> From: Morten Linderud via arch-general <arch-general@archlinux.org> > Sent: Thu Oct 29 13:57:35 CET 2020 > To: <arch-general@archlinux.org> > Cc: Morten Linderud <foxbo...@archlinux.org> > Subject: Re: [arch-general] Thunderbird 78 > > > On Thu, Oct 29, 2020 at 01:51:23PM +0100, Geo Kozey via arch-general wrote: > > > From: Kevin Morris <k...@0cost.org> > > > With the update, TB is implementing PGP by themselves without gnupg > > > for internal PGP usage. This is quite a large change, security-wise, > > > and could result in encryption/signing being broken. For this reason, > > > some of the Arch security team is doing their work and relentlessly > > > reviewing their implementation, among other changes that have been > > > included in the update binaries. > > > > That's nice to hear that Arch is now doing security audit of package updates > > even when facing lack of manpower. I understand you work closely with > > upstream and other distros which faced exact same issue and we will see > > your final report and patches sent upstream. > > We don't do this. We don't have the capacity, nor the technical capability to > review these things. Ensuring it works is not the same as going through > implementation details. > > I do not know where Kevin got this impression from. > > -- > Morten Linderud > PGP: 9C02FF419FECBE16
I know, I don't demand something like this from Arch devs and I knew someone is speaking about things they don't know here so my reply was a bit sarcastic :) My only advice would be to push new TB to testing so you get at least some initial feedback from users if something is broken or not. Yours sincerely G. K.
