greatsuspender / thegreatsuspender

A chrome extension for suspending all tabs to free up memory
https://chrome.google.com/webstore/detail/the-great-suspender/klbibkeccnjlkjkiokjodocebajanakg/
GNU General Public License v2.0

will the new owners of this extension stop fucking it up and being shady? #1328

Open spmedia opened 3 years ago

spmedia commented 3 years ago

Thanks

https://github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-719136415 https://github.com/greatsuspender/thegreatsuspender/issues/1263 https://www.bleepingcomputer.com/news/software/the-great-suspender-chrome-extensions-fall-from-grace/

Beware. Stop using this ASAP.

XxX-Force commented 3 years ago

Just install 7.16 from the source. Takes less than 1 minute. Simple. Done.

7.16 is located here:

https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6

Instructions for installing it are located here:

https://github.com/greatsuspender/thegreatsuspender#install-as-an-extension-from-source

mirfilip commented 3 years ago

> Just install 7.16 from the source. Takes less than 1 minute. Simple. Done.
>
> 7.16 is located here:
>
> https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6
>
> Instructions for installing it are located here:
>
> https://github.com/greatsuspender/thegreatsuspender#install-as-an-extension-from-source

Actually, as the shady maintainer is still in power, he/she can replace the old tag with something new. Installing from source has no mechanisms for verifying checksums etc., so you won't even know. Just drop this extension and go over to https://github.com/gioxx/MarvellousSuspender if you still want to stick to it.

XxX-Force commented 3 years ago

How is anything from https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6 going to be modified without date changes recorded for the time it was modified? I am not a GitHub expert by any stretch of the imagination, but although there may not be a checksum, there is a commit signature verification, and a GPG key ID of 4AEE18F83AFDEB23. It clearly states that:

"deanoemcke released this on May 23, 2020"

... so how can the new entity "replace the old tag with something new" without my being able to know? And, since it is installed from source locally, it will not auto-update. I've crippled the Google Analytics (that were always present), which doesn't even have to be done unless anyone is concerned about it, or just doesn't want it (like me); it's just standard Google Analytics. So I just don't get how doing what I suggested here could cause any security issue, but I am honestly happy to learn.

I have nothing against MarvellousSuspender or what seems to me to be another good option from @aciidic called "thegreatsuspender-notrack", I just don't feel the need to switch with the way I have TGS 7.16 set up right now, and I would gladly learn how I am making a mistake in thinking this way.

"he/she can replace the old tag with something new ... you won't even know"

How though? I apologize for the ignorance.

mirfilip commented 3 years ago

> How is anything from https://github.com/greatsuspender/thegreatsuspender/releases/tag/v7.1.6 going to be modified without date changes recorded for the time it was modified? I am not a GitHub expert by any stretch of the imagination, but although there may not be a checksum, there is a commit signature verification, and a GPG key ID of 4AEE18F83AFDEB23. It clearly states that:
>
> "deanoemcke released this on May 23, 2020"
>
> ... so how can the new entity "replace the old tag with something new" without my being able to know? And, since it is installed from source locally, it will not auto-update. I've crippled the Google Analytics (that were always present), which doesn't even have to be done unless anyone is concerned about it, or just doesn't want it (like me); it's just standard Google Analytics. So I just don't get how doing what I suggested here could cause any security issue, but I am honestly happy to learn.
>
> I have nothing against MarvellousSuspender or what seems to me to be another good option from @aciidic called "thegreatsuspender-notrack", I just don't feel the need to switch with the way I have TGS 7.16 set up right now, and I would gladly learn how I am making a mistake in thinking this way.
>
> "he/she can replace the old tag with something new ... you won't even know"
>
> How though? I apologize for the ignorance.

@XxX-Force A maintainer can overwrite any GitHub tag. Commit hashes and commit date will change, of course. If you blindly take a tag, checkout, install from source, just because "it's an old version", you are likely not going to check history and dates to look for something suspicious. As for GPG keys - we don't know if new maintainers reuse the original maintainer keys, it may well be. I didn't check that though. My point was more a general one - one just doesn't blindly trust GH tags, as they have no checksum verification, bar some metadata checks like GPG signature, not the code checksums. Of course, unless you go through extra steps like comparing code etc.

Anyhow, I'm not an advocate for MarvellousSuspender or any other solution.
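The point the two comments above circle around is that a git tag is a movable name, while a commit hash is a content-addressed identifier of the whole source tree. The example below is an added illustration, not code from the thread or from the extension's repository: it builds a small constructed local repository that stands in for the upstream project, records the commit a tag points to, then shows that force-moving the tag is detected when you compare against the recorded hash rather than trusting the tag name. It assumes only that `git` is installed; the tag name `v7.1.6` is taken from the thread, the file contents and author identity are made up for the demo, and nothing is fetched from the network.

```shell
#!/bin/sh
# Added example (not from the thread): pin a release to its commit hash, not its tag.
set -eu

# Identity used only for the constructed demo repository; not a real person.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Commit a tag currently resolves to (works for lightweight and annotated tags).
tag_commit() {  # $1=repo dir, $2=tag name
    git -C "$1" rev-parse --verify "refs/tags/$2^{commit}"
}

# Hash of the entire source tree at a commit: any changed file changes this value,
# so it serves as the "code checksum" that a tag name alone does not give you.
tree_hash() {  # $1=repo dir, $2=commit-ish
    git -C "$1" rev-parse --verify "$2^{tree}"
}

# Compare a tag against the commit hash you recorded out of band (e.g. in your
# own notes when you first audited the release). A signed tag would additionally
# let `git verify-tag` tell you which key signed the tag object; that only helps
# if you also check whose key it is.
verify_pinned_tag() {  # $1=repo dir, $2=tag, $3=expected commit hash
    actual=$(tag_commit "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK: $2 -> $actual"
        return 0
    fi
    echo "MISMATCH: $2 now points to $actual, expected $3" >&2
    return 1
}

# Constructed stand-in for the upstream repository: one "release" commit that
# gets tagged, followed by a later commit that the tag can be force-moved to.
make_demo_repo() {  # $1=directory to create
    git -c init.defaultBranch=main init -q "$1"
    printf '%s\n' 'console.log("original release")' > "$1/background.js"
    git -C "$1" add background.js
    git -C "$1" commit -q -m "release 7.1.6"
    git -C "$1" tag v7.1.6
    printf '%s\n' 'console.log("original release"); /* later change */' > "$1/background.js"
    git -C "$1" commit -q -am "quiet change"
}

# Stand-alone demonstration.
demo_dir=$(mktemp -d)
make_demo_repo "$demo_dir"
pinned=$(git -C "$demo_dir" rev-parse HEAD~1)      # what you would record after auditing
echo "recorded release commit: $pinned"
echo "recorded tree hash:      $(tree_hash "$demo_dir" "$pinned")"
verify_pinned_tag "$demo_dir" v7.1.6 "$pinned"
# A maintainer moving the tag: same name, different code underneath.
git -C "$demo_dir" tag -f v7.1.6 HEAD >/dev/null
if ! verify_pinned_tag "$demo_dir" v7.1.6 "$pinned"; then
    echo "tree hash now:           $(tree_hash "$demo_dir" v7.1.6)"
fi
rm -rf "$demo_dir"
```

To apply this to a real checkout, write down the output of `git rev-parse v7.1.6^{commit}` and `git rev-parse v7.1.6^{tree}` the first time you review the source, then run `verify_pinned_tag` against those values before every reinstall; `git checkout <hash>` of the recorded commit never depends on where the tag name points today.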