On 2/19/16, Nathan Freitas <nat...@freitas.net> wrote: > Mozilla is adding some new runtime installation features to reduce the > size of the mobile Firefox APK. Is this happening at all on desktop? It > makes me nervous as the "default" config could very much more greatly, > not to mention having a new centralized attack channel.
Maybe not so new an attack channel. Have you seen https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/ http://blog.talosintel.com/2016/02/vulnerability-spotlight-libgraphite.html "Since Mozilla Firefox versions 11-42 directly support Graphite, the attacker could easily compromise a server and then serve the specially crafted font when the user renders a page from the server " https://blog.torproject.org/blog/tor-browser-552-released Users on the security level "High" or "Medium-High" were not affected by the bugs in the Graphite font rendering library. Regards, Lee > > ----- Original message ----- > From: Sebastian Kaspari <s.kasp...@gmail.com> > To: "mobile-firefox-dev" <mobile-firefox-...@mozilla.org> > Subject: Downloadable content: Fonts! > Date: Fri, 19 Feb 2016 11:56:42 +0000 > > Good news, everyone! > > Our first step to downloadable content has been enabled in Nightly: This > means we now stopped to ship fonts[1] in the APK and instead download > them > at runtime (Bug 1194338 [2]). > > With that we reduced the size of the APK by roughly 6.4% (~ 2.7MB) [3]. > > Without having the fonts downloaded (yet) our users can still browse > websites but they may look less nice. And in fact, as things go, a bug > caused just that to happen in Nightly (We don't download any fonts): bug > 1249354 [4]. > So if websites are currently looking a bit weird on Nightly then that's > because of that. The bug should be resolved soon and after that let me > know > if you see any new weird issues related to (wrong) fonts. :) > > Our plans for the future: > * Right now we ship the list of fonts and the location to download with > the > application. We want to synchronize this catalog of content from a Kinto > instance: https://bugzilla.mozilla.org/show_bug.cgi?id=1201059 > * We want to download hyphenation dictionaries at runtime too: > https://bugzilla.mozilla.org/show_bug.cgi?id=1095719 > * Eventually we might even want to download (some) localization files at > runtime: https://bugzilla.mozilla.org/show_bug.cgi?id=945123 > > Best, > Sebastian > > [1] https://www.youtube.com/watch?v=6J2rrFiN1Jw > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1194338 > [3] https://twitter.com/Anti_Hype/status/699905577196134400 > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1249354 > _______________________________________________ > mobile-firefox-dev mailing list > mobile-firefox-...@mozilla.org > https://mail.mozilla.org/listinfo/mobile-firefox-dev > _______________________________________________ > tor-dev mailing list > tor-dev@lists.torproject.org > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev > _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
