Etal Veteran
Joined: 15 Jul 2005 Posts: 1931
|
Posted: Sat Feb 20, 2010 2:41 am Post subject: The problem with Firefox, Gentoo and secure-delete |
|
|
I think more people need to be aware of this.
I was doing an update today, and I found that Firefox now requires SQLite to be built with the secure-delete flag. Knowing what it does, and not wanting that to be enabled system-wide (I use SQLite quite extensively), I went to do some research. Here's what I found:
Gentoo bug: https://bugs.gentoo.org/show_bug.cgi?id=304913
Mozilla bug: https://bugzilla.mozilla.org/show_bug.cgi?id=546162
Here's the problem (I'll quote the bug report):
Quote: | With version 3.6-r2, mozilla-firefox requires sqlite to be built with the
secure-delete flag. The purpose of it is so that when the data in Firefox's
sqlite databases (history, cookies, etc) is cleared, no trace is left.
However, because it zeroes out the data on every delete, this may be
undesirable, especially considering that this is the system sqlite and it
affects all other applications that use it.
[...]
Here is the description from http://www.sqlite.org/compile.html:
SQLITE_SECURE_DELETE
This compile-time option causes SQLite to overwrite deleted information with
zeros in addition to marking the space as available for reuse. Without this
option, deleted data might be recoverable from a database using a binary
editor. However, there is a performance penalty for using this option.
This option does not cause deleted data to be securely removed from the
underlying storage media. |
...and it doesn't seem to get anywhere. On one side, the Gentoo maintainer does not want to patch out the check, on the other side, the Mozilla guy does not want to make it optional, and the end result is that we end up with a system-wide SQLite that has to unnecessarily zero out all deleted data.
So, what do you people think of this? |
audiodef Watchman
Joined: 06 Jul 2005 Posts: 6639 Location: The soundosphere
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Sat Feb 20, 2010 5:30 am Post subject: |
|
|
You should be using firefox's sqlite.
Or waste yer time with "Gentoo policy" |
Shining Arcanine Veteran
Joined: 24 Sep 2009 Posts: 1110
|
Posted: Sat Feb 20, 2010 3:05 pm Post subject: |
|
|
I think we should cite the fact that some Gentoo users are having major issues because of this to upstream. The gentoo bug report documents it. |
slycordinator Advocate
Joined: 31 Jan 2004 Posts: 3065 Location: Korea
|
Posted: Mon Feb 22, 2010 3:05 am Post subject: |
|
|
Shining Arcanine wrote: | I think we should cite the fact that some Gentoo users are having major issues because of this to upstream. The gentoo bug report documents it. |
And the upstream bug documents that upstream doesn't care.
_________________
My political stance/bias
slycordinator != slycoordinator |
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
|
Posted: Mon Feb 22, 2010 6:55 am Post subject: |
|
|
nirbheek wrote: | -> SQLite with Firefox: Firefox will use the bundled sqlite by
default. Users can select the system-wide sqlite by setting
USE=system-sqlite. |
gerard27 Advocate
Joined: 04 Jan 2004 Posts: 2377 Location: Netherlands
|
Posted: Mon Feb 22, 2010 11:05 am Post subject: |
|
|
I can't find system-sqlite use flag in /usr/portage/profiles/use.desc.
It isn't listed in /usr/portage/profiles/use.local.desc either.
Can you "make your own" use flags?
Gerard.
_________________
To install Gentoo I use sysrescuecd. Based on Gentoo, has firefox to browse Gentoo docs and mc to browse (and edit) files.
The same disk can be used for 32 and 64 bit installs.
You can follow the Handbook verbatim.
http://www.sysresccd.org/Download |
desultory Bodhisattva
Joined: 04 Nov 2005 Posts: 9410
|
Posted: Mon Feb 22, 2010 11:24 am Post subject: |
|
|
gerard82 wrote: | I can't find system-sqlite use flag in /usr/portage/profiles/use.desc.
It isn't listed in /usr/portage/profiles/use.local.desc either. |
Note the "will", it is apparently not yet in the tree.
gerard82 wrote: | Can you "make your own" use flags? |
Yes, by writing an ebuild, so probably not in the sense that you meant. |
kernelOfTruth Watchman
Joined: 20 Dec 2005 Posts: 6111 Location: Vienna, Austria; Germany; hello world :)
|
Posted: Mon Feb 22, 2010 2:51 pm Post subject: |
|
|
++
I don't need the good will of others impressed - especially security-wise with firefox:
I've my whole /home partition encrypted, firefox is already much slower in linux distributions than in windows, it doesn't get any more secure than that (no need for über-paranoia) and don't need any more slowdown
the developers of firefox know how to use sqlite at its best for firefox itself and optimal performance - so just go with the bundled one
in most cases using the system's libraries is the optimal choice but NOT in this case
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004 |
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Tue Feb 23, 2010 7:51 pm Post subject: |
|
|
Why is it a compile-time option at all? Can't they just make it an extra flag in sqlite3_open_v2() instead? |
Etal Veteran
Joined: 15 Jul 2005 Posts: 1931
|
Posted: Tue Feb 23, 2010 8:49 pm Post subject: |
|
|
Ant_P wrote: | Why is it a compile-time option at all? Can't they just make it an extra flag in sqlite3_open_v2() instead? |
SQLite 3.6.23 will (according to the Mozilla dev) |
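
Added example, not part of the thread and not code from SQLite, Mozilla or Gentoo: SQLite exposes this setting per connection as `PRAGMA secure_delete`, and the Python sketch below uses it to show what the option quoted in the first post changes in the raw database file. The table name and marker value are constructed for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample value standing in for a cookie or history entry.
MARKER = b"CONSTRUCTED-COOKIE-VALUE-0123456789-ABCDEF"


def library_default() -> int:
    """Setting a fresh connection starts with: 0 = off, 1 = on, 2 = fast.
    1 means the library was built with SQLITE_SECURE_DELETE."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("PRAGMA secure_delete").fetchone()[0]
    finally:
        con.close()


def marker_survives_delete(secure_delete: bool) -> bool:
    """Insert rows, delete the one holding MARKER, then scan the raw
    database file for the marker bytes."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # Per-connection override of whatever the library was built with.
        con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        con.execute("CREATE TABLE cookies (id INTEGER PRIMARY KEY, value BLOB)")
        con.executemany("INSERT INTO cookies (value) VALUES (?)",
                        [(b"keep-1",), (MARKER,), (b"keep-2",)])
        con.commit()
        con.execute("DELETE FROM cookies WHERE value = ?", (MARKER,))
        con.commit()
        con.close()
        with open(path, "rb") as fh:
            return MARKER in fh.read()
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("library default:", library_default())
    print("residue, secure_delete OFF:", marker_survives_delete(False))
    print("residue, secure_delete ON: ", marker_survives_delete(True))
```

The scan covers only the database file itself; as the quoted SQLite documentation says, zeroing the page does not guarantee removal from the underlying storage media.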