Could you guys reference the security patches that Arch is critically missing out on by delaying this update? I've noticed a couple of you speaking on that, but not actually citing any concrete problem areas.

With the update, TB is implementing PGP by themselves without gnupg for internal PGP usage. This is quite a large change, security-wise, and could result in encryption/signing being broken. For this reason, some of the Arch security team are doing their work and relentlessly reviewing their implementation, among other changes that have been included in the update binaries. This is being done because it's known that PGP on Thunderbird at the current version in Arch is still using gnupg to do its work, so it's known that we can depend on that PGP implementation in a stable way. Arch wants to make sure that its users aren't being faked out; that is, if Arch users expect that they're using their PGP keys for their email, but TBird's implementation is broken in some way, that would cause havoc within the community and possibly leak out private information that people depend on PGP to keep safe.

Yes, it's taking longer than usual. But the good news is, after this update, I doubt Mozilla will be modifying their PGP implementation anytime soon, and thus it won't need such close review.

Disclaimer: I'm not an Arch TU, staff member, or anything like that. I'm just a community member.

On Wed, Oct 28, 2020 at 12:20:45PM +0100, Maarten de Vries via arch-general wrote:
On Tue, 27 Oct 2020 at 23:26, Bjoern Franke via arch-general < arch-general@archlinux.org> wrote:
On 27.10.20 at 23:12, Javier via arch-general wrote:
I really hope not, I prefer to wait than having to build TB on every release. Besides, current version works just fine...
There are also bin-packages, so you don't really have to build it.
True, but it still won't update automatically with `pacman -Syu`. For an email client, automatic security updates are quite important. Having to update manually from the AUR would certainly be a downgrade in user experience.
Anyway, I can't imagine that not a single Arch packager or TU is using thunderbird.
-- Maarten
--
Kevin Morris
Software Developer