On Tue 2018-10-23 20:00:06 +0100, Adam D. Barratt wrote: > From discussions elsewhere, I understand that the "raw" upstream > enigmail - i.e. installed via upstream's addons service - is actually > already compatible with the new Thunderbird version, and the problem > only affects the Debian packages - is that correct? (Specifically, > upstream includes some kind of compatibility shim, which is not shipped > in our packages for DFSG reasons.)
the version of enigmail shipped in the mozilla add-ons has at least two
problems, both arguably DFSG-free-related, and both described in
#909000, i believe.
0) it ships a pre-built copy of OpenPGP.js, which i have not been able
to build directly in debian due to a deep dependency mess (see #787774)
1) by default it downloads a binary from the internet, stores it in the
user's thunderbird profile, and executes it as the user without
checking its integrity with anything beyond an HTTPS (see #891882)
Encouraging users with sensitive communication needs to install
something with either of these choices made this way is pretty
problematic. And users who install enigmail from the add-on store will
most likely never revert to the debian packages that fix these
misfeatures :/
> Explicitly CCing KiBi is generally more effective, as -boot@ is a
> fairly busy list at times. I imagine he'll want the SRM review
> completed first, but that also depends on whether the changes actually
> impact d-i's usage, which I'm not entirely clear on - could you provide
> any insight there?
d-i's usage is limited to gpgv; the gpgv-udeb is deliberately narrowly
targeted, since all d-i needs from gpgv is (a) interpret the debian
distro public keys, and (b) verify signatures on the apt manifests.
None of the changes in this update should affect gpgv's behavior in
either of these tasks.
hope that helps to clarify,
--dkg
signature.asc
Description: PGP signature
