On 02/09/2025 17.16, Topi Toosi via Tails-dev wrote:
David A. Wheeler:
I'm not a member of the Tails release group. However, this doesn't
seem to be specific to Thunderbird or Tails. This is, in some sense,
the inevitable result of being a distribution, that is, packaging
software developed by many others who have their own schedule.
The problem is specific to Thunderbird in that the security updates for
it are typically released by Mozilla on the same day as the updates for
Firefox.
As Tails releases follow the Firefox update cycle, but Thunderbird is
not updated at the same time, Thunderbird is almost always one release
behind. I.e., there is no time when there are no publicly known
vulnerabilities in the Tails version of Thunderbird.
This unfortunate situation is indeed the root cause of this.
If it *is* vulnerable to expected use (e.g., merely receiving &
reading an email would cause a takeover), I'd hope that the Tails team
would do an emergency release.
That is the intention.
To my knowledge, Tails has never had an emergency release related to
Thunderbird, even when there have been vulnerabilities in Thunderbird
which would have compromised the anonymity of the users.
https://tails.net/news/IP_leakage_with_Icedove/ :D
I can imagine them doing some other things to compensate:
* making it easier to update from Debian directly
* working with Debian to compile with more hardening flags, to make it
harder to attack
* sandboxing Thunderbird
Indeed, sandboxing Thunderbird has been our best-effort attempt at
managing the situation, and we know the sandboxing is problematic (see
my other post in this thread).
Agreed. I would hope that actions such as these would be taken and
documented somewhere.
Please open an issue about it on Tails' GitLab and let's try to make it
happen!
Cheers!
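To put numbers on the "one release behind" argument in this thread, the following is an added illustration (not code from the thread, from Tails or from Mozilla): it walks a constructed release calendar day by day and counts the days on which the Thunderbird a Tails user has is older than the newest upstream release, i.e. days on which the shipped build carries vulnerabilities that are already public because they were fixed and disclosed upstream. It also reports how long each upstream release takes to reach a Tails release. Every version string and date in it is a hypothetical placeholder, not real Thunderbird or Tails release data; the same-cycle schedule is included only as the contrast case.

```python
# Added illustration for the release-lag argument in the thread above; this is
# not Tails or Mozilla code. Every version string and date below is a
# constructed placeholder, not real Thunderbird or Tails release data.
from datetime import date, timedelta


def version_key(version):
    """Turn '1.10' into (1, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def latest_at(releases, day):
    """Newest version in `releases` ([(date, version)]) published on or before `day`, or None."""
    published = [ver for rel_date, ver in releases if rel_date <= day]
    return max(published, key=version_key) if published else None


def exposed_days(upstream, tails, start, end):
    """Count the days in [start, end] on which the Thunderbird a Tails user has
    is older than the newest upstream release: on those days the shipped build
    carries vulnerabilities that are already public (fixed and disclosed upstream).
    """
    exposed = 0
    day = start
    while day <= end:
        shipped = latest_at(tails, day)
        newest = latest_at(upstream, day)
        if shipped and newest and version_key(shipped) < version_key(newest):
            exposed += 1
        day += timedelta(days=1)
    return exposed


def lag_per_release(upstream, tails):
    """Days from each upstream release until a Tails release ships that version
    or newer; None if no Tails release in the data ever caught up."""
    lags = {}
    for up_date, up_ver in upstream:
        catching_up = [d for d, v in tails
                       if d >= up_date and version_key(v) >= version_key(up_ver)]
        lags[up_ver] = (min(catching_up) - up_date).days if catching_up else None
    return lags


# Constructed timeline (hypothetical). Mozilla ships a Thunderbird security
# release on the same day as Firefox; Tails follows two days later.
UPSTREAM = [(date(2024, 12, 10), "0.9"), (date(2025, 1, 7), "1.0"),
            (date(2025, 2, 4), "1.1"), (date(2025, 3, 4), "1.2")]
# The situation described in the thread: each Tails release ships the
# Thunderbird from the *previous* cycle.
TAILS_LAGGING = [(date(2024, 12, 12), "0.8"), (date(2025, 1, 9), "0.9"),
                 (date(2025, 2, 6), "1.0"), (date(2025, 3, 6), "1.1")]
# The contrast case: Tails ships the current Thunderbird in the same release.
TAILS_SAME_CYCLE = [(date(2024, 12, 12), "0.9"), (date(2025, 1, 9), "1.0"),
                    (date(2025, 2, 6), "1.1"), (date(2025, 3, 6), "1.2")]
WINDOW_START, WINDOW_END = date(2025, 1, 7), date(2025, 3, 31)


def summarize(tails):
    """(exposed days, total days in the window) for one Tails release schedule."""
    total = (WINDOW_END - WINDOW_START).days + 1
    return exposed_days(UPSTREAM, tails, WINDOW_START, WINDOW_END), total


if __name__ == "__main__":
    for label, schedule in (("one release behind", TAILS_LAGGING),
                            ("same cycle", TAILS_SAME_CYCLE)):
        exposed, total = summarize(schedule)
        print(f"{label}: {exposed}/{total} days running a Thunderbird with public, "
              f"already-fixed vulnerabilities; lag per upstream release: "
              f"{lag_per_release(UPSTREAM, schedule)}")
```

With the lagging schedule every day of the window is exposed, which is the point made above: the Tails Thunderbird is never free of publicly known vulnerabilities. With the same-cycle schedule only the two days between each Mozilla release and the following Tails release are exposed, so the remaining window is exactly the gap an emergency release, or a Debian-direct update path, would have to close. To run it against real data, replace the two constructed lists with actual release dates and the Thunderbird versions shipped.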
_______________________________________________
Tails-dev mailing list
https://www.autistici.org/mailman/listinfo/tails-dev