[arch-general] Thunderbird 78

Geo Kozey geokozey at mailfence.com
Thu Oct 29 12:51:23 UTC 2020


> From: Kevin Morris <kevr at 0cost.org>
> Sent: Thu Oct 29 00:28:04 CET 2020
> To: General Discussion about Arch Linux <arch-general at archlinux.org>
> Subject: Re: [arch-general] Thunderbird 78
> 
> 
> Could you guys reference the security patches that Arch is
> critically missing out on by delaying this update? I've noticed
> a couple of you speaking on that, but not actually citing
> any concrete problem areas.

I sent a mail with a link to the Mozilla advisory 10h before you asked for it,
so this complaint is completely off.

https://www.mozilla.org/en-US/security/known-vulnerabilities/thunderbird/


> With the update, TB is implementing PGP by themselves without gnupg
> for internal PGP usage. This is quite a large change, security-wise,
> and could result in encryption/signing being broken. For this reason,
> some of the Arch security team is doing their work and relentlessly
> reviewing their implementation, among other changes that have been
> included in the update binaries.

That's nice to hear that Arch is now doing a security audit of package updates
even when facing a lack of manpower. I understand you work closely with
upstream and other distros which faced the exact same issue, and we will see
your final report and patches sent upstream.

> This is being done because it's known that PGP on Thunderbird at
> the current version in Arch is still using gnupg to do its work,
> so it's known that we can depend on that PGP implementation
> in a stable way. Arch wants to make sure that its users aren't
> being faked out; that is, if Arch users expect that they're using
> their PGP keys for their email, but TBird's implementation is broken
> in some way, that would cause havoc within the community and
> possibly leak out private information that people depend on PGP
> to keep safe.

That's great, but again, is this coordinated with upstream and other
distros in any way? As they have already made updates, they may have
some knowledge about the matter, and it would be a waste if every
single distro had to learn everything from scratch.

> Yes, it's taking longer than usual. But the good news is, after this
> update, I doubt Mozilla will be modifying their PGP implementation
> anytime soon, and thus won't need such close review.

Well, if you find some issues (which is the point), then they will have
to modify their implementation, no?

Yours sincerely,

G. K.
