[Pkg-mozext-maintainers] Bug#909000: Thunderbird 60 cannot STILL be at stretch normal repository

Carsten Schoenert c.schoenert at t-online.de
Tue Oct 16 11:05:33 BST 2018


Hi,

On 16.10.18 at 11:00, Narcis Garcia wrote:
> An obvious vulnerability for user is to not be able to use Enigmail for
> encryption.

yes, the problem here is Enigmail, not Thunderbird! But I don't see
this as a vulnerability per se from a security perspective.
And you still can install the Mozilla AddOns manually into FF and TB.
It's a loss of comfort and easy usage of the system provided
packages, but not more for the typical single user cases on a machine or
laptop.

The AddOns for FF and TB will always be special as this software is in
a heavy flow and development. Packaging such software is by this also
always a walk on the edge because you will need to follow the upstream
development really closely. And happily dkg is taking this challenge
really seriously!

> Repository inconsistency is a major (and more clear) vulnerability.
I see no inconsistency, at maximum we have some lag behind upstream
versions.
How will you do automatic encryption *without* the enigmail package? And
is this a security problem?
And not being able to send automated encrypted email is not a
vulnerability as you still can use gpg on the command line and encrypt
your content obviously with less comfort, and it's your decision. And
again, you can still install Enigmail from upstream. So hey, that's life.

For all other things we have Conflicts and Breaks in the package
management system.

Debian is made by people in their free time, so it will happen again and
again that some parts are not completely on the edge. And the decisions
about what will happen in Debian are made by its participants, I invite you
to become a member so you can help actively to make Debian better for
your needs.

> Next versions of Mozilla software should not be at "main" repository,
> same as with HPLIP occurs.

The main criterion for main is DFSG clean software, not whether a software is
made by a specific vendor or group. The hplip package is in main because
it fulfills the DFSG requirements.
I suggest you take a look into the DFSG to understand better how Debian
is working.

-- 
Regards
Carsten Schoenert


