Re: [Tails-dev] Icedove security updates / Tails release schedule
Spencer wrote (04 Jan 2016 19:41:29 GMT) : >> u: >> TL;DR: Thunderbird is not always released at the same time as FF, >> >> This implies that we have to choose between >> a) delay Tails releases to get the new Icedove; or >> b) [Risk security by] sticking to the current Firefox release schedule every >> 6 weeks. > With all due respect to Mozilla devs and all those here involved in making the > decision to migrate to Icedove, this seems like quite the effort for > un(der)usable > and bloated software, especially given the severity of the options above. I'm replying to "the severity of the options above", regarding option b. Let's keep in mind that other email clients we used to ship, or could choose to ship haven't synchronized their release schedule with Firefox either; Ditto for most other software we ship, actually. So, the "security updates are delayed a bit" problem is neither news here, nor specific to Icedove. It *is* a serious problem, however. The long-term solution we've put our odds on so far, that will work regardless of what email client we ship, is to streamline our release process so that we can, some day, put out (smaller) updates more often. This is one of the main reasons why we've been putting so much efforts into our automated test suite lately :) Cheers, -- intrigeri ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Icedove security updates / Tails release schedule
Hi, Dean Pierce: run some sort of software update at boot? ..visible indicator This ,and other similar things, would be a nice experience that establishes and enforces trust. I wonder what the technical implications are. trying to avoid them Prolongs the inevitable. Wordlife, Spencer ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Icedove security updates / Tails release schedule
Would it be blasphemous to run some sort of software update at boot? Ideally some sort of very visible indicator displaying the date of the most recent security update would be nice too. I feel like these vulnerability gaps are inevitable, and trying to avoid them with tricky scheduling would just make release schedules overly complex, and even then it doesn't really help much against an adversary who isn't bound to such schedules. - DEAN On Mon, Jan 4, 2016 at 11:41 AM, Spencer wrote: > Hi, > >> >> u: >> TL;DR: Thunderbird is not always released at the same time as FF, >> >> This implies that we have to choose between >> a) delay Tails releases to get the new Icedove; or >> b) [Risk security by] sticking to the current Firefox release schedule >> every 6 weeks. >> > > With all due respect to Mozilla devs and all those here involved in making > the decision to migrate to Icedove, this seems like quite the effort for > un(der)usable and bloated software, especially given the severity of the > options above. > > None of these are desired experiences :( > > Wordlife, > Spencer > > > > > ___ > Tails-dev mailing list > Tails-dev@boum.org > https://mailman.boum.org/listinfo/tails-dev > To unsubscribe from this list, send an empty email to > tails-dev-unsubscr...@boum.org. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Icedove security updates / Tails release schedule
Hi, u: TL;DR: Thunderbird is not always released at the same time as FF, This implies that we have to choose between a) delay Tails releases to get the new Icedove; or b) [Risk security by] sticking to the current Firefox release schedule every 6 weeks. With all due respect to Mozilla devs and all those here involved in making the decision to migrate to Icedove, this seems like quite the effort for un(der)usable and bloated software, especially given the severity of the options above. None of these are desired experiences :( Wordlife, Spencer ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Icedove security updates / Tails release schedule
Hi, for our inclusion of Thunderbird/Icedove in Tails, we were concerned we might be always shipping a MUA that has known critical security issues, and always fix stuff 6 weeks late. This is why we started investigating Icedove release timing in Debian, tracked on https://labs.riseup.net/code/issues/10753. TL;DR: Thunderbird is not always released at the same time as FF, and it can take N days (mostly 7 to 10) to have a new upstream release in Debian. This is due to language support and many Debian specific patches which have not been upstreamed, although the Icedove team would like to do so (any takers?) This implies that we have to choose between a) delay Tails releases to get the new Icedove; or b) keep sticking to the current Firefox release schedule every 6 weeks. (a) wquld imply that Tails users could be affected by known FF security issues for N more days every 6 weeks. (b) implies that we need to look for counter-measures to Icedove being subject to known security issues. So how do we balance security for www / security for email? It seems hard to judge how much these security issues affect Thunderbird, e.g. some MFSAs [https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/] probably affect Thunderbird, but as far as we know nobody checked this yet. >From our current knowledge, we should probably rather stick to the actual Tails release schedule, and do b). I've previously discussed this only with intrigeri - but this is bigger than us, hence this email as a call for wider input from other people :) What exact counter measures can we think of? FTR, we ship Icedove from Debian repositories since Tails 1.7. Cheers! u. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] Icedove security updates / Tails release schedule
Seems my mail has not reached the list yesterday.. Forwarded Message Subject: Icedove security updates / Tails release schedule Date: Sun, 03 Jan 2016 20:05:05 + To: The Tails public development discussion list Hi, for our inclusion of Thunderbird/Icedove in Tails, we were concerned we might be always shipping a MUA that has known critical security issues, and always fix stuff 6 weeks late. This is why we started investigating Icedove release timing in Debian, tracked on https://labs.riseup.net/code/issues/10753. TL;DR: Thunderbird is not always released at the same time as FF, and it can take N days (mostly 7 to 10) to have a new upstream release in Debian. This is due to language support and many Debian specific patches which have not been upstreamed, although the Icedove team would like to do so (any takers?) This implies that we have to choose between a) delay Tails releases to get the new Icedove; or b) keep sticking to the current Firefox release schedule every 6 weeks. (a) wquld imply that Tails users could be affected by known FF security issues for N more days every 6 weeks. (b) implies that we need to look for counter-measures to Icedove being subject to known security issues. So how do we balance security for www / security for email? It seems hard to judge how much these security issues affect Thunderbird, e.g. some MFSAs [https://www.mozilla.org/en-US/security/advisories/mfsa2015-134/] probably affect Thunderbird, but as far as we know nobody checked this yet. >From our current knowledge, we should probably rather stick to the actual Tails release schedule, and do b). I've previously discussed this only with intrigeri - but this is bigger than us, hence this email as a call for wider input from other people :) What exact counter measures can we think of? FTR, we ship Icedove from Debian repositories since Tails 1.7. Cheers! u. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
[Tails-dev] meetings on conference.riseup.net
The monthly meeting yesterday on conference.riseup.net was a success with 16 people in the room at some point, with most of them attending the meeting. So I removed the mention of OFTC in the announcement for future meetings. ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] [review] Adding handbooks to press.mdwn
elouann: > please review and merge from elouann / documentation > the commits > > * 9c2c2ce - The booklet by capulcu was updated > * 2602858 - Fix link > * 406f630 - Adding handbook from TCIJ Merged, thanks! ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
Re: [Tails-dev] Potential OpSec issue - Identifying Tails Tor vs "other" Tor
Hi, Lee Brotherston wrote (04 Jan 2016 05:20:14 GMT) : > Just to confirm that Tails 2.0 beta1 "looks" like vanilla Tor from the > perspective of the TLS fingerprint: All right, then. Thanks :) Cheers! ___ Tails-dev mailing list Tails-dev@boum.org https://mailman.boum.org/listinfo/tails-dev To unsubscribe from this list, send an empty email to tails-dev-unsubscr...@boum.org.
