Bug 583408 added a few default prefs; see that bug and bug 593135 for some of the things we need to pull across.
Hi Mark, I moved this over to preferences since that is all that needs to be added to implement this and it has nothing to do with the installer code.
Created attachment 648795: The fix. This ports the necessary work of the dependent bugs to Thunderbird. Now we're on aus3, this is much easier, as it is just a matter of matching Firefox's prefs. I've been running with these set manually for a month or so now (and Ludovic also ran for a bit) and it's been fine, so I think we should just get on and do this and make our updates even more secure. In the patch I also moved a couple of prefs just to match closer the diffs to the ones in the firefox.js file. I'll be looking to get this into the beta on Tuesday, so that we've a couple of cycles to test it.
Review of attachment 648795 (The fix): The preferences look fine, and my trunk Thunderbird loads without complaint with this patch applied, but there's not much more I can say about it without testing against an update server (beyond just clicking "check for updates" and having it reply "none found", which I did try). Do you know if the Firefox team has a test harness for this including servers with bad certificates, incorrectly signed updates, etc?
These changes are only for the cert attribute check when checking for an update and there are toolkit tests under http://mxr.mozilla.org/mozilla-central/source/toolkit/mozapps/update/test/chrome/
Specifically:
test_0121_check_requireBuiltinCert.xul
test_0122_check_allowNonBuiltinCert_validCertAttrs.xul
test_0123_check_allowNonBuiltinCert_noCertAttrsCheck.xul
test_0131_check_invalidCertAttrs_noUpdate.xul
test_0132_check_invalidCertAttrs_hasUpdate.xul
test_0141_notify_invalidCertAttrs_noUpdate.xul
test_0142_notify_invalidCertAttrs_hasUpdate.xul
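The cert attribute check mentioned in the comment above, modelled as an added example; it is not code from the patch or from toolkit. The policy shape, function names, reason strings and certificate values are all constructed assumptions, chosen to mirror the cases the listed tests name (built-in root required, non-built-in allowed with valid attributes, invalid attributes).

```javascript
// Added illustration: all names and sample values are constructed.
// Policy an updater would load from its default prefs (hypothetical shape).
const defaultPolicy = {
  requireBuiltIn: true,   // chain must end in a root shipped with the application
  checkAttributes: true,  // server cert must match one pinned attribute set
  pinned: [
    { issuerName: "CN=Example Root CA,O=Example,C=US", commonName: "updates.example.test" },
    { issuerName: "CN=Example Backup CA,O=Example,C=US", commonName: "updates.example.test" },
  ],
};

// cert: { issuerName, commonName, rootIsBuiltIn } as reported by the TLS layer
// after normal chain validation has already succeeded.
function checkUpdateCert(cert, policy) {
  if (!cert) return { ok: false, reason: "no-certificate" };
  if (policy.requireBuiltIn && !cert.rootIsBuiltIn) {
    return { ok: false, reason: "root-not-built-in" };
  }
  if (!policy.checkAttributes) return { ok: true, reason: "attributes-not-checked" };
  // Fail closed: checking enabled with nothing pinned must not accept everything.
  if (policy.pinned.length === 0) return { ok: false, reason: "nothing-pinned" };
  // Every attribute of at least one pinned set has to match exactly.
  const matched = policy.pinned.some((set) =>
    Object.keys(set).every((attr) => cert[attr] === set[attr]));
  return matched ? { ok: true, reason: "attributes-match" }
                 : { ok: false, reason: "attributes-mismatch" };
}

// Constructed sample certificates.
const vendorCert = { issuerName: "CN=Example Root CA,O=Example,C=US",
                     commonName: "updates.example.test", rootIsBuiltIn: true };
const mirrorCert = { issuerName: "CN=Corp Internal CA,O=Corp",
                     commonName: "updates.corp.test", rootIsBuiltIn: false };

// Constructed policy for a deployment that serves updates from its own host.
const mirrorPolicy = {
  requireBuiltIn: false,
  checkAttributes: true,
  pinned: [{ issuerName: mirrorCert.issuerName, commonName: mirrorCert.commonName }],
};

function demo() {
  return {
    vendorDefault: checkUpdateCert(vendorCert, defaultPolicy).reason,
    mirrorDefault: checkUpdateCert(mirrorCert, defaultPolicy).reason,
    mirrorRepinned: checkUpdateCert(mirrorCert, mirrorPolicy).reason,
    vendorOnMirrorPolicy: checkUpdateCert(vendorCert, mirrorPolicy).reason,
  };
}
console.log(demo());
```

In this model, a certificate that is valid for TLS but chains to a private root or carries other attributes is rejected under the default policy, so an update host with its own certificate needs a policy that matches it.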
Comment on attachment 648795 (The fix) [Triage Comment] I want to deploy this everywhere as an additional security layer for updates.
Checked in:
https://hg.mozilla.org/releases/comm-aurora/rev/f64150ef70df
https://hg.mozilla.org/releases/comm-beta/rev/e1a2535b2646
https://hg.mozilla.org/releases/comm-esr10/rev/1d4617eeb9bd
Unfortunately, this patch broke updates through our locally hosted Thunderbird ESR update server. See bug 800307.