[Tails-dev] Icedove security updates / Tails release schedul…

Author: u
Date:  
To: The Tails public development discussion list
Subject: [Tails-dev] Icedove security updates / Tails release schedule
Hi,

for our inclusion of Thunderbird/Icedove in Tails, we were concerned we
might be always shipping a MUA that has known critical security issues,
and always fix stuff 6 weeks late. This is why we started investigating
Icedove release timing in Debian, tracked on
https://labs.riseup.net/code/issues/10753.
TL;DR: Thunderbird is not always released at the same time as FF, and it
can take N days (mostly 7 to 10) to have a new upstream release in
Debian. This is due to language support and many Debian specific patches
which have not been upstreamed, although the Icedove team would like to
do so (any takers?)

This implies that we have to choose between
a) delay Tails releases to get the new Icedove; or
b) keep sticking to the current Firefox release schedule every 6 weeks.

(a) would imply that Tails users could be affected by known FF security
issues for N more days every 6 weeks.
(b) implies that we need to look for counter-measures to Icedove being
subject to known security issues.

So how do we balance security for www / security for email? It seems
hard to judge how much these security issues affect Thunderbird, e.g.
some MFSAs
[https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/]
probably affect Thunderbird, but as far as we know nobody checked this yet.

From our current knowledge, we should probably rather stick to the
actual Tails release schedule, and do b). I've previously discussed this
only with intrigeri - but this is bigger than us, hence this email as a
call for wider input from other people :)

What exact counter measures can we think of?

FTR, we ship Icedove from Debian repositories since Tails 1.7.

Cheers!
u.