[arch-general] Thunderbird 78

Kevin Morris kevr at 0cost.org
Wed Oct 28 23:28:04 UTC 2020


Could you guys reference the security patches that Arch is
critically missing out on by delaying this update? I've noticed
a couple of you speaking on that, but not actually citing
any concrete problem areas.

With the update, TB is implementing PGP by itself, without gnupg,
for internal PGP usage. This is quite a large change, security-wise,
and could result in encryption/signing being broken. For this reason,
some of the Arch security team are doing their work and relentlessly
reviewing that implementation, among other changes that have been
included in the update binaries.

This is being done because it's known that PGP on Thunderbird at
the current version in Arch is still using gnupg to do its work,
so it's known that we can depend on that PGP implementation
in a stable way. Arch wants to make sure that its users aren't
being faked out; that is, if Arch users expect that they're using
their PGP keys for their email, but TBird's implementation is broken
in some way, that would cause havoc within the community and
possibly leak out private information that people depend on PGP
to keep safe.

Yes, it's taking longer than usual. But the good news is, after this
update, I doubt Mozilla will be modifying their PGP implementation
anytime soon, and thus won't need such close review.

Disclaimer: I'm not an Arch TU, staff member, or anything like that.
I'm just a community member.

On Wed, Oct 28, 2020 at 12:20:45PM +0100, Maarten de Vries via arch-general wrote:
> On Tue, 27 Oct 2020 at 23:26, Bjoern Franke via arch-general <
> arch-general at archlinux.org> wrote:
> 
> > Am 27.10.20 um 23:12 schrieb Javier via arch-general:
> > > I really hope not, I prefer to wait than having to build TB on every
> > > release.  Besides, current version works just fine...
> > >
> >
> > There are also bin-packages so you don't have build it really.
> >
> 
> True, but it still won't update automatically with `pacman -Syu`. For an
> email client, automatic security updates are quite important. Having to
> update manually from the AUR would certainly be a downgrade in user
> experience.
> 
> Anyway, I can't imagine that not a single Arch packager or TU is using
> thunderbird.
> 
> -- Maarten

-- 
Kevin Morris
Software Developer