[arch-general] Thunderbird 78

Morten Linderud foxboron at archlinux.org
Thu Oct 29 12:57:35 UTC 2020


On Thu, Oct 29, 2020 at 01:51:23PM +0100, Geo Kozey via arch-general wrote:
> > From: Kevin Morris <kevr at 0cost.org>
> > With the update, TB is implementing PGP by themselves without gnupg
> > for internal PGP usage. This is quite a large change, security-wise,
> > and could result in encryption/signing being broken. For this reason,
> > some of the Arch security team is doing their work and relentlessly
> > reviewing their implementation, among other changes that have been
> > included in the update binaries.
> 
> That's nice to hear that Arch is now doing security audits of package updates
> even when facing a lack of manpower. I understand you work closely with
> upstream and other distros which faced the exact same issue and we will see
> your final report and patches sent upstream.

We don't do this. We don't have the capacity, nor the technical capability to
review these things. Ensuring it works is not the same as going through
implementation details.

I do not know where Kevin got this impression from.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16