Re: [Tails-dev] Tails vs Electrum

Author: s7r
Date:  
To: tails-dev
Subject: Re: [Tails-dev] Tails vs Electrum
u wrote:
> Hi!
>
> On 19.03.19 18:07, sajolida wrote:
>
>> If we decide not to ship the AppImage, we could also try to contact the
>> Debian maintainer.
>
> I'll do that right away.
>
> Cheers!
> u.


Hello,

Thank you very much, sajolida, for the write-up! Very, very well and
clearly written.

I am in constant contact with mithrandi. Trying to contact him by anyone
else is not helpful at this moment and will actually not fix anything
for us (by us I mean Tails). He was offline due to some other problems that
prevented him from working on Debian for a period of time. He plans to resume
working on Debian and continue to maintain the packages, but this is not
the main problem.

The real question here is: *Is it still a good choice to install
Electrum for whatever Debian (stable or stable-backports) uses?*

As practice shows us, Electrum is not a very good package to install
from `stable-backports` because of the listing policy and the chain it
has to go through. Remember the RPC vulnerability -- that was not
exploitable in Tails because our firewall blocked the remote requests,
but still. Actually, it was thanks to Tails indirectly that the bug was
discovered -- the reporter of the bug did an audit on all tools in Tails,
and if Electrum wasn't in Tails we would probably still have that bug going.


Currently, versions prior to 3.3 are unable to connect to most of
the servers, and very soon they won't be able to connect to any server.
For the record, I run 2 high capacity servers also available under
.onion hostnames which are able to talk to legacy clients, and will not
change this until we take a decision regarding Electrum in Tails.

In my last discussion with Electrum's Debian maintainer, he said that
there are dependencies that are not in Debian yet and have to go
through NEW, etc., and there are huge chances that we won't be able to
have it in Buster. python3-zbar for example, some hardware wallet
libraries, etc.

Let's pretend we somehow make some magic and package everything in
Debian so we have Electrum 3.3.4 running in stable. We appear to be OK
for the time being. But who knows what the next attack will be, or what
will happen, and then we'll end up in the same situation: there's a
new version we don't have in `stable-backports`, and we need it urgently
because the one we have doesn't work any more, or it's vulnerable, or
etc. Actually, it is already the _3rd time_ we are in this situation.

If we use the AppImage however, we eliminate all these problems. It
already has everything needed inside (the hardware wallet libraries --
we just need to set the udev rules), and it's easy to upgrade / refresh
at every Tails version release. Do we open the door for anything nasty
if we use the AppImage? Does it affect us in any way if we use it just
for this particular tool? We have all the reasons to do it and I see
only advantages. If there's extra work involved to make this happen I
could do all that work.

I say we should find the optimal solution here, and try to avoid
discarding Electrum in Tails - the user base of Electrum under Tails is
actually quite large; I had no idea it was so large until I got flooded
with emails / support questions regarding this.