On 17/08/2023 17:29, Karl Auer wrote:
> An email program has to be able to read random files to attach them, write 
> random files to save attachments, access the Internet to send and receive 
> emails, read and write general storage to store emails and drafts... it is 
> not nefarious, it's open about what it needs, and it does need it.

Well I've never worked as a SysAdmin, and I retired 11 years ago so I'm way out 
of touch anyway and won't argue!  But to clarify matters, an email client 
should surely be confined to each user's process space?

As an example of the Thunderbird add-ons to which I referred earlier, an 
excellent extension I've used in the past is "ImportExportTools NG" - see 
https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/?src=ss
This add-on evidently has 224,601 users and has now been released under a 
GNU GPL V3 licence.  The installation process began with a warning that it was 
implemented under an earlier Mozilla API which allowed access to the whole 
system, and I'd like to quote that warning here.

However I now find this extension has become incompatible with my version of 
Thunderbird on OpenSuSE Linux.  Furthermore, Thunderbird's update history 
reveals it has had no fewer than 21 updates (under the same O/S _minor_ 
release), which have taken it from version 91.8.0 to 115.1.0.  Firefox has had 
23 updates.

What's going on here?  This rate of development is way too fast IMO, especially 
for an open-source package, and may indicate inadequate testing and/or a poor 
definition of Mozilla's development path.  In perhaps similar vein, KDE had an 
excellent stand-alone email client known as Kmail until someone wanted to 
"develop" it into a Personal Information System; when I ditched Kmail for 
Thunderbird it had become bloated, buggy & unreliable, possibly because the 
Kmail team's ambitions exceed the resources available.

More generally, the traditional practice of releasing fully tested & supported 
Linux distributions is becoming unworkable.  Why?  Because the workload 
involved in ensuring version-interoperability with the O/S and each other is 
becoming unmanageable.  For a glimpse of the solution see the SuSE Adaptable 
Linux Platform project at https://build.opensuse.org/project/show/SUSE:ALP

_David Lochrin_


On 17/08/2023 17:29, Karl Auer wrote:
> On Thu, 2023-08-17 at 17:15 +1000, Stephen Loosley wrote:
>> David writes,
>>  > and I think Mozilla Thunderbird may offer something similar.
>>  > I wonder how good their browser sandpit is?  Certainly, some
>>  > earlier Mozilla add-ons, especially Thunderbird, come with a
>>  > warning that they have unrestricted (really?) access to the
>>  > computer.
> An email program has to be able to read random files to attach them,
> write random files to save attachments, access the Internet to send and
> receive emails, read and write general storage to store emails and
> drafts... it is not nefarious, it's open about what it needs, and it
> does need it.
>
> If you are really serious about such things, airgap your mail program
> or run it under a properly configured SELinux or whatever.
>
> It is entirely possible that malware came in on an email (or that a
> phishing attack worked); it is very unlikely that Thunderbird itself is
> the vector.
>
> Regards, K.
>
_______________________________________________
Link mailing list
https://mailman.anu.edu.au/mailman/listinfo/link
