[Pkg-mozext-maintainers] Bug#909000: Bug#909000: Thunderbird 60 cannot STILL be at stretch normal repository

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Oct 16 15:17:51 BST 2018


On Tue 2018-10-16 12:05:33 +0200, Carsten Schoenert wrote:
> yes, the problem here is Enigmail, not Thunderbird! But I don't see
> this as a vulnerability per se from a security perspective.
> And you still can install the Mozilla AddOns manually into FF and TB.
> It's a loss of comfort and easy usage of the system provided
> packages, but not more for the typical single user cases on a machine or
> laptop.

fwiw, the version of enigmail that you get from the Mozilla addons store
has what i consider to be pretty serious problems:

 * it downloads and executes binaries from the web on behalf of the user
   (its "pEp" mode) without any form of verification beyond https
   certificate validation.

 * it contains a bundle of OpenPGP.js, which doesn't appear to be easily
   buildable (or modifiable) from source, so it's not free software in
   the sense that debian cares about.

I don't think we want to encourage people to do that.

> And happily dkg is taking this challenge really seriously!

Thanks for the vote of confidence, Carsten! :)

> And being not able to send automated encrypted email is not a
> vulnerability as you still can use gpg on the command line and encrypt
> your content obviously with less comfort, and it's your decision. And
> again, you can still install Enigmail from upstream. So hey, that's life.

fwiw, i don't consider encryption from the command line to be a
substitute for proper integration with your mail user agent.  If you do
that, you're also likely forcing your peers to do the same thing, and
it's really easy to screw it up on one side or the other.

So this situation really is a security issue for some people, who are
losing the capacity to send and receive encrypted e-mail.  There are
people who, if their mail is forced back into cleartext, run risks with
potential consequences ranging from loss of employment to loss of
liberty or even loss of life.

I really hope debian can get this sorted out for the next stable point
release at the latest.

thanks to everyone for their constructive help getting it done!

   --dkg