Hi,

In the last month, I have worked with dkg (in CC) to see how to (ultimately) deal with the end of life of Firefox and Thunderbird ESR as we know them in jessie. He has been hard at work updating GnuPG in stable (#910398) so that Enigmail works with that older version of GnuPG without introducing new security issues. The next step is an update of Enigmail in stable (in #912194) so that it works with the latest Thunderbird 60 upload approved by the security team in mid-September.
Because Emilio (also in CC) had claimed the Thunderbird and Firefox packages, I figured I would see what would be required to deal with the consequences of such an update in jessie. It seemed obvious that an update to at least Enigmail would be required, so I started to drill down into that. I provided code reviews, rubber-ducking and support to dkg in the Enigmail and GnuPG updates, mostly in private, but those are now trickling down in stable updates.

Now, unfortunately, I am back here asking you what we should do about those packages again. About a month ago, I offered 5 different options:

1. pretend Enigmail works without changing GnuPG, possibly introducing security issues
2. ship a backport of GnuPG and Enigmail through jessie-sloppy-backports
3. package OpenPGP.js and backport it all the way down to jessie
4. remove Enigmail from jessie
5. backport the required GnuPG patchset from stretch to jessie

I believe we have now actively researched most of those options in one way or the other:

1. I verified that Enigmail does indeed have security issues with the current versions of GnuPG, particularly in the Autocrypt mechanism.
2. was never seriously considered
3. I investigated the OpenPGP.js dependency tree and determined it was an impassable forest
4. hasn't been seriously considered yet, as far as I can tell
5. I have helped dkg backport the patches from GnuPG 2.2 to 2.1 for stretch

Now I come back to you again for advice. Which path should we take? So far I'm sticking to option #5 above, but I would welcome other opinions.

I would suggest we wait for Enigmail and GnuPG to trickle down to stretch and see if any critical issues come out. There are specifically concerns that the backported GnuPG changes might break unrelated software that depends on the brittle dialect GnuPG imposes on its consumers, which *does* change in the backport. I am aware of at least one program (Monkeysphere) which could FTBFS because of a too brittle, build-time test suite.
dkg and I are maintainers on that package and will be able to handle the followup.

That should eventually settle Enigmail/GnuPG: either we backport the GnuPG patches, or we deem the GnuPG patchset too invasive to backport to jessie and we remove Enigmail from jessie. The result will be that users will run an outdated version (if they don't notice the package's removal or the announcement) or will run an up-to-date but possibly insecure version (if they install the Addons version from Mozilla, which downloads an arbitrary binary from the network, see #891882). So I think there's a strong incentive to backport the changes, but we should wait and see what breaks in stable before venturing any further into this dark alley.

Which brings us to Thunderbird (and Firefox) themselves. The last I heard of this is that LLVM was in NEW for jessie. I wrote Emilio to see if he needed help on that last week, but haven't got a response. Hopefully all that work will come to fruition synchronously in a grand fanfare of uploads all working out perfectly in the end. :)

Voilà. I felt I had been working in the dark on this for a part of October and figured it would be useful to post a refresher on my work. Let me know if that's useful / too long / or if you have any more questions.

A.

-- 
If triangles had a God, they would give him three sides.
- Montesquieu, Lettres persanes