Author: David A. Wheeler
Date:
To: The Tails public development discussion list
Subject: Re: [Tails-dev] Security of Thunderbird in Tails

> On Aug 31, 2025, at 6:22 AM, Topi Toosi via Tails-dev <tails-dev@???> wrote:
>
> Hi,
>
> I would like to raise a point about the security of the Thunderbird software in Tails.
>
> Due to the Tails release scheduling the thunderbird package in Tails is almost always one release behind the current version.

I'm not a member of the Tails release group. However, this doesn't seem to be specific to Thunderbird or Tails. This is, in some sense, the inevitable result of being a distribution, that is, packaging software developed by many others who have their own schedule.

> This means that Thunderbird in Tails almost always contains known security vulnerabilities.
>
> Granted - most of the time Thunderbird vulnerabilities "cannot be exploited through email in the Thunderbird product because scripting is disabled when reading mail, but are potentially risks in browser or browser-like contexts" - as the Mozilla security advisories put it.
>
> However this is not the case every month.

If it's not vulnerable for its intended & reasonably expected uses... it's not vulnerable for them.

If it *is* vulnerable to expected use (e.g., merely receiving & reading an email would cause a takeover), I'd hope that the Tails team would do an emergency release.

I can imagine them doing some other things to compensate:
* making it easier to update from Debian directly
* working with Debian to compile with more hardening flags, to make it harder to attack
* sandboxing Thunderbird

But making a distro & testing it takes time, and that's fundamental. No schedule would be good for everyone, I suspect.