On 02/09/2025 17.16, Topi Toosi via Tails-dev wrote:
> 
> 
> David A. Wheeler:
>>
>> I'm not a member of the Tails release group. However, this doesn't 
>> seem to be specific to Thunderbird or Tails. This is, in some sense, 
>> the inevitable result of being a distribution, that is, packaging 
>> software developed by many others who have their own schedule.
> 
> The problem is specific to Thunderbird in that the security updates for 
> it are typically released by Mozilla on the same day as the updates for 
> Firefox.
> 
> As Tails releases follow the Firefox update cycle, but Thunderbird is
> not updated at the same time, Thunderbird is almost always one release
> behind. I.e., there is no time when there are no publicly known
> vulnerabilities in the Tails version of Thunderbird.

This unfortunate situation is indeed the root cause of this.

>> If it *is* vulnerable to expected use (e.g., merely receiving & 
>> reading an email would cause a takeover), I'd hope that the Tails team 
>> would do an emergency release.

That is the intention.

> To my knowledge Tails has never had an emergency release related to 
> Thunderbird. Even when there have been vulnerabilities in Thunderbird 
> which would have compromised the anonymity of the users.

https://tails.net/news/IP_leakage_with_Icedove/ :D

>> I can imagine them doing some other things to compensate:
>> * making it easier to update from Debian directly
>> * working with Debian to compile with more hardening flags, to make it 
>> harder to attack
>> * sandboxing Thunderbird

Indeed, sandboxing Thunderbird has been our best-effort attempt at
managing the situation, and we know the sandboxing is problematic (see
my other post in this thread).

> Agreed. I would hope that actions such as these would be taken and 
> documented somewhere.

Please open an issue about it on Tails' GitLab and let's try to make it
happen!

Cheers!