On Thu 2017-07-27 16:21:21 +0200, Moritz Muehlenhoff wrote:
> We can provide a fixed 1.9.8.1-1 via jessie-security/stretch-security,

I've uploaded 1.9.8.1-1~deb8u1 for jessie-security and 1.9.8.1-1~deb9u1
for stretch-security, thanks!  They're also available on the "jessie"
and "stretch" branches at

   https://anonscm.debian.org/git/pkg-mozext/enigmail.git

> but the current approach of providing Firefox/Thunderbird extensions in a
> stable release is madness and really needs to stop for buster. Neither
> the Firefox, Thunderbird maintainers or the security team can look after
> all these extensions.

I'm less concerned with "all these extensions" than i am with enigmail,
which i think is an important one, until we manage to get it embedded in
thunderbird directly :/ I understand that the release team has a larger
scope, but dropping enigmail from debian stable would be a pretty bad
outcome.

>> I think this could have been avoided if the newer version of thunderbird
>> had been marked as "Breaks: enigmail < 1.9.8" or something similar,
>> though it's not clear how the t-bird maintainers are supposed to know
>> that sort of information about every possible extension.  Perhaps
>> enigmail needs to be special cased since it seems to have more of a
>> history of this kind of problem?
>
> Every maintainer of a Firefox/Thunderbird extension needs to test older
> releases against the latest ESR once that reaches unstable. There's
> an overlap of several months during which we provide the old ESR in
> stable while the new ESR is available, this could've all been caught
> before release time.

i'm not sure which release time you're talking about.  

Thunderbird 52 has not been part of any release, afaict.  i think it was
pulled into jessie and stretch by way of security updates.

We have known that thunderbird 52 is incompatible with prior versions of
enigmail from earlier this year (~2 months ago, see the upstream bug
report).  We just failed to coordinate it properly for the security
update of thunderbird in debian stable and oldstable.  Sorry about that!

At any rate, i think it's working now (modulo a follow up on Paul van
der Vlis's experience of sending out cleartext mail as a separate
issue, which i'm unable to reproduce).  Please follow up if the updated
packages haven't resolved your issues, Shevek.

       --dkg

Attachment: signature.asc
Description: PGP signature

_______________________________________________
Pkg-mozext-maintainers mailing list
Pkg-mozext-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-mozext-maintainers

Reply via email to