
Downloading the latest version of components instead of hardcoding? #71


Open
MagicalDrizzle opened this issue Nov 19, 2024 · 3 comments


@MagicalDrizzle

MagicalDrizzle commented Nov 19, 2024

Currently all the component (Firefox, i2pd, extensions, langpacks) versions are hardcoded, which has a couple of disadvantages:

  • Periodic commits required to simply re-hardcode the version
  • Firefox will be out of date - and since the bundle disables autoupdate, the only way to update Firefox is to update the version in the script and rerun it.

```text
Unpacking the installer and deleting unnecessary files
A duplicate file name exists, or the file cannot be found.
Could Not Find V:\Programs\I2PdBrowserPortable_4137cbb-windows\Firefox\App\Firefox\browser\crashreporter-override.ini
The system cannot find the file specified.
The system cannot find the file specified.
The system cannot find the file specified.
Could Not Find V:\Programs\I2PdBrowserPortable_4137cbb-windows\Firefox\App\Firefox\Accessible*.*
...
Could Not Find V:\Programs\I2PdBrowserPortable_4137cbb-windows\Firefox\App\Firefox\update*.*
A subdirectory or file ..\Firefox\App\Firefox\browser\extensions already exists.
OK!
```

I think we should try to move away from this in favor of checking the newest version and downloading it.

  • Firefox:
    • Static JSON file containing the latest versions: https://product-details.mozilla.org/1.0/firefox_versions.json
    • For getting the version from it one could use jq, or if we are trying to keep dependencies to a minimum, then I wrote a little blurb using just batch and busybox (replace FIREFOX_ESR115 with FIREFOX_ESR once 115 goes out of support).
      • Speaking of keeping dependencies to a minimum, we can replace curl with busybox wget and remove sed as it's already included as well. (Also maybe replace 7z.exe and 7z.dll with just 7za/7zr...)

```bat
rem Resolve the current Firefox ESR version from Mozilla's product-details JSON.
rem Inside the backquoted for /f command the pipes must be escaped as ^| for cmd.
for /f "usebackq" %%i in (
    `busybox wget -q https://product-details.mozilla.org/1.0/firefox_versions.json -O - ^| busybox grep -hEo "FIREFOX_ESR115\": \"[0-9]+\.[0-9]+(\.[0-9]+)?esr" ^| busybox grep -hEo "[0-9]+\.[0-9]+(\.[0-9]+)?esr"`
) do (
    set FFversion=%%i
)
rem Resolve the i2pd version from the GitHub tags API (first x.y.z tag in the response).
for /f "usebackq" %%i in (
    `busybox wget -q https://api.github.com/repos/PurpleI2P/i2pd/tags -O - ^| busybox grep -hEo "name\": \"[0-9]+\.[0-9]+\.[0-9]+" ^| busybox grep -hEom 1 "[0-9]+\.[0-9]+\.[0-9]+"`
) do (
    set I2Pdversion=%%i
)
```
  • NoScript:
    • Download the HTML of the addon page and filter out the link.

```bat
busybox wget -q https://addons.mozilla.org/en-US/firefox/addon/noscript/ -O - | busybox grep -hEo "https:\/\/addons.mozilla.org\/firefox\/downloads\/file\/[0-9]+\/noscript-[0-9.]+\.xpi"
```

Result: https://addons.mozilla.org/firefox/downloads/file/4379558/noscript-11.5.2.xpi
@MagicalDrizzle
Author

I just found out the language packs are stored on the Mozilla FTP with a static URL also.
I think we can replace the hardcoded https://addons.mozilla.org/firefox/downloads/file/4144407/english...xpi with https://ftp.mozilla.org/pub/firefox/releases/%FFversion%/win64/xpi/%locale%.xpi

@r4sas
Member

r4sas commented Jan 8, 2025

I'm against the use of the latest versions of FF, other than those used in the scripts, because you can never know what has been done to the browser and whether there are any pieces of code (integrated into the binary or omni.ja) which will create external requests bypassing proxy settings.

What about noscript and language packs - that's a good idea.

@MagicalDrizzle
Author

I would say that's why we use Firefox ESR in the first place - only security fixes without any breaking changes. We might be alright only checking for changes every ESR cycle (115 to 128, 128 to 140). It depends on the balance of possible 0-day risks to possible request leakage, I suppose.
Otherwise, yeah, everything else (I2Pd itself, noscript, langpacks) shouldn't have any risk at all.
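As an added illustration of the resolution flow discussed in this thread (this is example code written for this page; it is not the project's batch script and not code posted by anyone above), the Python below does the same lookups offline against constructed samples: it picks the ESR version from the product-details JSON while pinning the ESR major, so a jump to a new ESR line (115 to 128, 128 to 140) is refused rather than picked up silently, which is the compromise the last two comments converge on; it takes the highest x.y.z tag from the i2pd tags response by numeric comparison instead of trusting the order the API returns; it extracts the NoScript .xpi link from the AMO page; it builds the static ftp.mozilla.org installer and langpack URLs; and it checks a downloaded file against the SHA256SUMS listing that Mozilla publishes in every release directory, so an automatically fetched installer is at least integrity-checked before being unpacked. The JSON values, the HTML fragment, the SHA256SUMS lines and the stand-in installer bytes are constructed; the file id 4379558 is the one shown in the comment above. The installer path `win64/<locale>/Firefox Setup <version>.exe` and the `SHA256SUMS` file are Mozilla's standard release layout.

```python
import hashlib
import json
import re

# Constructed sample of https://product-details.mozilla.org/1.0/firefox_versions.json
# (only the relevant keys; the values are illustrative, not a real snapshot).
FIREFOX_VERSIONS_JSON = json.dumps({
    "FIREFOX_ESR115": "115.18.0esr",
    "FIREFOX_ESR": "128.5.0esr",
    "LATEST_FIREFOX_VERSION": "132.0.2",
})

# Constructed sample of https://api.github.com/repos/PurpleI2P/i2pd/tags, trimmed
# to the "name" field and deliberately not in version order.
I2PD_TAGS_JSON = json.dumps([
    {"name": "2.53.1"}, {"name": "2.54.0-rc1"}, {"name": "2.54.0"}, {"name": "2.53.0"},
])

# Constructed fragment of the NoScript page on addons.mozilla.org, using the file id
# shown in the issue above.
NOSCRIPT_HTML = ('<a class="Button" href="https://addons.mozilla.org/firefox/downloads/'
                 'file/4379558/noscript-11.5.2.xpi">Download file</a>')

ESR_RE = re.compile(r"^(\d+)\.\d+(?:\.\d+)?esr$")
TAG_RE = re.compile(r"^\d+\.\d+\.\d+$")
XPI_RE = re.compile(r"https://addons\.mozilla\.org/firefox/downloads/file/\d+/noscript-[0-9.]+\.xpi")


def esr_version(versions_json, pinned_major):
    """Return the ESR version string whose major equals pinned_major, or None.

    Walking every FIREFOX_ESR* key instead of hardcoding FIREFOX_ESR115 keeps the
    lookup working when Mozilla renames the key; returning None for an unknown
    major forces a manual review before the bundle moves to a new ESR line.
    """
    data = json.loads(versions_json)
    for key, value in data.items():
        if not key.startswith("FIREFOX_ESR"):
            continue
        m = ESR_RE.match(value)
        if m and int(m.group(1)) == pinned_major:
            return value
    return None


def i2pd_version(tags_json):
    """Return the highest x.y.z tag, compared numerically, ignoring pre-release tags."""
    names = [t["name"] for t in json.loads(tags_json) if TAG_RE.match(t["name"])]
    return max(names, key=lambda v: tuple(int(p) for p in v.split(".")))


def noscript_xpi_url(html):
    """Extract the NoScript .xpi download URL from the AMO page HTML, or None."""
    m = XPI_RE.search(html)
    return m.group(0) if m else None


def download_urls(ffversion, locale="en-US"):
    """Build the static ftp.mozilla.org URLs for a Firefox version and locale."""
    base = f"https://ftp.mozilla.org/pub/firefox/releases/{ffversion}/"
    return {
        "installer": base + f"win64/{locale}/Firefox%20Setup%20{ffversion}.exe",
        "langpack": base + f"win64/xpi/{locale}.xpi",
        "sha256sums": base + "SHA256SUMS",
    }


def verify_sha256(sha256sums_text, relpath, blob):
    """Check blob against the entry for relpath in a SHA256SUMS listing.

    Lines have the coreutils form "<hex>  <path>". A missing entry raises rather
    than returning False so it can never be mistaken for a successful check.
    """
    expected = None
    for line in sha256sums_text.splitlines():
        digest, sep, path = line.partition("  ")
        if sep and path == relpath:
            expected = digest.lower()
    if expected is None:
        raise ValueError(f"no SHA256SUMS entry for {relpath}")
    return hashlib.sha256(blob).hexdigest() == expected


# Constructed stand-in for a downloaded installer and a two-line SHA256SUMS listing.
SAMPLE_INSTALLER = b"constructed bytes standing in for Firefox Setup 115.18.0esr.exe"
SAMPLE_RELPATH = "win64/en-US/Firefox Setup 115.18.0esr.exe"
SAMPLE_SHA256SUMS = (
    hashlib.sha256(SAMPLE_INSTALLER).hexdigest() + "  " + SAMPLE_RELPATH + "\n"
    + "0" * 64 + "  win64/en-US/Firefox Setup 115.18.0esr.msi\n"
)

if __name__ == "__main__":
    ff = esr_version(FIREFOX_VERSIONS_JSON, pinned_major=115)
    print("Firefox:", ff, download_urls(ff))
    print("i2pd:", i2pd_version(I2PD_TAGS_JSON))
    print("NoScript:", noscript_xpi_url(NOSCRIPT_HTML))
    print("installer ok:", verify_sha256(SAMPLE_SHA256SUMS, SAMPLE_RELPATH, SAMPLE_INSTALLER))
    print("pinned to 140 (new ESR line):", esr_version(FIREFOX_VERSIONS_JSON, pinned_major=140))
```

Two caveats for anyone wiring this into the build script: the SHA256SUMS file is served from the same host as the installer, so on its own it only detects corruption or a mismatched download; Mozilla also publishes SHA256SUMS.asc next to it, and verifying that signature against Mozilla's release signing key is what turns the hash check into an authenticity check (not done in the block above). And the NoScript .xpi is signed by AMO, which Firefox enforces on install, so the regex-scraped link needs no separate hash; the langpack fetched from ftp.mozilla.org should be checked through the same SHA256SUMS listing as the installer.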
