From: Kevin Morris <kevr@0cost.org> Sent: Thu Oct 29 00:28:04 CET 2020 To: General Discussion about Arch Linux <arch-general@archlinux.org> Subject: Re: [arch-general] Thunderbird 78
> Could you guys reference the security patches that Arch is critically missing out on by delaying this update? I've noticed a couple of you speaking on that, but not actually citing any concrete problem areas.
I sent a mail with a link to the Mozilla advisory 10h before you asked for it, so this complaint is completely off. https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/
> With the update, TB is implementing PGP by themselves without gnupg for internal PGP usage. This is quite a large change, security-wise, and could result in encryption/signing being broken. For this reason, some of the Arch security team is doing their work and relentlessly reviewing their implementation, among other changes that have been included in the update binaries.
That's nice to hear that Arch is now doing a security audit of package updates even when facing a lack of manpower. I understand you work closely with upstream and other distros which faced the exact same issue, and we will see your final report and patches sent upstream.
> This is being done because it's known that PGP on Thunderbird at the current version in Arch is still using gnupg to do its work, so it's known that we can depend on that PGP implementation in a stable way. Arch wants to make sure that its users aren't being faked out; that is, if Arch users expect that they're using their PGP keys for their email, but TBird's implementation is broken in some way, that would cause havoc within the community and possibly leak out private information that people depend on PGP to keep safe.
That's great, but again, is this done in cooperation with upstream and other distros in any way? As they made the updates already, they may have some knowledge about the matter, and it would be a waste if every single distro had to learn everything from scratch.
> Yes, it's taking longer than usual. But the good news is, after this update, I doubt Mozilla will be modifying their PGP implementation anytime soon, and thus won't need such close review.
Well, if you find some issues (which is the point), then they will have to modify their implementation, no?

Yours sincerely,
G. K.