[arch-general] Thunderbird 78

Kevin Morris kevr at 0cost.org
Sun Nov 1 23:16:48 UTC 2020 

Apologies, I had a discussion with somebody about the thread and
ended up with an incorrect understanding about why the package
update has taken longer than expected.

So I spent a little time this last weekend fixing up asp's current
PKGBUILD of thunderbird to build 78.4.0 to help out. 

The following options have been removed from the build process (they
are no longer accepted by thunderbird's source):

    --enable-system-sqlite
    --enable-startup-notification
    --disable-gconf

I used the following toolchains have been used during the build process:

    rust 1.41.0
    node 14.14.0

Note: The default rust toolchain was incompatible with thunderbird's
source, so I moved back to the version they expect for 78.4.0 (>=
1.41.0). Node, I personally use 14.14.0 for some of my own projects
and it just worked out fine with the build.

I have not thoroughly tested through things on the build yet, though.
I have never used thunderbird much, so I'm not sure I would be the best
person to test and ensure all of it's features work right. I do want
to however verify that removing the newly unsupported flags isn't
breaking anything.

Let me know if you'd like the PKGBUILD, or if I can do anything to help
you guys with this update. I've got time to do extra things for now.

Regards,
Kevin

On Thu, Oct 29, 2020 at 02:21:34PM +0100, Geo Kozey via arch-general wrote:
> > From: Morten Linderud via arch-general <arch-general at archlinux.org>
> > Sent: Thu Oct 29 13:57:35 CET 2020
> > To: <arch-general at archlinux.org>
> > Cc: Morten Linderud <foxboron at archlinux.org>
> > Subject: Re: [arch-general] Thunderbird 78
> > 
> > 
> > On Thu, Oct 29, 2020 at 01:51:23PM +0100, Geo Kozey via arch-general wrote:
> > > > From: Kevin Morris <kevr at 0cost.org>
> > > > With the update, TB is implementing PGP by themselves without gnupg
> > > > for internal PGP usage. This is quite a large change, security-wise,
> > > > and could result in encryption/signing being broken. For this reason,
> > > > some of the Arch security team is doing their work and relentlessly
> > > > reviewing their implementation, among other changes that have been
> > > > included in the update binaries.
> > > 
> > > That's nice to hear that Arch is now doing security audit of package updates
> > > even when facing lack of manpower. I understand you work closely with
> > > upstream and other distros which faced exact same issue and we will see
> > > your final report and patches sent upstream.
> > 
> > We don't do this. We don't have the capacity, nor the technical capability to
> > review these things. Ensuring it works is not the same as going through
> > implementation details.
> > 
> > I do not know where Kevin got this impression from.
> > 
> > -- 
> > Morten Linderud
> > PGP: 9C02FF419FECBE16
> 
> I know, I don't demand something like this from Arch devs and I knew someone
> is speaking about things they don't know here so my reply was a bit sarcastic :)
> 
> My only advice would be to push new TB to testing so you get at least some initial
> feedback from users if something is broken or not.
> 
> Yours sincerely
> 
> G. K.

-- 
Kevin Morris
Software Developer

More information about the arch-general mailing list