Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
The problem with Firefox, Gentoo and secure-delete
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
Etal
Veteran
Veteran


Joined: 15 Jul 2005
Posts: 1931

PostPosted: Sat Feb 20, 2010 2:41 am    Post subject: The problem with Firefox, Gentoo and secure-delete Reply with quote

I think more people need to be aware of this.

I was doing an update today, and I found that Firefox now requires SQLite to be built with the secure-delete flag. Knowing what it does, and not wanting that to be enabled system-wide (I use SQLite quite extensively), I went to do some research. Here's what I found:

Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=304913

Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=546162

Here's the problem (I'll quote the bug report):
Quote:
With version 3.6-r2, mozilla-firefox requires sqlite to be built with the
secure-delete flag. The purpose of it is so that when the data in Firefox's
sqlite databases (history, cookies, etc) is cleared, no trace is left.

However, because it zeroes out the data on every delete, this may be
undesirable, especially considering that this is the system sqlite and it
affect all other applications that use it.
[...]
Here is the description from http://www.sqlite.org/compile.html:

SQLITE_SECURE_DELETE
This compile-time option causes SQLite to overwrite deleted information with
zeros in addition to marking the space as available for reuse. Without this
option, deleted data might be recoverable from a database using a binary
editor. However, there is a performance penalty for using this option.
This option does not cause deleted data is securely removed from the
underlying storage media.

...and it doesn't seem to get anywhere. On one side, the Gentoo maintainer does not want to patch out the check, on the other side, the Mozilla guy does not want to make it optional, and the end result is that we end up with a system-wide SQLite that has to unnecessarily zero out all deleted data.

So, what do you people think of this?
Back to top
View user's profile Send private message
audiodef
Watchman
Watchman


Joined: 06 Jul 2005
Posts: 6639
Location: The soundosphere

PostPosted: Sat Feb 20, 2010 3:12 am    Post subject: Reply with quote

Sounds like a question of why can't we all just get along to me.
_________________
decibel Linux: https://decibellinux.org
Github: https://github.com/Gentoo-Music-and-Audio-Technology
Facebook: https://www.facebook.com/decibellinux
Discord: https://discord.gg/73XV24dNPN
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Sat Feb 20, 2010 5:30 am    Post subject: Reply with quote

You should be using firefox's sqlite.

Or waste yer time with "Gentoo policy" :P
Back to top
View user's profile Send private message
Shining Arcanine
Veteran
Veteran


Joined: 24 Sep 2009
Posts: 1110

PostPosted: Sat Feb 20, 2010 3:05 pm    Post subject: Reply with quote

I think we should cite the fact that some Gentoo users are having major issues because of this to upstream. The gentoo bug report documents it.
Back to top
View user's profile Send private message
slycordinator
Advocate
Advocate


Joined: 31 Jan 2004
Posts: 3065
Location: Korea

PostPosted: Mon Feb 22, 2010 3:05 am    Post subject: Reply with quote

Shining Arcanine wrote:
I think we should cite the fact that some Gentoo users are having major issues because of this to upstream. The gentoo bug report documents it.
And the upstream bug documents that upstream doesn't care.
_________________
My political stance/bias
slycordinator != slycoordinator
Back to top
View user's profile Send private message
desultory
Bodhisattva
Bodhisattva


Joined: 04 Nov 2005
Posts: 9410

PostPosted: Mon Feb 22, 2010 6:55 am    Post subject: Reply with quote

nirbheek wrote:
-> SQLite with Firefox: Firefox will use the bundled sqlite by
default. Users can select the system-wide sqlite by setting
USE=system-sqlite.
Back to top
View user's profile Send private message
gerard27
Advocate
Advocate


Joined: 04 Jan 2004
Posts: 2377
Location: Netherlands

PostPosted: Mon Feb 22, 2010 11:05 am    Post subject: Reply with quote

I can't find system-sqlite use flag in /usr/portage/profiles/use.desc.
It isn't listed in /usr/portage/profiles/use.local.desc either.
Can you "make your own" use flags?
Gerard.
_________________
To install Gentoo I use sysrescuecd.Based on Gentoo,has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download
Back to top
View user's profile Send private message
desultory
Bodhisattva
Bodhisattva


Joined: 04 Nov 2005
Posts: 9410

PostPosted: Mon Feb 22, 2010 11:24 am    Post subject: Reply with quote

gerard82 wrote:
I can't find system-sqlite use flag in /usr/portage/profiles/use.desc.
It isn't listed in /usr/portage/profiles/use.local.desc either.
Note the "will", it is apparently not yet in the tree.
gerard82 wrote:
Can you "make your own" use flags?
Yes, by writing an ebuild, so probably not in the sense that you meant.
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Mon Feb 22, 2010 2:51 pm    Post subject: Reply with quote

PaulBredbury wrote:
You should be using firefox's sqlite.

Or waste yer time with "Gentoo policy" :P


++

I don't need the good will of others impressed - especially security-wise with firefox:

I've my whole /home partition encrypted, firefox is already much slower in linux distributions than in windows, it doesn't get any more secure than that (no need for über-paranoia) and don't need any more slowdown

the developers of firefox know how to use sqlite at its best for firefox itself and optimal performance - so just go with the bundled one


in most cases using the system's libraries is the optimal choice but NOT in this case
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
Back to top
View user's profile Send private message
Ant P.
Watchman
Watchman


Joined: 18 Apr 2009
Posts: 6920

PostPosted: Tue Feb 23, 2010 7:51 pm    Post subject: Reply with quote

Why is it a compile-time option at all? Can't they just make it an extra flag in sqlite3_open_v2() instead?
Back to top
View user's profile Send private message
Etal
Veteran
Veteran


Joined: 15 Jul 2005
Posts: 1931

PostPosted: Tue Feb 23, 2010 8:49 pm    Post subject: Reply with quote

Ant_P wrote:
Why is it a compile-time option at all? Can't they just make it an extra flag in sqlite3_open_v2() instead?


SQLite 3.6.23 will (according to the Mozilla dev)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum