On Fri 2018-12-14 09:26:50 -0500, Antoine Beaupré wrote:
> I have outlined the tradeoffs of this in the past. For me, the biggest
> concern is that users will blindly install Enigmail from the app store
> and that actually has security vulnerabilities because the jessie gpg
> version is too old, as I understand it.

Installing enigmail from addons.mozilla.org (what i think anarcat means by "the app store") raises not only concerns about gpg compatibility on jessie -- it also downloads and runs arbitrary binary code from the Internet:

https://bugs.debian.org/891882

This is fixed in debian by a change in the defaults, but upstream appears to have no intention to change those defaults in the version in addons.mozilla.org.

Leaving jessie users vulnerable to this would make me pretty sad.

I appreciate the work that anarcat is doing here!

--dkg