0.0.15 (current projections have mentioned June) * less QA & build load than previous optionsĤ) notify users of the existing workaround (via blogs, etc.) * stresses already constrained build and QA resourcesģ) build an XPI that reverts the pref, and try to notify users (via blogs, etc.)
* may not have sufficient build and QA resourcesĢ) spin a 2.0.0.15 with the pref reverted * best for end users, as everyone who got the previous update is likely to get this one and have the problem go away automagically, and they keep the privacy win So for the slight longer term, possible courses of action would seem to be:ġ) spin a 2.0.0.15 with the fix described in comments 30-32 In the 2.0.0.14 post-mortem, it was agreed that we'd add release note verbiage to the 2.0.0.14 relnotes describing the problem and workaround forthwith.
#FALLOUT 4 UPDATE 1.8 CERTIFICATION HOW TO#
That said, if another fix doesn't materialize, I'm pretty sure I'd take a branch-only patch to just revert the pref - particularly in the misconfigured server cases like comment 1, which seem to have made all the NSS people say "oh, no, we can't just flip the pref" in bug 395399 before bug 295922 did just flip the pref, I think if I got an "update" like that to my supposedly stable mail client, I'd just switch to one that didn't throw a dialog at me every 30 seconds, rather than teach my email provider about the intricacies of SSL or look for a bug report that would tell me how to manually change a case-sensitive string pref. something people might be foolish enough to want to see badly enough to risk loading remote images. If I wanted to match individual Danes to their email addresses, I'd start by looking for any instructions about setting usteddomains, and if that failed look for popular newsletters or other frequent mailers with remote images, and as a last resort just start sending mail with remote images that promised to be. Remote content can't be handwaved away with "it's disabled by default" because that's an oversimplification: it's disabled until you click the button on an email, or click the link to always allow remote images from and from anyone pretending to be them, or set either bad-idea pref, to allow all remote content or to allow remote content from any address at a specified domain.
That has the advantage for branch of not needing to break the string freeze, though the disadvantage of not being something I know how to fix, or even how to evaluate the risk of the patch. Given that nobody has (so far) proposed a privacy issue with select automatically for mail servers, only remote content, I think my choice would beĤ) Default to select automatically for imap/pop/smtp(/signing? I'm still unsure about bug 431957), and to ask every time for content. Thunderbird should authenticate using the saved certificate automatically without user intervention, as all previous versions did. The security dialog appears every time Thunderbird is started, or the IMAP connection is restored. Configure IMAP connection via SSL with certificate. I am not sure if the popup is a bug, or if its supposed to be remembering which certificate to use after the first time and isn't.ġ. In previous versions of Thunderbird this authentication was automatic and there was no security popup every time Thunderbird was run. The dialog reads "User Identification Request", "This site has requested that you identify yourself with a certificate". When connecting to a IMAP site via SSL w/ certificate, Thunderbird now pops up a security dialog every time the IMAP connection is opened.