Re: [Tails-dev] Security of Thunderbird in Tails

David A. Wheeler:
>
> I'm not a member of the Tails release group. However, this doesn't seem to be specific to Thunderbird or Tails. This is, in some sense, the inevitable result of being a distribution, that is, packaging software developed by many others who have their own schedule.

The problem is specific to Thunderbird in that the security updates for
it are typically released by Mozilla on the same day as the updates for
Firefox.

As Tails releases follow the Firefox update cycle, but Thunderbird is
not updated at the same time, Thunderbird is almost always one release
behind. I.e. there is no time when there are no publicly known
vulnerabilities in the Tails version of Thunderbird.


> If it *is* vulnerable to expected use (e.g., merely receiving & reading an email would cause a takeover), I'd hope that the Tails team would do an emergency release.

To my knowledge Tails has never had an emergency release related to
Thunderbird. Even when there have been vulnerabilities in Thunderbird
which would have compromised the anonymity of the users.


> I can imagine them doing some other things to compensate:
> * making it easier to update from Debian directly
> * working with Debian to compile with more hardening flags, to make it harder to attack
> * sandboxing Thunderbird

Agreed. I would hope that actions such as these would be taken and
documented somewhere.



Cheers,

Topi